API reference
Auto-generated from docs/openapi.snapshot.json. Each endpoint has
a dedicated page with parameters, request body, response shapes, and
code samples in TypeScript, Python, and curl.
account_ssh_keys
admin_agent_conversations
admin_matrix
GET/v1/admin/matrixPATCH/v1/admin/plans/{slug}/features/{key}DELETE/v1/admin/plans/{slug}/features/{key}
admin_org_detail
GET/v1/admin/orgs/{id}GET/v1/admin/orgs/{id}/auditGET/v1/admin/orgs/{id}/billingGET/v1/admin/orgs/{id}/credits-ledgerGET/v1/admin/orgs/{id}/instancesGET/v1/admin/orgs/{id}/plan-historyGET/v1/admin/orgs/{id}/usage
admin_orgs
admin_overview
admin_parallel_runs
admin_seeds
admin_simulations
POST/v1/admin/simulations/cache-dry-runPOST/v1/admin/simulations/fake-clockPOST/v1/admin/simulations/replay-user
admin_stripe
admin_system
agent
GET/v1/agent/conversationsPOST/v1/agent/conversationsGET/v1/agent/conversations/{id}GET/v1/agent/conversations/{id}/messagesPOST/v1/agent/conversations/{id}/messagesGET/v1/agent/conversations/{id}/stream
api_keys
audit
auth
POST/v1/auth/forgot-passwordPOST/v1/auth/loginGET/v1/auth/login/magic-link/consume —GET /v1/auth/login/magic-link/consume?token=…— consume a magic link and finish signing in.POST/v1/auth/login/magic-link/request —POST /v1/auth/login/magic-link/request— request a sign-in email.POST/v1/auth/login/mfaPOST/v1/auth/login/mfa/send-codeGET/v1/auth/login/mfa/state —GET /v1/auth/login/mfa/state?challenge_token=…— read the factor list and expiry for a pending login challenge.POST/v1/auth/login/mfa/webauthn/begin —POST /v1/auth/login/mfa/webauthn/begin— challenge-token authenticated. Returns theRequestChallengeResponsefornavigator.credentials.get.POST/v1/auth/login/mfa/webauthn/finish —POST /v1/auth/login/mfa/webauthn/finish— complete the authentication ceremony. Sets session cookies on success (mirrorsverify_loginfor the code-based factors).POST/v1/auth/logoutGET/v1/auth/mePATCH/v1/auth/meDELETE/v1/auth/me — Soft-delete the calling user's account. Seeaccount_deletionmodule docs for the full cascade. Always returns 204 No Content on success and clears both auth cookies on the response — the next request from the (now-deleted) browser will be unauthenticated.POST/v1/auth/me/email —POST /v1/auth/me/email— request email change. Sudo-gated. The response is a constant message regardless of conflict outcome (we silently no-op when the new address is already in use, so this endpoint cannot enumerate accounts).POST/v1/auth/me/email/confirm —POST /v1/auth/me/email/confirm— consume the emailed confirmation token. The link is the proof; no sudo required (the user proved control of the new address by clicking the link). On success, all sessions are revoked — the user re-signs-in with the new email.POST/v1/auth/me/export — Returns every record the platform stores about the calling user as a single JSON document. Seedata_exportmodule docs for scope, caps, and sensitive-field redaction rationale.POST/v1/auth/me/passwordPOST/v1/auth/me/phone —POST /v1/auth/me/phone— change phone in one shot: the body carries the new phone AND the 6-digit OTP the user just received at that number viaPOST /v1/auth/phone/send-code. Sudo-gated.GET/v1/auth/me/sessions —GET /v1/auth/sessions— list this user's active sessions.DELETE/v1/auth/me/sessions/{id} —DELETE /v1/auth/sessions/:id— revoke a single session.POST/v1/auth/me/sessions/revoke-others —POST /v1/auth/me/sessions/revoke-others— sign out every device except the one making this request. The current session is identified by hashing the