REST API
The HTTP API is implemented in apps/api (NestJS). Treat Swagger UI as the authoritative contract for request/response bodies.
Base path and docs
- Global prefix: /api/v1 (all controllers below are relative to this prefix).
- Swagger UI (local): http://127.0.0.1:4000/api/docs
- OpenAPI JSON: http://127.0.0.1:4000/api/docs-json
Export example (from monorepo README):
curl -s http://127.0.0.1:4000/api/docs-json -o openapi.json
Authentication
- JWT bearer on protected routes: Authorization: Bearer <access_token>.
- Auth tag (/auth): POST login, POST refresh, POST logout (bearer), POST forgot-password, POST reset-password, POST me (bearer).
Bootstrap (no bearer for first admin): POST /bootstrap/register-admin registers the first superadmin when onboarding allows it.
Roles
Access is enforced with @Roles() and Prisma UserRole enum values:
SUPERADMIN, ADMIN, RESELLER, CLIENT, DEVELOPER, VIEWER
Each controller method declares which roles may call it. Swagger shows operations per tag; cross-check *.controller.ts under apps/api/src/modules/ if in doubt.
Controllers and routes
Paths are relative to /api/v1.
| Tag / area | Controller prefix | Highlights |
|---|---|---|
| Health | health | GET /health — public liveness (full URL …/api/v1/health). |
| Auth | auth | Login, refresh, logout, password flows, me. |
| Bootstrap | bootstrap | GET /bootstrap/status, GET /bootstrap/health, POST /bootstrap/register-admin, PATCH /bootstrap/panel (JWT; panel display name). |
| Servers | servers | GET, GET :id, POST, POST bootstrap/local, DELETE :id. |
| Applications | applications | GET, GET :id, GET :id/deployments, POST, POST :id/deploy, POST :id/stop, POST :id/restart, DELETE :id. |
| Domains | domains | GET, POST, POST :id/ssl (records intent; automated ACME issuance is not wired—see response body). |
| Databases | databases | GET, GET :id, GET :id/users, POST, POST :id/users, DELETE :id. |
| Backups | backups | GET, POST. |
| Runtimes | runtimes | GET. |
| Monitoring | monitoring | GET summary. |
| Activity | activity | GET logs — audit log derived list (see Using the panel: logs). |
| Security | security | GET firewall, POST firewall, DELETE firewall/:id, GET ssh-keys, POST ssh-keys, DELETE ssh-keys/:id. |
| Users | users | GET, POST (create), PATCH :id (name/role; admin-guarded). |
| Templates | templates | GET, POST :id/instantiate (creates an application from template defaults). |
| Files | files | GET list?path=, POST mkdir, POST delete, POST rename — sandboxed under PANEL_FILES_ROOT. |
Webhooks: no webhook receivers are implemented under apps/api today; see Webhooks.
Do not duplicate every schema field here—use Swagger or the exported OpenAPI JSON.
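An added example (not part of the project's code) that audits an exported OpenAPI document against the Authentication section above, reporting operations that can be called without a bearer token but are not on an expected-public list. The allowlist, the `auditOpenApi` and `allowsAnonymous` names, the `bearer` scheme name and the sample document are assumptions made for illustration; the check only works if protected routes carry a security requirement in the spec.

```javascript
// Added example: audit an OpenAPI document for operations callable without a bearer token.
// ASSUMPTION: protected routes declare a security requirement in the spec (e.g. @ApiBearerAuth()).
const METHODS = ['get', 'post', 'put', 'patch', 'delete', 'head', 'options'];
// Routes this page describes as reachable without a bearer (allowlist is an assumption).
const EXPECTED_PUBLIC = new Set([
  'GET /api/v1/health',
  'POST /api/v1/bootstrap/register-admin',
  'POST /api/v1/auth/login',
  'POST /api/v1/auth/refresh',
  'POST /api/v1/auth/forgot-password',
  'POST /api/v1/auth/reset-password',
]);

// OpenAPI 3: operation-level `security` overrides the document-level one;
// [] means "no auth", and an empty object {} in the list means "auth optional".
function allowsAnonymous(operation, doc) {
  const reqs = operation.security !== undefined ? operation.security : doc.security;
  if (!Array.isArray(reqs) || reqs.length === 0) return true;
  return reqs.some((r) => Object.keys(r).length === 0);
}

function auditOpenApi(doc, expectedPublic = EXPECTED_PUBLIC) {
  const unexpectedPublic = [];    // anonymous access where the allowlist expects a bearer
  const unexpectedProtected = []; // bearer required where the allowlist expects public
  for (const [path, item] of Object.entries(doc.paths || {})) {
    for (const method of METHODS) {
      const op = item[method];
      if (!op) continue;
      const key = `${method.toUpperCase()} ${path}`;
      const anon = allowsAnonymous(op, doc);
      if (anon && !expectedPublic.has(key)) unexpectedPublic.push(key);
      if (!anon && expectedPublic.has(key)) unexpectedProtected.push(key);
    }
  }
  return { unexpectedPublic: unexpectedPublic.sort(), unexpectedProtected: unexpectedProtected.sort() };
}

// Constructed sample, not the project's real spec.
const SAMPLE = {
  openapi: '3.0.0',
  paths: {
    '/api/v1/health': { get: {} },
    '/api/v1/auth/login': { post: {} },
    '/api/v1/auth/me': { post: { security: [{ bearer: [] }] } },
    '/api/v1/servers/{id}': { delete: { security: [{ bearer: [] }] } },
    '/api/v1/security/firewall': { post: { security: [{}, { bearer: [] }] } },
    '/api/v1/files/delete': { post: {} },
  },
};
```

To run it against a real export, parse the openapi.json written by the curl command above and pass the resulting object to auditOpenApi; a route that is guarded in code but undecorated in the spec will show up as unexpectedly public and should be checked in its *.controller.ts.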