Gateway
This document describes the HTTP API available in the Spokes server, currently in beta. Use this API alongside the webhooks to dynamically monitor and manage tunnels and requests processed by the system.
The API allows external systems to manage critical authentication keys, such as registration tokens. You can query tunnels to monitor their state, traffic rules, client configurations, and bandwidth statistics. Additionally, users can be imported, enabling Spokes administrators to create and link tunnels with users from different domains.
Request Header Requirements
All API requests must include the following headers:
Content-Type: application/json
Accept: application/json
The admin API only accepts requests and returns responses in JSON format.
Authentication
Before using any other APIs outlined in this document, clients must authenticate. This process occurs only once. Upon successful authentication, the Spokes server upgrades the client’s web session. Future API calls that maintain cookies will remain authenticated.
Please note that cookies expire after 24 hours or when the client calls the logout endpoint.
Auth
To authenticate, you’ll need to use an administrative token, which must be included in the key parameter. Admin tokens can be created in the Spokes dashboard.
HTTP Method
POST
URL
/api/admin/v1.0/auth
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
key |
string | Yes | The API key, which can be created in the Spokes dashboard under the API section. |
Example Request Body
{
"key": "34a7fb347ef9dc7238788eaa3e1bd954ca3dd7ffc0dfd42901de90f9a52ed663"
}
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates the success of the operation. Returns true if authenticated; otherwise, false. |
message |
string | Yes | Status message about the authentication operation. |
error |
string | Yes | Contains error details if status is false. |
Example Response Body
{
"status": true,
"message": "User authenticated",
"error": ""
}
Logout
This endpoint destroys the web session for the client.
HTTP Method
GET
URL
/api/admin/v1.0/logout
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates the success of the operation. Returns true if the session is successfully closed; otherwise, false. |
message |
string | Yes | More information about the logout operation. |
Example Response Body
{
"status": true,
"message": "Session closed"
}
Licenses
This section provides endpoints for monitoring and managing software licenses. Clients can request information about the current license, including the maximum number of tunnels allowed and its expiration date.
Info
Retrieve details about the current license. If the status value is false, it indicates that no valid license is available on the server. In this case, new tunnels cannot be created, and existing tunnels will be unable to reconnect to the server.
When a valid license is present, you will receive the maximum number of active tunnels allowed and the license’s expiration time.
HTTP Method
GET
URL
/api/admin/v1.0/license/info
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal errors. |
error |
string | Yes | Error message provided by the server when status is false. |
maxTunnels |
integer | Yes | The maximum number of tunnels that can be active at any given time. |
expires |
string | Yes | Timestamp indicating when the license will expire. |
Example Response Body
{
"status": true,
"error": "",
"maxTunnels": 1000,
"expires": "2021-01-26T22:16:08.899460303Z"
}
Tokens
Spokes manages several types of tokens in the backend, including API tokens, registration tokens, and authentication tokens.
- API Tokens: Used to authenticate administrators through the admin HTTP API.
- Registration Tokens: Acts as a secret key for clients to register new tunnels, resulting in the creation of a tunnel and an associated authentication token.
- Authentication Tokens: These tokens authenticate and identify tunnels during their operation.
The API endpoints in this section specifically focus on the management of registration tokens.
Create
Clients can use registration tokens to create tunnels and request authentication tokens. By default, registration tokens are inactive but can be set to active in the request.
The resulting token is returned upon a successful operation.
HTTP Method
POST
URL
/api/admin/v1.0/token/registration/create
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
description |
string | Yes | A description for the registration token. |
active |
boolean | No | Tokens are inactive by default; specify this flag to activate them. |
Example Request Body
{
"description": "smart refrigerator factory token",
"active": true
}
Example Response Body
{
"status": true,
"error": "",
"token": {
"id": "d6c52563f18f47ae9714b3a5a972fe0e",
"created": "2021-01-26T22:16:08.899460303Z",
"modified": "2021-01-26T22:16:08.899460388Z",
"active": true,
"description": "smart refrigerator factory token",
"value": "..."
}
}
List
Retrieve a list of all registration tokens in the system. A detailed description of the token data type can be found at the end of this document.
HTTP Method
GET
URL
/api/admin/v1.0/token/registration/list
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any errors. |
error |
string | Yes | Error message provided by the server when status is false. |
tokens |
array | Yes | A list of registration tokens. |
Example Response Body
{
"status": true,
"error": "",
"tokens": [
{
"id": "814df88c3c664d4e90425c065057faa3",
"created": "2020-10-28T22:51:58.485820183Z",
"modified": "2020-10-28T22:51:58.485820289Z",
"active": true,
"description": "shorter token",
"value": "..."