caller's access cookie; if the caller is using an API key (no access cookie), thekeepset is empty and ALL the user's sessions are revoked. Returns the count of revoked sessions.POST/v1/auth/mfa/backup-codes/regeneratePOST/v1/auth/mfa/email/enrollPOST/v1/auth/mfa/email/verifyGET/v1/auth/mfa/factorsPOST/v1/auth/mfa/factors/{id}/removePOST/v1/auth/mfa/sms/enrollPOST/v1/auth/mfa/sms/verifyPOST/v1/auth/mfa/totp/enroll/beginPOST/v1/auth/mfa/totp/enroll/finishPOST/v1/auth/mfa/webauthn/register/begin —POST /v1/auth/mfa/webauthn/register/begin— start a passkey registration ceremony. Auth-required (the user is already signed in; passkeys are a step-up factor enrollment).POST/v1/auth/mfa/webauthn/register/finish —POST /v1/auth/mfa/webauthn/register/finish— complete the registration ceremony. The new passkey is persisted as a confirmedmfa_factorsrow.GET/v1/auth/oauth/{provider}GET/v1/auth/oauth/{provider}/callbackGET/v1/auth/oauth/providersPOST/v1/auth/phone/send-codePOST/v1/auth/phone/verifyPOST/v1/auth/recovery/complete —POST /v1/auth/recovery/complete— consume a recovery token after the cooldown elapses. Removes ALL MFA factors and revokes every session. The user re-signs-in fresh and re-enrolls factors.POST/v1/auth/recovery/request —POST /v1/auth/recovery/request— request a recovery email. Always 200 with a constant message. The 24h cooldown means even a successful request can't bypass MFA in real time.POST/v1/auth/refreshPOST/v1/auth/reset-passwordPOST/v1/auth/set-passwordPOST/v1/auth/signupPOST/v1/auth/sudo —POST /v1/auth/sudo— re-verify the user's password and mint a 5-minute sudo-grant cookie. Subsequent calls to destructive routes (account deletion, MFA factor removal, billing-email change, API-key rotation) succeed only when the request also carries the sudo cookie. The cookie isHttpOnly + Secure + SameSite=Strict(NOT Lax — sudo never rides on cross-origin nav) and path-scoped to/v1.GET/v1/auth/verify-email
base_images
GET/v1/base-imagesGET/v1/base-images/{id}DELETE/v1/base-images/{id}GET/v1/base-images/defaultGET/v1/base-images/family/{family}POST/v1/base-images/family/{family}/rollbackGET/v1/base-images/family/{family}/versionsPOST/v1/images/abortPOST/v1/images/preparePOST/v1/images/promote
billing
POST/v1/admin/plans/{slug}/sync-stripeGET/v1/billingGET/v1/billing/auto-rechargePUT/v1/billing/auto-rechargePOST/v1/billing/cancelPOST/v1/billing/checkoutPOST/v1/billing/confirm-from-tokenGET/v1/billing/credits/balanceGET/v1/billing/credits/ledgerPOST/v1/billing/customer-sessionsGET/v1/billing/invoicesGET/v1/billing/payment-methodsDELETE/v1/billing/payment-methods/{id}POST/v1/billing/payment-methods/{id}/defaultPOST/v1/billing/portalPOST/v1/billing/setup-intentsPOST/v1/billing/topupGET/v1/billing/upcoming
checkpoints
GET/v1/instances/{id}/checkpointsPOST/v1/instances/{id}/checkpointsPOST/v1/instances/{id}/rollbackGET/v1/instances/{instance_id}/checkpoints/{checkpoint_id}DELETE/v1/instances/{instance_id}/checkpoints/{checkpoint_id}
compute_servers
GET/v1/admin/serversGET/v1/admin/servers/{id}POST/v1/admin/servers/{id}/drainGET/v1/admin/servers/{id}/metricsPATCH/v1/admin/servers/{id}/statusGET/v1/admin/servers/{id}/vm-storage
credit_grants
GET/v1/admin/credits-grants/{id}POST/v1/admin/credits-grants/{id}/revokeGET/v1/admin/orgs/{org_id}/credits/grantsPOST/v1/admin/orgs/{org_id}/credits/grants
entitlements
events
exec
GET/v1/instances/{id}/execPOST/v1/instances/{id}/execPOST/v1/instances/{id}/exec/stream — SSE stream of exec frames. Seeservice::streamfor frame shapes.
