API Reference
Complete reference for the Synth server REST API. The server runs on
port 9410 by default. All request and response bodies
use JSON (Content-Type: application/json).
Authentication: All endpoints except GET /health
and GET /api/auth/status require a valid JWT token. Pass it via
the Authorization: Bearer <token> header. Obtain a token
from the POST /api/auth/login endpoint, or create a scoped API
key via POST /api/auth/api-keys.
Health & System
| Method | Path | Auth | Description |
|---|
GET | /health | None | Health check — returns server status, uptime, and component checks |
GET | /api/health/llm | Token | LLM connectivity status and model info |
POST | /api/health/llm/verify-task | Token | Run a verification task against the LLM to confirm end-to-end connectivity |
GET | /api/system/state | Token | System state overview — entity counts, active deployments, agent status |
# Basic health check (no auth required)
curl http://localhost:9410/health
# LLM connectivity status
curl http://localhost:9410/api/health/llm \
-H "Authorization: Bearer eyJhbG..."
Authentication
Synth uses JWT-based authentication. Access tokens are short-lived; refresh
tokens allow obtaining new access tokens without re-authenticating. The JWT
signing secret is configured via the SYNTH_JWT_SECRET environment
variable.
| Method | Path | Auth | Description |
|---|
GET | /api/auth/status | None | Auth configuration status — whether auth is enabled, available providers |
POST | /api/auth/register | None | Register a new user account |
POST | /api/auth/login | None | Authenticate and receive JWT access + refresh tokens |
POST | /api/auth/refresh | Refresh token | Exchange a refresh token for a new access token |
POST | /api/auth/logout | Token | Invalidate tokens and end the session |
GET | /api/auth/me | Token | Current user profile |
PUT | /api/auth/me | Token | Update current user profile |
POST | /api/auth/me/password | Token | Change current user's password |
GET | /api/auth/sessions | Token | List active sessions for the current user |
DELETE | /api/auth/sessions/:id | Token | Revoke a specific session |
DELETE | /api/auth/sessions | Token | Revoke all sessions (force re-login everywhere) |
GET | /api/auth/providers | None | List available authentication providers (for IdP integration) |
Login Example
curl -X POST http://localhost:9410/api/auth/login \
-H "Content-Type: application/json" \
-d '{
"username": "admin",
"password": "your-password"
}'
# Response:
# {
# "accessToken": "eyJhbG...",
# "refreshToken": "eyJhbG...",
# "user": { "id": "...", "username": "admin", "role": "admin" }
# }
API Keys
API keys provide long-lived, scoped authentication for CI/CD pipelines and
programmatic access. Each key has a specific set of permissions, limiting
what it can do.
| Method | Path | Auth | Description |
|---|
GET | /api/auth/api-keys | Token | List all API keys for the current user |
POST | /api/auth/api-keys | Token | Create an API key with scoped permissions |
DELETE | /api/auth/api-keys/:id | Token | Delete an API key |
POST | /api/auth/api-keys/:id/regenerate | Token | Regenerate an API key (invalidates the previous value) |
Creating a Scoped API Key
# Create a scoped API key
curl -X POST http://localhost:9410/api/auth/api-keys \
-H "Content-Type: application/json" \
-H "Authorization: Bearer eyJhbG..." \
-d '{
"name": "ci-pipeline",
"permissions": ["deployment.create", "deployment.view", "artifact.create"]
}'
# Use the API key
curl http://localhost:9410/api/operations \
-H "Authorization: Bearer synth_key_..."
Artifacts
| Method | Path | Permission | Description |
|---|
GET | /api/artifacts | artifact.view | List artifacts — deployment-ready packages, images, or bundles |
POST | /api/artifacts | artifact.create | Register a new artifact |
Operations
| Method | Path | Permission | Description |
|---|
POST | /api/operations | deployment.create | Create and dispatch a new operation (deploy, maintain, query, investigate, trigger) |
GET | /api/operations | deployment.view | List operations — supports filtering by status, type, partition, environment |
GET | /api/debrief | deployment.view | Query debrief entries — the decision log for agent actions |
Create an Operation
curl -X POST http://localhost:9410/api/operations \
-H "Content-Type: application/json" \
-H "Authorization: Bearer eyJhbG..." \
-d '{
"artifactId": "art_abc123",
"envoyId": "envoy-prod-01",
"environmentId": "env_production",
"partitionId": "part_main",
"variables": {
"APP_VERSION": "2.4.1",
"REPLICAS": "3"
}
}'
List Operations
# List all operations
curl http://localhost:9410/api/operations \
-H "Authorization: Bearer eyJhbG..."
# Filter by status
curl "http://localhost:9410/api/operations?status=running" \
-H "Authorization: Bearer eyJhbG..."
# Filter by partition
curl "http://localhost:9410/api/operations?partitionId=part_main" \
-H "Authorization: Bearer eyJhbG..."
