1. Syncode
Syncode
  • Syncode
    • Conventions
    • Response Schemas
    • Error Taxonomy
    • Resource Model
    • Permission Model
    • Cross-Cutting Concerns
    • Security
    • Collab-Plane
    • Execution-Plane
    • AI-Plane
  • SynCode Control Plane API
    • Auth
      • Create a new account
      • Authenticate and get tokens
      • Refresh access token
      • Invalidate refresh token
      • Change current user's password
      • Request password reset email
      • Reset password with token
    • Users
      • Get current user profile
      • Update current user profile
      • Soft-delete account
      • Get public profile of another user
      • Upload avatar (presigned URL)
      • Get usage quotas and limits
      • Get current active room (for reconnection)
      • Get time-series training statistics
    • Rooms
      • Participants
        • List all participants in a room
        • Update participant (role, mute)
        • Kick a participant from the room
      • Control
        • Advance room phase
        • Select or change the problem
        • Update room settings
        • Lock code editor, run, and submit
        • Unlock code editor, run, and submit
        • Pause the coding timer
        • Resume the coding timer
        • Request a role swap (peer mode)
        • Accept or decline a role swap request
      • Media
        • Generate LiveKit access token
        • Record participant's recording consent
        • Start session recording
        • Stop session recording
      • AI
        • Send a message to AI interviewer
        • Poll AI message result
        • Get AI conversation history
        • Request a targeted hint
        • Get hint result
        • Request code review
        • Get review result
        • Get cross-session weakness tracking
      • StaticAnalysis
        • Request static analysis
        • Get analysis result
      • Feedback
        • Submit peer evaluation
        • Get all feedback for this room
        • Get my submitted feedback
      • Create a new room
      • List rooms for current user
      • Get room details
      • Destroy a room (host only)
      • Join a room via room code
      • Leave a room
      • Lookup room by invite code
      • Execute code (interactive run)
      • Submit code against test cases
      • List past runs in this room
      • List past submissions in this room
    • Problems
      • List and search problems
      • Create a problem (admin)
      • List all available tags
      • Get problem details
      • Update a problem (admin)
      • Delete a problem (admin)
    • Bookmarks
      • List bookmarked problems
      • Bookmark a problem
      • Remove bookmark
    • Execution
      • Get execution result (single run)
      • Get submission status and aggregated results
    • Sessions
      • List my session history
      • Get session details
      • Soft-delete a session
      • Get training report
      • Get session event timeline
      • Get code snapshots
      • Get recording download URL
      • Get peer feedback for this session
      • Get whiteboard export
      • Get AI conversation history
      • Compare multiple session reports
    • Matchmaking
      • Enter the matchmaking queue
      • Cancel matchmaking
      • Get current match status
      • Accept a proposed match
      • Decline a proposed match
    • Admin
      • System overview stats
      • List all users
      • Get user details (admin view)
      • Update user (ban, role change)
      • List all rooms
      • Force-close a room
      • Query audit logs
    • Health
      • Deep health check
    • Schemas
      • RoomStatus
      • CreateDocumentRequest
      • RoomRole
      • CreateDocumentResponse
      • RoomMode
      • DestroyDocumentResponse
      • SupportedLanguage
      • KickUserRequest
      • Difficulty
      • KickUserResponse
      • UserRole
      • LockEditorRequest
      • ErrorResponse
      • LockEditorResponse
      • Pagination
      • SnapshotReadyPayload
      • UserProfile
      • UserDisconnectedPayload
      • PublicProfile
      • CallbackAckResponse
      • RoomConfig
      • RoomParticipantSummary
      • RoomSummary
      • RoomDetail
      • RoomPreview
      • ProblemSummary
      • ProblemDetail
      • ProblemExample
      • TestCase
      • TagInfo
      • AiMessage
      • WeaknessEntry
      • PeerFeedbackRatings
      • PeerFeedbackEntry
      • SessionSummary
      • SessionDetail
      • SessionParticipant
      • SessionEvent
      • CodeSnapshot
      • Evidence
      • ReportDimension
      • AdminDashboard
      • AdminUserEntry
      • AdminUserDetail
      • AdminRoomEntry
      • AuditLogEntry
      • HealthResponse
      • MatchOpponent
  • SynCode Collab Plane API
    • Documents
      • Create a Yjs document
      • Destroy a Yjs document
      • Kick a user from the document
      • Toggle editor lock
    • Health
      • Health check
    • Callbacks
      • [Callback] Snapshot ready
      • [Callback] User disconnected
    • Schemas
      • CreateDocumentRequest
      • CreateDocumentResponse
      • DestroyDocumentResponse
      • KickUserRequest
      • KickUserResponse
      • SnapshotReadyPayload
      • LockEditorRequest
      • UserDisconnectedPayload
      • LockEditorResponse
      • CallbackAckResponse
      • ErrorResponse
  1. Syncode

Security

Response Headers#

HeaderValueNotes
X-Content-Type-OptionsnosniffPrevents MIME-type sniffing
X-Frame-OptionsDENYPrevents clickjacking
X-Request-IdUUIDUnique per request
Strict-Transport-Securitymax-age=31536000; includeSubDomainsProduction only

Rate Limit Headers#

HeaderDescription
X-RateLimit-LimitMax requests in current window
X-RateLimit-RemainingRequests remaining
X-RateLimit-ResetUnix epoch when window resets
Retry-AfterSeconds until retry (on 429 only)

Authentication Security#

Passwords hashed with argon2id (RFC 9106, memory=64MB, iterations=3, parallelism=1)
JWT access tokens: 15m, stored in JavaScript memory only (immune to CSRF)
Refresh tokens: HTTP-only cookie (SameSite=Strict; Secure; Path=/auth), immune to XSS
Token rotation on every refresh
Server-side refresh token storage (Redis) for revocation
Banning immediately invalidates all refresh tokens
Login rate limiting: 5/min/IP

Four Token Types#

TokenLifetimeStoragePurpose
Access15mJS memoryAPI authentication
Refresh7dHTTP-only cookie + RedisSilent token renewal
CollabSessionReturned on room joinYjs WebSocket auth
Media1hReturned by /media/tokenLiveKit WebSocket auth

Input Validation#

All request bodies validated via Zod schemas
Path parameters (UUIDs, room codes) validated at controller level
Query parameters coerced and validated (invalid → 400)
File uploads via presigned S3 URLs (API never handles raw bytes)
Modified at 2026-03-12 05:26:10
Previous
Cross-Cutting Concerns
Next
Collab-Plane
Built with