{ "openapi": "3.0.3", "info": { "title": "InterServer Management API", "version": "0.9.0", "x-service-info": { "category": "web-infrastructure", "subcategories": [ "hosting", "cloud-compute", "domains-dns", "email-delivery", "tls-certificates", "storage-backup", "networking" ], "supported_currencies": [ "USD" ], "billing_models": [ "one-time", "recurring" ], "marketplace": { "url": "https://www.interserver.net/", "order_endpoint": "/billing/cart", "checkout_endpoint": "/billing/pay/{method}/{invoices}" } }, "description": "# Overview\n\nThe InterServer Management API provides programmatic access to manage your InterServer services. Use this REST API to automate provisioning, configuration, and billing operations across your account.\n\nThe API covers the following service categories:\n- [Domains](https://www.interserver.net/domains/) — registration, transfers, and DNS management\n- [Web Hosting](https://www.interserver.net/hosting/) — shared and reseller hosting\n- [VPS Hosting](https://www.interserver.net/vps/) — virtual private servers\n- [Dedicated Servers](https://www.interserver.net/dedicated/) — bare metal and [Rapid Deploy Servers](https://www.interserver.net/dedicated/rapid-deploy.html)\n- [Backups](https://www.interserver.net/storage/) — storage and backup services\n- Licenses — control panel and software licenses\n- [Mail](https://www.mail.baby/) — mail delivery services\n- SSL — certificate provisioning\n- Billing — invoices, payment methods, and account management\n\nFor interactive testing, see the [API documentation](/api-docs/).\n\n# Authentication\n\nMost endpoints require authentication. Two methods are supported:\n\n## API Key (Preferred)\n\nGenerate an API key from the [Account Security](https://my.interserver.net/account_security) page on [my.interserver.net](https://my.interserver.net/). Pass it in the `X-API-KEY` request header:\n\n```\nX-API-KEY: your-api-key-here\n```\n\n## Session-Based Authentication\n\nAlternatively, authenticate by creating a session:\n\n1. **Log in** — Send a `POST` request to `/login` with your account credentials. The response includes a session identifier.\n2. **Pass the session ID** — Include the session identifier in the `sessionid` header on subsequent requests:\n\n```\nsessionid: your-session-id-here\n```\n\nAPI key authentication is recommended for most integrations as it does not expire and avoids the overhead of session management.\n\n", "termsOfService": "https://www.interserver.net/terms-of-service.html", "contact": { "name": "InterServer Support Staff", "url": "https://www.interserver.net/contact-us.html", "email": "support@interserver.net" }, "license": { "name": "MIT License", "url": "https://opensource.org/licenses/MIT" } }, "servers": [ { "url": "https://my.interserver.net/apiv2", "description": "Live API Endpoint" } ], "security": [ { "apiKeyAuth": [] }, { "sessionIdHeaderAuth": [] }, { "sessionIdCookieAuth": [] } ], "tags": [ { "name": "Public", "description": "Endpoints that do not require authentication. Use these to check API availability, look up reference data (countries, currencies, timezones), and authenticate." }, { "name": "Account", "description": "Manage your account profile, contact information, security settings, API keys, SSH keys, two-factor authentication, and IP access restrictions." }, { "name": "Billing", "description": "Invoices, shopping cart, prepay balances, credit cards, and payment processing. Use `/billing/pay/{method}/{invoices}` to complete payment for outstanding invoices." }, { "name": "Backups", "description": "Cloud backup storage services. Order, view, and manage backup storage quotas and credentials." }, { "name": "DNS", "description": "Manage DNS domains and records hosted on InterServer's nameservers. Create domains, add/update/delete A, AAAA, CNAME, MX, TXT, and other record types." }, { "name": "Domains", "description": "Domain registration, transfers, renewals, WHOIS, nameserver management, and DNSSEC configuration." }, { "name": "Floating_IPs", "description": "Floating IP services that provide portable IP addresses which can be reassigned between servers for high availability and failover." }, { "name": "Licenses", "description": "Software license provisioning for control panels (cPanel, Plesk, DirectAdmin) and other licensed software. Order, manage, and change IP assignments." }, { "name": "Mail", "description": "Mail Baby email delivery services. Order, manage, view logs, configure alerts and deny rules, and monitor deliverability." }, { "name": "QuickServers", "description": "Rapid Deploy Servers (QuickServers) — pre-configured dedicated servers available for fast provisioning with OS reinstall, backup, and VNC capabilities." }, { "name": "Servers", "description": "Dedicated server ordering and management. Configure custom hardware, view IPMI information, and manage server lifecycle." }, { "name": "SSL-Certificates", "description": "SSL/TLS certificate provisioning and management. Order, renew, and manage certificates for securing your domains." }, { "name": "VPS", "description": "Virtual