Authenticated User

The /api/v1/user/* endpoints operate on the currently authenticated user identified by the request token. All paths on this page are relative to the API root /api/v1 (for example, /user/emails is https://<akp-host>/api/v1/user/emails).

Unless noted otherwise:

  • Auth: Token — send Authorization: token <YOUR_TOKEN>.

A few endpoints require additional privileges (site admin) or are only registered on AppsCode-hosted deployments; this is called out per endpoint.


Current user & session

GET /user

Get the authenticated user.

  • Auth: Token.

Query parameters:

NameTypeRequiredDescription
check_client_orgstringnoWhen "true", populate the clientOrgUser field on the response.

Response: 200 OK — a User object.

{
  "id": 2,
  "login": "someuser",
  "username": "someuser",
  "full_name": "Some User",
  "email": "user@example.com",
  "avatar_url": "https://secure.gravatar.com/avatar/<hash>?d=identicon",
  "language": "en-US",
  "is_admin": true,
  "last_login": "2026-07-13T18:23:53Z",
  "created": "2026-07-05T06:46:29Z",
  "type": 0,
  "active": true,
  "prohibit_login": false,
  "orgAdmin": false,
  "clientOrgUser": false
}

The User fields are documented in the Public & Basic-auth User APIs page.

Verified: GET /user returned 200 against appscode on 2026-07-14.

Example:

curl -H "Authorization: token $AKP_TOKEN" \
  https://<akp-host>/api/v1/user

GET /user/signout

Sign out the authenticated user (clears session and auth cookies).

  • Auth: Token.

Response: 200 OK with no body.

GET /user/firebase-token

Get a Firebase custom auth token for the authenticated user. Only registered on AppsCode-hosted deployments.

  • Auth: Token. AppsCode-hosted deployments only.

Response: 200 OK — a FirebaseToken.

{
  "firebaseToken": "<firebase-custom-token>"
}

Verified: GET /user/firebase-token returned 404 against appscode on 2026-07-14 — the route is not registered on this (self-hosted) deployment.


NATS credentials

GET /user/nats/credentials

Get the authenticated user’s NATS credentials (endpoints plus credential bytes for the primary NATS user).

  • Auth: Token.

Response: 200 OK — a NatsCredentialsResponse.

{
  "natsEndpoints": ["nats://nats.example.com:4222"],
  "credentials": "<base64-encoded-creds>"
}
FieldTypeDescription
natsEndpointsarray of stringNATS server URLs.
credentialsstring (byte)Base64-encoded NATS credentials file contents.

Verified: GET /user/nats/credentials returned 200 against appscode on 2026-07-14. (Credential bytes redacted above.)

GET /user/nats/admin_credentials

Get NATS admin credentials. The response body is deployment-specific and modeled as an opaque JSON object.

  • Auth: Token + site admin.

Response: 200 OK — an opaque object.

Verified: GET /user/nats/admin_credentials returned 200 against appscode on 2026-07-14 (called with a site-admin token).

GET /user/nats/user_credentials

Get NATS user credentials. Deployment-specific opaque object.

  • Auth: Token + site admin.

Response: 200 OK — an opaque object.

Verified: GET /user/nats/user_credentials returned 302 against appscode on 2026-07-14 — the request was redirected (missing required NATS user context on this deployment).

GET /user/nats/cluster-resource-history

Get cluster resource history from NATS. Deployment-specific opaque object.

  • Auth: Token + site admin.

Response: 200 OK — an opaque object.

Verified: GET /user/nats/cluster-resource-history returned 400 against appscode on 2026-07-14 — required query parameters (cluster context) were not supplied.


Emails

GET /user/emails

List the authenticated user’s email addresses.

  • Auth: Token.

Response: 200 OK — an array of Email objects.

[
  { "email": "user@example.com", "verified": true, "primary": true }
]
FieldTypeDescription
emailstringThe email address.
verifiedbooleanWhether the address is verified.
primarybooleanWhether it is the primary address.

