Introduction to API Authorization

JSON Web Tokens

Synerise uses JSON Web Token (JWT) as the authorization method in most of the API endpoints (some may require only the API key or no authorization at all).

The token is generated by one of the /auth/login/ endpoints depending on the Consumer Type, as described further in this article.

You need to include the received token in the Authorization header of your requests, with a Bearer prefix.

See this simplified example of a call:

curl -X GET https://{SYNERISE_API_BASE_PATH}/v4/clients \
-H 'Accept: application/json' \
-H 'Api-Version: 4.4' \
-H 'Authorization: Bearer eyJhbGciOiJSzZXIiL...UFBQUFBSXVPQlFBcHUwd05BZ0FBQUE9PSIsIm5tZSI' \
-H 'Content-Type: application/json'
Tip: Remember to include a space between Bearer and the token.

If you are unauthorized or are using an invalid/expired token, the API returns HTTP 401 Unauthorized or HTTP 403 Forbidden.

Token format

Our JWT use the RS512 hashing algorithm and their payload contains:

  • customer/user/profile identification.
  • the origin of the token (Synerise, Facebook, Oauth, Apple).
  • expiration time of the token.
  • user tokens only: information about the currently selected workspace and user permissions.

Token lifetime

By default, the token is valid for one hour. You can request a refreshed token for the session by using the /auth/refresh endpoint before the current token expires.

You can also verify your JWT signature by using the public key:

API consumer types

Synerise defines different types of API consumers that can receive their own authorization tokens. Each method within our API Reference indicates which types of API Consumers can use them.


This is the end user of your website or application - the one who browses pages, purchases items, and so on. In our APIs, the customer is usually called a “client” in endpoint URLs and JSON entity names. The Customer can register and maintain their own account with following methods:

  • Synerise RaaS
  • Facebook authentication
  • OAuth-based authorization
  • Sign in with Apple

They can also perform other customer actions, such as redeeming vouchers.

Note: The customer can access and modify only their own data.


The workspace is assigned to a particular company as explained in these articles.

This consumer can use methods that, for example, create Customer accounts, record Customer actions, or manage promotions. When working with the API, you will usually authorize as the workspace.


This is the user who logs in to the Synerise Application.

A User is an actual person who performs actions in the Synerise Application interface, but many of those actions can be automated using the API.
Users have access to Workspaces and different levels of permissions within those profiles.

Access control

Access permissions

Each endpoint requires a permission to access it. These permissions can be defined granularly for users, roles, or API keys, so you have strict control over access to each endpoint. You can also assign groups of permissions.

To find which permission is needed for an endpoint, read the endpoint’s description in the API Reference.

For more information on managing permissions, read this article.

IP allowlisting

You can limit access to Synerise to certain IP addresses. For more information, see IP access control.


We are sorry to hear that

Thank you for helping improve out documentation. If you need help or have any questions, please consider contacting support.



Thank you for helping improve out documentation. If you need help or have any questions, please consider contacting support.

Close modal icon Placeholder alt for modal to satisfy link checker