Private Server management. Order, configure, backup, restore, reinstall, and control VPS instances with full root access." }, { "name": "Webhosting", "description": "Shared and reseller web hosting packages. Order, manage, and access hosting control panels, backups, and reverse DNS." }, { "name": "Tickets", "description": "Support ticket system. Create new tickets, reply to existing ones, view ticket history, and close resolved issues." }, { "name": "Scrub Ips", "description": "DDoS protection and IP scrubbing services. Manage protected IPs, configure firewall rules, geographic filters, and view traffic logs." } ], "externalDocs": { "description": "Tips", "url": "https://www.interserver.net/tips/" }, "paths": { "/account": { "summary": "User Account Information and Management", "description": "This endpoint allows you to manage various user details, including contact information and account security.\n\n- Use the `GET` method to retrieve your account information.\n- Use the `POST` method to update your stored contact and billing information.\n", "get": { "tags": [ "Account" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AccountInfo" } } }, "links": { "UpdateAccountInfo": { "operationId": "updateAccountInfo", "description": "Use the returned account data to pre-fill an update form and submit changes via POST /account." } }, "description": "Your account information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getAccountInfo", "summary": "Read full account profile, billing address, and security settings", "description": "Use to render the account-settings page or to verify current state before mutating with `updateAccountInfo`. No body, no path params. Returns: full profile (name, company, address1/2, city, state, zip, country, phone, email_invoices, email_abuse, gstin, locale, timezone), masked credit-card list (last-4 digits only — full PAN never returned), OAuth provider config (with secret keys stripped), feature toggles (`disable_reset`, `disable_reinstall`, `disable_*_notifications`), gravatar URL, language, country->currency map, and `enableLocales`/`enableCurrencies` UI flags. Timezone defaults to IP-derived value if unset, falling back to America/New_York. Errors: 401 if session invalid or expired. Sibling ops: `updateAccountInfo`, `getAccountTfaSetup`, `updateAccountFeatures`, `updateAccountIpLimits`." }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/AccountInfoPost" } }, "application/json": { "schema": { "$ref": "#/components/schemas/AccountInfoPost" } } }, "required": true }, "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "422": { "$ref": "#/components/responses/AccountValidationError" } }, "operationId": "updateAccountInfo", "summary": "Update contact and billing-address fields on the customer profile", "description": "Use to change the customer's name, company, mailing address, phone, GSTIN, locale, timezone, or notification-email overrides (`email_invoices`, `email_abuse`). Submit only fields you want to change — partial updates supported. Required (must be non-empty if sent): `name`, `country`, `address`, `city`, `state`, `zip`, `phone`. Phone is normalized: parens, dashes, underscores stripped. Timezone must be a valid IANA identifier (e.g. `America/New_York`). Side effects: triggers FraudRecord + MaxMind risk re-scoring on first save, updates Kayako helpdesk username when `name` changes. Returns `{success:true}`. Errors: 401 missing-required field; 422 invalid timezone or empty payload. Sibling ops: `getAccountInfo`, `updateAccountFeatures`, `updateAccountPassword`." } }, "/account/2fa": { "get": { "tags": [ "Account" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "2fa_google_key": { "description": "Base64-encoded secret key for TOTP setup.", "type": "string" }, "2fa_google_split": { "description": "Human-readable formatted key (chunks of 4 characters).", "type": "string" } } } } }, "description": "Two-factor authentication setup data." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getAccountTfaSetup", "summary": "Fetch TOTP secret to enroll a 2FA authenticator app (Google Authenticator etc.)", "description": "Use as step 1 of 2FA enrollment. The 160-bit secret is generated on first call and cached in the session until the user completes (or abandons) setup. No body, no path params. Returns `{2fa_google_key, 2fa_google_split}` — render `2fa_google_key` as a QR code (otpauth://totp/My.InterServer:LID?secret=KEY) and display `2fa_google_split` (key chunked into 4-char groups, space-separated) for manual entry. After the user types the 6-digit code from their app, finalize enrollment with `updateAccountTfa`. Calling this multiple times before enrolling reuses the same in-session secret. Errors: 401 if session invalid. Sibling ops: `updateAccountTfa` (verify & enable), `deleteAccountTfa` (disable)." }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "required": [ "2fa_google_code" ], "type": "object", "properties": { "2fa_google_code": { "description": "The 6-digit verification code from your authenticator