DocsAuthentication
API Authentication
Learn how to authenticate with the Syncaty API using JWT tokens or OAuth2 for third-party integrations.
Authentication Methods
Syncaty supports two authentication methods:
JWT Tokens
For direct API access using user credentials. Ideal for dashboard and frontend applications.
OAuth2
For third-party integrations like n8n. Provides secure delegated access.
JWT Authentication
Obtaining a Token
Send a POST request to the login endpoint:
Request
POST /auth/login
Content-Type: application/json
{
"email": "user@example.com",
"password": "your-password"
}Response
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"user": {
"id": "uuid",
"email": "user@example.com",
"name": "John Doe"
}
}Using the Token
Include the token in the Authorization header for all API requests:
GET /api/stores Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Token Details
| Property | Value |
|---|---|
| Algorithm | HS256 |
| Expiration | 7 days |
| Payload | sub (user ID),email,is_admin |
OAuth2 Authentication
OAuth2 is used for third-party integrations. Create an OAuth app in Syncaty to get your credentials.
Creating an OAuth App
- Go to Settings → OAuth Apps
- Click "Create New App"
- Enter app name and redirect URI
- Copy your Client ID and Client Secret
Authorization Flow
1
Redirect to Authorization
GET /oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=YOUR_REDIRECT_URI&response_type=code&scope=stores:read customers:read2
User Approves
User logs in and approves the requested permissions.
3
Receive Authorization Code
YOUR_REDIRECT_URI?code=AUTHORIZATION_CODE4
Exchange for Access Token
POST /oauth/token Content-Type: application/x-www-form-urlencoded grant_type=authorization_code &code=AUTHORIZATION_CODE &client_id=YOUR_CLIENT_ID &client_secret=YOUR_CLIENT_SECRET &redirect_uri=YOUR_REDIRECT_URI
Token Response
{
"access_token": "oauth_access_token_here",
"token_type": "Bearer",
"expires_in": 3600,
"refresh_token": "oauth_refresh_token_here",
"scope": "stores:read customers:read"
}Available Scopes
| Scope | Description |
|---|---|
stores:read | Read store information |
customers:read | Read customer data and analytics |
orders:read | Read order data |
products:read | Read product catalog |
segments:read | Read customer segments |
Error Responses
401 Unauthorized
Token is missing, invalid, or expired.
{
"statusCode": 401,
"message": "Unauthorized"
}403 Forbidden
Valid token but insufficient permissions.
{
"statusCode": 403,
"message": "Insufficient permissions"
}Security Best Practices
- • Never expose tokens in client-side code or URLs
- • Store tokens securely (httpOnly cookies or secure storage)
- • Use HTTPS for all API requests
- • Implement token refresh before expiration