Verified: GET /user/emails returned 200 against appscode on 2026-07-14.

POST /user/emails

Add one or more email addresses.

  • Auth: Token.

Request body: CreateEmailOption.

{
  "emails": ["user@example.com"]
}
FieldTypeRequiredDescription
emailsarray of stringyesEmail addresses to add.

Response: 201 Created — the updated array of Email objects.

DELETE /user/emails

Delete one or more email addresses.

  • Auth: Token.

Request body: DeleteEmailOption.

{
  "emails": ["user@example.com"]
}
FieldTypeRequiredDescription
emailsarray of stringyesEmail addresses to remove.

Response: 204 No Content.


Social follow

GET /user/followers

List the authenticated user’s followers.

  • Auth: Token.

Query parameters:

NameTypeRequiredDescription
pageintegernoPage number of results (1-based).

Response: 200 OK — an array of User objects.

Verified: GET /user/followers returned 200 against appscode on 2026-07-14.

GET /user/following

List the users the authenticated user is following.

  • Auth: Token.

Query parameters:

NameTypeRequiredDescription
pageintegernoPage number of results (1-based).

Response: 200 OK — an array of User objects.

Verified: GET /user/following returned 200 against appscode on 2026-07-14.

GET /user/following/{username}

Check whether the authenticated user follows the given user.

  • Auth: Token.

Path parameters:

NameTypeDescription
usernamestringUsername to check.

Response: 204 No Content if following; 404 otherwise.

PUT /user/following/{username}

Follow a user.

  • Auth: Token.

Path parameters:

NameTypeDescription
usernamestringUsername to follow.

Response: 204 No Content.

DELETE /user/following/{username}

Unfollow a user.

  • Auth: Token.

Path parameters:

NameTypeDescription
usernamestringUsername to unfollow.

Response: 204 No Content.


Organizations & teams

GET /user/teams

List all teams the authenticated user belongs to.

  • Auth: Token.

Response: 200 OK — an array of Team objects.

[
  {
    "id": 5,
    "name": "developers",
    "description": "Application developers",
    "permission": "write",
    "type": "",
    "units": [],
    "role_ids": []
  }
]
FieldTypeDescription
idinteger (int64)Team ID.
namestringTeam name.
descriptionstringFree-form description.
organizationOrganizationThe owning organization.
permissionstringOne of none, read, write, admin, owner.
unitsarray of stringEnabled feature units.
typestringTeam type.
role_idsarray of integerAssigned custom-role IDs.

Verified: GET /user/teams returned 200 against appscode on 2026-07-14.

Organization list endpoints for the authenticated user live under settings — see GET /user/settings/organizations.


Clusters

GET /user/clusters

List clusters the authenticated user owns or can access.

  • Auth: Token.

Query parameters:

NameTypeRequiredDescription
allstringnoWhen "true", include clusters the user has access to, not just owned clusters.

Response: 200 OK — an array of ClusterInfo objects.

[
  {
    "id": 1,
    "displayName": "KubeDB Platform Hub",
    "name": "ace",
    "uid": "<uid>",
    "ownerName": "appscode",
    "provider": "generic",
    "kubernetesVersion": "1.29.0",
    "nodeCount": 3,
    "createdAt": "2026-07-05T06:46:29Z"
  }
]

Key ClusterInfo fields: id, displayName, name, uid, ownerID/ownerName, provider, vendor, kubernetesVersion, nodeCount, endpoint, location, hubClusterName, clusterSetName, isMonitoringCluster, createdAt, age, and a status (a Kubernetes-style object).

Verified: GET /user/clusters returned 200 against appscode on 2026-07-14. GET /user/clusters?all=true returned 302 on 2026-07-14 (redirected — the all variant requires session/org context).


Cloud credentials

GET /user/credentials

List the authenticated user’s cloud credentials.