app.", "type": "string" } } } }, "application/json": { "schema": { "required": [ "2fa_google_code" ], "type": "object", "properties": { "2fa_google_code": { "description": "The 6-digit verification code from your authenticator app.", "type": "string" } } } } }, "required": true }, "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "422": { "$ref": "#/components/responses/InvalidTwoFactorCode" } }, "operationId": "updateAccountTfa", "summary": "Verify TOTP code and enable two-factor authentication on the account", "description": "Use as step 2 of 2FA enrollment, after `getAccountTfaSetup`. Body: `{2fa_google_code:string}` — the 6-digit code currently displayed by the user's authenticator app for the secret returned from `getAccountTfaSetup`. On verify success, the secret is persisted to `account_security` (type `2fa_google_key`, label `default`) and ALL OTHER active sessions for this account are invalidated (server destroys appsessions and sessions rows where session_id != current). The current session remains. Subsequent logins will require both password and a fresh TOTP code. Returns `{success:true, text}`. Errors: 401 unauthenticated; 422 `Invalid Code` if the TOTP doesn't match (clock skew, wrong app entry, or expired). Sibling ops: `getAccountTfaSetup`, `deleteAccountTfa`." }, "delete": { "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteAccountTfa", "summary": "Disable two-factor authentication and remove the TOTP secret", "description": "DESTRUCTIVE: removes the 2FA secret from `account_security` and clears the in-session secret cache. After success, only password authentication is required for future logins — security posture drops materially. No body, no path params. Use when the customer has lost their authenticator device or wants to re-enroll from scratch (call this, then `getAccountTfaSetup` -> `updateAccountTfa`). Returns `{success:true, text:'Google Two Factor Authentication is disabled successfully!'}`. Errors: 401 unauthenticated. Caveat: existing sessions remain valid; rotate `updateAccountPassword` if you suspect credential compromise. Sibling ops: `getAccountTfaSetup`, `updateAccountTfa`, `updateAccountPassword`." } }, "/account/apikey": { "post": { "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateAccountApiKey", "summary": "Rotate the account's REST/MCP API key — old key is invalidated immediately", "description": "DESTRUCTIVE: generates a new 128-character random API key and overwrites the existing entry in `account_security` (type `api_key`, label `default`). The OLD key stops working the moment this returns — any scripts, MCP clients, or CI jobs using the previous key will start receiving 401 until updated. No body, no path params. Returns `{success:true, text:NEW_KEY}` — the plaintext key is returned ONCE in this response and is not retrievable later (only stored hashed-equivalent server-side for verification). Store immediately in a secret manager. Use after suspected credential leak, employee offboarding, or routine rotation. Errors: 401 unauthenticated. Sibling ops: `updateAccountPassword`, `updateAccountIpLimits`, `Logout`." } }, "/account/features": { "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/AccountFeatures" } }, "application/json": { "schema": { "$ref": "#/components/schemas/AccountFeatures" } } }, "required": true }, "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "422": { "$ref": "#/components/responses/NothingToUpdate" } }, "operationId": "updateAccountFeatures", "summary": "Toggle account-wide safety locks for password reset and OS reinstall", "description": "Updates account-level feature flags that gate destructive service operations across every VPS / dedicated / QuickServer the customer owns. Useful for production accounts that want belt-and-suspenders protection against accidental reinstalls or root-password resets via the panel/API. Changes take effect immediately for all subsequent service operations. Sibling ops: `getAccountInfo`, `updateAccountInfo`, `updateAccountIpLimits`.\n\n**Body fields:**\n- `disable_reset` (bool, optional) — when `true`, blocks server / VPS root-password resets account-wide.\n- `disable_reinstall` (bool, optional) — when `true`, blocks OS reinstalls account-wide.\n\nSubmit either or both. Flags absent from the request default to `0` for the comparison and only persist if their value differs from the current stored value.\n\n**Returns:** `{ success: true, text }`.\n\n**Errors:**\n- `401` — unauthenticated.\n- `400` / `422` — `Nothing to update` when neither flag's value differs from current.\n" } }, "/account/iplimits": { "post": { "requestBody": { "description": "The lower and upper bounds of an ip range.", "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/IpLimitRange" }, "examples": { "IpLimitRangeFormExample": { "value": { "start": "1.2.3.0", "end": "1.2.3.255" } } } }, "application/json": { "schema": { "$ref": "#/components/schemas/IpLimitRange" }, "examples": { "IpLimitRangeJsonExample": { "value": { "start": "1.2.3.0", "end": "1.2.3.255" } } } } }, "required": true }, "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "422": { "$ref": "#/components/responses/InvalidIpAddress" } }, "operationId": "updateAccountIpLimits", "summary": "Add an IP CIDR/range to the account's API+web allow-list (lockout-safe)", "description": "DESTRUCTIVE / LOCKOUT-RISK: appends an IP range to `accounts.session_limit`. Once ANY range exists, all `/apiv2` and panel access is restricted to matching source IPs. Body: `{start, end, restrict?