API Reference

Base URL: http://localhost:3001 (or your deployment domain)

All management endpoints return JSON:

{ "success": true, "data": { ... } }

Errors:

{ "success": false, "error": "Error message" }

Authentication

Most endpoints require:

Authorization: Bearer <accessToken>

POST /api/auth/login

Public. Authenticate and receive tokens.

Body:

{ "login": "admin", "password": "Admin123!" }

Response:

{
  "success": true,
  "data": {
    "accessToken": "eyJ...",
    "refreshToken": "eyJ...",
    "user": { "_id": "...", "login": "admin", "name": "Admin", ... }
  }
}

POST /api/auth/refresh

Body: { "refreshToken": "..." }

POST /api/auth/logout

Requires authentication.

POST /api/auth/register

Public if registration enabled in Settings.

Body: { "login", "email", "password", "name" }
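The login, refresh and logout calls above form one flow: obtain an access token, send it as a Bearer header, exchange the refresh token when the access token expires, and drop both on logout. The client below is an added example and not code from the project; it assumes an expired or invalid access token is answered with HTTP 401, and it takes a `fetchImpl` parameter so the flow can be exercised offline against the constructed fake server at the bottom (pass the global `fetch` to talk to a real deployment). The endpoint paths and response shapes are the ones documented on this page.

```javascript
// Added example (not the project's code). The client refreshes once on 401 and
// retries; the fake fetch below is constructed to run the whole flow offline.
class ApiClient {
  constructor(baseUrl, fetchImpl) {
    this.baseUrl = baseUrl.replace(/\/$/, "");
    this.fetchImpl = fetchImpl;
    this.accessToken = null;
    this.refreshToken = null;
  }
  // Raw call. Every management response is { success, data } or { success: false, error }.
  async call(path, { method = "GET", body, auth = true } = {}) {
    const headers = { "Content-Type": "application/json" };
    if (auth && this.accessToken) headers.Authorization = `Bearer ${this.accessToken}`;
    const res = await this.fetchImpl(this.baseUrl + path, {
      method, headers, body: body === undefined ? undefined : JSON.stringify(body),
    });
    return { status: res.status, json: await res.json() };
  }
  async login(login, password) {
    const { json } = await this.call("/api/auth/login",
      { method: "POST", body: { login, password }, auth: false });
    if (!json.success) throw new Error(`login failed: ${json.error}`);
    this.accessToken = json.data.accessToken;
    this.refreshToken = json.data.refreshToken;
    return json.data.user;
  }
  async refresh() {
    const { json } = await this.call("/api/auth/refresh",
      { method: "POST", body: { refreshToken: this.refreshToken }, auth: false });
    if (!json.success) {
      this.accessToken = this.refreshToken = null;   // force a fresh login
      throw new Error(`refresh failed: ${json.error}`);
    }
    this.accessToken = json.data.accessToken;
    if (json.data.refreshToken) this.refreshToken = json.data.refreshToken; // honour rotation if the server does it
  }
  // Authenticated request: refresh once on 401 and retry, never loop.
  async request(path, opts = {}) {
    let r = await this.call(path, opts);
    if (r.status === 401 && this.refreshToken) {
      await this.refresh();
      r = await this.call(path, opts);
    }
    if (!r.json.success) throw new Error(`HTTP ${r.status}: ${r.json.error}`);
    return r.json.data;
  }
  async logout() {
    try { await this.call("/api/auth/logout", { method: "POST" }); }
    finally { this.accessToken = this.refreshToken = null; }   // drop tokens even if the call fails
  }
}

// Constructed fake of the auth endpoints, just enough to run the client offline.
function makeFakeFetch() {
  const state = { access: "access-1", refresh: "refresh-1", expired: false };
  const reply = (status, payload) => ({ status, json: async () => payload });
  const fetchImpl = async (url, init) => {
    const path = new URL(url).pathname;
    const body = init.body ? JSON.parse(init.body) : {};
    const bearer = (init.headers.Authorization || "").replace(/^Bearer /, "");
    if (path === "/api/auth/login") {
      if (body.login !== "admin" || body.password !== "Admin123!")
        return reply(401, { success: false, error: "Invalid credentials" });
      return reply(200, { success: true, data: { accessToken: state.access,
        refreshToken: state.refresh, user: { _id: "u1", login: "admin", name: "Admin" } } });
    }
    if (path === "/api/auth/refresh") {
      if (body.refreshToken !== state.refresh)
        return reply(401, { success: false, error: "Invalid refresh token" });
      state.access = "access-2"; state.expired = false;
      return reply(200, { success: true, data: { accessToken: state.access } });
    }
    if (state.expired || bearer !== state.access)
      return reply(401, { success: false, error: "Unauthorized" });
    if (path === "/api/auth/logout") return reply(200, { success: true, data: null });
    if (path === "/api/profile") return reply(200, { success: true, data: { _id: "u1", login: "admin" } });
    return reply(404, { success: false, error: "Not found" });
  };
  fetchImpl.expireAccessToken = () => { state.expired = true; };
  return fetchImpl;
}

// Whole flow: login, let the access token expire, watch request() refresh and retry.
async function demo() {
  const fake = makeFakeFetch();
  const client = new ApiClient("http://localhost:3001", fake);
  const user = await client.login("admin", "Admin123!");
  const first = client.accessToken;
  fake.expireAccessToken();
  const profile = await client.request("/api/profile");
  const after = client.accessToken;
  await client.logout();
  return { user, profile, first, after, loggedOut: client.accessToken === null };
}
```

Two design points worth copying: `request()` retries at most once, so a server that keeps answering 401 cannot make the client loop, and `logout()` clears both tokens in a `finally` so a failed logout call never leaves credentials in memory.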


Health & CSRF

GET /api/health

{ "success": true, "status": "ok", "timestamp": "..." }

GET /api/csrf-token

Returns CSRF token (cookie-based).


Users

Permission: manage_users or view

GET /api/users

Query    Type     Description
page     number   Page number (default 1)
limit    number   Items per page (default 20)
search   string   Search name, login, email, status

GET /api/users/:id

POST /api/users

Permission: manage_users

Body: { login, email, password, name, status?, groupIds? }

PUT /api/users/:id

Body: { login?, email?, password?, name?, status?, groupIds? }

DELETE /api/users/:id


Groups (RBAC)

GET /api/groups

Permission: view

POST /api/groups

Permission: manage_users

Body: { name, description?, permissions: string[] }

PUT /api/groups/:id

DELETE /api/groups/:id

Cannot delete system groups.


Profile

GET /api/profile

Current authenticated user.

PUT /api/profile

Update own profile (no group/status changes).


Endpoints

Permission: manage_api or view

GET /api/endpoints

Query    Default
page     1
limit    50

GET /api/endpoints/:id

POST /api/endpoints

Body:

{
  "name": "Products",
  "description": "Product list",
  "slug": "products",
  "path": "/api/products",
  "method": "GET",
  "accessType": "authenticated",
  "groupId": "optional-group-id",
  "schema": [
    { "name": "title", "type": "string", "required": true, "order": 0 },
    { "name": "categoryId", "type": "reference", "refEndpointId": "<target-endpoint-id>", "order": 1 }
  ],
  "networkAccess": {
    "enabled": true,
    "allowedDomains": ["app.example.com", "*.example.com"],
    "allowedIpRanges": ["10.0.0.0/8", "203.0.113.50"]
  },
  "inheritGroupNetworkAccess": true,
  "enabled": true
}

Field                          Description
networkAccess.enabled          Enable domain/IP filtering for this endpoint
networkAccess.allowedDomains   Allowed hostnames (Origin / Referer / Host)
networkAccess.allowedIpRanges  IPv4 addresses or CIDR blocks
inheritGroupNetworkAccess      Merge with parent group rules when true (default)

See Network Access.

PUT /api/endpoints/:id

Same fields as POST (all optional).

DELETE /api/endpoints/:id

Cannot delete system endpoints.

GET /api/endpoints/:id/examples

Auto-generated request/response examples.

GET /api/endpoints/:id/docs

Auto-generated documentation object.

POST /api/endpoints/:id/test

Execute endpoint internally for testing.

Body:

{
  "body": { "name": "Test" },
  "headers": { "Origin": "https://app.example.com" },
  "clientIp": "203.0.113.10",
  "applyNetworkAccess": true
}

Field               Description
body                Request body for POST/PUT/PATCH
headers             Optional headers (e.g. simulate Origin)
clientIp            Simulated client IP for network rule checks
applyNetworkAccess  When true, enforce network access rules during test

By default the tester skips network rules so admins can debug freely; send applyNetworkAccess: true to confirm that a rule set actually admits or rejects the simulated Origin and clientIp before relying on it in production.


Endpoint Groups

GET /api/endpoints/groups

POST /api/endpoints/groups

Body:

{
  "name": "Internal",
  "description": "Internal APIs",
  "icon": "folder",
  "color": "#0891b2",
  "order": 0,
  "networkAccess": {
    "enabled": true,
    "allowedDomains": ["app.example.com"],
    "allowedIpRanges": ["10.0.0.0/8"]
  }
}

Group-level networkAccess applies to every endpoint in the group that inherits rules (inheritGroupNetworkAccess: true, the default); an endpoint that sets it to false is governed by its own networkAccess only.
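The endpoint and group definitions above give the rule shape (allowedDomains with `*.` wildcards, allowedIpRanges as single IPv4 addresses or CIDR blocks, and inheritGroupNetworkAccess merging the two levels) but not the matching semantics. The code below is an added example of one way to evaluate those rules for a request; it is not the project's implementation. Its `request` argument mirrors the /test body (`headers`, `clientIp`). Assumptions where the page is silent: `*.example.com` matches subdomains only, not the bare apex; an inheriting endpoint gets the union of its own and its group's lists; an empty list is not evaluated and every non-empty list must be satisfied; `clientIp` is the socket peer address (only trust X-Forwarded-For behind a proxy you control); IPv4 only.

```javascript
// Added example (not the project's code): evaluating networkAccess rules.
function ipv4ToNumber(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);             // plain Number: no signed 32-bit overflow
  }
  return n;
}

// "203.0.113.50" is treated as a /32; "10.0.0.0/8" as a CIDR block.
function ipInRange(ip, range) {
  const [base, bitsStr] = String(range).split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const ipN = ipv4ToNumber(ip), baseN = ipv4ToNumber(base);
  if (ipN === null || baseN === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const blockSize = 2 ** (32 - bits);
  return Math.floor(ipN / blockSize) === Math.floor(baseN / blockSize);
}

// Assumed wildcard semantics: "*.example.com" matches "app.example.com",
// not "example.com" and not "notexample.com" (the dot forces a label boundary).
function hostMatches(host, pattern) {
  host = host.toLowerCase(); pattern = pattern.toLowerCase();
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1);     // ".example.com"
    return host.length > suffix.length && host.endsWith(suffix);
  }
  return host === pattern;
}

// Hostnames from Origin and Referer (URLs) and Host (host[:port]); header names are case-insensitive.
function requestHosts(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const hosts = [];
  for (const name of ["origin", "referer"]) {
    if (!h[name]) continue;
    try { hosts.push(new URL(h[name]).hostname); } catch { /* malformed header: ignore it */ }
  }
  if (h.host) hosts.push(h.host.replace(/:\d+$/, ""));
  return hosts;
}

// Merge endpoint rules with the group's when inheritGroupNetworkAccess is true (the default).
function effectiveRules(endpoint, group) {
  const own = endpoint.networkAccess && endpoint.networkAccess.enabled ? endpoint.networkAccess : null;
  const inherit = endpoint.inheritGroupNetworkAccess !== false;
  const parent = inherit && group && group.networkAccess && group.networkAccess.enabled
    ? group.networkAccess : null;
  if (!own && !parent) return null;      // no filtering configured at either level
  const merge = (key) => [...(own ? own[key] || [] : []), ...(parent ? parent[key] || [] : [])];
  return { allowedDomains: merge("allowedDomains"), allowedIpRanges: merge("allowedIpRanges") };
}

function checkNetworkAccess(endpoint, group, request) {
  const rules = effectiveRules(endpoint, group);
  if (!rules) return { allowed: true, reason: "no network rules configured" };
  if (rules.allowedDomains.length > 0) {
    const hosts = requestHosts(request.headers || {});
    if (!hosts.some((h) => rules.allowedDomains.some((p) => hostMatches(h, p))))
      return { allowed: false, reason: `host(s) [${hosts.join(", ")}] not in allowedDomains` };
  }
  if (rules.allowedIpRanges.length > 0 &&
      !rules.allowedIpRanges.some((r) => ipInRange(request.clientIp, r)))
    return { allowed: false, reason: `client IP ${request.clientIp} not in allowedIpRanges` };
  return { allowed: true, reason: "matched network rules" };
}

// Constructed definitions echoing the request bodies shown on this page.
const GROUP = { networkAccess: { enabled: true, allowedDomains: ["app.example.com"], allowedIpRanges: ["10.0.0.0/8"] } };
const ENDPOINT = {
  networkAccess: { enabled: true, allowedDomains: ["*.example.com"], allowedIpRanges: ["203.0.113.50"] },
  inheritGroupNetworkAccess: true,
};
```

A caveat a practitioner should keep in mind when relying on the domain side of these rules: Origin, Referer and Host are set by the client, so any non-browser caller can forge them. Domain rules constrain well-behaved browsers (useful against cross-site abuse); the IP ranges are the only part of the rule set a remote attacker cannot simply choose.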

PUT /api/endpoints/groups/:id

DELETE /api/endpoints/groups/:id


Dashboard

GET /api/dashboard/stats

Permission: view

Returns users, endpoints, requests/errors (last 7 days), automation counts (cron, webhooks, API keys, MCP tools), 7-day charts (requests, errors, logins, webhook deliveries, cron runs, traffic by source), and automationHealth (failed cron jobs, webhook errors, unused API keys).

GET /api/dashboard/system

Permission: view

Server OS, CPU, memory, disk, network info, plus cronJobsActive and cronJobsTotal.

GET /api/dashboard/logs

Permission: view_logs

Query         Description
page, limit   Pagination
action        Filter: login, error, api_call, webhook_dispatch, cron_run, mcp_call, api_key_used, etc.
search        Search message, action, source, IP

Settings

Permission: manage_users or manage_api

GET /api/settings

Returns settings object + logsCount.

PUT /api/settings

Update platform settings (auth, rate limits, pagination defaults, log retention).

DELETE /api/settings/logs

Clear all audit logs.

DELETE /api/settings/logs/old

Clear logs older than retention period.


Database API (raw MongoDB)

Requires manage_users. Browse whitelisted collections as JSON.

GET /api/database/collections

List collections with document counts.

GET /api/database/collections/:name

Query: page, limit, search

GET /api/database/collections/:name/:id

Single document by _id.

POST /api/database/collections/:name

Create document. Body: raw JSON object.

PUT /api/database/collections/:name/:id

Replace/update document fields. Body: JSON (without _id).

DELETE /api/database/collections/:name/:id

Delete document.

See Database Explorer for collection list and security notes.


Dynamic Endpoints (Runtime)

Any path matching a registered endpoint definition is handled by the dynamic engine.

GET /api/your-path

Returns a paginated list of the records stored under that endpoint's path (its resourcePath).

Query               Description
page, limit         Pagination (default 1, 20)
populate=true       Expand all reference fields to embedded objects
populate=fieldName  Expand one or more fields (comma-separated)

Example: GET /api/products?populate=categoryId

GET /api/your-path/:id

Returns single record by MongoDB _id. Supports the same populate query parameters.

POST /api/your-path

Creates record. Body validated against endpoint schema.

For schema fields of type reference, the value must be the _id of an existing record in the linked target endpoint (refEndpointId). Invalid or missing references return 400.

PUT /api/your-path/:id

Updates record.

PATCH /api/your-path/:id

Partial update.

DELETE /api/your-path/:id

Deletes record.
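The POST and PATCH descriptions above say the body is validated against the endpoint schema, that reference fields must point at an existing record in the target endpoint, and that PATCH is a partial update. The validator below is an added example of that check, not the project's own code. It works on the schema shape shown in the POST /api/endpoints body (`name`, `type`, `required`, `order`, `refEndpointId`) and assumes four field types (string, number, boolean, reference); `lookupRecord(endpointId, id)` is a hypothetical store lookup returning true when a record with that _id exists; the schema, store contents and sample bodies are constructed for the example. Fields the schema does not declare are rejected, which also stops keys such as `$where` from reaching MongoDB as operators.

```javascript
// Added example (not the project's validator). Returns { ok: true, record } with
// only the declared, validated fields, or { ok: false, status: 400, errors }.
const OBJECT_ID = /^[0-9a-f]{24}$/i;   // Mongo _id as a 24-hex-char string

function validateBody(schema, body, lookupRecord, { partial = false } = {}) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, status: 400, errors: ["body must be a JSON object"] };
  }
  const errors = [];
  const declared = new Set(schema.map((f) => f.name));
  for (const key of Object.keys(body)) {
    if (!declared.has(key)) errors.push(`unknown field "${key}"`);   // blocks "$where", "__proto__", typos
  }
  const record = {};
  for (const field of [...schema].sort((a, b) => a.order - b.order)) {
    const value = body[field.name];
    if (value === undefined || value === null) {
      if (field.required && !partial) errors.push(`"${field.name}" is required`);  // PATCH may omit fields
      continue;
    }
    let err = null;
    switch (field.type) {
      case "string":
        if (typeof value !== "string") err = "must be a string";
        break;
      case "number":
        if (typeof value !== "number" || !Number.isFinite(value)) err = "must be a finite number";
        break;
      case "boolean":
        if (typeof value !== "boolean") err = "must be a boolean";
        break;
      case "reference":
        // Type and format check first, so an object like {"$gt": ""} never reaches the store lookup.
        if (typeof value !== "string" || !OBJECT_ID.test(value)) err = "must be a record id";
        else if (!lookupRecord(field.refEndpointId, value))
          err = `references a record that does not exist in endpoint ${field.refEndpointId}`;
        break;
      default:
        err = `has unsupported schema type "${field.type}"`;
    }
    if (err) errors.push(`"${field.name}" ${err}`);
    else record[field.name] = value;
  }
  return errors.length > 0 ? { ok: false, status: 400, errors } : { ok: true, record };
}

// Constructed schema and in-memory store standing in for the real endpoint collections.
const PRODUCT_SCHEMA = [
  { name: "title", type: "string", required: true, order: 0 },
  { name: "categoryId", type: "reference", refEndpointId: "categories-endpoint", order: 1 },
  { name: "price", type: "number", required: false, order: 2 },
];
const STORE = { "categories-endpoint": new Set(["64b7f0c2a1d2e3f4a5b6c7d8"]) };
const lookupRecord = (endpointId, id) => STORE[endpointId] !== undefined && STORE[endpointId].has(id);

// POST: full validation. PATCH: pass { partial: true } so omitted required fields are accepted.
const checkProductCreate = (body) => validateBody(PRODUCT_SCHEMA, body, lookupRecord);
const checkProductPatch = (body) => validateBody(PRODUCT_SCHEMA, body, lookupRecord, { partial: true });
```

Only `record` (the validated, declared fields) should be handed to the database layer; passing the raw body through, even after validation passes, would reintroduce whatever the unknown-key check just rejected.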

Access types

Type           Requirement
public         No authentication
authenticated  Valid JWT
group          JWT + user in allowedGroupIds

Response format

{
  "success": true,
  "data": { ... },
  "meta": { "page": 1, "limit": 20, "total": 100 }
}