API reference

Complete endpoint catalog, grouped by resource. Each row lists the route, method, minimum role, and a cross-link to the feature page that describes the semantics + request / response bodies. For the auth + conventions, see Overview and Authentication.

Canonical schemas in OpenAPI

The authoritative request / response schemas live in /api/v1/openapi.json. Generate a client SDK with openapi-generator or feed the spec into your favourite API tool. This page is a human-readable index; the OpenAPI file is the wire contract.

01Authentication & user

Method	Path	Role	See
POST	`/auth/login`	anonymous	Login
POST	`/auth/logout`	any	Logout
POST	`/auth/refresh`	any	Refresh flow
GET	`/auth/me`	any	Who am I
POST/GET	`/auth/me/otp/*`	any (self)	2FA

02Organisation / admin

Method	Path	Role	See
GET/POST/PATCH/DELETE	`/users` (& `/users/{id}`)	admin	Users
GET/PUT	`/settings/ldap`	admin	LDAP
GET/POST/DELETE	`/api-keys` (& `/api-keys/{id}`)	admin	API keys
GET/PUT	`/settings/syslog`	admin	Syslog
GET/PUT	`/settings/general`	admin	—
GET/PUT	`/license`	owner	License
GET	`/license/status`	any	License status
GET	`/audit-logs`	viewer	Audit logs
GET	`/audit-logs/export`	admin	Audit export
GET/POST/PATCH/DELETE	`/organizations` (& `/organizations/{id}`)	owner	—
GET/POST/PATCH/DELETE	`/projects` (& `/projects/{id}`)	admin	—
GET	`/ca-providers`	viewer	catalogue of ACME CAs the backend knows by default

03Project — CA providers

Method	Path	Role	See
GET/POST/PATCH/DELETE	`/projects/{projectId}/acme-accounts`	operator	ACME accounts
POST	`/projects/{projectId}/acme-accounts/{id}/validate`	operator	re-check CA connection
GET	`/projects/{projectId}/acme-accounts/{id}/usage`	viewer	certs referencing this account
GET/POST/PATCH/DELETE	`/projects/{projectId}/msca-connections`	operator	MSCA
POST	`/projects/{projectId}/msca-connections/{id}/sync-templates`	operator	refresh the template catalogue
POST	`/projects/{projectId}/msca-connections/{id}/test`	operator	probe CES / CEP

04Project — DNS

Method	Path	Role	See
GET/POST/PATCH/DELETE	`/projects/{projectId}/dns-credentials`	operator	DNS providers
POST	`/projects/{projectId}/dns-credentials/{id}/test`	operator	smoke-test the credential
GET/POST/PATCH/DELETE	`/projects/{projectId}/zones`	operator	Zones
GET	`/projects/{projectId}/zones/{id}/rate-limit-status`	viewer	weekly budget + projection

05Project — certificates

Method	Path	Role	See
GET/POST/PATCH/DELETE	`/projects/{projectId}/certificates`	viewer (list) / operator (mutate)	Issue
POST	`/projects/{projectId}/certificates/{id}/renew`	operator	Renew
POST	`/projects/{projectId}/certificates/{id}/reissue`	operator	Reissue
POST	`/projects/{projectId}/certificates/{id}/revoke`	operator	Revoke
POST/GET	`/projects/{projectId}/certificates/{id}/downloads`	operator	Download
POST	`/projects/{projectId}/certificates/{id}/validate-manual-dns`	operator	Manual DNS
GET	`/projects/{projectId}/certificates/{id}/events`	viewer	Timeline
GET	`/projects/{projectId}/certificates/{id}/jobs`	viewer	jobs scoped to this cert
GET	`/projects/{projectId}/certificates/{id}/dependencies`	viewer	Dependencies
GET	`/projects/{projectId}/certificates/{id}/risk`	viewer	Risk
GET/PUT/DELETE	`/projects/{projectId}/certificate-policy`	admin	Policy