}` — both IPv4 dotted-quad; `restrict` is `Web & API` (default) or `Only API`. Safety net: server checks the caller's IP against the resulting list and auto-appends a /32 for the caller if not already covered (response text warns about this). The MCP server sets header `X-API-APP: 1` which short-circuits the IP check entirely (see `api_check_auth_limits()`), so MCP tools keep working. Caveats: `192.168.1.0`-`192.168.1.255` is rejected as a placeholder. Returns `{success:true, text}`. Errors: 400/422 `Invalid IP Address`; 401 unauthenticated. Sibling ops: `deleteIpLimit`, `getAccountInfo`." }, "patch": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/IpLimitRange" } } } }, "tags": [ "Account" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/GenericResponse" } } }, "description": "IP Range removed." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteIpLimit", "summary": "Remove one IP range from the account allow-list (PATCH on /account/iplimits)", "description": "DESTRUCTIVE: deletes the matching `{start, end}` entry from `accounts.session_limit`. Method is PATCH (not DELETE) because the path collides with `updateAccountIpLimits`. Body: `{start, end}` — must exactly match an existing range (trim-equal on both bounds). Behaviour: if removing this range would leave an empty list, IP limiting is disabled and the account becomes accessible from any IP. If ranges remain but none cover the caller's source IP, the server auto-injects a /32 for the caller to prevent self-lockout (response text warns). MCP callers bypass via `X-API-APP: 1` header. Returns `{success:true, text:'IP Range deleted.'}`. Errors: 400/422 `Invalid IP Address` if `start`/`end` aren't valid IPs; 401 unauthenticated. Sibling ops: `updateAccountIpLimits`, `getAccountInfo`." } }, "/account/oauth/{name}": { "delete": { "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteAccountOauthName", "summary": "Unlink a third-party OAuth/social provider (Google, GitHub, etc.) from the account", "description": "DESTRUCTIVE: removes the linked provider's tokens from `accounts_ext` (rows where `account_key` IN (`{name}_id`,`{name}_url`)). After unlinking, that provider can no longer be used to log in or pre-fill profile data — the user must log in via password (and 2FA if enabled). Path param: `name` (case-insensitive provider key, e.g. `google`, `github`, `facebook`) — must be present in `getOauthConfig().providers`. No request body. Use when the customer wants to revoke a previously authorized social-login. Returns `{success:true, text:'OAuth Provider Unlinked.'}`. Errors: 400 `Invalid Provider Name.` if `name` not configured; 401 unauthenticated. Sibling ops: `logoutAccountOauth`, `getAccountInfo`, `updateAccountPassword`." }, "parameters": [ { "name": "name", "schema": { "type": "string" }, "in": "path", "required": true } ] }, "/account/oauth/{name}/logout": { "get": { "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "logoutAccountOauth", "summary": "Sign out of the upstream OAuth provider session (does not unlink the account)", "description": "Soft de-authorization for a linked OAuth provider — terminates only the upstream provider session/cookie state. The account-level link in `accounts_ext` is preserved, so the user can log back in with that provider without re-linking. Path param: `name` (provider key, e.g. `google`, `github`). No request body. Use when forcing a fresh consent screen on next OAuth login, or after the user reports a stuck/stale provider session. NOT a substitute for `Logout` (which kills the MyAdmin session) and NOT a substitute for `deleteAccountOauthName` (which permanently severs the link). Returns `{success:true, text:'OAuth Provider Logged Out.'}`. Errors: 401 unauthenticated. Sibling ops: `deleteAccountOauthName`, `Logout`, `getAccountInfo`." }, "parameters": [ { "name": "name", "schema": { "type": "string" }, "in": "path", "required": true } ] }, "/account/password": { "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/PasswordRequest" } }, "application/json": { "schema": { "$ref": "#/components/schemas/PasswordRequest" } } }, "required": true }, "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/TextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateAccountPassword", "summary": "Change the account login password (verifies current, kills other sessions)", "description": "DESTRUCTIVE: changes the account login password and invalidates all OTHER active sessions for this account. The current caller's session is preserved; API keys generated via `updateAccountApiKey` remain valid. Sibling ops: `updateAccountApiKey`, `Logout`, `updateAccountTfa`.