},
{
"id": "d6c52563f18f47ae9714b3a5a972fe0e",
"created": "2021-01-26T22:16:08.899460303Z",
"modified": "2021-01-26T22:16:08.899460388Z",
"active": true,
"description": "this tunnel is a test",
"value": "..."
}
]
}
Delete
This operation deletes the specified registration token from the backend.
HTTP Method
POST
URL
/api/admin/v1.0/token/registration/delete
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
tokenID |
string | Yes | The unique ID for the registration token. |
Example Request Body
{
"tokenID": "d6c52563f18f47ae9714b3a5a972fe0e"
}
Example Response Body
{
"status": true,
"error": ""
}
Edit
This operation allows for updating the description and active state of a registration token. Existing values, such as the description, must be retained even if only modifying the active property.
HTTP Method
POST
URL
/api/admin/v1.0/token/registration/edit
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
tokenID |
string | Yes | The unique ID for the registration token. |
description |
string | Yes | An updated description for the token. |
active |
boolean | No | Boolean flag to set the token as active or inactive. |
Example Request Body
{
"tokenID": "d6c52563f18f47ae9714b3a5a972fe0e",
"description": "updated description",
"active": true
}
Example Response Body
{
"status": true,
"error": ""
}
Tunnels
In this section we describe the various endpoints for retrieving information about the tunnels that are being managed by the Spokes server. These operations include retrieving basic tunnel information, detailed information about individual tunnels, and shutting tunnels down.
Tunnel objects via the active, online, search or list-all endpoints will be paginated when there are more than 50 objects results. Page objects are stored in the links property of tunnel responses and include the page number, number of objects in the page, and the URL that can be used to retrieve the listing of objects for the page.
The tunnel and page objects are both described in more detail in data types section of this document.
Active Tunnels
Active tunnels are those that are in use but not necessarily online. Effectively these are tunnels that have not been shut down (deleted).
HTTP Method
GET
URL
/api/admin/v1.0/tunnel/list/active
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal system errors |
error |
string | Yes | Error message set by server when status is set to false |
total |
integer | Yes | Total number of links across paginated results. |
tunnels |
array | Yes | List of active tunnels. |
links |
array | Yes | 1-n objects returned with URL to retrieve paginated responses. |
Example Response Body
{
"status": true,
"error": "",
"tunnels": [
{
"id": "669462bbfd344addba295215e25bea46",
"userID": "eebd6a453f454420b4bbd11ae037d5b8",
"created": "2020-10-30T01:19:38.001079502Z",
"lastActive": "2021-01-27T20:09:29.272137844Z",
"state": 2,
"uptime": 11609,
"bandwidth": {
"daily": 0,
"monthly": 103014490
},
"name": "unnamed",
"hostname": "windows-10-01.packetdemo.com",
"address": "123.4.5.6",
"version": "v0.10.5",
"os": "windows",
"arch": "amd64"
},
{
"id": "d5ce2469fe56458aa796f209980a13e4",
"userID": "0ad89e85d46844d08c3b63e4550a96f1",
"created": "2021-01-15T20:30:54.344469319Z",
"lastActive": "2021-01-27T20:09:43.118743093Z",
"state": 2,
"uptime": 11655,
"bandwidth": {
"daily": 4348,
"monthly": 1832554220
},
"name": "unnamed",
"hostname": "rasp-pi-123.packetdemo.com",
"address": "123.4.5.7",
"version": "v0.10.7",
"os": "linux",
"arch": "amd64"
}
]
}
Online Tunnels
Online tunnels are currently connected to the Spokes server.
HTTP Method
GET
URL
/api/admin/v1.0/tunnel/list/online
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal system errors |
error |
string | Yes | Error message set by server when status is set to false |
total |
integer | Yes | Total number of links across paginated results. |
tunnels |
array | Yes | List of tunnels that are currently online and connected to the Spokes server. |
links |
array | Yes | 1-n objects returned with URL to retrieve paginated responses. |
Example Response Body
{
"status": true,
"error": "",
"totals": 2,
"tunnels": [
{
"id": "669462bbfd344addba295215e25bea46",
"userID": "eebd6a453f454420b4bbd11ae037d5b8",
"created": "2020-10-30T01:19:38.001079502Z",
"lastActive": "2021-01-27T20:09:29.272137844Z",
"state": 2,
"uptime": 11609,
"bandwidth": {
"daily": 0,
"monthly": 103014490
},
"name": "unnamed",
"hostname": "windows-10-01.packetdemo.com",
"address": "123.4.5.6",
"version": "v0.10.5",
"os": "windows",
"arch": "amd64"
},
{
"id": "d5ce2469fe56458aa796f209980a13e4",
"userID": "0ad89e85d46844d08c3b63e4550a96f1",
"created": "2021-01-15T20:30:54.344469319Z",
"lastActive": "2021-01-27T20:09:43.118743093Z",
"state": 2,
"uptime": 11655,
"bandwidth": {
"daily": 4348,
"monthly": 1832554220
},
"name": "unnamed",
"hostname": "rasp-pi-123.packetdemo.com",
"address": "123.4.5.7",
"version": "v0.10.7",
"os": "linux",
"arch": "amd64"
}
]
}
List All
This operation will return all tunnels that Spokes has stored in its database. It will include tunnels that have been shut down.
