Endpoint Inventory
Programmatic endpoints currently exposed.
Authentication values below are checked against current route and middleware behavior.
Detailed request/response examples live on the dedicated endpoint pages.
Session endpoints also support API-key authentication through middleware:
Authorization: Bearer <api_key>X-API-Key: <api_key>
Plain Credential Endpoints
For request/response examples and credential flow, see Plain Endpoints (Scripts).
| Method |
Path |
Auth Required (as implemented) |
Notes |
| POST |
/api/getMe |
Credential auth handled in route logic (see Plain Endpoints page) |
Credential validation + mode (+ secondary scope + permissions metadata when applicable) |
| POST |
/api/cliCheckCredentials |
Credential auth handled in route logic (see Plain Endpoints page) |
Plain credential check |
| POST |
/api/initChunkedUploadPlain |
Credential auth handled in route logic (see Plain Endpoints page) |
Plain chunked init |
| POST |
/api/uploadChunkPlain |
No explicit auth middleware; valid upload id required |
Plain chunk upload |
| GET |
/api/chunkedUploadStatusPlain |
No explicit auth middleware; valid upload id required |
Plain status |
| POST |
/api/finishChunkedUploadPlain |
Credential auth handled in route logic (see Plain Endpoints page) |
Plain finalize |
| POST |
/api/basicHTMLUpload |
Credential auth handled in route logic (see Plain Endpoints page) |
Plain multipart upload |
| POST |
/api/secondaryPasswords/createFromPrimary |
Credential auth handled in route logic; requires primary password (not secondary) |
Create secondary password from scripts/installers |
Chunked and Upload (Session/Token Paths)
| Method |
Path |
Auth Required (as implemented) |
Notes |
| GET |
/api |
None |
Health string (Hello World) |
| POST |
/api/initChunkedUpload |
Cookie session or API key auth |
Session-backed chunked init |
| POST |
/api/uploadChunk |
No explicit auth middleware; valid upload id required |
Session/token chunk upload |
| GET |
/api/chunkedUploadStatus |
No explicit auth middleware; valid upload id required |
JSON status |
| POST |
/api/finishChunkedUpload |
No explicit auth middleware; requires finalize body fields (id, filename, manager value source) |
JSON finalize |
| POST |
/api/replaceFile |
Cookie session or API key auth + ownership checks; secondary session must have edit permission and match upload/file token + folder scope |
Replace file content from chunked upload |
| POST |
/api/html/paste |
Session pasteCSRF match + manager token (session or body) |
Create/overwrite text paste; secondary scope applied when configured |
| POST |
/api/shorten |
No explicit auth middleware; requires token + manager values (body or session) |
Short-link creation; secondary scope applied when configured |
| PATCH |
/api/files/:id/folder |
Cookie session or API key auth + application/json |
Move one file to folder; secondary requires edit permission + token + folder scope |
| POST |
/api/files/move |
Cookie session or API key auth + application/json |
Batch move files; secondary requires edit permission + token + folder scope |
| POST |
/api/edit/:hname/:path |
Owner proof via body manager token or owner cookie session; secondary session must have edit permission and match file token + folder scope |
Update/delete metadata |
| GET |
/api/editPaste/:hname/:path |
Owner cookie session required (otherwise redirect) |
Render paste editor page; secondary requires edit permission + token + folder scope |
Folder APIs
| Method |
Path |
Auth Required (as implemented) |
Notes |
| GET |
/api/folders/tree |
Cookie session or API key auth |
Returns full tree for primary, scoped subtree for secondary |
| POST |
/api/folders |
Primary cookie session + application/json (secondary/API-key credentials not allowed) |
Create folder |
| PATCH |
/api/folders/:id |
Primary cookie session + application/json (secondary/API-key credentials not allowed) |
Rename folder |
| DELETE |
/api/folders/:id |
Primary cookie session (secondary/API-key credentials not allowed) |
Delete folder |
File Access
| Method |
Path |
Auth Required (as implemented) |
Notes |
| GET |
/s/:file |
Public unless file has password; then requires accepted password mechanism |
Raw file stream |
| GET |
/d/:file |
Public unless file has password; then requires accepted password mechanism |
Forced download |
| GET |
/:file |
Public unless file has password; then requires accepted password mechanism |
File view / redirect / embedded page |
| HEAD |
/s/:file |
Same as GET auth behavior |
HEAD raw |
| HEAD |
/d/:file |
Same as GET auth behavior |
HEAD download |
| HEAD |
/:file |
Same as GET auth behavior |
HEAD file view |
| OPTIONS |
/s/:path and /d/:path |
None |
CORS preflight |
| OPTIONS |
/:file |
None |
CORS preflight |
E2E Browser Flow
See E2E Client Integration for full wire-format and third-party implementation notes.
