Authentication API
Authentication and session management
The CDN Manager exposes versioned HTTP APIs under `/api` (v1 and v2), using JSON payloads by default. When sending request bodies, set `Content-Type: application/json`. Server errors typically respond with `{ "message": "..." }` where available, or an empty body with the relevant status code.
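Authentication uses a two-step flow:

1. Log in with `POST /v1/auth/login` to obtain a session (`session_id` and `session_token`).
2. Exchange the session for an access token with `POST /v1/auth/token` and `grant_type=session`.

Use the access token in `Authorization: Bearer <token>` when calling bearer-protected routes. CORS preflight (`OPTIONS`) is supported and wildcard origins are accepted by default.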
Durations such as TTLs use humantime strings (for example, 60s, 5m, 1h).
All API endpoints are relative to:
https://<manager-host>/api
The API documentation is organized by functional area:
| Guide | Description |
|---|---|
| Authentication API | Login, token exchange, logout, and session management |
| Health API | Liveness and readiness probes |
| Selection Input API | Key-value and list storage with search capabilities |
| Data Store API | Generic JSON key/value storage |
| Subnets API | CIDR-to-value mappings for routing decisions |
| Routing API | GeoIP lookups and IP validation |
| Discovery API | Host and namespace discovery |
| Metrics API | Metrics submission and aggregation |
| Configuration API | Configuration document management |
| Operator UI API | Blocked tokens, user agents, and referrers |
| OpenAPI Specification | Complete OpenAPI 3.0 specification |
All authenticated API calls follow the same authentication flow. For detailed instructions, see the Authentication API Guide.
Quick Start:
```bash
# Step 1: Log in to get a session
curl -s -X POST "https://cdn-manager/api/v1/auth/login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "Password1!"
  }' | tee /tmp/session.json
SESSION_ID=$(jq -r '.session_id' /tmp/session.json)
SESSION_TOKEN=$(jq -r '.session_token' /tmp/session.json)

# Step 2: Exchange the session for an access token
curl -s -X POST "https://cdn-manager/api/v1/auth/token" \
  -H "Content-Type: application/json" \
  -d "$(jq -nc --arg sid "$SESSION_ID" --arg st "$SESSION_TOKEN" \
    '{session_id:$sid,session_token:$st,grant_type:"session",scope:"openid"}')" \
  | tee /tmp/token.json
ACCESS_TOKEN=$(jq -r '.access_token' /tmp/token.json)

# Step 3: Call a protected endpoint
curl -s "https://cdn-manager/api/v1/metrics" \
  -H "Authorization: Bearer ${ACCESS_TOKEN}"
```
The API uses standard HTTP response codes to indicate the success or failure of an API request.
Most errors return an empty response body with the relevant HTTP status code (e.g., 404 Not Found or 409 Conflict).
In some cases, the server may return a JSON body containing a user-facing error message:
```json
{
  "message": "Human-readable error message"
}
```
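The two-step flow and the error format described above, as a small Python client. This is an added example, not part of the CDN Manager documentation or code. It keeps the session and access token in memory and raises on an HTTP error or a missing field, rather than carrying an empty or `null` value into the next request. The `ApiError` class, the helper names and the injectable `post` transport are assumptions of this example; endpoint paths and field names are taken from the Quick Start.

```python
import json
import urllib.error
import urllib.request

BASE = "https://cdn-manager/api"  # host from the Quick Start; adjust for your deployment

class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(f"HTTP {status}: {message or '(empty body)'}")
        self.status, self.message = status, message

def parse_error(status, body):
    """Error bodies are either empty or {"message": "..."}; handle both."""
    try:
        msg = json.loads(body).get("message") if body else None
    except (ValueError, AttributeError):  # not JSON, or JSON that is not an object
        msg = None
    return ApiError(status, msg)

def http_post(url, payload):
    """Default transport (hypothetical helper): POST JSON, return (status, body bytes)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry a status and maybe a body
        return e.code, e.read()

def post_json(post, path, payload, required):
    status, body = post(BASE + path, payload)
    if not 200 <= status < 300:
        raise parse_error(status, body)
    data = json.loads(body) if body else {}
    missing = [k for k in required if not data.get(k)]
    if missing:  # never forward an absent or null credential to the next step
        raise ApiError(status, f"response missing {missing}")
    return data

def get_access_token(email, password, post=http_post):
    """Step 1: login for a session. Step 2: exchange it with grant_type=session."""
    s = post_json(post, "/v1/auth/login", {"email": email, "password": password},
                  ("session_id", "session_token"))
    t = post_json(post, "/v1/auth/token",
                  {"session_id": s["session_id"], "session_token": s["session_token"],
                   "grant_type": "session", "scope": "openid"}, ("access_token",))
    return t["access_token"]
```

Pass the returned token as `Authorization: Bearer <token>`; nothing is written to disk, so no session or token file is left behind in `/tmp`.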