Admin API

TL;DR — Everything AuthPlane exposes on :9001 — the operator surface. CRUD for OAuth clients, users, resources, broker providers, grants, issuances, signing keys, XAA IdPs and policies, plus the audit log query API. Same endpoints power the built-in Admin UI at /admin/ui/. Authenticate with Authorization: Bearer $AUTHPLANE_ADMIN_API_KEY. Never expose :9001 to the public internet.

Authentication

Every admin request needs the API key you set at boot (admin.api_key in YAML or AUTHPLANE_ADMIN_API_KEY env var). Present it as a Bearer token:

curl -H "Authorization: Bearer $AUTHPLANE_ADMIN_API_KEY" \
     https://auth-admin.internal.example.com/admin/clients

The Admin UI at /admin/ui/ uses the same key: the operator pastes it once and it is kept in sessionStorage. That storage is scoped to the browser tab and cleared when the tab closes, but any script running on the admin origin can read it, so keep the origin free of third-party scripts.

Never expose port 9001 publicly. Front with:

  • Internal network only, or
  • IP allowlist via ingress annotations (nginx.ingress.kubernetes.io/whitelist-source-range), or
  • Loopback bind (admin.address: "127.0.0.1:9001") + SSH tunnel / bastion access

Boot validation enforces that admin.api_key is set when server.issuer is not localhost.
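The rule above (key in a Bearer header, admin port reached only over an internal network, a tunnel or an allowlisted ingress) is easy to violate from a script that points at the wrong base URL. The following client, an added example and not AuthPlane's own code, refuses to send the key in cleartext to anything but a loopback address (the SSH-tunnel case), reads the key from AUTHPLANE_ADMIN_API_KEY as the page describes, and turns a 401 into a clear error. The base URL, the loopback-only policy and the injectable `opener` are this example's assumptions, not behaviour AuthPlane enforces.

```python
"""Minimal AuthPlane admin API client (added example, not AuthPlane's own code).

Assumptions: the key is read from AUTHPLANE_ADMIN_API_KEY (as the page states);
refusing plaintext http to non-loopback hosts is this example's own policy.
"""
import json
import os
import urllib.error
import urllib.request
from ipaddress import ip_address
from urllib.parse import urlparse

LOOPBACK_NAMES = {"localhost"}


def admin_url_is_safe(base_url: str) -> bool:
    """https is fine anywhere; http only to loopback, e.g. behind `ssh -L 9001:127.0.0.1:9001 bastion`."""
    u = urlparse(base_url)
    if u.scheme == "https":
        return True
    if u.scheme != "http":
        return False
    host = u.hostname or ""
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a DNS name over plain http: not loopback, not allowed
        return False


def auth_headers(api_key: str) -> dict:
    """Build the Bearer header; an empty key would just produce a 401, so fail early."""
    if not api_key:
        raise ValueError("AUTHPLANE_ADMIN_API_KEY is empty; refusing to send an admin request")
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


def admin_request(base_url, path, method="GET", body=None, api_key=None,
                  opener=urllib.request.urlopen):
    """Send one admin call and return (status, decoded JSON or None).

    `opener` is injectable so the function can be exercised without a server.
    """
    if not admin_url_is_safe(base_url):
        raise ValueError(f"refusing to send the admin key in cleartext to {base_url}")
    key = api_key if api_key is not None else os.environ.get("AUTHPLANE_ADMIN_API_KEY", "")
    headers = auth_headers(key)
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                 method=method, headers=headers)
    try:
        with opener(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as e:
        if e.code == 401:
            raise PermissionError("admin API rejected the key (401); check AUTHPLANE_ADMIN_API_KEY") from e
        raise


if __name__ == "__main__":
    # Loopback bind + SSH tunnel case: ssh -L 9001:127.0.0.1:9001 bastion
    status, clients = admin_request("http://127.0.0.1:9001", "/admin/clients")
    print(status, clients)
```

The same function works against the TLS-fronted internal host (`https://auth-admin.internal.example.com`); what it will not do is ship the key to `http://some-host:9001`, which is the mistake the "never expose :9001" rule is guarding against on the server side.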

Endpoints at a glance

Path                          Purpose
/admin/clients                OAuth clients — list, get, create (DCR + manual), update, suspend, delete
/admin/users                  Local users — list, get, create, disable, delete; password reset
/admin/resources              Mint and Broker resources — CRUD, per-resource policy.* config
/admin/broker-providers       Upstream OAuth providers — CRUD
/admin/users/{id}/grants      List consent + broker grants for a specific user
/admin/grants/consent/{id}    Revoke a consent grant (DELETE)
/admin/grants/broker/{id}     Revoke a broker grant (DELETE). Does not cascade: tokens the upstream provider has already issued stay valid at the provider
/admin/issuances              Per-token forensic audit — list, filter by user/client/resource
/admin/keys                   Signing keys — list, rotate
/admin/audit                  Structured audit log — query with filters
/admin/idps                   XAA trusted IdPs — CRUD, refresh JWKS
/admin/xaa/policies           XAA authorization policies
/admin/xaa/subject-mappings   XAA subject mapping rules
/admin/system/config          Effective configuration snapshot (read-only)
/admin/system/status          Runtime status, feature-enabled flags, version
/admin/settings/dcr           DCR mode config (runtime toggle between open/approved_redirects/admin_only)

The /admin/ui/* route serves the React SPA — not part of the API.
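A common operator task that spans three of the rows above is "cut this user off": list the user's grants, then revoke each consent and broker grant. The script below is an added example, not AuthPlane's own code or CLI. It assumes that GET /admin/users/{id}/grants returns a JSON object with `consent` and `broker` lists whose items carry an `id`; the real field names come from the shipped OpenAPI spec, so adjust them there. The `http` callable is injectable, and the block ships with a constructed fake response so it runs offline; the broker grant IDs are reported separately because, as the table notes, revoking a broker grant does not revoke anything at the upstream provider.

```python
"""Revoke every grant held by one user through the AuthPlane admin API.

Added example, not AuthPlane's own code. Assumed response shape for
GET /admin/users/{id}/grants: {"consent": [{"id": ...}], "broker": [{"id": ...}]}.
"""
import json
import urllib.error
import urllib.request


def _urllib_http(method, url, headers):
    """Real transport: (status, body bytes). HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def revoke_all_grants(base_url, user_id, api_key, http=_urllib_http):
    """Revoke all consent and broker grants of `user_id`.

    Returns (deleted_paths, broker_grant_ids). The second list is the set of
    broker grants whose upstream tokens still need revoking at the provider.
    """
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    base = base_url.rstrip("/")
    status, body = http("GET", f"{base}/admin/users/{user_id}/grants", headers)
    if status != 200:
        raise RuntimeError(f"listing grants for {user_id} failed: HTTP {status}")
    grants = json.loads(body)

    deleted, broker_ids = [], []
    for kind in ("consent", "broker"):          # matches /admin/grants/consent/{id} and /admin/grants/broker/{id}
        for grant in grants.get(kind, []):
            path = f"/admin/grants/{kind}/{grant['id']}"
            st, _ = http("DELETE", base + path, headers)
            if st not in (200, 204):
                raise RuntimeError(f"DELETE {path} failed: HTTP {st}")
            deleted.append(path)
            if kind == "broker":
                broker_ids.append(grant["id"])
    return deleted, broker_ids


# Constructed sample data and an offline fake transport (not real AuthPlane output).
SAMPLE_GRANTS = {
    "consent": [{"id": "c-1", "client_id": "dash"}, {"id": "c-2", "client_id": "cli"}],
    "broker": [{"id": "b-7", "provider": "github"}],
}


def make_fake_http(grants=SAMPLE_GRANTS):
    """Return (http, calls): answers GET with `grants`, DELETE with 204, records every call."""
    calls = []

    def http(method, url, headers):
        calls.append((method, url))
        assert headers["Authorization"].startswith("Bearer ")
        if method == "GET":
            return 200, json.dumps(grants).encode()
        if method == "DELETE":
            return 204, b""
        return 405, b""
    return http, calls


if __name__ == "__main__":
    fake, calls = make_fake_http()
    paths, brokers = revoke_all_grants("https://auth-admin.internal.example.com",
                                       "u-123", "example-key", http=fake)
    print("revoked:", paths)
    print("broker grants needing upstream revocation:", brokers)
```

Against a live instance drop the `http=` argument; the function then uses urllib and the Bearer header exactly as the curl example in the Authentication section does.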

The CLI mirrors the API

Every admin API endpoint has a CLI equivalent under authserver admin <resource> <verb>. Example equivalents:

REST                                CLI
POST /admin/clients                 authserver admin client create --grant-types … --scopes 'name|upstream|desc'
GET /admin/resources                authserver admin resource list
POST /admin/broker-providers        authserver admin provider create --slug … --protocol oauth
POST /admin/keys/rotate             authserver admin key rotate
GET /admin/users/{id}/grants        authserver admin grant list-user-grants --user …
DELETE /admin/grants/consent/{id}   authserver admin grant revoke-consent --id …
DELETE /admin/grants/broker/{id}    authserver admin grant revoke-broker --id …

Full CLI reference in Reference: Metrics & CLI.

Live spec (Rapidoc)

The spec below is the exact YAML that ships with the AuthPlane binary. Search operations, inspect request/response schemas, and try requests inline against a running instance. Trying a request sends your Bearer key from the browser to whatever server URL the page is configured with, so point it only at an instance reached over TLS or a loopback tunnel, never at an http:// address on the network.