Partitions
Partitions are optional logical groupings with scoped variables and
constraints. Deployments work with or without partition context.
| Method | Path | Permission | Description |
|---|
GET | /api/partitions | partition.view | List all partitions |
POST | /api/partitions | partition.create | Create a new partition |
Environments
| Method | Path | Permission | Description |
|---|
GET | /api/environments | environment.view | List environments (staging, production, etc.) |
POST | /api/environments | environment.create | Create a new environment |
Envoys
Envoys are lightweight deployment agents running on target machines. The
server manages envoy registration, health monitoring, and token rotation.
| Method | Path | Permission | Description |
|---|
GET | /api/envoys | envoy.view | List all registered envoys |
POST | /api/envoys | envoy.register | Register a new envoy |
GET | /api/envoys/:id/health | envoy.view | Get health status for a specific envoy |
PUT | /api/envoys/:id | envoy.configure | Update envoy configuration |
DELETE | /api/envoys/:id | envoy.configure | Unregister and remove an envoy |
POST | /api/envoys/:id/rotate-token | envoy.configure | Rotate the envoy's authentication token |
GET | /api/envoys/:id/knowledge | envoy.view | Retrieve the envoy's knowledge store (cached environment data) |
POST | /api/envoys/validate-token | Token | Validate an envoy authentication token |
Agent (Intelligence)
The agent is Synth's reasoning core. It generates deployment plans
and produces pre-flight analyses. These endpoints require a configured
LLM connection
(SYNTH_LLM_API_KEY).
| Method | Path | Auth | Description |
|---|
GET | /api/agent/context | Token | Agent context summary — current state the agent is reasoning about |
POST | /api/agent/pre-flight | Token | Generate a pre-flight analysis for a planned deployment |
POST | /api/agent/pre-flight/response | Token | Submit a user response to pre-flight questions or confirmations |
Settings
| Method | Path | Permission | Description |
|---|
GET | /api/settings | settings.manage | Get current application settings |
PUT | /api/settings | settings.manage | Update application settings (partial updates supported) |
GET | /api/settings/command-info | Token | Server version, build info, and runtime metadata |
Users & Roles
| Method | Path | Permission | Description |
|---|
GET | /api/users | users.manage | List all users |
POST | /api/users | users.manage | Create a new user |
GET | /api/roles | users.manage | List all roles and their permissions |
POST | /api/roles | roles.manage | Create a new role with specific permissions |
Telemetry
| Method | Path | Permission | Description |
|---|
GET | /api/telemetry | settings.manage | Query telemetry events — deployment metrics, agent usage, system performance |
Fleet Deployment
Fleet endpoints coordinate deployments across multiple envoys simultaneously.
| Method | Path | Auth | Description |
|---|
POST | /api/fleet/deploy | Token | Trigger a fleet-wide deployment to multiple envoys |
GET | /api/fleet/deployments | Token | List fleet deployments and their per-envoy status |
Deployment Graphs
Deployment graphs define multi-step, dependency-aware deployment workflows
as directed acyclic graphs.
| Method | Path | Auth | Description |
|---|
POST | /api/graphs | Token | Create a new deployment graph |
GET | /api/graphs | Token | List all deployment graphs |
GET | /api/graphs/:id | Token | Get full graph detail including nodes and edges |
PUT | /api/graphs/:id | Token | Update a deployment graph |
DELETE | /api/graphs/:id | Token | Delete a deployment graph |
Intake (CI/CD Webhooks)
Intake channels receive webhooks from CI/CD systems to automatically trigger
deployments when builds complete.
| Method | Path | Auth | Description |
|---|
GET | /api/intake/channels | Token | List configured intake channels |
POST | /api/intake/channels | Token | Create a new intake channel (returns a webhook URL) |
Each intake channel provides a webhook URL specific to the CI/CD provider.
Supported providers: GitHub Actions,
GitLab CI, Azure DevOps,
Jenkins, and CircleCI.
MCP Server
Synth exposes a Model Context Protocol
server, making deployment operations available as tools for any MCP-compatible
AI client.
| Method | Path | Auth | Description |
|---|
POST | /mcp | Token | MCP JSON-RPC endpoint — send tool calls and receive results |
GET | /mcp | Token | MCP Server-Sent Events endpoint — streaming responses |
DELETE | /mcp | Token | Close an active MCP session |
MCP sessions have a configurable TTL (default: 1 hour, set via
SYNTH_MCP_SESSION_TTL_MS). Idle sessions are cleaned up
automatically.
Permissions Reference
Permissions are assigned to roles, and roles are assigned to users. API keys
can be scoped to a subset of the creating user's permissions.
| Permission | Grants access to |
|---|
artifact.view | List and read artifacts |
artifact.create | Register new artifacts |
deployment.view | List deployments and query debriefs |
deployment.create | Create and dispatch deployments |
partition.view | List partitions |
partition.create | Create partitions |
environment.view | List environments |
environment.create | Create environments |
envoy.view | List envoys and view health/knowledge |
envoy.register | Register new envoys |
envoy.configure | Update, remove, and rotate envoy tokens |
settings.manage | Read and update application settings, query telemetry |
users.manage | List and create users, list roles |
roles.manage | Create and modify roles |
Error Responses
All error responses follow a consistent format:
{
"error": "Short error code",
"message": "Human-readable description of what went wrong"
}
| Status | Meaning |
|---|
400 | Bad request — invalid or missing parameters |
401 | Unauthorized — missing or invalid token |
403 | Forbidden — valid token but insufficient permissions |
404 | Not found — entity does not exist |
409 | Conflict — entity already exists or state conflict |
429 | Rate limited — too many requests (see SYNTH_RATE_LIMIT_MAX) |
500 | Internal server error — check server logs |
Rate Limiting
The server enforces per-IP rate limiting. Defaults: 100 requests
per 60-second window. Configure via environment variables:
SYNTH_RATE_LIMIT_MAX — maximum requests per window (default: 100)SYNTH_RATE_LIMIT_WINDOW_MS — window duration in milliseconds (default: 60000)
When rate limited, the server returns 429 Too Many Requests
with a Retry-After header.