Skip to main content

/v1 API reference

The management API is versioned under /v1 and protected by a bearer token (see Authentication & RBAC). Roles below are the minimum required; the super-admin bypasses project membership. Handlers live under src/api/; this page groups the surface by resource.

note

The route table is enforced in code (src/api/* + src/app.rs) and summarized in ADR-008. If you build from a newer revision, treat the handlers as authoritative over this page.

Health & node

MethodPathAuthDescription
GET/healthzpublicLiveness — {"status":"ok"}
GET/v1/nodeViewerNode metadata, host CPU/mem, disk usage, control_domain

Auth, users & tokens

MethodPathAuthDescription
POST/v1/auth/loginpublic (credentials)Username + password → session token
GET/v1/meany tokenCurrent principal + memberships
POST/v1/bootstrapadmin tokenOne-time admin account creation
GET / POST/v1/usersAdminList / create users
DELETE/v1/users/{user_id}AdminDelete a user
GET / POST/v1/api-tokensany tokenList / mint API tokens
DELETE/v1/api-tokens/{token_id}ownerRevoke an API token

Projects & members

MethodPathAuthDescription
GET/v1/projectsViewerList projects you belong to
POST/v1/projectssuper-adminCreate a project
GET/v1/projects/{id}ViewerProject details
PUT/v1/projects/{id}AdminUpdate shared env / limits
DELETE/v1/projects/{id}AdminDelete (must be empty)
GET/v1/projects/{id}/membersViewerList members + roles
POST/v1/projects/{id}/membersAdminAdd member with role
DELETE/v1/projects/{id}/members/{user_id}AdminRemove member

Services

MethodPathAuthDescription
GET / POST/v1/servicesViewer / OperatorList / create services
GET/v1/services/{id}ViewerService config (env redacted for Viewer)
PUT / DELETE/v1/services/{id}OperatorUpdate / delete
GET/v1/services/{id}/logsOperatorRecent logs
GET/v1/services/{id}/logs/streamOperatorLive SSE log tail
GET/v1/services/{id}/metricsViewercgroup v2 + procfs metrics
GET/v1/services/{id}/requestsViewerRecent ingress access-log entries
POST/v1/services/{id}/uploadsOperatorStream a tar.zst build context → upload_id

Domains

MethodPathAuthDescription
GET / POST/v1/services/{id}/domainsViewer / OperatorList / attach domains
GET/v1/services/{id}/domains/{domain_id}ViewerDomain details
POST/v1/services/{id}/domains/{domain_id}/verifyOperatorVerify ownership (HTTP-01 challenge)
DELETE/v1/services/{id}/domains/{domain_id}OperatorDetach domain
GET/.well-known/denia-challenge/{token}publicVerification token (returned only when request Host matches)

Deployments

MethodPathAuthDescription
POST/v1/deploymentsOperatorCreate deployment (Git / ExternalImage / Upload)
GET/v1/deployments/{id}ViewerDeployment status + artifact
GET/v1/deployments/{id}/logs/streamOperatorSSE build/deploy log
GET/v1/services/{id}/deploymentsViewerList a service's deployments

Jobs

MethodPathAuthDescription
GET / POST/v1/jobsViewer / OperatorList / create jobs
GET/v1/jobs/{id}ViewerJob config
PUT / DELETE/v1/jobs/{id}OperatorUpdate / delete
POST/v1/jobs/{id}/runOperatorTrigger a run now
GET/v1/jobs/{id}/runsViewerList runs

Console

MethodPathAuthDescription
GET/v1/services/{id}/console/replicasOperatorList attachable replicas
POST/v1/services/{id}/console/ticketsOperatorMint a single-use 30s ticket
GET/v1/services/{id}/console/wsticketWebSocket upgrade (ticket in query, outside bearer)

Registries & credentials

MethodPathAuthDescription
GET / POST/v1/projects/{id}/registriesViewer / OperatorList / add external registry (payload SOPS-encrypted)
GET/v1/projects/{id}/registries/{registry_id}ViewerRegistry metadata (no credential payload)
PUT / DELETE/v1/projects/{id}/registries/{registry_id}OperatorUpdate / delete
POST / DELETE/v1/projects/{id}/credentials/gitOperatorStore / remove a Git deploy key

Hosted registry control & OCI cache

MethodPathAuthDescription
GET/v1/registry/repositoriesViewerList hosted-registry repositories (project-filtered)
GET/v1/registry/statusViewerDisk usage, blob count, last GC
POST/v1/registry/gcsuper-adminTrigger hosted-registry GC
GET/v1/oci/cache/statusViewerExternal-pull layer-cache stats
POST/v1/oci/cache/gcOperatorTrigger layer-cache GC

The OCI Distribution /v2 endpoints are documented separately: /v2 registry API.