
Administrator Guide

API Access

The AXIS CloudSync API gives developers programmatic access to all platform functionality -- reading and writing files, managing accounts and organizations, viewing activity logs, and more. This guide covers authentication and common API operations.

API Overview

The AXIS CloudSync API (v1) allows you to securely interact with the platform programmatically. All API functionality mirrors what is available through the web portal and admin console:

  • Read and write files and folders.
  • Create, edit, and delete user accounts and organizations.
  • Update and view activity logs.
  • Access and create roots (sync folders, backups, Team Shares).
  • Retrieve machine (agent) information.
  • Create and manage share links.

Note

API access is scoped to the permissions of the token requester. A system admin token has full access; a regular user token is limited to that user's own data and cannot create organizations or set policies.

Authentication and API Tokens

All API requests require a session token. To obtain a token, POST your username and password to the auth endpoint. The token is then passed as a query parameter on all subsequent requests.

Endpoint: POST /1/auth/

Required POST parameters: username, password

Successful response:

{
  "success": true,
  "session_token": "GWObmeSrkWxGtCje0Mv27Pc..."
}

  • Omitting username or password returns: You must provide a username and password.
  • An incorrect credential pair returns: Invalid username or password.
  • API tokens are valid for the current session only. A new token is required for each session.
  • By default, tokens expire after 30 days. This can be changed via the Policies settings in the admin portal.

Two-Step Authentication

If Two-Step Authentication (2FA) is enabled for the account, the auth endpoint returns an intermediate response after a correct username/password:

{
  "message": "Missing auth_code parameter",
  "two_step_mode": "email|sms|authenticator",
  "success": false
}

The system sends an authentication code to the user. Repeat the auth request with the auth_code parameter:

POST /1/auth/
username=x&password=y&auth_code=z

Note

An incorrect auth code returns: Invalid authentication code. A correct code returns the session token in the standard success response.
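The two-request login described above, written as a client-side flow. This is an added example, not code from AXIS CloudSync. The `post` transport, `get_code` callback and `fake_auth` stand-in are hypothetical, and the JSON shape of the error responses (a `message` field with `success: false`) is an assumption based on the 2FA response shown above.

```python
from urllib.parse import parse_qs, urlencode

AUTH_PATH = "/1/auth/"


class AuthError(Exception):
    """Raised with the server's message when no session token is issued."""


def login(post, username, password, get_code):
    """Return a session token, answering the 2FA challenge if one is issued.

    post(path, form_body) -> dict is the transport (hypothetical; supply an
    HTTPS client). get_code(mode) -> str obtains the code sent via `mode`.
    """
    form = {"username": username, "password": password}
    reply = post(AUTH_PATH, urlencode(form))
    # Intermediate 2FA response: success is false and two_step_mode is present.
    if not reply.get("success") and "two_step_mode" in reply:
        form["auth_code"] = get_code(reply["two_step_mode"])
        reply = post(AUTH_PATH, urlencode(form))
    if reply.get("success") and reply.get("session_token"):
        return reply["session_token"]
    raise AuthError(reply.get("message", "authentication failed"))


def fake_auth(path, body):
    """Constructed stand-in for POST /1/auth/ so the example runs offline."""
    f = {k: v[0] for k, v in parse_qs(body).items()}
    fail = lambda msg, **extra: {"success": False, "message": msg, **extra}
    if "username" not in f or "password" not in f:
        return fail("You must provide a username and password.")
    if (f["username"], f["password"]) != ("alice", "constructed-password"):
        return fail("Invalid username or password.")
    if "auth_code" not in f:
        return fail("Missing auth_code parameter", two_step_mode="email")
    if f["auth_code"] != "123456":
        return fail("Invalid authentication code.")
    return {"success": True, "session_token": "CONSTRUCTED-TOKEN"}
```

The code prompt only fires after the password has been accepted, so a caller never asks the user for a code on a bad credential pair.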

Get Account Info

Retrieve account information for the current token requester:

GET /1/account/info/?session_token=<token>

The response includes the user's ID, name, email, storage usage, quota, and a list of all roots (sync folders, backups, Team Shares) with their types and space usage.

List Files and Folders

List all files and folders in a root (the top-level sync folder):

GET /1/metadata/<root_id>/?session_token=<token>

List files and folders in a specific subdirectory:

GET /1/metadata/<root_id>/<path>/?session_token=<token>

The response is a JSON object containing file metadata: path, size, modification time, whether it is a directory, and whether it has been deleted.

Share Links

Create, delete, and list share links via the API:

  • Create share link for a root: GET /1/shares/create_link/<root_id>/?session_token=<token>
  • Create share link for a folder: GET /1/shares/create_link/<root_id>/<folder>/?session_token=<token>
  • Create share link for a file: GET /1/shares/create_link/<root_id>/<folder>/<file>?session_token=<token>
  • Create download link: GET /1/sharelink/<root_id>/<folder>/<file>?download_notify=1&download_limit=5&subscribers=email1,email2&session_token=<token>
  • Delete share link: Replace create_link with delete_link in the URL.
  • List share links: Replace create_link with list_links in the URL.

Activity Logs

Retrieve activity logs for roots, folders, files, users, organizations, or all organizations:

  • Activity for a root: GET /1/activity/<root_id>/?session_token=<token>
  • Activity for a folder: GET /1/activity/<root_id>/<folder>/?session_token=<token>
  • Activity for a file: GET /1/activity/<root_id>/<folder>/<file>?session_token=<token>
  • Activity for a user: GET /1/activity/user/<user_id>/?session_token=<token>
  • Activity for an organization: GET /1/activity/organization/<org_id>/?session_token=<token>
  • Activity for all organizations: GET /1/activity/all/?session_token=<token>

User Management

Create, update, and delete users via the API (requires admin-level token):

  • Create user: GET /1/user/create/?session_token=<token>
  • Update user: GET /1/user/update/<user_id>/?session_token=<token>
  • Delete user: GET /1/user/delete/<user_id>/?session_token=<token>

Important

User deletion is permanent and cannot be undone via the API. Ensure you have confirmed the correct user ID before calling the delete endpoint.

Organization Management

Create, update, and delete organizations (requires system admin token):

  • Create organization: GET /1/organization/create/?session_token=<token>
  • Update organization: GET /1/organization/update/<org_id>/?session_token=<token>
  • Delete organization: GET /1/organization/delete/<org_id>/?session_token=<token>
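Because the session token travels in the query string and the delete endpoints above are plain GET requests, both appear in any access log that records request URLs. The following added example (not part of the AXIS CloudSync product) scrubs `session_token` values from log lines and reports calls to the user and organization delete endpoints. The combined log format, the sample lines and the function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

DESTRUCTIVE = re.compile(r"^/1/(user|organization)/delete/([^/]+)/?$")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def redact(url):
    """Replace the session_token value so the URL is safe to store or forward."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "session_token" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def audit(lines):
    """Return (findings, scrubbed_lines) for access-log lines."""
    findings, scrubbed = [], []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            scrubbed.append(line)
            continue
        url = m.group(1)
        hit = DESTRUCTIVE.match(urlsplit(url).path)
        if hit:
            findings.append({"kind": hit.group(1), "id": hit.group(2),
                             "client": line.split()[0]})
        scrubbed.append(line.replace(url, redact(url)))
    return findings, scrubbed


# Constructed sample lines; client addresses are from documentation ranges.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2026:10:00:00 +0000] '
    '"GET /1/account/info/?session_token=AAA111 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] '
    '"GET /1/user/delete/42/?session_token=AAA111 HTTP/1.1" 200 31',
    '203.0.113.9 - - [01/Jan/2026:10:01:00 +0000] '
    '"GET /1/sharelink/7/docs/a.pdf?download_limit=5&session_token=BBB222 HTTP/1.1" 200 88',
]
```

Calling `audit(SAMPLE)` returns one finding for the user deletion and three log lines with the token values replaced.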

Token Expiration Policy

By default, API tokens expire after 30 days. Administrators can change this policy in the admin portal:

  1. In the administrative web portal, click the Settings tab.
  2. Click the Policies button.
  3. Scroll down to the API Token Settings section.
  4. Enter the number of hours after which API tokens should be deactivated.
  5. Click Save to apply the new policy.

Note

For enhanced security in HIPAA environments, consider setting a shorter token expiration period (e.g., 8 hours) to limit the window of exposure if a token is compromised.