- -

The Admin API

Authenticate as a server admin

Many of the API calls in the admin api will require an access_token for a -server admin. (Note that a server admin is distinct from a room admin.)

A user can be marked as a server admin by updating the database directly, e.g.:

UPDATE users SET admin = 1 WHERE name = '@foo:bar.com';
-

A new server admin user can also be created using the register_new_matrix_user -command. This is a script that is located in the scripts/ directory, or possibly -already on your $PATH depending on how Synapse was installed.

Finding your user's access_token is client-dependent, but will usually be shown in the client's settings.

Making an Admin API request

Once you have your access_token, you will need to authenticate each request to an Admin API endpoint by -providing the token as either a query parameter or a request header. To add it as a request header in cURL:

curl --header "Authorization: Bearer <access_token>" <the_rest_of_your_API_request>
-

For more details on access tokens in Matrix, please refer to the complete -matrix spec documentation.

- -

Registration Tokens

This API allows you to manage tokens which can be used to authenticate -registration requests, as proposed in -MSC3231. -To use it, you will need to enable the registration_requires_token config -option, and authenticate by providing an access_token for a server admin: -see Admin API. -Note that this API is still experimental; not all clients may support it yet.

Registration token objects

Most endpoints make use of JSON objects that contain details about tokens. -These objects have the following fields:

token: The token which can be used to authenticate registration.
uses_allowed: The number of times the token can be used to complete a -registration before it becomes invalid.
pending: The number of pending uses the token has. When someone uses -the token to authenticate themselves, the pending counter is incremented -so that the token is not used more than the permitted number of times. -When the person completes registration the pending counter is decremented, -and the completed counter is incremented.
completed: The number of times the token has been used to successfully -complete a registration.
expiry_time: The latest time the token is valid. Given as the number of -milliseconds since 1970-01-01 00:00:00 UTC (the start of the Unix epoch). -To convert this into a human-readable form you can remove the milliseconds -and use the date command. For example, date -d '@1625394937'.

List all tokens

Lists all tokens and details about them. If the request is successful, the top -level JSON object will have a registration_tokens key which is an array of -registration token objects.

GET /_synapse/admin/v1/registration_tokens
-

Optional query parameters:

valid: true or false. If true, only valid tokens are returned. -If false, only tokens that have expired or have had all uses exhausted are -returned. If omitted, all tokens are returned regardless of validity.

Example:

GET /_synapse/admin/v1/registration_tokens
-

200 OK
-
-{
-    "registration_tokens": [
-        {
-            "token": "abcd",
-            "uses_allowed": 3,
-            "pending": 0,
-            "completed": 1,
-            "expiry_time": null
-        },
-        {
-            "token": "pqrs",
-            "uses_allowed": 2,
-            "pending": 1,
-            "completed": 1,
-            "expiry_time": null
-        },
-        {
-            "token": "wxyz",
-            "uses_allowed": null,
-            "pending": 0,
-            "completed": 9,
-            "expiry_time": 1625394937000    // 2021-07-04 10:35:37 UTC
-        }
-    ]
-}
-

Example using the valid query parameter:

GET /_synapse/admin/v1/registration_tokens?valid=false
-

200 OK
-
-{
-    "registration_tokens": [
-        {
-            "token": "pqrs",
-            "uses_allowed": 2,
-            "pending": 1,
-            "completed": 1,
-            "expiry_time": null
-        },
-        {
-            "token": "wxyz",
-            "uses_allowed": null,
-            "pending": 0,
-            "completed": 9,
-            "expiry_time": 1625394937000    // 2021-07-04 10:35:37 UTC
-        }
-    ]
-}
-

Get one token

Get details about a single token. If the request is successful, the response -body will be a registration token object.

GET /_synapse/admin/v1/registration_tokens/<token>
-

Path parameters:

token: The registration token to return details of.

Example:

GET /_synapse/admin/v1/registration_tokens/abcd
-

200 OK
-
-{
-    "token": "abcd",
-    "uses_allowed": 3,
-    "pending": 0,
-    "completed": 1,
-    "expiry_time": null
-}
-

Create token

Create a new registration token. If the request is successful, the newly created -token will be returned as a registration token object in the response body.

POST /_synapse/admin/v1/registration_tokens/new
-

The request body must be a JSON object and can contain the following fields:

token: The registration token. A string of no more than 64 characters that -consists only of characters matched by the regex [A-Za-z0-9-_]. -Default: randomly generated.
uses_allowed: The integer number of times the token can be used to complete -a registration before it becomes invalid. -Default: null (unlimited uses).
expiry_time: The latest time the token is valid. Given as the number of -milliseconds since 1970-01-01 00:00:00 UTC (the start of the Unix epoch). -You could use, for example, date '+%s000' -d 'tomorrow'. -Default: null (token does not expire).
length: The length of the token randomly generated if token is not -specified. Must be between 1 and 64 inclusive. Default: 16.

If a field is omitted the default is used.

Example using defaults:

POST /_synapse/admin/v1/registration_tokens/new
-
-{}
-

200 OK
-
-{
-    "token": "0M-9jbkf2t_Tgiw1",
-    "uses_allowed": null,
-    "pending": 0,
-    "completed": 0,
-    "expiry_time": null
-}
-

Example specifying some fields:

POST /_synapse/admin/v1/registration_tokens/new
-
-{
-    "token": "defg",
-    "uses_allowed": 1
-}
-

200 OK
-
-{
-    "token": "defg",
-    "uses_allowed": 1,
-    "pending": 0,
-    "completed": 0,
-    "expiry_time": null
-}
-

Update token

Update the number of allowed uses or expiry time of a token. If the request is -successful, the updated token will be returned as a registration token object -in the response body.

PUT /_synapse/admin/v1/registration_tokens/<token>
-

Path parameters:

token: The registration token to update.

The request body must be a JSON object and can contain the following fields:

uses_allowed: The integer number of times the token can be used to complete -a registration before it becomes invalid. By setting uses_allowed to 0 -the token can be easily made invalid without deleting it. -If null the token will have an unlimited number of uses.
expiry_time: The latest time the token is valid. Given as the number of -milliseconds since 1970-01-01 00:00:00 UTC (the start of the Unix epoch). -If null the token will not expire.

If a field is omitted its value is not modified.

Example:

PUT /_synapse/admin/v1/registration_tokens/defg
-
-{
-    "expiry_time": 4781243146000    // 2121-07-06 11:05:46 UTC
-}
-

200 OK
-
-{
-    "token": "defg",
-    "uses_allowed": 1,
-    "pending": 0,
-    "completed": 0,
-    "expiry_time": 4781243146000
-}
-

Delete token

Delete a registration token. If the request is successful, the response body -will be an empty JSON object.

DELETE /_synapse/admin/v1/registration_tokens/<token>
-

Path parameters:

token: The registration token to delete.

Example:

DELETE /_synapse/admin/v1/registration_tokens/wxyz
-

200 OK
-
-{}
-

Errors

If a request fails a "standard error response" will be returned as defined in -the Matrix Client-Server API specification.

For example, if the token specified in a path parameter does not exist a -404 Not Found error will be returned.

GET /_synapse/admin/v1/registration_tokens/1234
-

404 Not Found
-
-{
-    "errcode": "M_NOT_FOUND",
-    "error": "No such registration token: 1234"
-}
-

- -