Skip to main content

Users Management

This page explains how to manage users, groups, and API tokens in SyncNow to maintain a secure and well-organized environment.


➕ Creating a User

To create a new user in SyncNow:

  1. Navigate to the Users Page
    From the main menu, select Users to access the user management interface.

    Creating User
  2. Press the Add User Button
    Click the Add User button to start creating a new user.

  3. Input Required Information
    Fill in the necessary details:

    • Username: Unique identifier for the user.
    • Email Address: For communication and password recovery.
    • First Name and Last Name
    • Role: Assign a role to determine access level and permissions.
  4. Create the User
    Click Save to create the new user account. The user will now appear in the users list.

    Adding User


🔑 Resetting a User Password

Only SyncNow Admins can reset user passwords:

  1. Go to the Users section.
  2. Click the Reset Password button next to the user.
  3. Fill out the reset form:
    • New Password
    • Confirm New Password
    • Click Submit to finalize.

🔒 Account Lockout

SyncNow uses account lockout to protect against unauthorized access:

  • Lockout Trigger: After a set number of failed sign-in attempts, a non-admin account is locked.
  • Unlocking Accounts:
    • Users with the Configuration Editor privilege can unlock accounts from the Users page.
    • For admin accounts, lockout is temporary and auto-unlocks after a set duration (configurable in Service Settings).

⚙️ Lockout Settings

Configure lockout settings for security and usability:

  1. Set Allowed Failed Attempts

    • Go to Service Settings.
    • Set the maximum failed sign-in attempts.
    • Save changes.
    Security Settings
  2. Set Admin Lockout Duration

    • In Service Settings, set the lockout duration for admin accounts.
    • Save changes.

👥 Adding a Group to a User

Assign users to groups for effective permission management:

  1. Go to the Users page.
  2. Click Edit next to the user.
  3. Select groups from the available list.
  4. Click Save to update group memberships.

🔐 Personal Access Tokens (PAT)

Personal Access Tokens are self-service credentials that authenticate API and MCP requests on behalf of a user — without using a password. Each user manages their own tokens independently from their Profile → Access Tokens tab. Administrators cannot create or view tokens on behalf of other users.

For full details see the Security Overview — Personal Access Tokens page.

What Are Personal Access Tokens?

  • Named tokens: Each token has a user-given label (e.g. VS Code, CI Pipeline) so you can identify and revoke individual ones without disrupting others.
  • Optional expiry: Set a specific expiry date and time, or leave blank for a token that never expires.
  • Primary token: One token per user is designated primary — it supplies the HMAC secret used by webhook integrations (GitHub, GitLab, Zendesk, etc.).
  • Multiple tokens: Create as many tokens as you need for different tools or environments.

Creating a Personal Access Token

  1. Click your avatar in the top-right corner and go to Profile.
  2. Open the Access Tokens tab.
  3. Click + New Token.
  4. Enter a descriptive name and an optional expiry date and time.
  5. Click Create Token — the token is displayed once only. Copy it immediately and store it securely.

Token format: syncnow_mcp_<32-character-hex>

Using a Token

Use the token as a Bearer credential in the Authorization header of any API or MCP request:

Authorization: Bearer syncnow_mcp_<your-token>

Tokens authenticate on all /api/* and /mcp/* endpoints.

Managing Tokens

ActionWhoNotes
CreateToken ownerFrom Profile → Access Tokens
RevokeToken ownerNon-primary tokens only; promote another to primary first
Set PrimaryToken ownerAtomically swaps the primary designation
View historyToken ownerSwitch to the All filter to see expired and revoked tokens

📝 Example: Authenticating a Webhook with a PAT

  1. Create a token
    In your Profile → Access Tokens, create a token named Webhook with no expiry. Copy the token value immediately.

  2. Set it as primary (if webhook integration is required)
    Click Set Primary on the token. The primary token's value is used as the HMAC signing secret by SyncNow connector webhook subscriptions.

  3. Configure your webhook source
    Pass the token in the Authorization header of incoming webhook requests:

    Authorization: Bearer syncnow_mcp_<your-token>
  4. Rotate when needed
    Create a new token, set it as primary, then revoke the old one. Webhook sources must be updated to use the new token value.


By following these procedures, administrators can effectively manage users and groups, while each user maintains full control over their own access tokens.