HTTP Method
GET
URL
/api/admin/v1.0/tunnel/list
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal system errors |
error |
string | Yes | Error message set by server when status is set to false |
total |
integer | Yes | Total number of links across paginated results. |
tunnels |
array | Yes | List of all tunnels in the database. |
links |
array | Yes | 1-n objects returned with URL to retrieve paginated responses. |
Example Response Body
{
"status": true,
"error": "",
"totals": 10,
"tunnels": [
...
]
}
Search Tunnels
This operation will use the term and filters for OS, architecture, and version to search across all active tunnels. The term will be compared as a string and sub-string against the tunnel name, hostname, and IP address. The OS, architecture, and version will be applied as filtering criteria and are used in conjunction with each other.
HTTP Method
POST
URL
/api/admin/v1.0/tunnel/search
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
term |
string | No | A search term that is used for string and sub-string search for tunnel name, hostname, or host IP address. |
os |
string | No | Filter based on operating system: windows, macos, linux, freebsd. |
arch |
string | No | Filter based on architecture: amd64, i386, arm32, arm64. |
version |
string | No | Filter based on client version, examples: v0.10.3, v1.0.22. |
Example Requests
Search for a hostname.
{
"term": "host-123.spokes.example.com"
}
Search for v1.0.0 Linux clients running on amd64 architecture.
{
"os": "linux",
"version": "v1.0.0",
"arch": "amd64"
}
Search clients with host IP address of 1.2.3.4.
{
"term": "1.2.3.4"
}
Search clients with the substring testing in the name of the tunnel.
{
"term": "testing"
}
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal system errors. |
error |
string | Yes | Error message set by server when status is set to false. |
total |
integer | Yes | Total number of links across paginated results. |
tunnels |
array | Yes | List of all tunnels in the database. |
links |
array | Yes | 1-n objects returned with URL to retrieve paginated responses. |
Example Response Body
{
"status": true,
"error": "",
"totals": 10,
"tunnels": [
...
]
}
Paginated Tunnel Results
This operation will return a paginated tunnel result. When a tunnel listing: active, online, search, or list-all, is performed the results will be broken up into pages of no more than 50 objects and cached for 720 seconds. A UID is created for each page and passed as a parameter to this request.
The result will be an object identical to other tunnel listing endpoints. It will not include any values in the links property since it is part of a set of paged tunnel objects.
HTTP Method
GET
URL
/api/admin/v1.0/tunnel/page/:UID
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal system errors. |
error |
string | Yes | Error message set by server when status is set to false. |
total |
integer | Yes | Total number of links across paginated results. |
tunnels |
array | Yes | List of all tunnels in the database. |
links |
array | Yes | 1-n objects returned with URL to retrieve paginated responses. |
Example Response Body
{
"status": true,
"error": "",
"totals": 10,
"tunnels": [
...
]
}
Detailed Information
This endpoint requires an ID to identify the tunnel and will return all of the information associated with the tunnel and the active HTTP/S and TCP traffic rules that were last active when the tunnel connected.
Each time a tunnel requests traffic relays, it will record valid relays in the database. These relays will be updated each time a tunnel connects. This API will only return the last set of active traffic relays.
