API Reference
Interactive API documentation for all oCore endpoints
Full interactive API documentation with request/response examples and a testing playground is planned. It will be auto-generated from the oCore OpenAPI specification. In the meantime, this page provides an overview of the available endpoints and conventions.
Endpoint Categories
oCore exposes a RESTful JSON API under the /api prefix. All endpoints require authentication unless noted otherwise. Tenant-scoped endpoints require an X-Org-Slug header to identify the organization.
| Category | Prefix | Description | Guide |
|---|---|---|---|
| Authentication | /api/auth | Login, signup, token refresh, TOTP, password reset | Security |
| User | /api/user | Current user profile, 2FA, sessions, SSH keys, passkeys | Security |
| Organizations | /api/org | Get, update, and delete the current organization | Organizations |
| Team Members | /api/members | Invite, list, update roles, and remove members | Team Management |
| Roles and Permissions | /api/roles | Manage custom roles and permission assignments | Roles and Permissions |
| Servers | /api/servers | Register, validate, list, and remove servers | Servers |
| Projects | /api/projects | Group instances into projects and environments | Projects |
| Instances | /api/instances | Provision, configure, start, stop, and delete Odoo instances | Instances |
| Deployments | /api/projects/:projectId/deployments | List deployments, trigger builds, and rollback | Deployments |
| Environments | /api/environments | Manage project environments (staging, production) | Projects |
| Databases | /api/instances/:id/database | Manage PostgreSQL databases, config, metrics, and replicas | Databases |
| Backups | /api/environments/:env_id/backups | Schedule, list, and restore backups | Backups |
| Domains | /api/instances/:id/domains | Configure custom domains and TLS certificates | Domains and DNS |
| API Keys | /api/api-keys | Create and manage programmatic API keys | API Keys |
| Webhooks | /api/webhook-endpoints | Register webhook endpoints for event notifications | Webhooks |
| Audit Logs | /api/audit-logs | Query the organization audit trail | Audit Logs |
| Admin | /api/admin | Server admin panel: users, orgs, settings, jobs | — |
Authentication
oCore supports two authentication methods:
JWT Bearer Tokens
All browser and CLI sessions use short-lived JWT access tokens obtained through the /api/auth/login endpoint. Include the token in the Authorization header:
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
-H "X-Org-Slug: my-org" \
https://ocore.example.com/api/serversAccess tokens expire after 1 hour (configurable via JWT_ACCESS_EXPIRY). Use the /api/auth/refresh endpoint with your refresh token to obtain a new access token without re-authenticating.
API Keys
For server-to-server integrations and CI/CD pipelines, create a long-lived API key from the dashboard or via the API. API keys are scoped to an organization and respect the same role-based permissions as regular users.
curl -H "Authorization: Bearer ocore_k_abc123..." \
-H "X-Org-Slug: my-org" \
https://ocore.example.com/api/serversAPI keys use the same Authorization: Bearer header as JWT tokens. The backend detects the ocore_ prefix to distinguish API keys from JWT tokens automatically.
See the API Keys guide for setup instructions and best practices.
Request and Response Conventions
Content Type
All request and response bodies use application/json. Set the Content-Type header accordingly for POST, PUT, and PATCH requests.
Pagination
List endpoints support cursor-based pagination:
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIs..." \
-H "X-Org-Slug: my-org" \
"https://ocore.example.com/api/instances?limit=20&cursor=eyJpZCI6IjEyMyJ9"Responses include a next_cursor field when more results are available:
{
"data": ["..."],
"next_cursor": "eyJpZCI6IjQ1NiJ9",
"has_more": true
}Error Responses
Errors follow a consistent structure with an HTTP status code and a machine-readable error code:
{
"error": {
"code": "validation_error",
"message": "Instance name must be between 3 and 64 characters",
"details": {
"field": "name",
"constraint": "min_length"
}
}
}Common status codes:
| Status | Meaning |
|---|---|
400 | Validation error in request body or parameters |
401 | Missing or invalid authentication credentials |
403 | Authenticated but lacking required permissions |
404 | Resource not found |
409 | Conflict, such as duplicate slug or name |
422 | Request understood but cannot be processed |
429 | Rate limit exceeded |
500 | Internal server error |
Asynchronous Operations
Long-running operations like instance provisioning and server removal return 202 Accepted with a status that can be polled:
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"status": "provisioning",
"message": "Instance creation in progress"
}Use the resource detail endpoint to check progress, or configure a webhook to receive a notification when the operation completes.