API reference
Every endpoint AxisSynapse exposes for tenant integration. Every entry below has copy-paste curl, parameter docs, and a link to the playground.
Total: 25 endpoints across 9 groups.
Discovery
GET /api/developers/openapi.json (Public — no auth)
OpenAPI 3.1 specification
Machine-readable spec covering every endpoint in this registry. Download once and feed to your code generator (oapi-codegen, openapi-typescript, etc.) — re-pull when the X-AxisSynapse-Spec-Version response header changes.
curl https://app.axissynapse.com/api/developers/openapi.json > axissynapse.openapi.json

GET /api/developers/events.json (Public — no auth)
Webhook event catalog
Every event type your tenant can subscribe a webhook to, with example payloads. Generated from the live audit-code constants — never out of date.
curl https://app.axissynapse.com/api/developers/events.json | jq '.events[].type'

Sessions
GET /api/me/sessions (Session cookie)
List my active sessions
Returns every UserSession row for the calling user, with device label + IP prefix + location, plus a `current` flag on the row matching the request's session cookie.
curl -X GET https://app.axissynapse.com/api/me/sessions \
  -H "Cookie: $YOUR_SESSION_COOKIE"

DELETE /api/me/sessions/{id} (Session cookie)
Revoke a session
Soft-deletes a UserSession row. Self-revoking the current session returns `signOut: true` — the client should immediately bounce to /auth/login.
| id | path | required | UserSession.id |
curl -X DELETE https://app.axissynapse.com/api/me/sessions/sess_xxx \
  -H "Cookie: $YOUR_SESSION_COOKIE"

POST /api/me/sessions/heartbeat (Session cookie)
Mirror + touch the current session
Heartbeat endpoint called by the dashboard layout every ~5 minutes. Refreshes the as_sid cookie, persists device + geo info, returns 401 SESSION_REVOKED if the admin has revoked the row.
curl -X POST https://app.axissynapse.com/api/me/sessions/heartbeat \
  -H "Cookie: $YOUR_SESSION_COOKIE"

Step-Up Authentication
POST /api/auth/step-up/challenge-options (Session cookie)
Begin a step-up ceremony
Issues a WebAuthn AuthnRequest challenge for the given purpose. Returns the factors the viewer can use (WebAuthn-only when the purpose requires phishing-resistant).
curl -X POST https://app.axissynapse.com/api/auth/step-up/challenge-options \
  -H "Cookie: $YOUR_SESSION_COOKIE" \
  -H "Content-Type: application/json" \
  -d '{"purpose":"PAYROLL_TRANSMIT_ACH"}'

GET /api/auth/step-up/status (Session cookie)
Check whether a step-up token is still valid
Read-only inspection of the freshest unused step-up token for the (viewer, purpose). Drives UI button labels.
| purpose | query | required | Closed STEP_UP_PURPOSES enum value. |
curl -X GET "https://app.axissynapse.com/api/auth/step-up/status?purpose=PAYROLL_SEAL" \
  -H "Cookie: $YOUR_SESSION_COOKIE"

SAML 2.0 SSO
GET /api/saml/{providerId}/metadata (Public — no auth)
SP metadata XML
Returns the AxisSynapse SP metadata XML the IdP administrator pastes into their wizard (Okta, Entra, ADFS, Ping). entityID and ACS URL embedded.
| providerId | path | required | Tenant SAML provider id. |
curl https://app.axissynapse.com/api/saml/prov_xxx/metadata > axissynapse-sp-metadata.xml

GET /api/saml/{providerId}/login (Public — no auth)
Initiate SP-initiated sign-in
Builds an AuthnRequest, persists the InResponseTo state, and renders an auto-submitting form that POSTs the SAMLRequest to the IdP. Optional `relayState` param routes the user to a specific URL post-login.
| providerId | path | required | Provider id. |
| relayState | query | optional | Post-login redirect URL. |
curl -L "https://app.axissynapse.com/api/saml/prov_xxx/login?relayState=/dashboard"

SCIM 2.0 Provisioning
GET /api/scim/v2/ServiceProviderConfig (Public — no auth)
Capability discovery
RFC 7644 §4. Returns what we support: PATCH yes, filter yes (maxResults 200), bulk no, sort no, etag no. IdPs (Okta / Entra / JumpCloud) fetch this before provisioning.
curl https://app.axissynapse.com/api/scim/v2/ServiceProviderConfig

GET /api/scim/v2/Users (SCIM bearer)
List users (filtered)
RFC 7644 query language. Supports filter operators eq, ne, co, sw, ew, gt, ge, lt, le, pr with and/or/not + parens + dotted paths.
| filter | query | optional | SCIM filter e.g. `userName eq "alice@axis.com"`. |
| startIndex | query | optional | 1-based pagination cursor. |
| count | query | optional | Page size (default 100, max 200). |
curl -X GET "https://app.axissynapse.com/api/scim/v2/Users?filter=userName%20eq%20%22alice@axis.com%22" \
  -H "Authorization: Bearer $AXISSYNAPSE_SCIM_TOKEN" \
  -H "Accept: application/scim+json"

curl -X GET "https://app.axissynapse.com/api/scim/v2/Users?filter=active%20eq%20true&startIndex=1&count=100" \
  -H "Authorization: Bearer $AXISSYNAPSE_SCIM_TOKEN" \
  -H "Accept: application/scim+json"

POST /api/scim/v2/Users (SCIM bearer)
Create a user (provisioning push)
Idempotent: an existing (tenant, userName) returns 200 with the existing row instead of 409. New rows return 201.
curl -X POST https://app.axissynapse.com/api/scim/v2/Users \
  -H "Authorization: Bearer $AXISSYNAPSE_SCIM_TOKEN" \
  -H "Accept: application/scim+json" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "userName": "alice@axis.com",
    "name": {
      "givenName": "Alice",
      "familyName": "Adams"
    },
    "active": true,
    "emails": [
      {
        "value": "alice@axis.com",
        "primary": true,
        "type": "work"
      }
    ]
  }'

GET /api/scim/v2/Users/{id} (SCIM bearer)
Read a user by id
| id | path | required | TenantUser.id |
curl -X GET https://app.axissynapse.com/api/scim/v2/Users/u_xxx \
  -H "Authorization: Bearer $AXISSYNAPSE_SCIM_TOKEN" \
  -H "Accept: application/scim+json"

PUT /api/scim/v2/Users/{id} (SCIM bearer)
Replace a user (full update)
RFC 7644 §3.5.1. Whole-resource replace. Most IdPs prefer PATCH (next endpoint) because PUT requires sending the entire resource.
| id | path | required | User id. |
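
The List users endpoint above takes a SCIM filter plus 1-based startIndex/count paging. This added example (not AxisSynapse's own code) escapes filter values so a user-supplied string cannot add filter clauses, lets curl do the URL encoding, and pages until totalResults is reached. The function names are hypothetical, the attribute allowlist is deliberately narrower than what the API accepts, and totalResults/Resources are the RFC 7644 ListResponse fields.

```shell
# Added example: build SCIM filters safely and page through GET /Users.
BASE_URL="https://app.axissynapse.com/api/scim/v2"

# Accept only plain or dotted attribute paths (e.g. userName, name.givenName).
scim_attr_ok() {
  case "$1" in
    ''|*[!A-Za-z0-9_.]*|.*|*.|*..*) return 1 ;;
  esac
}

# Quote a value as a SCIM string literal: reject control characters,
# then escape backslash and double quote (JSON string rules).
scim_quote() {
  case "$1" in *[[:cntrl:]]*) return 1 ;; esac
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# scim_eq_filter ATTR VALUE -> ATTR eq "VALUE"
scim_eq_filter() {
  scim_attr_ok "$1" || { echo "bad attribute path: $1" >&2; return 1; }
  quoted=$(scim_quote "$2") || { echo "bad value" >&2; return 1; }
  printf '%s eq %s' "$1" "$quoted"
}

# next_start_index START RETURNED TOTAL -> next 1-based startIndex, or
# nothing when the listing is complete or the server returned an empty page.
next_start_index() {
  [ "$2" -gt 0 ] || return 0
  next=$(( $1 + $2 ))
  if [ "$next" -le "$3" ]; then echo "$next"; fi
}

# scim_list_users FILTER: print every matching user, one JSON object per line.
# Needs curl and jq; curl does the URL encoding via -G --data-urlencode.
scim_list_users() {
  start=1
  while [ -n "$start" ]; do
    page=$(curl -sS --fail -G "$BASE_URL/Users" \
      -H "Authorization: Bearer $AXISSYNAPSE_SCIM_TOKEN" \
      -H "Accept: application/scim+json" \
      --data-urlencode "filter=$1" \
      --data-urlencode "startIndex=$start" \
      --data-urlencode "count=100") || return 1
    printf '%s\n' "$page" | jq -c '.Resources[]?'
    got=$(printf '%s\n' "$page" | jq '.Resources | length')
    total=$(printf '%s\n' "$page" | jq '.totalResults')
    start=$(next_start_index "$start" "$got" "$total")
  done
}
```

Typical use: scim_list_users "$(scim_eq_filter userName "$LOOKUP_VALUE")", where LOOKUP_VALUE is whatever untrusted string the caller supplied.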
PATCH /api/scim/v2/Users/{id} (SCIM bearer)
Patch a user (partial update)
RFC 7644 §3.5.2 PatchOp. Supports add / replace / remove on top-level + dotted paths + filtered sub-paths (`emails[type eq "work"].value`).
| id | path | required | User id. |
curl -X PATCH https://app.axissynapse.com/api/scim/v2/Users/u_xxx \
  -H "Authorization: Bearer $AXISSYNAPSE_SCIM_TOKEN" \
  -H "Accept: application/scim+json" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": [
      "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
      {
        "op": "replace",
        "path": "active",
        "value": false
      }
    ]
  }'

curl -X PATCH https://app.axissynapse.com/api/scim/v2/Users/u_xxx \
  -H "Authorization: Bearer $AXISSYNAPSE_SCIM_TOKEN" \
  -H "Accept: application/scim+json" \
  -H "Content-Type: application/scim+json" \
  -d '{
    "schemas": [
      "urn:ietf:params:scim:api:messages:2.0:PatchOp"
    ],
    "Operations": [
      {
        "op": "replace",
        "path": "emails[type eq \"work\"].value",
        "value": "new@axis.com"
      }
    ]
  }'

Webhooks (Subscriptions)
GET /api/settings/webhooks (Session cookie)
List webhook subscriptions
Tenant-admin only. Returns all subscriptions WITHOUT the signing secret — secrets are only shown once at create time.
curl -X GET https://app.axissynapse.com/api/settings/webhooks \
  -H "Cookie: $YOUR_SESSION_COOKIE"

POST /api/settings/webhooks (Session cookie)
Create a webhook subscription
Response includes the raw `secret` ONCE (whsec_…). The DB stores only the hashed form; we can't surface it again. Filters are glob patterns (`ACCOUNT_STEPUP_*`, `*`).
curl -X POST https://app.axissynapse.com/api/settings/webhooks \
  -H "Cookie: $YOUR_SESSION_COOKIE" \
  -H "Content-Type: application/json" \
  -d '{"name":"Step-up audit feed","url":"https://your-app.example.com/hooks/axissynapse","eventFilters":["ACCOUNT_STEPUP_*"]}'

POST /api/settings/webhooks/{id}/test (Session cookie)
Send a synchronous test delivery
POSTs a signed `axissynapse.webhook.test` payload to the URL and returns the receiver's status + body + elapsed time. Doesn't enqueue a real WebhookDelivery row.
| id | path | required | Webhook subscription id. |
curl -X POST https://app.axissynapse.com/api/settings/webhooks/wh_xxx/test \
  -H "Cookie: $YOUR_SESSION_COOKIE"

GET /api/settings/webhooks/{id}/deliveries (Session cookie)
List recent deliveries
Up to 100 most-recent delivery attempts for the subscription. Useful for debugging 4xx/5xx receivers.
| id | path | required | Webhook subscription id. |
curl -X GET https://app.axissynapse.com/api/settings/webhooks/wh_xxx/deliveries \
  -H "Cookie: $YOUR_SESSION_COOKIE"

Network Policy
GET /api/settings/network-policy (Session cookie)
Read tenant network policy
Returns the policy mode + per-surface enforcement toggles + admin bypass.
curl -X GET https://app.axissynapse.com/api/settings/network-policy \
  -H "Cookie: $YOUR_SESSION_COOKIE"

POST /api/settings/network-policy/test (Session cookie)
Preview a decision for an IP
Pure 'what-if' tool — runs the policy evaluator without persisting anything.
curl -X POST https://app.axissynapse.com/api/settings/network-policy/test \
  -H "Cookie: $YOUR_SESSION_COOKIE" \
  -H "Content-Type: application/json" \
  -d '{"ip":"203.0.113.42","surface":"API"}'

Attestation Policy
GET /api/settings/attestation-policy (Session cookie)
Read WebAuthn attestation policy
Returns the policy + the curated AAGUID catalog (FIPS hardware / hardware / platform / synced).
curl -X GET https://app.axissynapse.com/api/settings/attestation-policy \
  -H "Cookie: $YOUR_SESSION_COOKIE"

POST /api/settings/attestation-policy/test (Session cookie)
Preview an AAGUID decision
Pure preview — pass an AAGUID + flags, get the decision without affecting policy.
curl -X POST https://app.axissynapse.com/api/settings/attestation-policy/test \
  -H "Cookie: $YOUR_SESSION_COOKIE" \
  -H "Content-Type: application/json" \
  -d '{"aaguid":"ee882879-721c-4913-9775-3dfcce97072a"}'

Audit Log
GET /api/settings/audit-log (Session cookie)
Query the audit ledger
Filter by actor, action (exact / comma-list / prefix*), resource type/id, date range, free-text. Cursor pagination. Tenant-admin only.
| userId | query | optional | Actor TenantUser.id. |
| action | query | optional | Action code or prefix* glob. |
| from | query | optional | ISO timestamp lower bound. |
| to | query | optional | ISO timestamp upper bound. |
| cursor | query | optional | Opaque cursor from a prior page. |
curl -X GET "https://app.axissynapse.com/api/settings/audit-log?action=ACCOUNT_STEPUP_*&from=2026-06-09T07:53:42.626Z" \
  -H "Cookie: $YOUR_SESSION_COOKIE"

GET /api/settings/audit-log/export (Session cookie)
Stream CSV / NDJSON export
RFC 4180 CSV or NDJSON. 50k-row hard cap. Same filter params as the query endpoint. Audited as ACCOUNT_AUDIT_LOG_EXPORTED.
| format | query | optional | csv (default) or ndjson |
curl -X GET "https://app.axissynapse.com/api/settings/audit-log/export?format=csv&action=ACCOUNT_STEPUP_*&from=2026-06-02T08:53:42.627Z" \
  -H "Cookie: $YOUR_SESSION_COOKIE" > stepup.csv
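
For the eventFilters glob patterns accepted by "Create a webhook subscription" above, this added example (not AxisSynapse code) previews which event types a filter set would send to the receiver and flags filters that match nothing in the catalog. It assumes `*` matches any run of characters and everything else is literal; the function names are hypothetical and the two ACCOUNT_STEPUP_* event names in the sample are constructed.

```shell
# Added example: preview which catalog event types a set of eventFilters matches.
# Assumption: '*' matches any run of characters; all other characters are literal.

# Constructed sample catalog; the two ACCOUNT_STEPUP_* names are hypothetical.
sample_types() {
  printf '%s\n' ACCOUNT_STEPUP_GRANTED ACCOUNT_STEPUP_DENIED \
    ACCOUNT_AUDIT_LOG_EXPORTED axissynapse.webhook.test
}

# Allow only letters, digits, '_', '.', '-' and '*', so shell-only glob
# syntax ('?', '[...]') is never evaluated as if the server supported it.
filter_ok() {
  case "$1" in
    ''|*[!A-Za-z0-9_.*-]*) return 1 ;;
  esac
}

# matched_types FILTER...: read event types on stdin, print each type that
# matches at least one filter (once). Returns 2 on an unsupported filter.
matched_types() {
  for f in "$@"; do
    filter_ok "$f" || { echo "unsupported filter: $f" >&2; return 2; }
  done
  while IFS= read -r type; do
    for f in "$@"; do
      case "$type" in
        $f) printf '%s\n' "$type"; break ;;
      esac
    done
  done
}

# dead_filters FILTER...: catalog on stdin; print filters that match no type.
# A typo in a filter otherwise shows up only as a receiver that stays silent.
dead_filters() {
  catalog=$(cat)
  for pat in "$@"; do
    [ -n "$(printf '%s\n' "$catalog" | matched_types "$pat")" ] || printf '%s\n' "$pat"
  done
}
```

Against the live catalog: `curl -s https://app.axissynapse.com/api/developers/events.json | jq -r '.events[].type' | matched_types 'ACCOUNT_STEPUP_*'`.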