HTTP Method
GET
URL
/api/admin/v1.0/tunnel/info/:ID
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal system errors. |
error |
string | Yes | Error message set by server when status is set to false. |
tunnel |
object | Yes | The tunnel specified by ID. |
Example Response Body
{
"status": true,
"error": "",
"tunnel": {
"id": "669462bbfd344addba295215e25bea46",
"userID": "eebd6a453f454420b4bbd11ae037d5b8",
"created": "2020-10-30T01:19:38.001079502Z",
"lastActive": "2021-01-27T16:56:41.50859125Z",
"state": 2,
"uptime": 45,
"bandwidth": {
"daily": 0,
"monthly": 103014490
},
"name": "unnamed",
"hostname": "windows.spokes.borak.co",
"address": "100.1.17.138",
"version": "v0.10.5",
"os": "windows",
"arch": "amd64",
"https": [
{
"id": "3ef7ab59c41c453cbee46b0ce4f7f6d3",
"userID": "eebd6a453f454420b4bbd11ae037d5b8",
"tunID": "669462bbfd344addba295215e25bea46",
"active": true,
"available": true,
"secure": true,
"domainName": "windows-10-01.packetdemo.com",
"bandwidth": {
"daily": 0,
"monthly": 102993728
}
}
],
"ports": [
{
"id": "ceaf246c08884d69b61acccaf004ee27",
"userID": "eebd6a453f454420b4bbd11ae037d5b8",
"tunID": "669462bbfd344addba295215e25bea46",
"active": true,
"available": false,
"protocol": 1,
"port": 22262,
"bandwidth": {
"daily": 0,
"monthly": 0
},
"label": ""
}
]
}
}
Shutdown Tunnel
This endpoint requires an ID to identify the tunnel and will shut down the tunnel. If the tunnel is online, its session will be terminated as well.
HTTP Method
GET
URL
/api/admin/v1.0/tunnel/shutdown/:ID
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal system errors. |
error |
string | Yes | Error message set by server when status is set to false. |
Example Response Body
{
"status": true,
"error": ""
}
Authentication Token
This endpoint requires an ID to identify the tunnel and will return the authentication token for the tunnel.
One example for the case of this endpoint is to recover this value for a tunnel.
HTTP Method
GET
URL
/api/admin/v1.0/tunnel/auth/:ID
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal system errors. |
error |
string | Yes | Error message set by server when status is set to false. |
token |
object | Yes | The authentication token associated with the tunnel. |
Example Response Body
{
"status": true,
"error": "",
"token": {
"id": "d6c52563f18f47ae9714b3a5a972fe0e",
"created": "2021-01-26T22:16:08.899460303Z",
"modified": "2021-01-26T22:16:08.899460388Z",
"active": true,
"description": "",
"value": "..."
}
}
Configuration
This endpoint requires an ID to identify the tunnel. The tunnel will need to be online; if it’s not, this endpoint will return a failure, e.g. status set to false.
The configuration is fetched from the client over the tunnel. This configuration reflects how the client is configured and includes attributes such as the operating system, client version, and architecture, in addition to traffic rules.
HTTP Method
GET
URL
/api/admin/v1.0/tunnel/config/:ID
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without any internal system errors. |
error |
string | Yes | Error message set by server when status is set to false. |
config |
object | Yes | The remote client configuration. |
Example Response Body
{
"status": true,
"error": "",
"config": {
"version": "v0.10.5",
"os": "windows",
"arch": "amd64",
"https": [
{
"domain": "windows-10-01.packetdemo.com",
"secure": true,
"webRoot": "C:\\Packetriot\\www",
"useLetsEnc": true,
"redirect": true
}
],
"ports": [
{
"port": 22262,
"destination": "",
"dstPort": 0
}
]
}
}
Create / Update HTTP Site
This endpoint requires an ID to identify the tunnel and must be online; if it is not, the endpoint will return an error.
This operation will overwrite an existing traffic rule that shares the same domain (e.g., sub.example.com). If no existing rule exists, it will create a new site with the provided traffic forwarding options.
The request can include various parameters, but certain parameters cannot be mixed; for instance, destination, http, and tls parameters must be distinct from upstreamURL, which defines a URL-formatted destination.
For TLS setups, you can enable (set true) letsEncrypt and provide a custom certificate with the ca and privateKey fields.
You may also use password for passphrase logins and basicHttpAuth for user/password authentication.
These HTTP site changes are sent to the client and negotiated between it and the Spokes server. If the server rejects the request to relay the specified HTTP traffic, the API will return an error status.
HTTP Method
POST
URL
/api/admin/v1.0/tunnel/traffic/http/update/:ID
Request Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
domain |
string | Yes | Domain for HTTP/S traffic requested, e.g., example.com |
secure |
boolean | No | Indicates if HTTPS (443) traffic is also requested. |
upstreamURL |
string | No | URL of the upstream destination server. |
webroot |
string | No | Local file system path for serving static content. |
destination |
string | Yes | Host or IP address to forward traffic to. |
port |
integer | Yes | Destination port for forwarding HTTP (plain-text) traffic. |
tls |
integer | No | Port for forwarding TLS traffic. |
useLetsEnc |
boolean | No | Boolean flag indicating the use of Let’s Encrypt for TLS certificates. |
ca |
string | No | Base64 encoded value of a custom certificate authority. |
privateKey |
string | No | Base64 encoded value of the private key. |
redirect |
boolean | No | Flag to indicate whether HTTP traffic should be redirected to HTTPS. |
password |
string | No | Salted-hash of password to permit traffic. |
basicHttpAuth |
string | No | Salted-hash of user:password (HTTP basic auth). |
rewriteHost |
string | No | Value to rewrite the Host header. |
redirectURL |
string | No | URL to which all incoming requests should be redirected. |
insecureUpstream |
boolean | No | Flag indicating if an insecure TLS certificate is accepted. |
firewall |
array | No | List of firewall rules applied to incoming traffic. |
Example Request Body
{
"sites": [{
"domain": "host-123.spokes.example.com",
"destination": "127.0.0.1",
"port": 8080,
"redirect": false
}]
}
Example Response Body
{
"status": true
}
Remove HTTP Site
This endpoint requires an ID to identify the tunnel. The tunnel must be online; otherwise, the request will return an error.
