API reference
Complete endpoint catalog, grouped by resource. Each row lists the route, method, minimum role, and a cross-link to the feature page that describes the semantics + request / response bodies. For the auth + conventions, see Overview and Authentication.
The running application ships an interactive API reference at /api-docs (in the
web UI, under Help) with request/response examples for every endpoint. This page is a
human-readable index of the same surface.
Authentication & user
| Method | Path | Role | See |
|---|---|---|---|
| POST | /auth/login | anonymous | Login |
| POST | /auth/logout | any | Logout |
| POST | /auth/refresh | any | Refresh flow |
| GET | /auth/me | any | Who am I |
| POST/GET | /auth/me/otp/* | any (self) | 2FA |
Organisation / admin
| Method | Path | Role | See |
|---|---|---|---|
| GET/POST/PATCH/DELETE | /users (& /users/{id}) | admin | Users |
| GET/PUT | /settings/ldap | admin | LDAP |
| GET/PUT | /settings/syslog | admin | Syslog |
| GET/PUT | /settings/general | admin | — |
| GET/PUT | /license | owner | License |
| GET | /license/status | any | License status |
| GET | /audit-logs | viewer | Audit logs |
| GET | /audit-logs/export | admin | Audit export |
| GET/POST/PATCH/DELETE | /organizations (& /organizations/{id}) | owner | — |
| GET/POST/PATCH/DELETE | /projects (& /projects/{id}) | admin | — |
| GET | /ca-providers | viewer | catalogue of ACME CAs the backend knows by default |
Project — CA providers
| Method | Path | Role | See |
|---|---|---|---|
| GET/POST/PATCH/DELETE | /projects/{projectId}/acme-accounts | operator | ACME accounts |
| POST | /projects/{projectId}/acme-accounts/{id}/validate | operator | re-check CA connection |
| GET | /projects/{projectId}/acme-accounts/{id}/usage | viewer | certs referencing this account |
| GET/POST/PATCH/DELETE | /projects/{projectId}/msca-connections | operator | MSCA |
| POST | /projects/{projectId}/msca-connections/{id}/sync-templates | operator | refresh the template catalogue |
| POST | /projects/{projectId}/msca-connections/{id}/test | operator | probe CES / CEP |
Project — DNS
| Method | Path | Role | See |
|---|---|---|---|
| GET/POST/PATCH/DELETE | /projects/{projectId}/dns-credentials | operator | DNS providers |
| POST | /projects/{projectId}/dns-credentials/{id}/test | operator | smoke-test the credential |
| GET/POST/PATCH/DELETE | /projects/{projectId}/zones | operator | Zones |
| GET | /projects/{projectId}/zones/{id}/rate-limit-status | viewer | weekly budget + projection |
Project — certificates
| Method | Path | Role | See |
|---|---|---|---|
| GET/POST/PATCH/DELETE | /projects/{projectId}/certificates | viewer (list) / operator (mutate) | Issue |
| POST | /projects/{projectId}/certificates/{id}/renew | operator | Renew |
| POST | /projects/{projectId}/certificates/{id}/reissue | operator | Reissue |
| POST | /projects/{projectId}/certificates/{id}/revoke | operator | Revoke |
| POST/GET | /projects/{projectId}/certificates/{id}/downloads | operator | Download |
| POST | /projects/{projectId}/certificates/{id}/validate-manual-dns | operator | Manual DNS |
| GET | /projects/{projectId}/certificates/{id}/events | viewer | Timeline |
| GET | /projects/{projectId}/certificates/{id}/jobs | viewer | jobs scoped to this cert |
| GET | /projects/{projectId}/certificates/{id}/dependencies | viewer | Dependencies |
| GET | /projects/{projectId}/certificates/{id}/risk | viewer | Risk |
| GET/PUT/DELETE | /projects/{projectId}/certificate-policy | admin | Policy |
Project — distribution
| Method | Path | Role | See |
|---|---|---|---|
| GET/POST/PATCH/DELETE | /projects/{projectId}/modules | operator | Modules |