\n\n**Body fields:**\n- `currentpassword` (string, required) — verified via `auth::authenticate`.\n- `password` (string, required) — must pass `valid_password()` — 8–50 chars, at least one uppercase, one lowercase, one digit, and one of `_~-!@#$%^&*`.\n- `password2` (string, required) — must equal `password`.\n\n**Returns:** `{ success: bool }` — flash messages on the response capture per-field errors.\n\n**Side effects:**\n- Persists `md5(password)` to `accounts.account_passwd`.\n- Sends `password_change_notify.tpl` email to the account login id.\n- Destroys all other sessions for this account row-by-row.\n\n**Errors:**\n- `401` — unauthenticated.\n- Flash `Current login password is mismatching` — bad `currentpassword`.\n- Flash `Confirm Password is mismatching` — `password` ≠ `password2`.\n- Flash password-policy violation message.\n" } }, "/account/sshkey": { "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/AccountSshKey" } }, "application/json": { "schema": { "$ref": "#/components/schemas/AccountSshKey" } } }, "required": true }, "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateAccountSshKey", "summary": "Set the account-level SSH public key auto-installed on new VPS/dedicated orders", "description": "Stores or replaces the SSH public key on `account_security` (type `ssh_key`, label `default`). On future VPS, dedicated server, or quickserver orders the activation flow can install this key into `~/.ssh/authorized_keys` for the root/sudo user, eliminating password-based SSH for the initial provisioning. Body: `{sshKey:string}` — full single-line OpenSSH public key (ssh-rsa/ssh-ed25519/ecdsa-sha2-* + base64 + optional comment). Newlines are stripped on save. Existing servers are NOT retroactively updated — only new orders pick this up. Use to set up key-based access ahead of order activation, or to rotate the canonical key. Returns `{success:true, text:'SSH Keys Updated.'}`. Errors: 401 unauthenticated. Sibling ops: `getAccountInfo`, `updateAccountPassword`, `updateAccountApiKey`." } }, "/affiliate/banners": { "get": { "tags": [ "Billing" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/AffiliateBannerRow" } }, "examples": { "AffiliateBannerExample": { "value": [ { "image": "12946798.gif", "width": "125", "height": "125" }, { "image": "12946800.gif", "width": "160", "height": "90" }, { "image": "12946802.gif", "width": "160", "height": "190" }, { "image": "12946806.gif", "width": "200", "height": "200" }, { "image": "12946808.gif", "width": "250", "height": "250" }, { "image": "12946811.gif", "width": "300", "height": "250" } ] } } } }, "description": "Affiliate Banners Array" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getAffiliateBanners", "summary": "List affiliate banner image assets with filename and dimensions", "description": "Returns the catalog of pre-built banner images affiliates can embed on partner sites — same catalog for every account (not per-affiliate). Use to render a creative-asset picker in the affiliate dashboard. Each row carries the image filename and dimensions so the client can build correctly-sized `` tags. Read-only. Sibling ops: `getAffiliateRichReport`, `getAffiliateSalesGraph`, `getAffiliateTrafficGraph`, `getAffiliateWebTraffic`, `getAffiliateSignups`, `updateAffiliateDockSetup`.\n\n**Path/Query/Body:** None.\n\n**Returns:** Array of `AffiliateBannerRow`:\n- `image` (string) — filename (e.g. `12946798.gif`); served from the affiliate asset bucket.\n- `width` (string) — pixels.\n- `height` (string) — pixels.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n" } }, "/affiliate/dock_setup": { "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/AffiliateDockSetup" } }, "application/json": { "schema": { "$ref": "#/components/schemas/AffiliateDockSetup" } } }, "required": true }, "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/TextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateAffiliateDockSetup", "summary": "Configure the affiliate landing dock title, description, and referrer coupon", "description": "Customizes the branded landing-dock page shown to visitors arriving via the affiliate's referral link, and reserves a unique referrer coupon code that's automatically created across all affiliate-eligible modules. Title/description allow a limited HTML allowlist (``, `
`, ``, `
`); everything else is entity-escaped. Coupon changes propagate to **all** affiliate modules atomically. Sibling ops: `updateAffiliatePaymentSetup`, `getAffiliateSignups`.\n\n**Body fields (multipart or JSON, schema `AffiliateDockSetup`):**\n- `affiliate_dock_title` (string, optional) — landing-page title. HTML allowlist: ``, `
`, ``, `
