REST API
REST API Reference
Cloudillo provides a comprehensive REST API for building applications. All endpoints return JSON and use standard HTTP methods.
Base URL
https://your-cloudillo-server.comFor local development:
http://localhost:3000Authentication
Most endpoints require authentication via JWT tokens in the Authorization header:
Authorization: Bearer eyJhbGciOiJFUzM4NCIsInR5cCI6IkpXVCJ9...See Authentication for details on obtaining and managing tokens.
Response Format
All successful responses follow this format:
{
"data": <payload>,
"time": "2025-01-01T12:00:00Z",
"reqId": "req_abc123"
}For list endpoints, cursor-based pagination is recommended:
{
"data": [...],
"cursorPagination": {
"nextCursor": "eyJzIjoiY3JlYXRlZCIsInYiOjE3MzUwMDAwMDAsImlkIjoiYTF-YWJjMTIzIn0",
"hasMore": true
},
"time": "2025-01-01T12:00:00Z"
}Legacy offset-based pagination (deprecated):
{
"data": [...],
"pagination": {
"total": 150,
"offset": 0,
"limit": 20
},
"time": "2025-01-01T12:00:00Z"
}Error Format
Errors return this structure:
{
"error": {
"code": "E-AUTH-UNAUTH",
"message": "Unauthorized access",
"details": {...}
},
"time": 1735000000,
"reqId": "req_abc123"
}See Error Handling for all error codes.
Common Query Parameters
Many list endpoints support these parameters:
limit- Maximum number of results (default: 20)cursor- Opaque cursor for pagination (from previous response)sort- Sort field (e.g.,created,modified,name)sortDir- Sort direction (ascordesc)
Endpoint Categories
Authentication
User authentication and token management.
POST /api/auth/login- Login and get tokenPOST /api/auth/login-init- Combined login init (token + QR + WebAuthn)POST /api/auth/logout- LogoutPOST /api/auth/password- Change passwordGET /api/auth/login-token- Refresh tokenGET /api/auth/access-token- Get scoped tokenGET /api/auth/proxy-token- Get federation tokenPOST /api/auth/qr-login/init- QR login initGET /api/auth/qr-login/{session_id}/status- QR login statusGET /api/me- Get tenant profile (public)GET /.well-known/cloudillo/id-tag- Resolve identity
Profiles
User and community profiles.
POST /api/profiles/register- Register new userPOST /api/profiles/verify- Verify identity availabilityGET /api/me- Get own profilePATCH /api/me- Update own profilePUT /api/me/image- Upload profile imagePUT /api/me/cover- Upload cover imageGET /api/profiles- List profilesGET /api/profiles/:idTag- Get specific profilePATCH /api/profiles/:idTag- Update relationshipPATCH /api/admin/profiles/:idTag- Admin update profile
Actions
Social features: posts, comments, reactions, connections.
GET /api/actions- List actionsPOST /api/actions- Create actionGET /api/actions/{actionId}- Get actionPATCH /api/actions/{actionId}- Update draft actionDELETE /api/actions/{actionId}- Delete actionPOST /api/actions/{actionId}/accept- Accept actionPOST /api/actions/{actionId}/reject- Reject actionPOST /api/actions/{actionId}/dismiss- Dismiss notificationPOST /api/actions/{actionId}/publish- Publish draftPOST /api/actions/{actionId}/cancel- Cancel scheduledPOST /api/actions/{actionId}/stat- Update statisticsPOST /api/actions/{actionId}/reaction- Add reactionPOST /api/inbox- Federation inbox (async)POST /api/inbox/sync- Federation inbox (sync)
Files
File upload, download, and management.
GET /api/files- List filesPOST /api/files- Create file metadata (CRDT/RTDB)POST /api/files/{preset}/{file_name}- Upload file (BLOB)GET /api/files/{fileId}- Download fileGET /api/files/{fileId}/descriptor- Get file infoGET /api/files/{fileId}/metadata- Get file metadataPATCH /api/files/{fileId}- Update fileDELETE /api/files/{fileId}- Delete filePOST /api/files/{fileId}/duplicate- Duplicate CRDT/RTDB filePOST /api/files/{fileId}/restore- Restore from trashPUT /api/files/{fileId}/tag/{tag}- Add tagDELETE /api/files/{fileId}/tag/{tag}- Remove tagGET /api/files/variant/{variantId}- Get variant
Apps
App package management.
GET /api/apps- List available appsPOST /api/apps/install- Install appGET /api/apps/installed- List installed appsDELETE /api/apps/@{publisher}/{name}- Uninstall app
Shares
File sharing and access grants.
GET /api/shares- List shares by subjectGET /api/files/{fileId}/shares- List file sharesPOST /api/files/{fileId}/shares- Create shareDELETE /api/files/{fileId}/shares/{shareId}- Delete share
Settings
User preferences and configuration.
GET /api/settings- List all settingsGET /api/settings/:name- Get settingPUT /api/settings/:name- Update setting
References
Bookmarks and shortcuts.
GET /api/refs- List referencesPOST /api/refs- Create referenceGET /api/refs/:refId- Get referenceDELETE /api/refs/:refId- Delete reference
Tags
File and content tagging.
GET /api/tags- List tagsPUT /api/files/:fileId/tag/:tag- Add tagDELETE /api/files/:fileId/tag/:tag- Remove tag
Trash
Trash management.
