API Reference

REST API for the WooCommerce plugin, Shopify integration, and public feed access.

Overview

The Sync2Sys API is a RESTful API that accepts and returns JSON. All requests are made over HTTPS.

Base URL

https://panel.sync2sys.com/api

Content Type

All requests should include the following header:

Content-Type: application/json

Rate Limiting

Public endpoints (e.g., published feeds) are rate-limited to 30 requests per minute per IP address. Authenticated endpoints have higher limits.

Authentication

Most API endpoints require a valid JWT (JSON Web Token) passed as a Bearer token in the Authorization header:

Authorization: Bearer <your_jwt_token>

You can obtain a JWT token via the login endpoint or through the WooCommerce plugin's automatic account creation flow.

Note: Tokens are issued during login and plugin connection. Store the token securely — it identifies your account and organization.

WooCommerce Plugin Endpoints

These endpoints are used by the Sync2Sys WooCommerce plugin to connect stores, manage accounts, and check sync status.

POST /api/auth/register-from-plugin Public

Silent account registration initiated by the WooCommerce plugin. Creates a Sync2Sys account (or returns the existing one) and provides a JWT token for subsequent API calls.

Request Body
{
  "email": "admin@yourstore.com",
  "storeUrl": "https://yourstore.com",
  "source": "woo-plugin"
}
Response 200
{
  "token": "eyJhbGciOiJIUzI1...",
  "user": {
    "id": "uuid",
    "email": "admin@yourstore.com"
  },
  "isNewAccount": true
}
POST /api/stores/connect Public

Connect a WooCommerce store to Sync2Sys. The plugin sends WooCommerce REST API credentials so Sync2Sys Cloud can manage products through the WC REST API.

Request Body
{
  "storeUrl": "https://yourstore.com",
  "consumerKey": "ck_xxxxxxxxxxxxxxxxxxxxxxxx",
  "consumerSecret": "cs_xxxxxxxxxxxxxxxxxxxxxxxx",
  "email": "admin@yourstore.com",
  "platform": "woocommerce",
  "pluginVersion": "1.1.0"
}
Response 200 / 201
{
  "success": true,
  "token": "eyJhbGciOiJIUzI1...",
  "channelId": "uuid",
  "message": "Store connected successfully"
}
Important: The consumerKey and consumerSecret are WooCommerce REST API keys generated from WooCommerce → Settings → Advanced → REST API. They require read/write access.
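
Because this request carries read/write store credentials, a client should validate the payload before sending it and redact it before logging. The following is an added example, not Sync2Sys plugin code; the function names, the HTTPS-only rule, and the sample key values are assumptions of the example.

```python
from urllib.parse import urlsplit

# Fields from this page's request/response bodies that must never reach a log.
SECRET_FIELDS = {"consumerKey", "consumerSecret", "token"}


def build_connect_payload(store_url, consumer_key, consumer_secret, email,
                          plugin_version):
    """Validate inputs and return the body for POST /api/stores/connect."""
    parts = urlsplit(store_url)
    # Assumption of this example: only hand over read/write keys for HTTPS stores.
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("storeUrl must be an https:// URL")
    if parts.username or parts.password:
        raise ValueError("storeUrl must not embed credentials")
    # WooCommerce REST API keys carry the ck_/cs_ prefixes shown on this page.
    if not (consumer_key.startswith("ck_") and consumer_secret.startswith("cs_")):
        raise ValueError("expected a WooCommerce ck_/cs_ key pair")
    return {
        "storeUrl": store_url.rstrip("/"),
        "consumerKey": consumer_key,
        "consumerSecret": consumer_secret,
        "email": email,
        "platform": "woocommerce",
        "pluginVersion": plugin_version,
    }


def redact(obj):
    """Return a copy of a request/response dict that is safe to log."""
    out = {}
    for key, value in obj.items():
        if key in SECRET_FIELDS and isinstance(value, str):
            out[key] = value[:3] + "***"   # keep only the type prefix
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample values, not real keys.
    body = build_connect_payload("https://yourstore.com/", "ck_example0000",
                                 "cs_example0000", "admin@yourstore.com", "1.1.0")
    print(redact(body))
```
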
POST /api/stores/disconnect 🔒 JWT

Disconnect a WooCommerce store from Sync2Sys. Removes the stored API credentials and deactivates the sales channel.

Headers
Authorization: Bearer <your_jwt_token>
Response 200
{
  "success": true,
  "message": "Store disconnected"
}
GET /api/auth/account-status 🔒 JWT

Check the current account status. Used by the WooCommerce plugin to verify the connection is active and show plan information.

Headers
Authorization: Bearer <your_jwt_token>
Response 200
{
  "connected": true,
  "email": "admin@yourstore.com",
  "plan": "starter",
  "organizationName": "My Store"
}
GET /api/sync/status 🔒 JWT

Get the current synchronization status for the connected store. Shows supplier count, feed count, products synced, and last activity timestamp.

Headers
Authorization: Bearer <your_jwt_token>
Response 200
{
  "suppliers": 3,
  "feeds": 5,
  "products_synced": 1247,
  "last_sync": "2024-03-15T14:30:00Z",
  "last_activity": "2024-03-15T15:00:00Z"
}

Shopify OAuth

Shopify stores connect to Sync2Sys via OAuth 2.0. The flow is initiated from the Sync2Sys panel.

POST /api/shopify/oauth/init 🔒 JWT

Start the Shopify OAuth authorization flow. Returns a URL to redirect the user to Shopify's consent screen.

Request Body
{
  "shopDomain": "mystore.myshopify.com",
  "channelId": "uuid" // optional, to link to existing channel
}
Response 200
{ "authUrl": "https://mystore.myshopify.com/admin/oauth/authorize?..." }
Tip: You can pass just the store name (e.g., mystore) — the API will automatically append .myshopify.com.
GET /api/shopify/oauth/callback Public

Shopify redirects the user to this URL after authorization. This endpoint exchanges the authorization code for an access token and creates/updates the sales channel. You do not call this directly — Shopify handles the redirect.

Query Parameters
  • code — Authorization code from Shopify
  • shop — Shop domain (e.g., mystore.myshopify.com)
  • state — State parameter for CSRF validation
  • hmac — HMAC signature for verification
Behavior

On success, redirects to /sales-channels/:channelId?oauth=success. On error, redirects with ?oauth=error&message=....
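
How the hmac, state and shop parameters of such a callback are checked, shown as an added example that follows Shopify's documented OAuth verification scheme (HMAC-SHA256 over the sorted query parameters, excluding hmac). This is not Sync2Sys server code; the function names, secret and sample values are constructed for the example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qsl

# Hostname shape of a Shopify shop; rejects look-alike hosts.
SHOP_RE = re.compile(r"[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com")


def sign_query(params: dict, secret: str) -> str:
    """HMAC-SHA256 (hex) over the sorted key=value pairs, hmac itself excluded."""
    message = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "hmac")
    return hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()


def verify_callback(query_string: str, secret: str, expected_state: str) -> tuple:
    """Return (ok, reason) for a callback query string."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    for name in ("code", "shop", "state", "hmac"):
        if not params.get(name):
            return False, f"missing {name}"
    # Constant-time comparisons, on bytes so non-ASCII input cannot raise.
    expected = sign_query(params, secret).encode()
    if not hmac.compare_digest(expected, params["hmac"].encode()):
        return False, "bad hmac"
    # state must equal the value stored server-side when the flow was started.
    if not hmac.compare_digest(params["state"].encode(), expected_state.encode()):
        return False, "state mismatch"
    if not SHOP_RE.fullmatch(params["shop"]):
        return False, "bad shop domain"
    return True, "ok"


# Constructed sample values (not real credentials or codes).
SECRET = "example-app-secret"
STATE = "3f9c1e7a52"
_base = {"code": "abc123", "shop": "mystore.myshopify.com", "state": STATE}
GOOD_QS = "&".join(f"{k}={v}" for k, v in _base.items()) + "&hmac=" + sign_query(_base, SECRET)
TAMPERED_QS = GOOD_QS.replace("mystore", "other")  # shop changed after signing

if __name__ == "__main__":
    print(verify_callback(GOOD_QS, SECRET, STATE))
    print(verify_callback(TAMPERED_QS, SECRET, STATE))
    print(verify_callback(GOOD_QS, SECRET, "different-state"))
```
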

GET /api/shopify/oauth/status 🔒 JWT

Check if Shopify OAuth is configured on the server.

Response 200
{ "configured": true }

Public Feeds

Published export feeds are accessible via a public URL without authentication. These feeds are used by third-party platforms like Google Shopping, Facebook Ads, and price comparison sites.

GET /api/public/feeds/:slug Public

Retrieve a published feed by its slug. Returns XML, CSV, or JSON depending on the feed's configured output format.

URL Parameters
:slug — Feed slug (e.g., "google-shopping-feed")
Response Headers
Content-Type: application/xml; charset=utf-8 (or text/csv, application/json)
Content-Disposition: inline; filename="google-shopping-feed.xml"
Cache-Control: public, max-age=300
X-Feed-Products: 1247
X-Feed-Generated: 2024-03-15T14:30:00Z
X-Cache: HIT (or MISS)
Response Body

The feed content in the configured format (XML, CSV, or JSON).

Rate limit: 30 requests per 60 seconds per IP address. Responses are cached on the server for 5 minutes.
Errors
  • 404 — Feed not found or not published
  • 429 — Rate limit exceeded

Error Handling

The API uses standard HTTP status codes to indicate the success or failure of a request.

Status Codes

  • 200 — OK, request succeeded
  • 201 — Created, resource successfully created
  • 400 — Bad Request, invalid or missing parameters
  • 401 — Unauthorized, missing or invalid JWT token
  • 403 — Forbidden, insufficient permissions or plan limits reached
  • 404 — Not Found, resource doesn't exist
  • 429 — Too Many Requests, rate limit exceeded
  • 500 — Internal Server Error

Error Response Format

{
  "statusCode": 400,
  "message": "Description of what went wrong",
  "error": "Bad Request"
}

Some endpoints may return additional fields in the error response (e.g., error: "PIM_PRODUCT_LIMIT") for more specific error handling.