/docs, /redoc, /openapi.json) and the token-exchange endpoint itself
(/auth/get_token). You obtain a token by exchanging a long-lived API secret
for a JSON Web Token (JWT) (valid for 365 days), then send that JWT as a
Authorization: Bearer <token> header on all other calls.
1
Get your API secret
An administrator in your organization creates the API secret from the
Synthpop UI, or your Synthpop contact provides one. Secrets are per
environment — see Environments below. Synthpop does not
store your secret after it is shown, so keep it somewhere safe. Generating a
new secret immediately invalidates the previous one.
2
Exchange it for a token
POST /auth/get_token with the secret in the request body. You get back a
bearer JWT (token) and your organization’s settings (org_settings).3
Call the API with the token
Send the token as
Authorization: Bearer <token> on every request. The
token is valid for 365 days (about a year); re-run the exchange when it
expires.The API secret format
An API secret is a single string with three colon-separated parts:Environments
Staging and production are separate systems with separate hosts and separate secrets. A secret issued for one environment will not work against the other.Requesting a token
Your full API secret in
provider:uid:secret form (for example
api-key:<uid>:<secret>). Send the entire string.Response
A200 returns the token and, when available, your organization’s settings.
The bearer JWT. Present it as
Authorization: Bearer <token> on every
authenticated request. Valid for 365 days (about a year).Settings for the organization the token belongs to.
Example response
org_settings tells you which asynchronous-delivery features are turned on
for your org. Callbacks and auto-read are opt-in per organization — if the
flags are false, retrieve results by polling instead. Contact Synthpop to
have a flag enabled.Using the token
Send the token on every subsequent request. Below, a call toGET /task/list confirms the token works.
Failure modes
The
api_secret is not a well-formed provider:uid:secret string. Confirm
you are sending the entire secret, colons included, with nothing added or
removed.The secret is well-formed but not accepted — it was revoked, superseded by a
newer secret, or belongs to a different environment than the host you called.
Regenerate the secret if needed and make sure it matches the target
environment.
Returned by other endpoints when the bearer token is missing, malformed, or
expired. Because the API is default-deny, every path outside the small
allowlist requires the header. Exchange your secret for a fresh token and
retry.
Next steps
Quickstart
Go from an API secret to your first task result.
Async results
Poll for results, or receive a callback when a task completes.
API reference
Every endpoint, request shape, and response field.
Versioning
How the
v1 in the base URL defines the contract.
