SynergyFlow Pro / API Docs
v1.0

API Documentation

Everything you need to integrate with the SynergyFlow Pro API using OAuth2.

Base URL

All API requests should be made to:

https://testapp2.glances.com

Authentication

SynergyFlow Pro uses OAuth 2.0 Authorization Code flow to authenticate API requests. All API endpoints require a valid Bearer token.

1 Register an OAuth Client

Before you can authenticate users, you need an OAuth client. Log in to create one from your dashboard.

You'll receive a client_id and client_secret. Keep the secret safe—treat it like a password.

2 Redirect User to Authorize

Redirect the user's browser to the authorization endpoint. They will be shown a consent screen and asked to approve your application.

GET https://testapp2.glances.com/oauth/authorize

Query Parameters

Parameter      Required     Description
client_id      Required     Your OAuth client ID
redirect_uri   Required     URL to redirect back to after authorization. Must match the URI registered with your client.
response_type  Required     Must be code
scope          Optional     Space-separated list of scopes. Defaults to user:read
state          Recommended  A random string to protect against CSRF attacks. Verify it matches when the user is redirected back.

Example

https://testapp2.glances.com/oauth/authorize?client_id=YOUR_CLIENT_ID&redirect_uri=http://localhost:3000/callback&response_type=code&scope=user:read&state=RANDOM_STATE_STRING

After the user approves, they'll be redirected to your redirect_uri with a code parameter:

http://localhost:3000/callback?code=AUTHORIZATION_CODE&state=RANDOM_STATE_STRING

3 Exchange Code for Access Token

Make a server-side POST request to exchange the authorization code for an access token.

POST https://testapp2.glances.com/oauth/token

Request Body (application/x-www-form-urlencoded or JSON)

Parameter Value
grant_type authorization_code
client_id Your client ID
client_secret Your client secret
redirect_uri Same redirect URI used in step 2
code The authorization code from step 2

Example (cURL)

curl -X POST https://testapp2.glances.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "redirect_uri": "http://localhost:3000/callback",
    "code": "AUTHORIZATION_CODE"
  }'

Response

{
  "token_type": "Bearer",
  "expires_in": 1296000,
  "access_token": "eyJ0eXAiOiJKV1Qi...",
  "refresh_token": "def50200a1b2c3d4..."
}

Access tokens expire after 15 days. Store the refresh token securely to obtain new access tokens.

4 Refresh an Access Token

When an access token expires, use the refresh token to get a new one without requiring the user to re-authorize.

POST https://testapp2.glances.com/oauth/token

Request Body

Parameter Value
grant_type refresh_token
client_id Your client ID
client_secret Your client secret
refresh_token The refresh token from the previous token response

Example (cURL)

curl -X POST https://testapp2.glances.com/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "refresh_token": "YOUR_REFRESH_TOKEN"
  }'

Refresh tokens expire after 30 days. After that, the user must re-authorize your application.

Making Authenticated Requests

Include the access token in the Authorization header of every API request:

curl https://testapp2.glances.com/api/user \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Accept: application/json"

Scopes

Scopes let you specify exactly what type of access your application needs. Request only the scopes you need.

Scope      Description                             Default
user:read  Read profile information (name, email)  Yes

If no scope is specified during authorization, user:read is granted by default.

API Endpoints

GET /api/user

Returns the authenticated user's profile information. Requires a valid access token with the user:read scope.

Headers

Authorization: Bearer YOUR_ACCESS_TOKEN
Accept: application/json

Example Request

curl https://testapp2.glances.com/api/user \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Accept: application/json"

Response 200 OK

{
  "id": 1,
  "name": "Test User",
  "email": "test@example.com",
  "email_verified_at": "2025-01-15T12:00:00.000000Z",
  "created_at": "2025-01-01T00:00:00.000000Z",
  "updated_at": "2025-01-15T12:00:00.000000Z"
}

Response Fields

Field              Type         Description
id                 integer      Unique user identifier
name               string       User's display name
email              string       User's email address
email_verified_at  string|null  ISO 8601 timestamp of email verification, or null
created_at         string       ISO 8601 timestamp of account creation
updated_at         string       ISO 8601 timestamp of last profile update

Error Handling

The API returns standard HTTP status codes. Errors include a JSON body with details.

Status Meaning
200 Success
401 Unauthorized — missing or invalid access token
403 Forbidden — token lacks required scope
404 Not Found — endpoint does not exist
429 Too Many Requests — rate limit exceeded
500 Internal Server Error

Example Error Response

{
  "message": "Unauthenticated."
}

Rate Limits

API requests are rate limited to protect service stability. The default limit is 60 requests per minute per access token. Rate limit information is included in response headers:

Header Description
X-RateLimit-Limit Maximum requests allowed per window
X-RateLimit-Remaining Requests remaining in current window
Retry-After Seconds to wait before retrying (only on 429 responses)
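A client-side policy for the status codes and rate-limit headers listed above, as an added Python example that is not part of the SynergyFlow Pro documentation. The `send` and `refresh` callables are hypothetical stand-ins for your HTTP call and the step 4 refresh request, so the policy can be exercised without network access; the backoff and ceiling values are assumptions.

```python
import time

class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status

def retry_after_seconds(headers, default=60, ceiling=300):
    """Parse Retry-After defensively: never sleep 0 s, never sleep unbounded."""
    raw = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
    try:
        seconds = int(raw.strip())
    except ValueError:
        return default  # assumed fallback: one full 60-second window
    return max(1, min(seconds, ceiling))

def call_api(send, refresh, access_token, max_attempts=4, sleep=time.sleep):
    """send(token) -> (status, headers, body); refresh() -> new access token."""
    refreshed = False
    for attempt in range(max_attempts):
        status, headers, body = send(access_token)
        if status == 200:
            return body
        if status == 401 and not refreshed:
            # Expired or invalid token: refresh once, then retry with the new one.
            access_token = refresh()
            refreshed = True
            continue
        if status == 429:
            sleep(retry_after_seconds(headers))
            continue
        if status == 500:
            sleep(min(2 ** attempt, 30))  # assumed exponential backoff
            continue
        # 403 (missing scope), 404 and a second 401 are not fixed by retrying.
        message = body.get("message", "") if isinstance(body, dict) else ""
        raise ApiError(status, message)
    raise ApiError(status, f"gave up after {max_attempts} attempts")
```

A 403 is raised immediately because a refreshed token carries the same scopes; the user has to re-authorize with the scope the endpoint requires.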