anonymousland-synapse/docs/usage/administration/admin_api/README.md

# The Admin API

## Authenticate as a server admin

Many of the API calls in the admin api will require an `access_token` for a
server admin. (Note that a server admin is distinct from a room admin.)

An existing user can be marked as a server admin by updating the database directly.

Check your [database settings](config_documentation.md#database) in the configuration file, connect to the correct database using either `psql [database name]` (if using PostgreSQL) or `sqlite3 path/to/your/database.db` (if using SQLite) and elevate the user `@foo:bar.com` to administrator.
```sql
UPDATE users SET admin = 1 WHERE name = '@foo:bar.com';
```

A new server admin user can also be created using the `register_new_matrix_user`
command. This is a script that is distributed as part of synapse. It is possibly
already on your `$PATH` depending on how Synapse was installed.

Finding your user's `access_token` is client-dependent, but will usually be shown in the client's settings.

## Making an Admin API request
For security reasons, we [recommend](reverse_proxy.md#synapse-administration-endpoints)
that the Admin API (`/_synapse/admin/...`) should be hidden from public view using a
reverse proxy. This means you should typically query the Admin API from a terminal on
the machine which runs Synapse.

Once you have your `access_token`, you will need to authenticate each request to an Admin API endpoint by
providing the token as either a query parameter or a request header. To add it as a request header in cURL:

```sh
curl --header "Authorization: Bearer <access_token>" <the_rest_of_your_API_request>
```

For example, suppose we want to
[query the account](user_admin_api.md#query-user-account) of the user
`@foo:bar.com`. We need an admin access token (e.g.
`syt_AjfVef2_L33JNpafeif_0feKJfeaf0CQpoZk`), and we need to know which port
Synapse's [`client` listener](config_documentation.md#listeners) is listening
on (e.g. `8008`). Then we can use the following command to request the account
information from the Admin API.

```sh
curl --header "Authorization: Bearer syt_AjfVef2_L33JNpafeif_0feKJfeaf0CQpoZk" -X GET http://127.0.0.1:8008/_synapse/admin/v2/users/@foo:bar.com
```

For more details on access tokens in Matrix, please refer to the complete
[matrix spec documentation](https://matrix.org/docs/spec/client_server/r0.6.1#using-access-tokens).
Compile and render Synapse's docs into a browsable, mobile-friendly and searchable website (#10086) 2021-06-03 12:20:40 -04:00			`# The Admin API`

			`## Authenticate as a server admin`

			Many of the API calls in the admin api will require an `access_token` for a
			`server admin. (Note that a server admin is distinct from a room admin.)`