`.\n- `affiliate_dock_description` (string, optional) — landing-page body. Same allowlist.\n- `referrer_coupon` (string, optional) — coupon code reservation. Requirements:\n - ≥ 6 chars.\n - `^[a-zA-Z0-9]+$` (alphanumeric only).\n - Must NOT contain `facebook`, `test`, or `interserver` (substring check, case-insensitive).\n - Must NOT exactly match a reserved word.\n - Must NOT already exist as a coupon in any affiliate module (`webhosting`, `vps`, `quickservers`, `servers`, `backups`).\n\n**Returns:** `{text: \"\"}`.\n\n**Side effects:**\n- First time setting `referrer_coupon`: inserts a `coupons` row in each affiliate module (`type=3`, `amount=0.01`, `onetime=1`, `customer=-1`, `usable=1`, `applies=-1`).\n- Changing `referrer_coupon`: renames the coupon across all affiliate modules in one transaction.\n- Updates the account's `affiliate_dock_title`, `affiliate_dock_description`, `referrer_coupon` fields.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `422 The name must be at least 6 characters long`.\n- `422 Invalid Characters, use only standard english letters and numbers`.\n- `422 That is a reserved word that cannot be used here`.\n- `422 is a reserved word that cannot be used here` (substring match against `facebook`/`test`/`interserver`).\n- `409 That name is already taken` — coupon exists in another account's module.\n- `401` — unauthenticated.\n" } }, "/affiliate/payment_setup": { "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/AffiliatePaymentSetup" } }, "application/json": { "schema": { "$ref": "#/components/schemas/AffiliatePaymentSetup" } } }, "required": true }, "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/TextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateAffiliatePaymentSetup", "summary": "Configure how affiliate commissions get paid out (PayPal or internal prepay)", "description": "Sets the disbursement preferences for affiliate commission payouts. Choose between PayPal payout (provide an email — validated) or internal prepay credit (auto-applied to future invoices via `method=prepay`). Selecting `not set` suspends payouts. Sibling ops: `updateAffiliateDockSetup`, `getAffiliateRichReport`, `getAffiliateDownload`.\n\n**Body fields (multipart or JSON, schema `AffiliatePaymentSetup`):**\n- `affiliate_payment_method` (string, optional) — one of `paypal` / `prepay` / `not set`.\n- `affiliate_paypal` (string, optional, required when method=`paypal`) — email validated by `valid_email()`.\n\n**Returns:** `{text: \"Ok\"}`.\n\n**Side effects:**\n- Updates the account's `affiliate_payment_method` and/or `affiliate_paypal` fields.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `422 Invalid Email` — `affiliate_paypal` fails `valid_email()`.\n- `422 Invalid Payment Method` — value not in `{paypal, prepay, not set}`.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Read current commissions:** `getAffiliateRichReport`, `getAffiliateSalesGraph`.\n- **Export commission report:** `getAffiliateDownload`.\n" } }, "/affiliate/rich_report": { "get": { "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/TextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getAffiliateRichReport", "summary": "Read a combined affiliate performance summary (HTML payload)", "description": "Returns a server-rendered HTML/text summary report combining commission totals, conversion rates, and traffic in one round-trip — useful for embedding in a dashboard panel. The payload is **not structured JSON** — for chart-friendly data use `getAffiliateSalesGraph` and `getAffiliateTrafficGraph` instead. Backed by `affiliate_summary_report()`. Sibling ops: `getAffiliateSalesGraph`, `getAffiliateTrafficGraph`, `getAffiliateSignups`, `getAffiliateDownload`, `getAffiliateWebTraffic`.\n\n**Path/Query/Body:** None.\n\n**Returns:** `{text: \"\"}`.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Structured time series:** `getAffiliateSalesGraph`, `getAffiliateTrafficGraph`.\n- **Per-signup detail:** `getAffiliateSignups`.\n- **CSV/XLSX export:** `getAffiliateDownload`.\n" } }, "/affiliate/sales_graph": { "get": { "tags": [ "Billing" ], "parameters": [ { "name": "days", "description": "Number of days of sales history to include in the graph data. Determines the time window for the returned data points.", "schema": { "type": "integer" }, "in": "query" } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/StatusMonthlyBreakdown" } } }, "description": "Affiliate sales graph data broken down by time period." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getAffiliateSalesGraph", "summary": "Read aggregated affiliate sales time-series (monthly buckets) for chart rendering", "description": "Returns aggregated sales time-series data — monthly buckets with sale counts/totals — for the requested look-back window. Use to render a sales trend chart in the affiliate dashboard. Bucket granularity is fixed at monthly by `sales_graph_lte_data`; increasing `days` extends the window, it does not change bucket size. Sibling ops: `getAffiliateTrafficGraph` (clicks), `getAffiliateRichReport` (combined summary), `getAffiliateSignups`, `getAffiliateDownload`.\n\n**Query params:**\n- `days` (integer, optional, default `365`) — look-back window in days.\n\n**Returns:** `StatusMonthlyBreakdown` — buckets keyed by month with aggregated sale counts and amounts.