Admin API
TL;DR — Everything AuthPlane exposes on :9001, the operator surface. CRUD for OAuth clients, users, resources, broker providers, grants, issuances, signing keys, XAA IdPs and policies, plus the audit log query API. The same endpoints power the built-in Admin UI at /admin/ui/. Authenticate with Authorization: Bearer $AUTHPLANE_ADMIN_API_KEY. Never expose :9001 to the public internet.
Authentication
Every admin request needs the API key you set at boot (admin.api_key in YAML or AUTHPLANE_ADMIN_API_KEY env var). Present it as a Bearer token:
curl -H "Authorization: Bearer $AUTHPLANE_ADMIN_API_KEY" \
https://auth-admin.internal.example.com/admin/clients
The Admin UI at /admin/ui/ uses the same key — the user pastes it once and it’s stored in sessionStorage.
Never expose port 9001 publicly. Front with:
- Internal network only, or
- IP allowlist via ingress annotations (nginx.ingress.kubernetes.io/whitelist-source-range), or
- Loopback bind (admin.address: "127.0.0.1:9001") plus SSH tunnel / bastion access
Boot validation enforces that admin.api_key is set when server.issuer is not localhost.
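The two checks this section describes, modelled as an added example (not AuthPlane's own code): the boot-time rule that admin.api_key must be set unless server.issuer is localhost, and the per-request Bearer check on the admin port. The function names and the config dict layout are assumptions, and the extra warning about binding all interfaces is something this example adds beyond the documented boot validation.

```python
import hmac
from urllib.parse import urlparse

# Hypothetical helpers; AuthPlane's real validation lives inside the binary.

def is_localhost_issuer(issuer: str) -> bool:
    """True when server.issuer points at the local machine (assumed rule)."""
    host = urlparse(issuer).hostname or issuer
    return host in ("localhost", "127.0.0.1", "::1")


def validate_admin_config(cfg: dict) -> list:
    """Return boot-validation errors; an empty list means the config is accepted."""
    errors = []
    admin = cfg.get("admin", {})
    issuer = cfg.get("server", {}).get("issuer", "")
    local = is_localhost_issuer(issuer)

    # Documented rule: the admin key is mandatory once the issuer is not localhost.
    if not admin.get("api_key") and not local:
        errors.append("admin.api_key must be set when server.issuer is not localhost")

    # Added check (not on the page): flag an all-interfaces bind for a non-local issuer,
    # since the page's guidance is loopback + tunnel or an IP allowlist.
    host = admin.get("address", "127.0.0.1:9001").rsplit(":", 1)[0].strip("[]")
    if host in ("", "0.0.0.0", "::") and not local:
        errors.append("admin.address binds all interfaces; use loopback + tunnel or an allowlist")
    return errors


def check_admin_auth(headers: dict, api_key: str) -> bool:
    """Accept only 'Authorization: Bearer <key>' matching api_key, compared in constant time."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(token.encode(), api_key.encode())


if __name__ == "__main__":
    # Constructed sample config: non-local issuer, no key, all-interfaces bind.
    sample = {"server": {"issuer": "https://auth.example.com"},
              "admin": {"address": "0.0.0.0:9001"}}
    for err in validate_admin_config(sample):
        print("boot validation:", err)
```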
Endpoints at a glance
The /admin/ui/* route serves the React SPA — not part of the API.
The CLI mirrors the API
Every admin API endpoint has a CLI equivalent under authserver admin <resource> <verb>. Example equivalents:
Full CLI reference in Reference: Metrics & CLI.
Live spec (Rapidoc)
The spec below is the exact YAML that ships with the AuthPlane binary. Search operations, inspect request/response schemas, try requests inline against a running instance.
Related
- Reference: Public API — the OAuth surface on :9000
- Guides: Admin API — task-focused walkthroughs (create clients, revoke tokens, inspect issuances)
- Reference: Configuration — the admin.* config block
- Reference: Metrics & CLI — CLI equivalents for every endpoint here
- Security: Threat model — admin API is threat T8; hardening notes