Improve documentation on becoming server admin (#13230) * Improved section regarding server admin Added steps describing how to elevate an existing user to administrator by manipulating a `postgres` database. Signed-off-by: jejo86 28619134+jejo86@users.noreply.github.com * Improved section regarding server admin * Reference database settings Add instructions to check database settings to find out the database name, instead of listing all available PostgreSQL databases. * Add suggestions from PR conversation Replace config filename `homeserver.yaml`. with "config file". Remove instructions to switch to `postgres` user. Add instructions how to connect to SQLite database. * Update changelog.d/13230.doc Co-authored-by: reivilibre <olivier@librepush.net> 2022-08-03 06:15:23 -04:00			`An existing user can be marked as a server admin by updating the database directly.`
Compile and render Synapse's docs into a browsable, mobile-friendly and searchable website (#10086) 2021-06-03 12:20:40 -04:00
Improve documentation on becoming server admin (#13230) * Improved section regarding server admin Added steps describing how to elevate an existing user to administrator by manipulating a `postgres` database. Signed-off-by: jejo86 28619134+jejo86@users.noreply.github.com * Improved section regarding server admin * Reference database settings Add instructions to check database settings to find out the database name, instead of listing all available PostgreSQL databases. * Add suggestions from PR conversation Replace config filename `homeserver.yaml`. with "config file". Remove instructions to switch to `postgres` user. Add instructions how to connect to SQLite database. * Update changelog.d/13230.doc Co-authored-by: reivilibre <olivier@librepush.net> 2022-08-03 06:15:23 -04:00			Check your [database settings](config_documentation.md#database) in the configuration file, connect to the correct database using either `psql [database name]` (if using PostgreSQL) or `sqlite3 path/to/your/database.db` (if using SQLite) and elevate the user `@foo:bar.com` to administrator.
Compile and render Synapse's docs into a browsable, mobile-friendly and searchable website (#10086) 2021-06-03 12:20:40 -04:00			```sql
			`UPDATE users SET admin = 1 WHERE name = '@foo:bar.com';`
			```

			A new server admin user can also be created using the `register_new_matrix_user`
Move scripts directory inside synapse, exposing as setuptools entry_points (#12118) * Two scripts are basically entry_points already * Move and rename scripts/* to synapse/_scripts/.py Delete sync_room_to_group.pl * Expose entry points in setup.py * Update linter script and config * Fixup scripts & docs mentioning scripts that moved Co-authored-by: Andrew Morgan <1342360+anoadragon453@users.noreply.github.com> 2022-03-02 08:00:16 -05:00			`command. This is a script that is distributed as part of synapse. It is possibly`
Compile and render Synapse's docs into a browsable, mobile-friendly and searchable website (#10086) 2021-06-03 12:20:40 -04:00			already on your `$PATH` depending on how Synapse was installed.

			Finding your user's `access_token` is client-dependent, but will usually be shown in the client's settings.

			`## Making an Admin API request`
Document advising against publicly exposing the Admin API and provide a usage example (#13231) * Admin API request explanation improved Pointed out, that the Admin API is not accessible by default from any remote computer, but only from the PC `matrix-synapse` is running on. Added a full, working example, making sure to include the cURL flag `-X`, which needs to be prepended to `GET`, `POST`, `PUT` etc. and listing the full query string including protocol, IP address and port. * Admin API request explanation improved * Apply suggestions from code review Update changelog. Reword prose. Co-authored-by: David Robertson <david.m.robertson1@gmail.com> 2022-07-13 14:33:33 -04:00			`For security reasons, we [recommend](reverse_proxy.md#synapse-administration-endpoints)`
			that the Admin API (`/_synapse/admin/...`) should be hidden from public view using a
			`reverse proxy. This means you should typically query the Admin API from a terminal on`
			`the machine which runs Synapse.`

Compile and render Synapse's docs into a browsable, mobile-friendly and searchable website (#10086) 2021-06-03 12:20:40 -04:00			Once you have your `access_token`, you will need to authenticate each request to an Admin API endpoint by
			`providing the token as either a query parameter or a request header. To add it as a request header in cURL:`

			```sh
			`curl --header "Authorization: Bearer <access_token>" <the_rest_of_your_API_request>`
			```

Document advising against publicly exposing the Admin API and provide a usage example (#13231) * Admin API request explanation improved Pointed out, that the Admin API is not accessible by default from any remote computer, but only from the PC `matrix-synapse` is running on. Added a full, working example, making sure to include the cURL flag `-X`, which needs to be prepended to `GET`, `POST`, `PUT` etc. and listing the full query string including protocol, IP address and port. * Admin API request explanation improved * Apply suggestions from code review Update changelog. Reword prose. Co-authored-by: David Robertson <david.m.robertson1@gmail.com> 2022-07-13 14:33:33 -04:00			`For example, suppose we want to`
			`[query the account](user_admin_api.md#query-user-account) of the user`
			`@foo:bar.com`. We need an admin access token (e.g.
			`syt_AjfVef2_L33JNpafeif_0feKJfeaf0CQpoZk`), and we need to know which port
			Synapse's [`client` listener](config_documentation.md#listeners) is listening
			on (e.g. `8008`). Then we can use the following command to request the account
			`information from the Admin API.`

			```sh
			`curl --header "Authorization: Bearer syt_AjfVef2_L33JNpafeif_0feKJfeaf0CQpoZk" -X GET http://127.0.0.1:8008/_synapse/admin/v2/users/@foo:bar.com`
			```

Compile and render Synapse's docs into a browsable, mobile-friendly and searchable website (#10086) 2021-06-03 12:20:40 -04:00			`For more details on access tokens in Matrix, please refer to the complete`
			`[matrix spec documentation](https://matrix.org/docs/spec/client_server/r0.6.1#using-access-tokens).`