Management API
Everything the dashboard does is a REST call you can make yourself — registration, projects, keys, usage, webhooks, billing.
| Base URL | https://api.lab.au.ro/api/v1 |
| Auth | Authorization: Bearer <JWT> from login/register |
| Spec | OpenAPI 3.0, interactive browser: https://dash.lab.au.ro/swagger/ |
| Postman | collection ships in the repo (services/control-api/postman_collection.json) |
Surface map
| Area | Endpoints |
|---|---|
| Auth | POST /auth/register · POST /auth/login · POST /auth/refresh · GET/PUT /auth/me · POST /auth/me/password · logout/logout-all |
| MFA & security | /auth/mfa/totp/* · /auth/mfa/verify · /auth/passkeys · /auth/sessions · GET /auth/audit |
| Tenants | GET /tenants · GET/PUT /tenants/{id} · GET /tenants/{id}/usage · GET /tenants/{id}/billing |
| Projects | POST/GET /tenants/{tid}/projects · GET/PUT/DELETE /projects/{id} · GET /projects/{id}/usage · usage-chart · metrics |
| API keys | POST/GET /projects/{pid}/keys · DELETE /keys/{id} |
| Webhooks | POST/GET /projects/{pid}/webhooks · DELETE /webhooks/{id} · POST/GET /webhooks/{eid}/subscriptions · DELETE /subscriptions/{id} |
| Catalog | GET /plans · GET /chains · GET /roles |
The Quickstart walks the core path (register → project → key → call) with executed examples; webhook flows are on the Webhooks page.
Conventions
- JSON in/out, Content-Type: application/json.
- IDs are UUIDs.
- Errors: {"error": "human-readable message"} with a meaningful HTTP code (400 validation, 401 auth, 403 permissions, 404 not found, 429 login rate-limit).
- Login/registration are rate-limited (10/min per IP) and accounts lock temporarily after repeated failed passwords.
- List endpoints return plain arrays (no pagination envelope yet).
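
A client-side sketch of these conventions, added here as an example and not taken from the project's code: it builds an authenticated request and turns the error envelope into a typed exception. The names ApiError, build_request, interpret and next_step are hypothetical, and the retry policy in next_step is an assumption of this example, not documented API behaviour.

```python
import json
import urllib.request

BASE_URL = "https://api.lab.au.ro/api/v1"  # base URL from the table above

# Status codes and their meanings as listed under Conventions.
CATEGORIES = {400: "validation", 401: "auth", 403: "permissions",
              404: "not found", 429: "login rate-limit"}


class ApiError(Exception):
    def __init__(self, status, category, message):
        # Only the status and the server's message are kept; the bearer
        # token never enters the exception, so it cannot leak into logs.
        super().__init__(f"{status} {category}: {message}")
        self.status, self.category, self.message = status, category, message


def build_request(method, path, token, payload=None):
    """Build (not send) a request that follows the page's conventions."""
    data = None if payload is None else json.dumps(payload).encode()
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def interpret(status, body):
    """Return decoded JSON for 2xx; raise ApiError for anything else."""
    try:
        doc = json.loads(body) if body else None
    except ValueError:
        doc = None  # e.g. an HTML error page from a proxy in front of the API
    if 200 <= status < 300:
        return doc  # list endpoints yield a plain list, not an envelope
    message = doc.get("error") if isinstance(doc, dict) else None
    raise ApiError(status, CATEGORIES.get(status, "unexpected"),
                   message or "(no error field in body)")


def next_step(err):
    """Caller policy (an assumption of this example, not API behaviour)."""
    if err.status == 401:
        return "refresh"  # try POST /auth/refresh once, then retry the call
    if err.status == 429:
        return "backoff"  # login limit is 10/min per IP: wait, do not loop
    return "fail"         # 400/403/404: the same request will fail again
```

Pass the status and body of each response to interpret, whichever HTTP library sends the request built by build_request.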