Skip to content

Use Management API

The Control-Plane REST API is served by the API service on port 3000. Management routes are registered under /v1 and are protected by admin authentication.

MethodPathPurpose
GET/healthLiveness check.
GET/readyDependency and service readiness.
GET/metricsService metrics.
GET/docsOptional API docs when enabled.
ResourceCollectionItemExtra
ZonesGET, POST /v1/zonesGET, PATCH, DELETE /v1/zones/:idGET /v1/zones/:id/dcr-status
ApplicationsGET, POST /v1/zones/:zoneId/applicationsGET, PATCH, DELETE /v1/zones/:zoneId/applications/:idPOST /v1/zones/:zoneId/applications/dcr
ProvidersGET, POST /v1/zones/:zoneId/providersGET, PATCH, DELETE /v1/zones/:zoneId/providers/:id
ResourcesGET, POST /v1/zones/:zoneId/resourcesGET, PATCH, DELETE /v1/zones/:zoneId/resources/:id
AreaReadWrite
Policy validationPOST /v1/policies/validate
PoliciesGET /v1/zones/:zoneId/policies, GET /v1/zones/:zoneId/policies/:idPOST /v1/zones/:zoneId/policies, POST /v1/zones/:zoneId/policies/:id/versions, DELETE /v1/zones/:zoneId/policies/:id
Policy setsGET /v1/zones/:zoneId/policy-sets, GET /v1/zones/:zoneId/policy-sets/:id, GET /v1/zones/:zoneId/policy-sets/:id/versions/:versionId, GET /v1/zones/:zoneId/policy-sets/:id/activation-statusPOST /v1/zones/:zoneId/policy-sets, POST /v1/zones/:zoneId/policy-sets/:id/versions, POST /v1/zones/:zoneId/policy-sets/:id/activate, POST /v1/zones/:zoneId/policy-sets/:id/simulate, DELETE /v1/zones/:zoneId/policy-sets/:id
Policy templatesGET /v1/policy-templates
GrantsGET /v1/zones/:zoneId/grants, GET /v1/zones/:zoneId/grants/:idPOST /v1/zones/:zoneId/grants, DELETE /v1/zones/:zoneId/grants/:id
Provider grantsPOST /v1/zones/:zoneId/provider-grants, POST /v1/zones/:zoneId/provider-grants/oauth/authorize, POST /v1/zones/:zoneId/provider-grants/revoke

Use Console when you are performing these operations interactively. Use the Admin SDK or Control API when automation needs the same management behavior.

ResourceMethods and paths
AuditGET /v1/zones/:zoneId/audit, GET /v1/zones/:zoneId/audit/by-request/:requestId, GET /v1/zones/:zoneId/audit/by-request/:requestId/explain
Admin auditGET /v1/zones/:zoneId/admin-audit
SessionsGET /v1/zones/:zoneId/sessions
Agent sessionsGET /v1/zones/:zoneId/agent-sessions (filter by status, lifecycle, label, parent_id, application_id; format=csv to export)
Step-up challengesGET /v1/zones/:zoneId/step-up-challenges, GET /v1/zones/:zoneId/step-up-challenges/:id, POST /v1/zones/:zoneId/step-up-challenges/:id/satisfy
Zone eventsZone-scoped event routes under /v1/zones/:zoneId/...
  • Use Console for human workflows and Admin SDK or Control API for automation.
  • For scoped, non-interactive provisioning, drive the Control API with a control key. See Automate Management and the controlBootstrap example.
  • Prefer declarative reconciliation over scripting individual writes: Declarative Management converges a zone from a desired-state document with idempotent apply, dry-run plan, and CI-friendly verify.
  • Policy activation and simulation are API operations, but top-level caracal runtime commands do not expose them.
  • Writes that produce downstream state changes enqueue signed Redis stream events through the API outbox.

Continue to Use Coordinator API when automation needs agent session, invocation, or delegation endpoints.