files
GET/v1/instances/{id}/filesPOST/v1/instances/{id}/filesPOST/v1/instances/{id}/files/editGET/v1/instances/{id}/files/list
haywire
health
GET/healthGET/health/live — Cheapest possible probe — process is up.GET/health/readyGET/health/startup
instances
GET/v1/instancesPOST/v1/instancesGET/v1/instances/{id}PATCH/v1/instances/{id}DELETE/v1/instances/{id}POST/v1/instances/{id}/fork
internal
invitations
GET/v1/auth/invitations/{token}POST/v1/auth/invitations/{token}/acceptGET/v1/orgs/{org_id}/invitationsPOST/v1/orgs/{org_id}/invitationsDELETE/v1/orgs/{org_id}/invitations/{inv_id}
lsp
members
GET/v1/orgs/{org_id}/membersPATCH/v1/orgs/{org_id}/members/{user_id}DELETE/v1/orgs/{org_id}/members/{user_id}
notifications
GET/v1/notificationsPOST/v1/notifications/{id}/readPOST/v1/notifications/read-allGET/v1/notifications/settingsPUT/v1/notifications/settings
orgs
GET/v1/orgsGET/v1/orgs/{id}GET/v1/orgs/{id}/membersGET/v1/orgs/me/ip-allowlistPOST/v1/orgs/me/ip-allowlistDELETE/v1/orgs/me/ip-allowlist/{entry_id}
parallel
GET/v1/parallel/runsPOST/v1/parallel/runsGET/v1/parallel/runs/{id}POST/v1/parallel/runs/{id}/cancelGET/v1/parallel/runs/{id}/membersGET/v1/parallel/runs/{id}/resultsGET/v1/parallel/runs/{id}/stream
port_forwards
GET/v1/instances/{id}/port-forwardsPOST/v1/instances/{id}/port-forwardsDELETE/v1/instances/{instance_id}/port-forwards/{forward_id}
probes
GET/v1/admin/probes/catalogGET/v1/admin/probes/gridGET/v1/admin/probes/runsPOST/v1/internal/probes/api-key/issue — Mint (or rotate) the probe-runner's API key.GET/v1/probes
profiles
GET/v1/profilesPOST/v1/profilesGET/v1/profiles/{id}PATCH/v1/profiles/{id}DELETE/v1/profiles/{id}
sessions
snapshots
GET/v1/instances/{id}/snapshotsPOST/v1/instances/{id}/snapshotsGET/v1/instances/{id}/snapshots/{snapshot_id}DELETE/v1/instances/{id}/snapshots/{snapshot_id}POST/v1/instances/{id}/snapshots/{snapshot_id}/restore
ssh
usage
users
vm_admin
GET/v1/admin/instancesGET/v1/admin/vmsPOST/v1/admin/vms/{id}/force-stopGET/v1/admin/vms/{id}/storage-metrics
vms
GET/v1/instances/{id}/vmPOST/v1/instances/{id}/vmDELETE/v1/instances/{id}/vmPOST/v1/instances/{id}/vm/flushPOST/v1/instances/{id}/vm/restart
webhooks
GET/v1/admin/webhooks/dlqPOST/v1/admin/webhooks/dlq/{id}/retryPOST/v1/admin/webhooks/dlq/reapPOST/v1/admin/webhooks/process-queueGET/v1/webhooksPOST/v1/webhooksGET/v1/webhooks/{id}PATCH/v1/webhooks/{id}DELETE/v1/webhooks/{id}GET/v1/webhooks/{id}/deliveriesPOST/v1/webhooks/{id}/test