REST API
Everything the frontend does goes through the JSON API under /api.
There is no separate integration surface: what the UI can do, the API
can do.
Authentication
Section titled “Authentication”The API uses cookie sessions, not API keys. Obtain a session by posting credentials, then send its cookie with every request:
curl -c cookies.txt -H 'Content-Type: application/json' \ -d '{"email":"you@example.com","password":"..."}' \ https://your-domain/api/auth/login
curl -b cookies.txt https://your-domain/api/auth/sessionPOST /api/auth/logout ends the session. Failed logins are rate-limited
per client address, 10 per minute, answered with 429 and a
Retry-After header when exceeded.
Shape of the API
Section titled “Shape of the API”- Requests and responses are JSON. Errors are
{"error": "<message>"}with a matching HTTP status. - Every route except login, logout, and plugin webhooks requires a session.
- Plugin endpoints live under
/api/plugins/<id>/, for example/api/plugins/whatsapp/conversations. GET /api/versionreports the running version.