1. Guides
Synci API
  • Overview
  • Guides
    • Authentication
    • Building OAuth apps
    • Webhooks
    • Pagination, filtering, and sorting
    • Errors
    • Rate limits
    • MCP: Connect AI assistants
  • API Reference
    • Finance
      • Connections
        • List all financial connections
        • Create a new financial connection
        • Get financial connection
        • Delete financial connection
        • Disable financial connection
        • Reconfirm the consent of a financial connection
      • Accounts
        • List all financial accounts
        • Get financial account
        • Update financial account
        • Delete financial account
        • Sync financial account data
        • Reset financial account config to defaults
        • List all account balance entries
        • Get account balance entry
        • List account holdings
        • Get account holding
      • Transactions
        • List all transactions
        • Create a new transaction
        • Get transaction
        • Update transaction
        • Delete transaction
        • Bulk delete transactions
      • Institutions
        • Get supported countries
        • List all supported institutions
        • Get supported institution
    • Destinations
      • YNAB Connections
        • YNAB Budgets
          • YNAB Budget Accounts
            • List all YNAB budget accounts
            • Get YNAB budget account
            • Delete YNAB budget account
          • List all YNAB budgets
          • Get YNAB budget
          • Delete YNAB budget
          • Update YNAB budget
        • List all YNAB connections
        • Create new YNAB connection
        • Get YNAB connection
        • Delete YNAB connection
        • Update YNAB connection
        • Refresh YNAB connection
      • Lunch Money Connections
        • Lunch Money Accounts
          • List all Lunch Money accounts
          • Get Lunch Money account
          • Delete Lunch Money account
        • List all Lunch Money connections
        • Create new Lunch Money connection
        • Get Lunch Money connection
        • Delete Lunch Money connection
        • Update Lunch Money connection
        • Refresh Lunch Money connection
      • Google Sheets Connections
        • Sheets
          • List destination spreadsheets for a connection
          • Register a destination spreadsheet
          • Get a destination spreadsheet
          • Update a destination spreadsheet
          • Delete a destination spreadsheet
          • List the worksheets (tabs) of a spreadsheet
          • Create a new worksheet (tab) in a spreadsheet
        • List all Google Sheets connections
        • Create new Google Sheets connection
        • Get Google Sheets connection
        • Delete Google Sheets connection
        • Update Google Sheets connection
        • Refresh Google Sheets connection
    • Transfer Links
      • List all transfer links
      • Create a new transfer link
      • Get transfer link
      • Update transfer link
      • Delete transfer link
      • Retry transfers for all transfer links
      • Retry transfers for a specific transfer link
    • Transfer Logs
      • List all transfer logs
      • Get transfer log
      • Undo a transfer
      • Undo multiple transfers
    • Rules
      • Create a new rule
      • List all rules
      • Get rule
      • Update rule
      • Delete rule
      • Attach rule to transfer link
      • Detach rule from transfer link
      • Reorder rules for a transfer link
      • Attach rule to a financial account
      • Detach rule from financial account
      • Reorder rules for a financial account
      • Preview a rule against transactions (dry-run)
    • Rule Logs
      • List all rule logs
      • Get rule log
      • Undo multiple rule actions
      • Undo a rule action
    • Webhooks
      • List all webhook events
      • List all webhook endpoints
      • Create new webhook endpoint
      • Get webhook endpoint
      • Update webhook endpoint
      • Delete webhook endpoint
      • Test webhook endpoint
      • Rotate webhook secret
  • ActualBudgetConnections
    • List all Actual Budget connections
      GET
    • Create new Actual Budget connection
      POST
    • Get Actual Budget connection
      GET
    • Update Actual Budget connection
      PUT
    • Delete Actual Budget connection
      DELETE
    • Regenerate setup token
      POST
    • Revoke access credentials
      POST
    • List accounts linked in Actual
      GET
  • Schemas
    • AccountHoldingResource
    • ActualBudgetAccountResource
    • ActualBudgetConnectionResource
    • BalanceTypeEnum
    • BulkDeleteTransactionsRequest
    • BulkUndoRuleLogsRequest
    • BulkUndoTransferLogsRequest
    • CreateFinancialConnectionRequest
    • CreateGoogleSheetTabRequest
    • CreateGoogleSheetsConnectionRequest
    • CreateLunchMoneyConnectionRequest
    • CreateRuleRequest
    • CreateTransactionRequest
    • CreateTransferLinkRequest
    • CreateWebhookEndpointRequest
    • CreateYnabConnectionRequest
    • DestinationTypeEnum
    • EnrichmentProviderEnum
    • FinancialAccount
    • FinancialAccountBalanceResource
    • FinancialAccountResource
    • FinancialConnectionResource
    • GoogleSheetResource
    • GoogleSheetsConnectionResource
    • HealthResource
    • HealthStatusEnum
    • InstitutionConfigMappedDateEnum
    • InstitutionConfigMappedTextEnum
    • InstitutionConfigResource
    • InstitutionResource
    • IntegratorEnum
    • LunchMoneyAccountResource
    • LunchMoneyConnectionResource
    • PreviewRuleRequest
    • ReauthorizeFinancialConnectionRequest
    • RetryTransfersAllLinksRequest
    • RetryTransfersRequest
    • RuleActionResource
    • RuleActionTypeEnum
    • RuleConditionResource
    • RuleLogResource
    • RuleOperatorEnum
    • RuleResource
    • RuleTypeEnum
    • StoreActualBudgetConnectionRequest
    • StoreGoogleSheetRequest
    • SyncFinancialAccountRequest
    • TestWebhookRequest
    • TransactionResource
    • TransactionTypeEnum
    • TransferLink
    • TransferLinkResource
    • TransferLinkSyncModeEnum
    • TransferLogResource
    • TransferLogStatusEnum
    • UpdateActualBudgetConnectionRequest
    • UpdateFinancialAccountRequest
    • UpdateGoogleSheetRequest
    • UpdateGoogleSheetsConnectionRequest
    • UpdateLunchMoneyConnectionRequest
    • UpdateRuleRequest
    • UpdateTransactionRequest
    • UpdateTransferLinkRequest
    • UpdateWebhookEndpointRequest
    • UpdateYnabBudgetRequest
    • UpdateYnabConnectionRequest
    • WebhookEndpointPayloadVersion
    • WebhookEndpointResource
    • WebhookEventResource
    • WebhookEventTypeEnum
    • WebhookTypeEnum
    • YnabBudgetAccountResource
    • YnabBudgetAccountTypeEnum
    • YnabBudgetResource
    • YnabConnectionResource
  1. Guides