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n" } }, "/affiliate/traffic_graph": { "get": { "tags": [ "Billing" ], "parameters": [ { "name": "days", "description": "Number of days of traffic history to include in the graph data. Determines the time window for the returned data points.", "schema": { "type": "integer" }, "in": "query" } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MonthlyCounts" } } }, "description": "Affiliate traffic graph data broken down by time period." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getAffiliateTrafficGraph", "summary": "Read aggregated affiliate referral click/visit time-series for chart rendering", "description": "Returns aggregated click/visit time-series data from the `affiliate_traffic` table — monthly buckets with visit counts — for the requested look-back window. Pair with `getAffiliateSalesGraph` to compute click-to-sale conversion ratios client-side. Sibling ops: `getAffiliateSalesGraph` (sales), `getAffiliateWebTraffic` (raw per-visit log entries), `getAffiliateRichReport`.\n\n**Query params:**\n- `days` (integer, optional, default `180`) — look-back window in days.\n\n**Returns:** `MonthlyCounts` — buckets keyed by month with aggregated visit counts.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n" } }, "/affiliate/web_traffic": { "get": { "tags": [ "Billing" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/AffiliateTrafficRow" } }, "examples": { "AffiliateWebTrafficResponseExample": { "value": [ { "traffic_id": "91839913", "traffic_ip": "2a06:98c0:3600::", "traffic_url": "https://www.interserver.net/webhosting/?id=8", "traffic_affiliate": "8", "traffic_referrer": "", "traffic_timestamp": "2023-09-30 06:30:27" }, { "traffic_id": "91831932", "traffic_ip": "2a06:98c0:3600::", "traffic_url": "https://www.interserver.net/webhosting/?id=8", "traffic_affiliate": "8", "traffic_referrer": "", "traffic_timestamp": "2023-09-30 03:15:13" } ] } } } }, "description": "The recent affiliate web traffic" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getAffiliateWebTraffic", "summary": "List the 20 most recent affiliate referral visits with IP, referrer, timestamp", "description": "Returns the 20 most recent raw referral visits from the `affiliate_traffic` table — visitor IP, full referral URL, and timestamp per row. Use to audit traffic sources, identify top referrers, or investigate suspicious click patterns. Hard-coded limit 20 (no pagination); for longer-term analysis use `getAffiliateTrafficGraph` or export via `getAffiliateDownload`. Sibling ops: `getAffiliateTrafficGraph`, `getAffiliateSignups`, `getAffiliateRichReport`, `getAffiliateDownload`.\n\n**Path/Query/Body:** None.\n\n**Returns:** Array of `AffiliateTrafficRow`:\n- `traffic_id` (string) — row id (most-recent-first).\n- `traffic_ip` (string) — visitor IP (IPv4 or IPv6).\n- `traffic_url` (string) — referral landing URL.\n- `traffic_affiliate` (string) — affiliate (= session `account_id`).\n- `traffic_referrer` (string) — HTTP Referer (may be empty).\n- `traffic_timestamp` (string) — `YYYY-MM-DD HH:MM:SS` in account timezone.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n" } }, "/affiliate/signups": { "get": { "tags": [ "Billing" ], "parameters": [ { "name": "st", "description": "Filter signups by status. Use `default` to show all or pass a specific status value to narrow results.", "schema": { "type": "string" }, "in": "query" } ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "data": { "description": "Affiliate signup statistics and client-side data.", "type": "object" } } } } }, "description": "Affiliate signup statistics." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getAffiliateSignups", "summary": "Read affiliate signup stats and per-customer conversion data", "description": "Returns referred-customer signup statistics with optional status filtering — counts, conversion data, and per-customer detail produced by `affiliates_clientside()`. The inner `data` shape varies by status filter; pass `default` for the full dataset. Sibling ops: `getAffiliateRichReport`, `getAffiliateSalesGraph`, `getAffiliateTrafficGraph`, `getAffiliateDownload`.\n\n**Query params:**\n- `st` (string, optional, default `default`) — status filter. `default` returns all; other values narrow the results to that status.\n\n**Returns:** `{data: }` — signup counts, conversions, per-customer detail (shape depends on `st`).\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n" } }, "/affiliate/download": { "get": { "tags": [ "Billing" ], "parameters": [ { "name": "st", "description": "Filter by status.", "schema": { "type": "string" }, "in": "query" }, { "name": "ex", "description": "Export format: csv, xls, xlsx, or pdf. Defaults to csv.", "schema": { "enum": [ "csv", "xls", "xlsx", "pdf" ], "type": "string" }, "in": "query" }, { "name": "year", "description": "Year to filter the report. Defaults to the current year.", "schema": { "type": "integer" }, "in": "query" } ], "responses": { "200": { "description": "Affiliate report file download. The response Content-Type matches the requested format (text/csv, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet, or application/pdf)." