Container Auth Lifecycle - Synth AI

Summary
Important scope note
Tunnel-specific behavior

This page defines the canonical container auth lifecycle for synth-ai.

Summary

Backend API auth uses SYNTH_API_KEY bearer auth.
SynthTunnel relay auth uses container_worker_token.
GEPA rollout auth for SynthTunnel and other non-local container URLs uses signer-backed container auth tokens and requires:
- SYNTH_CONTAINER_AUTH_PRIVATE_KEY, or
- SYNTH_CONTAINER_AUTH_PRIVATE_KEYS

Important scope note

Legacy container key rollout parameters are removed from synth-ai prompt-learning surfaces.
Some non-container backend transport paths may still accept legacy API-key headers for compatibility; that is separate from container rollout auth lifecycle.

Tunnel-specific behavior

SynthTunnel URLs (https://st.usesynth.ai/s/...) require container_worker_token.
GEPA with SynthTunnel (or any non-local container URL) requires signer keys.
Localhost GEPA URLs are allowed without signer keys.

Containers Overview In-Process Container

⌘I