| Method |
Path |
Auth Required (as implemented) |
Notes |
| POST |
/api/finishChunkedUploadE2E |
Session/API-key finalize flow |
Finalize E2E upload (JSON flow) |
| POST |
/api/finishChunkedUploadE2EPlain |
Plain credentials (username + password) |
Finalize E2E upload for scripts/installers |
| GET |
/api/e2e/meta/:file |
No explicit auth middleware in route |
Returns E2E metadata (salt/header/chunk sizes + ciphertext URL) |
| GET |
/e2edown/:file |
None |
Browser decrypt UI for E2E files |
| GET |
/e2edown/handleFileDecryptage/:token |
Service worker interception path |
Returns 503 if SW is not controlling page |
| GET |
/e2etest |
Session auth |
E2E sandbox/debug UI |
YouTube / Direct Download
| Method |
Path |
Auth Required (as implemented) |
Notes |
| POST |
/ytapi/requestDownload |
Cookie session or API key auth |
Queue yt/invidious job; optional folderId accepted and scope-validated |
| GET |
/ytapi/downloadStatus |
Cookie session or API key auth + job owner match |
Poll job status |
| GET |
/ytapi/listJobs |
Cookie session or API key auth + job owner match |
List non-removed persisted jobs for current owner (plus active in-memory jobs) |
| POST |
/ytapi/ackJob |
Cookie session or API key auth + application/json + job owner match |
Acknowledge auto-opened finished job and hide it from list |
| POST |
/ytapi/removeJob |
Cookie session or API key auth + application/json + job owner match |
Mark a job as removed; if job is active, cancel in-progress work and discard temp data |
| POST |
/ytapi/previewDirectDownload |
Cookie session or API key auth |
HEAD-check remote file + quota |
| POST |
/ytapi/confirmDirectDownload |
Cookie session or API key auth |
Queue direct URL ingestion; optional folderId accepted and scope-validated |
Secondary Password Management
| Method |
Path |
Auth Required (as implemented) |
Notes |
| GET |
/api/secondaryPasswords |
Primary cookie session (secondary/API-key credentials not allowed) |
List password-backed secondary credentials only (api_key IS NULL) |
| POST |
/api/secondaryPasswords |
Primary cookie session + application/json (secondary/API-key credentials not allowed) |
Create secondary password; supports folderIdScope, canListFiles, canEditFiles |
| PATCH |
/api/secondaryPasswords/:id |
Primary cookie session + application/json (secondary/API-key credentials not allowed) |
Edit label/password/scope/permissions for secondary password |
| DELETE |
/api/secondaryPasswords/:id |
Primary cookie session (secondary/API-key credentials not allowed) |
Delete secondary password |
| POST |
/api/secondaryPasswords/createFromPrimary |
Credential auth in route; requires primary password |
Script/installer-friendly creation; supports folderIdScope, canListFiles, canEditFiles |
API Key Management
| Method |
Path |
Auth Required (as implemented) |
Notes |
| GET |
/api/apiKeys |
Primary cookie session (secondary/API-key credentials not allowed) |
List API-key-backed secondary credentials (api_key IS NOT NULL, masked key only) |
| POST |
/api/apiKeys |
Primary cookie session + application/json (secondary/API-key credentials not allowed) |
Create API key with secondary scope/permissions; returns full key once |
| PATCH |
/api/apiKeys/:id |
Primary cookie session + application/json (secondary/API-key credentials not allowed) |
Edit label/scope/permissions for API key entry |
| DELETE |
/api/apiKeys/:id |
Primary cookie session (secondary/API-key credentials not allowed) |
Delete API key entry |
Mail Aliases and Verification
| Method |
Path |
Auth Required (as implemented) |
Notes |
| GET |
/api/getDomainsForAlias |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
Alias domain options |
| GET |
/api/aliases |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
List aliases |
| POST |
/api/aliases |
Cookie session auth + application/json; secondary/API-key sessions blocked by global middleware on this path |
Create alias |
| DELETE |
