--- name: reference-syncro-rmm-api-gui-only description: Syncro asset/RMM IS API-drivable (reads, create/update, patches, installed_apps, rmm_alerts) — only policy-folder ops need a token scope our per-user keys currently lack (re-verified 2026-07-10) metadata: type: reference --- **CORRECTION (2026-07-10): most of Syncro's asset/RMM surface IS API-drivable — the earlier "RMM is GUI-only" conclusion was a token-scope symptom, not an API limitation.** Live-probed the ACG production tenant with a per-user token (howard) on 2026-07-10 and confirmed against the OpenAPI 3.0 spec (`api-docs.syncromsp.com/swagger.json`): - **Works with our current per-user token (HTTP 200):** `GET/POST /customer_assets`, `PUT /customer_assets/{id}` (name/serial/type/customer/properties — `name` required), `GET /customer_assets/{id}/patches`, `.../installed_applications`, `/rmm_alerts` (list + `{id}/mute` + DELETE clear), plus contacts, contracts, leads, vendors, purchase_orders, products, payments, wiki_pages, `/me`, `/search`. The `/syncro` skill now documents the asset-read/asset-write/rmm-alert/agent-deploy workflows; the full inventory is in `.claude/standards/syncro/api-reference.md`. - **Policy-folder move: VERIFIED WORKING with a full-scope token (2026-07-10).** Howard's token was upgraded to full scope; flip-and-restore on ACG-internal asset `12335235` (`692253 → 692278 → 692253`) succeeded, each confirmed by GET. `PUT /customer_assets/{id}` with `policy_folder_id` (+ required `name`) moves the asset. The spec: *"only policy_folder_id requires **Assets - Policy Change**; with other fields requires **Assets - Edit** AND **Assets - Policy Change**; nil/nonexistent/cross-customer folder → 422."* - **Route quirks:** `GET /policy_folders` (bare) → 404; `GET /policy_folders?customer_id=N` → 200 (enumerate a customer's folders); `GET /policy_folders/{id}` → 401 even at full scope. - **Per-user scope differs — capability-check every scope-gated write.** A token WITHOUT Policy-Change returns HTTP 200 and silently no-ops the move (the exact 2026-06-25 symptom that produced the original "GUI-only" belief); `/me` shows coarse `asset:{write:true}` and cannot detect it. The `/syncro move-asset` helper preflights `GET /policy_folders?customer_id=N` (401 = no scope) and verifies the folder actually changed after the PUT. Only Howard's token is confirmed full-scope so far; grant the scope to each per-user token for consistent behavior. - **Archive (retire) IS genuinely GUI-only** — no archive endpoint, no `archived` field, and DELETE is destructive. That part of the old note stands. **How to apply:** Build/asset-manage freely via API for everything EXCEPT policy folders. To unlock `/syncro move-asset` + policy CRUD, add **Assets - Policy Change** + policy-folder read/manage to the Syncro API token (Admin → API Tokens), re-vault, then flip-and-restore verify on ACG-internal asset `12335235` (folder `692253`). Do NOT re-assert "can't do assets via API" — that was wrong. See [[feedback-psa-default-syncro]] and the api-reference doc.