Back to Home

API Reference

REST API for SyncBooks — Base URL: https://api.yourdomain.com/api/v1

REST / JSON API Key Auth 100–2,000 req / 15 min

Authentication

All API requests require an API key passed as a Bearer token in the Authorization header. Generate keys from Settings → Developer → API Keys in your dashboard.

API Key Format
sk_live_<64 hex chars>

First 16 chars used as lookup prefix. Full key is bcrypt-hashed at rest.

Rate Limits (per API key)

Starter: 100 req / 15 min

Professional: 500 req / 15 min

Enterprise: 2,000 req / 15 min

Headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Tier

Scopes & Permissions

Keys can be scoped to specific resources and actions. Pass scopes when generating a key. Default: ["*"] (full access).

Format: resource:action — e.g. invoices:read, payments:write

:read — allows GET / HEAD requests. :write — allows POST / PUT / DELETE requests.

A 403 is returned if the key lacks the required scope.

Request

curl https://api.yourdomain.com/api/v1/invoices \
  -H "Authorization: Bearer sk_live_your_api_key_here"

Generate Key — POST /keys/generate

{
  "key": "sk_live_a1b2c3d4e5f6...",
  "prefix": "a1b2c3d4e5f6",
  "name": "Production Key",
  "tier": "starter",
  "scopes": ["invoices:read", "invoices:write", "payments:read"]
}

Invoices

Payments

Estimates

Credit Notes

Customers

Vendors

Bills

Expenses

Products

Chart of Accounts

Journal Entries

General Ledger

Purchase Orders

Employees

Payroll

Fixed Assets

Bank Transactions

Budgets

Reports

Webhooks

Register webhook endpoints to receive real-time event notifications. Events are delivered as POST requests with a JSON body signed with HMAC-SHA256 using your webhook secret.

Signature Header

X-SyncBooks-Signature

HMAC-SHA256 of the raw JSON body using your webhook secret. Verify with: sha256=hex_digest

Retry Policy

5 attempts with exponential backoff: 1m → 5m → 30m → 2h → 8h. Retries run every 2 minutes via cron for crash resilience.

Payload Format

{"event": "invoice.paid", "data": {...}, "timestamp": "ISO"}

10s timeout per delivery. 2xx = success.

Available Events

invoice.createdinvoice.updatedinvoice.deletedinvoice.sentinvoice.paidinvoice.overdueexpense.createdexpense.updatedexpense.deletedexpense.approvedexpense.rejectedexpense.paidbill.createdbill.updatedbill.deletedbill.approvedbill.paidbill.overduepayment.createdpayment.deletedcustomer.createdcustomer.updatedcustomer.deletedvendor.createdvendor.updatedvendor.deletedproduct.createdproduct.updatedproduct.deletedproduct.low_stockasset.createdasset.updatedasset.depreciatedaccount.createdaccount.updatedaccount.deletedbank_transaction.createdbank_transaction.updatedbank_transaction.deletedbudget.createdbudget.updatedbudget.activatedbudget.deletedloan.createdloan.payment_madeloan.paid_offpayroll.run_createdpayroll.run_approvedpayroll.run_paidjournal_entry.createdjournal_entry.postedsubscription.activatedsubscription.expiredsubscription.cancelledtest*

Use "*" to subscribe to all events.

Errors

All errors return a JSON body with an error field. HTTP status codes follow REST conventions.

StatusMeaningExample
401UnauthorizedMissing or invalid API key
403ForbiddenKey does not belong to this organization
404Not FoundResource not found or soft-deleted
400Bad RequestValidation error or missing required field
429Too Many RequestsRate limit exceeded
500Server ErrorUnexpected internal error
{
  "error": "Invoice not found"
}