| POST | /projects/{projectId}/modules/{id}/health | operator | live health check |
| GET/POST/PATCH/DELETE | /projects/{projectId}/credentials | operator | Module creds |
| GET/POST/PATCH/DELETE | /projects/{projectId}/targets | operator | Targets |
| GET/POST/PATCH/DELETE | /projects/{projectId}/target-groups | operator | Target groups |
| GET/POST/PATCH/DELETE | /projects/{projectId}/path-sets | operator | Path sets |
| GET/POST/PATCH/DELETE | /projects/{projectId}/action-sets | operator | Action sets |
| POST | /projects/{projectId}/action-sets/lint | operator | template-variable lint |
| GET/POST/PATCH/DELETE | /projects/{projectId}/variables | operator | Variables |
| GET/POST/PATCH/DELETE | /projects/{projectId}/certificates/{id}/distributions | operator | attach / edit |
| POST | .../distributions/{id}/execute | operator | run now |
| POST | .../distributions/{id}/dry-run | operator | preview actions |
| POST | .../distributions/{id}/rollback | operator | Rollback |
Project — discovery
| Method | Path | Role | See |
|---|---|---|---|
| GET/POST/PATCH/DELETE | /projects/{projectId}/discovery-sources | operator | Sources |
| POST | .../discovery-sources/{id}/scan | operator | trigger immediate scan |
| GET | /projects/{projectId}/discovery/certificates | viewer | Inventory |
| GET | /projects/{projectId}/discovery/endpoints | viewer | endpoint-level list |
| GET/PATCH | /projects/{projectId}/discovery/findings (& /{id}) | viewer (list) / operator (status) | Findings |
| POST | .../discovery/certificates/{fingerprint}/manage | operator | Manage |
| GET | /projects/{projectId}/discovery/summary | viewer | dashboard numbers |
Project — notifications
| Method | Path | Role | See |
|---|---|---|---|
| GET/POST/PATCH/DELETE | /projects/{projectId}/notification-channels | admin | Channels |
| POST | .../notification-channels/{id}/test | admin | delivery probe |
| GET/POST/PATCH/DELETE | /projects/{projectId}/notification-rules | admin | Rules |
| GET/POST/PATCH/DELETE | /projects/{projectId}/notification-templates | admin | Templates |
| GET | /projects/{projectId}/notification-history | viewer | History |
Project — operations
| Method | Path | Role | See |
|---|---|---|---|
| GET | /projects/{projectId}/jobs | viewer | Jobs |
| GET | /projects/{projectId}/jobs/{id} | viewer | job detail |
| GET | /projects/{projectId}/jobs/{id}/logs | viewer | stream logs |
| POST | /projects/{projectId}/jobs/{id}/retry | operator | retry a failed job |
| POST | /projects/{projectId}/jobs/{id}/cancel | operator | cancel a pending / in-progress job |
| GET/POST/PATCH/DELETE | /projects/{projectId}/domain-trackings | operator | Domain tracking |
| POST | .../domain-trackings/{id}/check | operator | trigger WHOIS refresh |
| GET/POST | /projects/{projectId}/bulk-actions | operator | Bulk |
| GET/POST/PATCH/DELETE | /projects/{projectId}/approval-requests | scoped by action | Approvals |
Project — dashboards
| Method | Path | Role | See |
|---|---|---|---|
| GET | /projects/{projectId}/dashboard/summary | viewer | Summary |
| GET | /projects/{projectId}/dashboard/trends | viewer | time-series renewals / distributions |
| GET | /projects/{projectId}/dashboard/readiness-47day | viewer | 47-Day |
Encryption & KEK
KEK lifecycle is CLI-first, not REST (operational safety). See CLI → kek.
In-app API docs
The web UI ships an interactive API reference at /api-docs — every endpoint with
its parameters, roles, and example payloads, always matching the running version.
There is currently no machine-readable OpenAPI export; script against the endpoint
tables above using a Bearer access token.