/api/aliases/:aliasedMail |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
Delete alias |
| POST |
/api/mailVerification/create |
Cookie session auth + application/json; secondary/API-key sessions blocked by global middleware on this path |
Start email verification |
| DELETE |
/api/mailVerification/:email |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
Remove tracked email |
| GET |
/api/mailVerification |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
List tracked emails |
| GET |
/api/verifyEmailAddress/:secret |
None |
Verify email by secret |
Mail Admin (Superuser)
| Method |
Path |
Auth Required (as implemented) |
Notes |
| POST |
/admin/deleteAllManagerAliases |
Cookie session auth + superuser + application/json |
Delete all aliases for a target manager (managerToken in body) |
| POST |
/admin/pointCoolMailsToMeAtShishCat |
Cookie session auth + superuser + application/json |
Point localpart across all allowed domains to special destination (mailToPoint in body) |
| POST |
/admin/purgeKTKCI |
Cookie session auth + superuser + application/json |
Reserved admin operation (currently returns not implemented) |
| POST |
/admin/changeMeAtShishCatMailsDestWithAdminAtFileDotAx |
Cookie session auth + superuser + application/json |
Migrate legacy alias destinations to special destination |
| POST |
/admin/reserveSpecialWords |
Cookie session auth + superuser + application/json |
Reserve special aliases in bulk |
DNS
| Method |
Path |
Auth Required (as implemented) |
Notes |
| GET |
/api/dns/domains |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
Allowed base domains (fz.mk currently) |
| GET |
/api/dns/test |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
Backend API health test |
| GET |
/api/dns/subdomains |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
List owned zones |
| POST |
/api/dns/subdomains |
Cookie session auth + application/json; secondary/API-key sessions blocked by global middleware on this path |
Claim zone |
| DELETE |
/api/dns/subdomains/:id |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
Delete zone and records |
| GET |
/api/dns/subdomains/:id/records |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
List records |
| POST |
/api/dns/subdomains/:id/records |
Cookie session auth + application/json; secondary/API-key sessions blocked by global middleware on this path |
Add record |
| POST |
/api/dns/subdomains/:id/sync |
Cookie session auth + application/json; secondary/API-key sessions blocked by global middleware on this path |
Push DB records to DNS provider |
| PATCH |
/api/dns/records/:recordId |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
Change record type |
| DELETE |
/api/dns/records/:recordId |
Cookie session auth; secondary/API-key sessions blocked by global middleware on this path |
Delete record |
SMS
| Method |
Path |
Auth Required (as implemented) |
Notes |
| GET |
/api/sms/phones/search |
Cookie session or API key auth |
Search available phone numbers |
| GET |
/api/sms/phones |
Cookie session or API key auth |
List random distributed candidates |
| GET |
/api/sms/my-phones |
Cookie session or API key auth |
List reserved phones |
| POST |
/api/sms/reserve |
Cookie session or API key auth + application/json |
Reserve phone |
| POST |
/api/sms/unreserve |
Cookie session or API key auth + application/json |
Unreserve phone |
| GET |
/api/sms/topranges |
Cookie session or API key auth |
Popular country ranges |
| POST |
/api/sms/add-countries |
Cookie session or API key auth + application/json |
Request country activation |
| GET |
/api/sms/feed |
Cookie session or API key auth |
Aggregated SMS feed |
| GET |
/api/sms/history/:number |
Cookie session or API key auth |
Number-specific history |
| GET |
/api/sms/full-history |
Cookie session or API key auth |
Full history for owned numbers |
| POST |
/api/sms/free-all |
Cookie session or API key auth + application/json |
Free all owned phones |