PanelConfig
API Documentation

Automate your panel over HTTPS.

Every PanelConfig installation exposes a token-authenticated JSON API. Tokens are stored as SHA-256 hashes, restricted by scopes, rate limited per token, and every request is logged.

16 v1 endpoints
14 Token scopes
120/min Default rate window
100% Requests logged

Authentication

Bearer tokens with scopes.

Create a token in PCAdmin under API, or from the terminal. The plain token is shown once; only its hash is stored. Send it on every request:

curl -s https://panel.example.com/api/v1/me.php \
  -H "Authorization: Bearer pc_YOUR_TOKEN"
{
  "success": true,
  "message": "PanelConfig API resource loaded.",
  "data": { "...": "..." },
  "timestamp": "2026-06-12T00:00:00+00:00"
}

Scopes

Each token carries explicit scopes such as domains.read or *. Requests outside a token's scopes are rejected with 403 before any data is read.

Rate limits

Endpoints are rate limited per token (typically 120 requests per 60 seconds). Exceeding the window returns 429 with a retry message in the standard envelope.

Lifecycle

Tokens can expire automatically, be revoked instantly in PCAdmin, and record their last-used timestamp. Creation and revocation are written to the audit log.

Available scopes

profile.read accounts.read domains.read websites.read email.read databases.read ssl.read backups.read cron.read jobs.read services.read settings.read platform.read *

Reference

v1 endpoints by area.

All endpoints return the standard JSON envelope and require a bearer token.

Accounts and users

Who exists on the server and what they own.

GET /api/v1/me.php profile.read
GET /api/v1/accounts.php accounts.read

Domains and websites

The web surface of every hosting account.

GET /api/v1/domains.php domains.read
GET /api/v1/websites.php websites.read

Email and databases

Mailboxes and data stores per account.

GET /api/v1/email.php email.read
GET /api/v1/databases.php databases.read

SSL and security

Certificate orders and protective state.

GET /api/v1/ssl.php ssl.read
GET /api/v1/backups.php backups.read

Jobs and scheduling

Background work and recurring tasks.

GET /api/v1/jobs.php jobs.read
GET /api/v1/cron.php cron.read

Platform and health

Monitor the installation itself.

GET /api/v1/health.php platform.read
GET /api/v1/server-health.php platform.read
GET /api/v1/services.php services.read
GET /api/v1/settings.php settings.read
GET /api/v1/openapi.php platform.read
GET /api/v1/release-audit.php platform.read

Worked example

List domains, scoped and rate limited.

curl -s https://panel.example.com/api/v1/domains.php \
  -H "Authorization: Bearer pc_YOUR_TOKEN"
{
  "success": true,
  "data": {
    "resource": "domains",
    "items": [
      {
        "id": 31,
        "domain": "acme-studio.com",
        "type": "primary",
        "ssl_status": "active",
        "status": "active"
      }
    ]
  }
}

Errors

Predictable failures.

Error responses keep the same envelope with success: false and an explanation.

401 Unauthorized

Missing, expired, revoked, or unrecognized bearer token.

403 Forbidden

The token is valid but does not carry the scope the endpoint requires.

429 Too Many Requests

The per-token rate limit window was exceeded; retry after the window resets.
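
Added example, not PanelConfig's own code: a Python client that treats the three failures above differently, waiting out a 429 and failing fast on 401 and 403. It assumes error envelopes carry the explanation in a message field as the success envelope does, and, since no retry header is documented here, waits one full 60-second window after a 429; api_get, http_get and ApiError are names made up for this example.

```python
import json
import time
import urllib.error
import urllib.request

BASE_URL = "https://panel.example.com/api/v1"  # placeholder host used on this page


class ApiError(Exception):
    """Failure that a retry will not fix: 401, 403, or 429 after all retries."""

    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status = status


def http_get(url, token):
    """Real transport: returns (HTTP status, parsed JSON envelope)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # error responses keep the envelope
        return err.code, json.load(err)


def api_get(path, token, transport=http_get, sleep=time.sleep,
            window=60, max_retries=2):
    """GET one endpoint and return its data; wait out 429s only."""
    for attempt in range(max_retries + 1):
        status, body = transport(f"{BASE_URL}/{path}", token)
        if status == 200 and body.get("success") is True:
            return body["data"]
        if status == 429 and attempt < max_retries:
            sleep(window)  # assumption: wait one full rate window, then retry
            continue
        # 401 needs a new token and 403 a wider scope; retrying either
        # cannot succeed and only spends the token's rate budget.
        raise ApiError(status, body.get("message", "no message"))


if __name__ == "__main__":
    # Constructed responses (not captured from a real panel): a 429, then success.
    canned = iter([(429, {"success": False, "message": "Rate limit exceeded."}),
                   (200, {"success": True, "data": {"resource": "domains", "items": []}})])
    print(api_get("domains.php", "pc_YOUR_TOKEN",
                  transport=lambda url, tok: next(canned), sleep=lambda s: None))
```

Passing transport and sleep as arguments lets the retry logic be tested without a live panel or real waiting.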

Pair the API with PCCLI.

Use the API for remote integrations and PCCLI for on-server automation — both write to the same audit trail.