  • Auth: Token.

Query parameters:

NameTypeRequiredDescription
credential_typearray of stringnoFilter by one or more credential types.
rancher_endpointstringnoFor Rancher credentials, only return those matching this endpoint.

Response: 200 OK — an array of CloudCredentialApiForm objects. Each embeds a cloudv1alpha1.CredentialSpec (a Kubernetes-style object) plus a creationTimestamp field; the credential fields themselves are free-form (provider-specific).

Verified: GET /user/credentials returned 200 against appscode on 2026-07-14.

GET /user/credentials/{credName}

Get a single cloud credential by name.

  • Auth: Token.

Path parameters:

NameTypeDescription
credNamestringName of the cloud credential.

Response: 200 OK — a CloudCredentialApiForm object; 404 if not found.

POST /user/credentials

Create a cloud credential for the authenticated user.

  • Auth: Token.

Request body: a cloudv1alpha1.CredentialSpec — a Kubernetes-style object. The exact fields are provider-specific; the API passes the object through as an arbitrary Kubernetes object rather than a fixed schema.

Response: 201 Created with no body.

PUT /user/credentials

Update a cloud credential for the authenticated user. Registered at the path /user/credentials/ (with a trailing slash).

  • Auth: Token.

Request body: a cloudv1alpha1.CredentialSpec — a Kubernetes-style object (see POST above).

Response: 204 No Content.

DELETE /user/credentials/{credName}

Delete a cloud credential by name.

  • Auth: Token.

Path parameters:

NameTypeDescription
credNamestringName of the cloud credential.

Response: 204 No Content; 404 if not found.

GET /user/clouds/{cloud}/buckets

List storage buckets for a cloud provider.

  • Auth: Token.

Note: Despite being a GET, this endpoint is bound to a JSON request body (BucketListOptions). Either a cloud credential or a secret namespace + name must be provided, plus a cluster UID. Because it requires a body it was not exercised as part of live GET verification.

Path parameters:

NameTypeDescription
cloudstringCloud provider identifier.

Request body: BucketListOptions.

{
  "credential": "my-gcs-cred",
  "gce_project": "my-project",
  "cluster_uid": "<uid>",
  "secret_namespace": "",
  "secret_name": "",
  "provider": "gcs"
}
FieldTypeRequiredDescription
credentialstringone of credential / secretCloud credential name.
gce_projectstringnoGCE project (for GCS).
cluster_uidstringyesCluster UID for context.
secret_namespacestringone of credential / secretSecret namespace.
secret_namestringone of credential / secretSecret name.
providerstringnoProvider identifier.

Response: 200 OK — a BucketListResponse.

{
  "names": ["bucket-a", "bucket-b"]
}

Name & email validation

Each validation endpoint returns a Validation object whose Status is one of VALID, USER_EXISTS, RESERVED, INVALID, or NOT_ALLOWED.

POST /user/validate/username

Validate username availability.

  • Auth: Token.

Query parameters:

NameTypeRequiredDescription
user_namestringnoUsername to validate.

Response: 200 OK — a Validation object.

{ "Status": "VALID" }

POST /user/validate/orgname

Validate organization-name availability.

  • Auth: Token.

Query parameters:

NameTypeRequiredDescription
orgstringnoExisting organization name (when renaming).
user_namestringnoProposed organization name to validate.

Response: 200 OK — a Validation object.

POST /user/validate/email

Validate email availability.

  • Auth: Token.

Query parameters:

NameTypeRequiredDescription
emailstringnoEmail address to validate.

Response: 200 OK — a Validation object.


Deployment orders

The high-level design also lists deployment-order endpoints under the authenticated user (POST /user/deploy/orders and the /user/deploy/orders/{id}/render/* preview routes). These are not part of the machine-readable OpenAPI specification for this group and are therefore not documented in detail here; consult the KubeDB Platform API Server source (routers/api/v1) for their current request/response shapes.