Skip to main content
The Synthpop API is default-deny: every endpoint requires a valid bearer token, with the sole exceptions of the documentation endpoints (/docs, /redoc, /openapi.json) and the token-exchange endpoint itself (/auth/get_token). You obtain a token by exchanging a long-lived API secret for a JSON Web Token (JWT) (valid for 365 days), then send that JWT as a Authorization: Bearer <token> header on all other calls.
1

Get your API secret

An administrator in your organization creates the API secret from the Synthpop UI, or your Synthpop contact provides one. Secrets are per environment — see Environments below. Synthpop does not store your secret after it is shown, so keep it somewhere safe. Generating a new secret immediately invalidates the previous one.
2

Exchange it for a token

POST /auth/get_token with the secret in the request body. You get back a bearer JWT (token) and your organization’s settings (org_settings).
3

Call the API with the token

Send the token as Authorization: Bearer <token> on every request. The token is valid for 365 days (about a year); re-run the exchange when it expires.

The API secret format

An API secret is a single string with three colon-separated parts:
Some older material describes the secret as having an api-key: prefix. That is the same thing: api-key is just the provider segment, so a secret minted for API access looks like api-key:<uid>:<secret>. Always send the entire string — all three parts, colons included — exactly as it was issued to you. Do not trim, split, or add a prefix yourself.

Environments

Staging and production are separate systems with separate hosts and separate secrets. A secret issued for one environment will not work against the other.
Never send a production secret to the staging host (or vice versa). Because the two environments have distinct credentials, a mismatched secret is rejected as invalid — and you risk leaking a production secret onto a non-production system. Keep the environment’s base URL and its secret paired in your configuration.

Requesting a token

api_secret
string
required
Your full API secret in provider:uid:secret form (for example api-key:<uid>:<secret>). Send the entire string.

Response

A 200 returns the token and, when available, your organization’s settings.
token
string
required
The bearer JWT. Present it as Authorization: Bearer <token> on every authenticated request. Valid for 365 days (about a year).
org_settings
object
Settings for the organization the token belongs to.
Example response
org_settings tells you which asynchronous-delivery features are turned on for your org. Callbacks and auto-read are opt-in per organization — if the flags are false, retrieve results by polling instead. Contact Synthpop to have a flag enabled.

Using the token

Send the token on every subsequent request. Below, a call to GET /task/list confirms the token works.

Failure modes

400 — Malformed API secret
error
The api_secret is not a well-formed provider:uid:secret string. Confirm you are sending the entire secret, colons included, with nothing added or removed.
403 — Invalid or obsolete API secret
error
The secret is well-formed but not accepted — it was revoked, superseded by a newer secret, or belongs to a different environment than the host you called. Regenerate the secret if needed and make sure it matches the target environment.
401 — Unauthorized
error
Returned by other endpoints when the bearer token is missing, malformed, or expired. Because the API is default-deny, every path outside the small allowlist requires the header. Exchange your secret for a fresh token and retry.
For the full error model across endpoints, see Errors.

Next steps

Quickstart

Go from an API secret to your first task result.

Async results

Poll for results, or receive a callback when a task completes.

API reference

Every endpoint, request shape, and response field.

Versioning

How the v1 in the base URL defines the contract.