When to use an API source
Reach for a REST API source when there is no MCP server for a service, when you control the backend, or when you simply want the agent to hit specific endpoints with your credentials attached. For a comparison across all three source kinds, see Sources.Configuration
An API source is defined by aconfig.json with type set to "api" and an api block describing the connection.
config.json
Authentication methods
Setapi.authType to match how the service expects credentials. Synti supports:
The token, key, or username/password you supply is encrypted on disk—never stored in
config.json. See MCP authentication for how Synti scopes and secures credentials across all source kinds.
OAuth 2.0
Synti runs the full OAuth 2.0 authorization-code flow with PKCE in two modes:- Auto-discovery (recommended). Synti reads the service’s
WWW-Authenticateresponse header, discovers the OAuth endpoints per RFC 9728, and registers a client automatically—no manual endpoint entry. - Explicit configuration. Provide the authorization URL, token URL, client ID and secret, and the scopes you need.
Authorization: Bearer {token}. Built-in provider presets for Google, Microsoft, and Slack pre-fill their OAuth endpoints and common scopes to save setup time.
Renewing non-OAuth tokens
Some APIs issue a bearer token that expires but is refreshed through a plain endpoint rather than OAuth. For these, add arenewEndpoint to the api block specifying the renewal path, HTTP method, and the JSON fields that carry the new token and its expiry. Synti then refreshes the token on its own, so the agent keeps working without you re-authenticating.
How the agent calls the API
Once the source is connected, the agent can call any endpoint underbaseUrl. Through the HTTP tool it chooses the method (GET, POST, PUT, DELETE, PATCH), the path, query parameters, and a request body. Bodies are sent as JSON by default; the tool also supports raw bodies for plain text, XML, and other content types.
The agent works best when it knows the shape of the API. Add a
guide.md next to config.json describing the key endpoints, or paste the service’s documentation into the conversation. For concrete, copy-ready setups, see cURL examples.Permissions
API calls that change state are gated by Permissions—the agent asks before running them unless you’ve granted broader access. To constrain what an API source may do, add apermissions.json scoped to that source.