GET /api/files?parentId=__trash__- List trashed filesPOST /api/files/:fileId/restore- Restore from trashDELETE /api/files/:fileId?permanent=true- Permanently deleteDELETE /api/trash- Empty trash
Communities
Community creation and management.
PUT /api/profiles/:idTag- Create communityPOST /api/profiles/verify- Verify availability
Admin
System administration (requires admin role).
GET /api/admin/tenants- List tenantsPOST /api/admin/tenants/{idTag}/password-reset- Send password resetPOST /api/admin/email/test- Test SMTPPATCH /api/admin/profiles/{idTag}- Admin profile updateGET /api/admin/proxy-sites- List proxy sitesPOST /api/admin/proxy-sites- Create proxy sitePATCH /api/admin/proxy-sites/{siteId}- Update proxy siteDELETE /api/admin/proxy-sites/{siteId}- Delete proxy sitePOST /api/admin/proxy-sites/{siteId}/renew-cert- Renew certificatePOST /api/admin/invite-community- Invite community
IDP Management
Identity provider administration.
GET /api/idp/identities- List managed identitiesPOST /api/idp/identities- Create identityGET /api/idp/identities/:idTag- Get identityPATCH /api/idp/identities/:idTag- Update identityPUT /api/idp/identities/:idTag/address- Update identity address (DNS)DELETE /api/idp/identities/:idTag- Delete identityGET /api/idp/api-keys- List API keysPOST /api/idp/api-keys- Create API keyDELETE /api/idp/api-keys/:keyId- Delete API key
Rate Limiting
API requests are rate-limited per tenant:
- Default: 1000 requests per minute
- Authenticated: 5000 requests per minute
- Admin: Unlimited
Rate limit headers:
X-RateLimit-Limit: 5000
X-RateLimit-Remaining: 4950
X-RateLimit-Reset: 1735000000CORS
CORS is enabled for all origins in development mode. In production, configure allowed origins in the server settings.
Timestamps
All response timestamps are in ISO 8601 format:
{
"createdAt": "2025-01-01T12:00:00Z"
}Query parameter timestamps accept both ISO 8601 strings and Unix seconds:
GET /api/actions?createdAfter=2025-01-01T00:00:00Z
GET /api/actions?createdAfter=1735689600Content Types
Request Content-Type
Most endpoints accept:
Content-Type: application/jsonFile uploads use:
Content-Type: multipart/form-dataResponse Content-Type
All responses return:
Content-Type: application/json; charset=utf-8Except file downloads which return the appropriate MIME type.
HTTP Methods
GET- Retrieve resourcesPOST- Create resourcesPATCH- Partially update resourcesPUT- Replace resourcesDELETE- Delete resources
Idempotency
PUT, PATCH, and DELETE operations are idempotent. POST operations are not idempotent unless you provide an idempotencyKey:
{
"idempotencyKey": "unique-key-123",
"type": "POST",
"content": {...}
}Pagination
List endpoints use cursor-based pagination for stable results:
GET /api/actions?limit=20Response includes pagination info:
{
"data": [...],
"cursorPagination": {
"nextCursor": "eyJzIjoiY3JlYXRlZCIsInYiOjE3MzUwMDAwMDAsImlkIjoiYTF-YWJjMTIzIn0",
"hasMore": true
},
"time": "2025-01-01T12:00:00Z"
}To fetch the next page, use the cursor:
GET /api/actions?limit=20&cursor=eyJzIjoiY3JlYXRlZCIsInYiOjE3MzUwMDAwMDAsImlkIjoiYTF-YWJjMTIzIn0Filtering
Many endpoints support filtering via query parameters. Each endpoint documents its available filters.
GET /api/actions?type=POST&status=A&createdAfter=2025-01-01T00:00:00ZWebSocket Endpoints
For real-time features, use WebSocket connections:
WSS /ws/crdt/{doc_id}- Collaborative documentsWSS /ws/rtdb/{file_id}- Real-time databaseWSS /ws/bus- Message bus
See WebSocket API for details.
Quick Start
Using @cloudillo/core
import * as cloudillo from '@cloudillo/core'
await cloudillo.init('my-app')
const api = cloudillo.createApiClient()
// Make requests
const profile = await api.profiles.getOwn()
const posts = await api.actions.list({ type: 'POST' })Using fetch directly
const response = await fetch('/api/me', {
headers: {
'Authorization': `Bearer ${token}`,
'Content-Type': 'application/json'
}
})
const data = await response.json()
console.log(data.data) // Profile object
console.log(data.time) // Timestamp
console.log(data.reqId) // Request ID
Cursor Pagination Details
Cursors are opaque base64-encoded strings containing:
- Sort field (
s) - Sort value (
v) - Last item ID (
id)
{
"s": "created",
"v": 1735000000,
"id": "a1~abc123"
}Benefits:
- Stable: Results don’t shift when new items are added
- Efficient: No offset scanning in database
- Reliable: Works with large datasets
Use the SDK for easier pagination:
let cursor = undefined
while (true) {
const result = await api.actions.list({ type: 'POST', limit: 20, cursor })
// Process result.data
if (!result.cursorPagination?.hasMore) break
cursor = result.cursorPagination.nextCursor
}Next Steps
Explore specific endpoint categories:
- Authentication - Login and tokens
- Profiles - User profiles
- Actions - Social features
- Files - File management
- Apps - App package management
- Shares - File sharing and access grants
- Trash - Trash management
- Tags - Content tagging
- Settings - User preferences
- References - Share links
- Communities - Community management
- Admin - System administration
- IDP Management - Identity provider admin