This operation removes the specified HTTP site rule, meaning that future traffic to the designated domains will not be routed to the tunnel.
These changes are communicated to the client and negotiated between the client and the Spokes server. If the server successfully drops the traffic relays, it will update the client to reflect this change and respond with a success status.
HTTP Method
POST
URL
/api/admin/v1.0/tunnel/traffic/http/remove/:ID
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
domains |
array | Yes | A list of domain names to be removed from the allowed list. |
Example Request Body
{
"domains": [
"host-123.spokes.example.com"
]
}
Example Response Body
{
"status": true
}
Ports
This section describes the HTTP API endpoints for managing ports, which includes the range of ports available for allocation and a list of currently allocated ports.
A pool of ports is configured on the host and Spokes server, which can be utilized for listening and forwarding to tunnels. Port allocations are requested by tunnels during their configuration and upon establishing new sessions.
Port Range
Fetch the configured port range on the server. Note that port allocations requested by clients are served from this pool of available ports.
HTTP Method
GET
URL
/api/admin/v1.0/port/range
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without internal errors. |
error |
string | Yes | Error message provided by the server when status is false. |
range |
object | Yes | Contains the start and end values for the allocatable ports. |
Example Response Body
{
"status": true,
"error": "",
"range": {
"begin": 22000,
"end": 22999
}
}
List Allocated Ports
Retrieve the list of all ports that have been allocated, including the tunnels associated with each port. The tunnel IDs returned can be used to fetch additional information about the tunnels using the /api/v1.0/admin/tunnel endpoints.
HTTP Method
GET
URL
/api/admin/v1.0/port/list
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without internal errors. |
error |
string | Yes | Error message provided by the server when status is false. |
ports |
array | Yes | List of port allocations along with their associated tunnel IDs. |
Example Response Body
{
"status": true,
"error": "",
"ports": [
{
"port": 22407,
"tunID": "302a12f268074b6990820e7db09c3a04"
},
{
"port": 22618,
"tunID": "de5e60fa29fc44adb40f38f3fbd92bf9"
}
]
}
User Management
This section describes the functionality for managing users on the Spokes server. Spokes has its own administrative users used for logging in; however, instances of Spokes can also manage tunnels for users existing in a broader software ecosystem.
Users can be imported into the Spokes server, allowing tunnels to be instantiated with attributes set by the caller. Restrictions can be placed on tunnels to limit the domains from which a user (client) can request traffic.
Tunnels associated with users can also be managed. For instance, a tunnel session can be terminated, temporarily knocking the user offline. Users can be marked in a state that drops incoming tunnel connections, which can be used to pause without deleting the user.
Other tunnel operations, such as retrieving detailed information, remote client configuration, or shutting tunnels down, can be performed using the /api/v1.0/admin/tunnel endpoints.
List Users
This endpoint lists all users imported or created on the system, including deactivated users. Administrative users created via the CLI will not be included.
HTTP Method
GET
URL
/api/admin/v1.0/user/list
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without errors. |
error |
string | Yes | Error message provided by the server when status is false. |
users |
array | Yes | A list of (basic) users. Administrative users are excluded. |
Example Response Body
{
"status": true,
"error": "",
"users": [
...
]
}
Create User
This endpoint adds a new user to the system. Parameters such as email, full name, and phone number are optional.
A user object is returned upon success, and the unique ID can be used for tracking or management outside of the Spokes server.
HTTP Method
POST
URL
/api/admin/v1.0/user/create
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
email |
string | No | Unique email address for the user, if valid. |
fullname |
string | No | Full name for the user. |
phone |
string | No | Contact number for the user. |
Example Request Body
{
"email": "user@example.com",
"fullname": "Jane Doe",
"phone": "+1-888-876-5309"
}
Example Response Body
{
"status": true,
"error": "",
"user": {
...
}
}
Edit User
This endpoint allows editing of an existing user’s attributes. All fields in the request, including empty values, will be processed.