06Project — distribution

Method	Path	Role	See
GET/POST/PATCH/DELETE	`/projects/{projectId}/modules`	operator	Modules
POST	`/projects/{projectId}/modules/{id}/health`	operator	live health check
GET/POST/PATCH/DELETE	`/projects/{projectId}/credentials`	operator	Module creds
GET/POST/PATCH/DELETE	`/projects/{projectId}/targets`	operator	Targets
GET/POST/PATCH/DELETE	`/projects/{projectId}/target-groups`	operator	Target groups
GET/POST/PATCH/DELETE	`/projects/{projectId}/path-sets`	operator	Path sets
GET/POST/PATCH/DELETE	`/projects/{projectId}/action-sets`	operator	Action sets
POST	`/projects/{projectId}/action-sets/lint`	operator	template-variable lint
GET/POST/PATCH/DELETE	`/projects/{projectId}/variables`	operator	Variables
GET/POST/PATCH/DELETE	`/projects/{projectId}/certificates/{id}/distributions`	operator	attach / edit
POST	`.../distributions/{id}/execute`	operator	run now
POST	`.../distributions/{id}/dry-run`	operator	preview actions
POST	`.../distributions/{id}/rollback`	operator	Rollback

07Project — discovery

Method	Path	Role	See
GET/POST/PATCH/DELETE	`/projects/{projectId}/discovery-sources`	operator	Sources
POST	`.../discovery-sources/{id}/scan`	operator	trigger immediate scan
GET	`/projects/{projectId}/discovery/certificates`	viewer	Inventory
GET	`/projects/{projectId}/discovery/endpoints`	viewer	endpoint-level list
GET/PATCH	`/projects/{projectId}/discovery/findings` (& `/{id}`)	viewer (list) / operator (status)	Findings
POST	`.../discovery/certificates/{fingerprint}/manage`	operator	Manage
GET	`/projects/{projectId}/discovery/summary`	viewer	dashboard numbers

08Project — notifications

Method	Path	Role	See
GET/POST/PATCH/DELETE	`/projects/{projectId}/notification-channels`	admin	Channels
POST	`.../notification-channels/{id}/test`	admin	delivery probe
GET/POST/PATCH/DELETE	`/projects/{projectId}/notification-rules`	admin	Rules
GET/POST/PATCH/DELETE	`/projects/{projectId}/notification-templates`	admin	Templates
GET	`/projects/{projectId}/notification-history`	viewer	History

09Project — operations

Method	Path	Role	See
GET	`/projects/{projectId}/jobs`	viewer	Jobs
GET	`/projects/{projectId}/jobs/{id}`	viewer	job detail
GET	`/projects/{projectId}/jobs/{id}/logs`	viewer	stream logs
POST	`/projects/{projectId}/jobs/{id}/retry`	operator	retry a failed job
POST	`/projects/{projectId}/jobs/{id}/cancel`	operator	cancel a pending / in-progress job
GET/POST/PATCH/DELETE	`/projects/{projectId}/domain-trackings`	operator	Domain tracking
POST	`.../domain-trackings/{id}/check`	operator	trigger WHOIS refresh
GET/POST	`/projects/{projectId}/bulk-actions`	operator	Bulk
GET/POST/PATCH/DELETE	`/projects/{projectId}/approval-requests`	scoped by action	Approvals

10Project — dashboards

Method	Path	Role	See
GET	`/projects/{projectId}/dashboard/summary`	viewer	Summary
GET	`/projects/{projectId}/dashboard/trends`	viewer	time-series renewals / distributions
GET	`/projects/{projectId}/dashboard/readiness-47day`	viewer	47-Day

11Encryption & KEK

KEK lifecycle is CLI-first, not REST (operational safety). See CLI → kek.

12Fetch the OpenAPI

curl https://cap.example.com/api/v1/openapi.json -o openapi.json
# Generate Go client:
openapi-generator generate -i openapi.json -g go -o ./cap-client
# Generate TS client:
openapi-generator generate -i openapi.json -g typescript-axios -o ./cap-client-ts