Authentication

Every API request is authenticated with a Bearer token in the Authorization header:
GET /api/v1/finance/accounts HTTP/1.1
Host: api.synci.io
Authorization: Bearer YOUR_ACCESS_TOKEN
Accept: application/json
There are two kinds of tokens:
Personal access tokens: for your own scripts and server-to-server calls against your own Synci account. No OAuth flow needed.
OAuth access tokens: for apps that other Synci users authorize. Obtained through the OAuth 2.0 authorization code flow with PKCE. See Building OAuth apps.
Both token types are sent the same way and are subject to the same scope checks.

Personal access tokens#

Create a token in the Synci dashboard under Developers → Tokens:
1.
Click New token and give it a descriptive name (for example, "Reporting script").
2.
Optionally restrict the token to specific scopes (see the table below) and specific bank accounts. A token with no scope restriction has full access to your account.
3.
Copy the token immediately. For security it is displayed only once; if you lose it, delete the token and create a new one.
Personal access tokens are valid for 1 year. You can revoke a token at any time from the same page.
Migrating a legacy token? Tokens issued in the older {id}|{secret} format keep working for a limited deprecation window but are being retired. Regenerate the token in Developers → Tokens and update your integration.

OAuth access tokens#

If you are building something other Synci users will connect to, register an OAuth app under Developers → Apps. Users approve your app on a consent screen, choose which accounts to share, and your app receives:
An access token, valid for 1 hour.
A refresh token, valid for 30 days, which rotates on every use.
The full flow, including PKCE, token exchange, and refresh, is covered in Building OAuth apps.

Scopes#

Scopes control what a token may do. Personal access tokens can optionally be restricted to a set of scopes; OAuth apps must request them and the user must approve them.
ScopeGrants
profile:readName, email, and profile details
accounts:readView connected financial accounts and balances
accounts:writeUpdate, sync, and remove financial accounts, and change their settings
transactions:readView transactions
transactions:writeCreate, update, and delete transactions
sensitive:readFull account identifiers: IBANs, account and card numbers, and account holder names. Only meaningful together with accounts:read or transactions:read.
financial-connections:readView bank connections and their health
financial-connections:writeManage bank connections (reauthorize, disable, remove)
transfer-links:readView transfer links and transfer history
transfer-links:writeManage transfer links, retry and undo transfers
rules:readView rules and rule activity
rules:writeManage rules
webhooks:readView webhook endpoints
webhooks:writeManage webhook endpoints and rotate signing secrets
destinations:readView destination connections (YNAB, Lunch Money, Google Sheets)
destinations:writeManage destination connections
Request the least you need. Financial data is read-only by default: there are no write scopes for accounts or transactions.

Sensitive identifiers are redacted by default#

For third-party apps, sensitive identifiers (IBAN, BBAN, account and card numbers, account holder names) are always redacted unless the user granted sensitive:read. This is enforced server-side and cannot be switched off by the caller. sensitive:read on its own grants nothing; it un-redacts fields on data you can already see through accounts:read or transactions:read.

Account selection#

Some scopes are account-scoped. When a user authorizes an OAuth app with account-scoped permissions, they pick exactly which accounts the app may access. Personal access tokens can be restricted to specific accounts the same way when you create them.

How authorization failures look#

ResponseMeaning
401 UnauthorizedMissing, expired, or revoked token.
403 ForbiddenThe token is valid but lacks a scope this endpoint requires.
404 Not FoundThe resource exists but was not granted to this token (for example, an account the user did not select). Synci returns 404 rather than 403 here so tokens cannot probe for the existence of data they were not granted.
Modified at 2026-07-11 14:37:43
Previous
Overview
Next
Building OAuth apps
Built with