Ensure to include existing values if you intend only to modify one attribute; otherwise, empty values will overwrite the existing data.
HTTP Method
POST
URL
/api/admin/v1.0/user/edit
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
ID |
string | Yes | Unique ID in UUIDv4 format (hyphens removed). |
email |
string | No | Updated email address for the user, if valid. |
fullname |
string | No | Updated full name for the user. |
phone |
string | No | Updated contact number for the user. |
active |
boolean | No | Boolean flag to activate or deactivate the user. |
Example Request Body
{
"userID": "34a7fb347ef9dc7238788eaa3e1bd954ca",
"email": "user@example.com",
"fullname": "Jane Doe",
"phone": "+1-888-876-5309",
"active": true
}
Example Response Body
{
"status": true,
"error": ""
}
Import User
This endpoint imports an existing user into the system and allows the caller to specify the unique 16-byte UUIDv4 ID (without hyphens).
It assumes the user already exists in an external system, providing more control over the ID for external applications.
HTTP Method
POST
URL
/api/admin/v1.0/user/import
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
ID |
string | Yes | Unique ID in UUIDv4 format (hyphens removed). |
email |
string | No | Unique email address for the user, if valid. |
fullname |
string | No | Full name for the user. |
phone |
string | No | Contact number for the user. |
Example Request Body
{
"userID": "34a7fb347ef9dc7238788eaa3e1bd954ca",
"email": "user@example.com",
"fullname": "Jane Doe",
"phone": "+1-888-876-5309"
}
Example Response Body
{
"status": true,
"error": "",
"user": {
...
}
}
Activate/Deactivate User
This endpoint activates or deactivates a user. A deactivated user is not deleted but cannot establish future tunnel sessions.
If a user’s tunnel(s) attempt to authenticate when deactivated, they will receive an error indicating that their account is disabled.
This functionality can be coupled with stopping tunnels to immediately prevent reconnections.
HTTP Method
POST
URL
/api/admin/v1.0/user/activate
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
userID |
string | Yes | Unique ID identifying the user |
active |
boolean | Yes | Boolean flag indicating whether to activate or deactivate the user |
Example Request Body
{
"userID": "34a7fb347ef9dc7238788eaa3e1bd954ca",
"active": false
}
Example Response Body
{
"status": true,
"error": ""
}
Create Tunnel
Create a tunnel associated with the user. This operation generates a tunnel instance in the backend and an associated authentication token.
The authentication token will be returned alongside the tunnel object. The caller can specify a human-readable name for the tunnel and may also provide a hostname, which can be functional if DNS records exist for the Spokes server.
HTTP Method
POST
URL
/api/admin/v1.0/user/tunnel/create
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
userID |
string | Yes | Unique ID that identifies the user |
name |
string | Yes | Human-readable name for the tunnel |
hostname |
string | No | Hostname for the tunnel. |
Example Request Body
{
"userID": "34a7fb347ef9dc7238788eaa3e1bd954ca",
"name": "hello-world tunnel",
"hostname": "hello-world.packetdemo.com"
}
Example Response Body
{
"status": true,
"error": "",
"tunnel": {
...
},
"token": {
...
}
}
Stop Tunnel
Stop a specific tunnel for the user. This action will terminate the tunnel session on the server.
The default behavior for the Packetriot client is to reconnect. If you want to prevent the client from reconnecting, consider temporarily deactivating the user before stopping the tunnel.
HTTP Method
GET
URL
/api/admin/v1.0/user/tunnel/stop/:ID
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was successfully completed without errors. |
error |
string | Yes | Error message provided by the server when status is false. |
Example Response Body
{
"status": true,
"error": ""
}
List User’s Tunnels
Retrieve all active tunnels associated with the user’s unique ID. The returned tunnel objects are shallow and do not include detailed information such as the HTTP or Port traffic relays active at the time.
More detailed information can be fetched using the /api/v1.0/admin/tunnel endpoints.
HTTP Method
GET
URL
/api/admin/v1.0/user/tunnel/list/:ID
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was completed successfully without errors. |
error |
string | Yes | Error message provided by the server when status is false. |
tunnels |
array | Yes | List of active tunnels associated with the user. |
Example Response Body
{
"status": true,
"error": "",
"tunnels": [
...
]
}
Set Bandwidth Cap
This endpoint allows setting a monthly bandwidth cap for users. Once a user reaches their cap, their tunnels will be stopped, and future authentication attempts will fail with a bandwidth-related error.
You can also remove the cap by setting this value to zero. Bandwidth statistics reset on the first of each month at 00:00:00 UTC.
HTTP Method
POST
URL
/api/admin/v1.0/user/bandwidth/cap
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
userID |
string | Yes | Unique ID identifying the user |
max |
integer | Yes | Maximum allowable traffic (MB) for the user monthly |
Example Request Body
{
"userID": "34a7fb347ef9dc7238788eaa3e1bd954ca",
"max": 1000
}
Example Response Body
{
"status": true,
"error": ""
}
Domain Management
This section describes the management of domains associated with users. Domains are used to restrict the HTTP/S traffic that a user can request.
When no domains are associated with a user, they can request any hostname for HTTP traffic. With associated domains, the user will only be able to request traffic for hosts in the whitelist.
Allow Domains
This endpoint allows you to add domains or subdomains that the client can request. Traffic directed at allowed domains or subdomains will be accepted by the Spokes server.
Requests for any domains not included in the allow-list will be rejected.
HTTP Method
POST
URL
/api/admin/v1.0/user/domain/allow
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
userID |
string | Yes | Unique ID identifying the user |
domains |
array | Yes | List of domains or subdomains to allow |
Example Request Body
{
"userID": "34a7fb347ef9dc7238788eaa3e1bd954ca",
"domains": [
"example.com",
"packetdemo.com"
]
}
Example Response Body
{
"status": true,
"error": ""
}
Remove Domains
This endpoint allows you to remove domains from a user’s allowed list. No errors will occur if specified domains are not found in the user’s list.
HTTP Method
POST
URL
/api/admin/v1.0/user/domain/remove
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
userID |
string | Yes | Unique ID identifying the user |
domains |
array | Yes | List of domains or subdomains to remove |
Example Request Body
{
"userID": "34a7fb347ef9dc7238788eaa3e1bd954ca",
"domains": [
"example.com",
"packetdemo.com"
]
}
Example Response Body
{
"status": true,
"error": ""
}
List Allowed Domains
Retrieve the list of domains associated with a user. These are the domains that can be requested in HTTP/S traffic rules by tunnels linked to the user.
Requests for domains not in this list will be rejected by the Spokes server.
HTTP Method
GET
URL
/api/admin/v1.0/user/domain/list/:ID
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was successfully completed without errors. |
error |
string | Yes | Error message provided by the server when status is false. |
domains |
array | Yes | List of domains or subdomains associated with the user. |
Example Response Body
{
"status": true,
"error": "",
"domains": [
"example.com",
"packetdemo.com"
]
}
Reset Domain Restrictions
This endpoint removes all domain restrictions applied to a user’s tunnels when making HTTP/S traffic requests.
HTTP Method
GET
URL
/api/admin/v1.0/user/domain/reset/:ID
Response Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
status |
boolean | Yes | Indicates if the request was successfully completed without errors. |
error |
string | Yes | Error message provided by the server when status is false. |
Example Response Body
{
"status": true,
"error": ""
}
Data Types
This section defines and describes the objects returned in the responses of various HTTP API endpoints. Each subsection details the properties of the data types, their meanings, and potential use cases, ensuring clarity for users interacting with the API.
Token
The token object represents registration tokens utilized by the Packetriot client to configure new tunnels. A registration token enables the client to request the creation of an authentication token for itself.
This structure also represents other token types used in the system, such as authentication tokens and API tokens. Note that authentication tokens are not exposed through this API; they are used for authentication and leveraging the API described in this documentation.
The value of the token is essential for identification and authentication by external applications.
| Property | Description |
|---|---|
id |
Unique ID for the token. |
created |
Timestamp indicating when the token was created. |
modified |
Timestamp indicating when the token was last modified. |
active |
Indicates whether the token is active. |
description |
Description of the token. |
value |
The token value used for authentication. |
Tunnel
The tunnel object provides information about tunnels maintained dynamically by the system. These attributes are updated periodically, for example, bandwidth statistics may be slightly delayed, while HTTP and port traffic statistics are aggregated every 5 minutes.
| Property | Description |
|---|---|
id |
Unique ID for the tunnel, useful for obtaining detailed information about the tunnel and its client configuration. |
userID |
ID of the associated user; this ID relates to the user if the tunnel was created using the /api/v1.0/user APIs. When created via a registration token, it serves as a necessary artifact for the tunnel. |
created |
Timestamp of when the tunnel was created. |
lastActive |
Timestamp of the last time the tunnel was active, updated periodically during its session. |
state |
Current state of the tunnel: init (1), online (2), offline (3), shutdown (4), deleted (5). |
uptime |
The total time the tunnel has been online, measured in seconds. |
bandwidth |
Daily and monthly bandwidth statistics across all services hosted in the tunnel; monthly stats reset on the first of the month at 00:00:00 UTC. |
name |
The human-readable name assigned to the tunnel (default is unset). |
hostname |
The hostname for the tunnel, which can be functional if compatible DNS records exist; otherwise, it can be treated as a label or nickname. |
version |
Client version that the tunnel is running on. |
os |
Operating system that the client runs. |
arch |
Architecture of the system running the client (e.g., x86-64, x86-32, arm32, arm64). |
https |
List of the last active HTTP/S traffic relays associated with this tunnel. |
ports |
List of the last active port traffic relays associated with this tunnel. |
Tunnel-Link
The tunnel link object describes the pagination details created during tunnel listing operations (active, online, search, or list all). Results are paginated when more than 50 objects exist.
| Property | Description |
|---|---|
uid |
Unique ID for the paged object; used with the /api/admin/v1.0/tunnel/page/:uid endpoint to retrieve the tunnel objects stored in this page. |
order |
Sequential number for the pagination: 1-n. |
count |
Number of tunnel objects stored on the page. |
url |
Convenient URL that accesses the endpoint /api/admin/v1.0/tunnel/page/:uid to return the tunnel objects. |
HTTP Relay
The HTTP relay object describes the HTTP traffic requested by a Packetriot client and stored. It includes runtime data such as bandwidth.
| Property | Description |
|---|---|
id |
Unique ID of the HTTP/S traffic relay. |
userID |
Associated user ID; matches the user ID tied to the tunnel. |
tunID |
Unique ID of the related tunnel. |
active |
Indicates if this relay was active during the last session of the tunnel. |
available |
Indicates whether the target server for the traffic is reachable. |
secure |
Specifies if the relay is for HTTPS (tcp:443) traffic. |
domainName |
Domain for the HTTP traffic, e.g., example.com or subdomain.example.com. |
bandwidth |
Daily and monthly bandwidth statistics for the relay, reset monthly. |
Port
The port object describes the port traffic that was requested by a Packetriot client and stored, along with runtime data.
| Property | Description |
|---|---|
id |
Unique ID of the HTTP/S traffic relay. |
userID |
Associated user ID, correlating with the tunnel’s user ID. |
tunID |
Unique ID of the corresponding tunnel. |
active |
Indicates whether this relay was active when the tunnel last connected. |
available |
Indicates whether the destination of the traffic (i.e., upstream server) is accessible. |
protocol |
Transport protocol used: TCP (1) or UDP (2), noting that UDP tunneling isn’t supported currently. |
port |
Allocated port for the tunnel from the configured range. |
bandwidth |
Daily and monthly bandwidth data, reset monthly. |
Client Configuration
The client configuration object encompasses the structure that holds tunnel configurations, including https and ports attributes which store HTTP and TCP traffic rules.
| Property | Description |
|---|---|
version |
Version of the Packetriot client. |
os |
Operating system running on the client. |
arch |
Architecture: x86-64, x86-32, arm32, arm64. |
https |
List of HTTP/S traffic rules. |
ports |
List of TCP traffic rules. |
HTTP Traffic Rule
The HTTP traffic rule object is utilized to store details of rules created or stored by the Packetriot client and is also used by the Spokes server to send updates or new rules to the client.
| Property | Description |
|---|---|
domain |
Domain for the requested HTTP/S traffic, e.g., example.com. |
secure |
Indicates if HTTPS (port 443) traffic is also being requested. |
destination |
Host or IP address traffic should be forwarded to. |
port |
Port on the destination for plain-text (HTTP) traffic. |
tls |
Port designated for forwarding TLS traffic (transparent proxy). |
webRoot |
Local file-system path for serving static content or assets. |
useLetsEnc |
Boolean flag indicating the usage of Let’s Encrypt for TLS certificates. |
ca |
Custom certificate authority path, created by the Packetriot client. |
privateKey |
Custom private key path, created by the Packetriot client. |
redirect |
Flag indicating whether HTTP traffic should be redirected to HTTPS. |
password |
Salted-hash of the password for authentication. |
basicHttpAuth |
Salted-hash of user:password (HTTP basic auth) for authentication. |
redirectURL |
URL to which incoming requests should be redirected. |
rewriteHost |
Value to rewrite the Host header with. |
insecureUpstream |
Flag indicating acceptance of an insecure TLS certificate when proxying traffic. |
firewall |
List of firewall rules applied to incoming traffic. |
User Object
This object describes the user, returning high-level details. Only basic users created through the /api/v1.0/admin/user endpoints are returned with this object. Email, full name, and phone attributes are optional.
| Property | Description |
|---|---|
id |
Unique ID for the user. |
created |
Timestamp of when the user was created or imported. |
email |
Email address for the user. |
fullname |
User’s full name. |
phone |
User’s phone number. |
maxBandwidth |
Monthly bandwidth cap in MB for the user. |