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getAffiliateDownload", "summary": "Export the affiliate signup report as CSV, XLS, XLSX, or PDF file download", "description": "Exports the affiliate signup report as a downloadable file in the requested format. Use for accounting, tax filings, or sharing reports outside the dashboard. **Response is a binary stream, not JSON** — the handler emits the file body with matching `Content-Type` + `Content-Disposition: attachment` headers and `exit()`s the request immediately. Consumers must read the raw response body. Sibling ops: `getAffiliateRichReport`, `getAffiliateSignups`, `getAffiliateSalesGraph`.\n\n**Query params:**\n- `ex` (string, optional, enum `csv`/`xls`/`xlsx`/`pdf`, default `csv`) — export format.\n- `st` (string, optional, default `default`) — status filter (same as `getAffiliateSignups`).\n- `year` (integer, optional, default current year) — report scope.\n\n**Returns:** File download with format-appropriate Content-Type:\n- `csv` → `text/csv`, filename `Interserver_Affiliates.csv`.\n- `xls` / `xlsx` → `application/vnd.openxmlformats-officedocument.spreadsheetml.sheet`, filename `Interserver_Affiliates.`.\n- `pdf` → `application/pdf`, filename `Interserver_Affiliates.pdf`.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n" } }, "/backups": { "get": { "tags": [ "Backups" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/BackupRow" } } } }, "links": { "GetBackupDetails": { "operationId": "getBackupInfo", "parameters": { "id": "$response.body#/0/backup_id" }, "description": "Use the backup_id from the list to retrieve full service details including connection info and status." } }, "description": "The listing of backup storage services on your account." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getBackupsList", "summary": "List off-site backup storage subscriptions on the authenticated account", "description": "Use when enumerating all off-site backup storage services (SFTP-style remote storage subscriptions) on the authenticated customer's account. NOT for VPS/QS/webhosting in-place snapshots — those live under their own tags (`getVpsBackups`, `getQsBackups`, `getWebsitesBackups`). No query params, no body.\nReturns an array of rows; each row carries `backup_id`, `backup_name`, `backup_username`, `backup_status`, `services_name` (plan), and `backup_cost` (recurring price from `repeat_invoices`). Use `backup_id` as the path `{id}` for `getBackupInfo`, `getBackupLogin`, `getBackupInvoices`, `getBackupsWelcomeEmail`, `cancelBackup`. Errors: HTTP 401 if unauthenticated. Empty array when the customer has no backup services.\nSiblings: `getBackupInfo`, `getNewBackup`, `addBackup`." } }, "/backups/order": { "get": { "tags": [ "Backups" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BackupsOrder" } } }, "description": "Information needed to generate an order form." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewBackup", "summary": "Get backup-storage order form metadata and pricing tiers", "description": "Use before placing an off-site backup storage order to fetch the available plans, their service-type IDs, and per-tier pricing needed to render an order form. No params, no body.\nReturns `{ packageCosts, serviceTypes }` — `packageCosts` is a map of `services_id` → recurring cost (from `services` where `services_module='backups'` and `services_buyable=1`); `serviceTypes` is the dispatcher output of `run_event('get_service_types', true, 'backups')` describing each tier. Pass the chosen `services_id` as `serviceType` to `validateBackupOrder` (PUT) for a price preview, then to `addBackup` (POST) to commit. Errors: HTTP 401 if unauthenticated.\nSiblings: `validateBackupOrder`, `addBackup`, `getBackupsList`." }, "put": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/BackupOrderPutRequest" } }, "application/json": { "schema": { "$ref": "#/components/schemas/BackupOrderPutRequest" } } }, "required": true }, "tags": [ "Backups" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BackupOrderPutResponse" } } }, "description": "Validate Backup Order Response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "validateBackupOrder", "summary": "Validate a backup-storage order and preview pricing without charging", "description": "Use to dry-run a backup order — runs `validate_buy_storage()` to compute final price, apply any coupon, and surface validation errors before the customer commits. No invoice is created and no service is provisioned.\nBody (JSON or multipart): `serviceType` (services_id from `getNewBackup`), optional `coupon`, `period` (months, default 1), `comment`. Returns `{ continue, errors, serviceType, serviceCost, originalCost, repeatServiceCost, hostname, password, coupon, couponCode }`. Use the response to render a confirmation screen, then call `addBackup` (POST same path) to place the order. Errors: HTTP 401 unauthenticated; HTTP 422 surfaced inside `errors[]` (invalid coupon, ineligible plan, duplicate hostname).\nSiblings: `addBackup`, `getNewBackup`." }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/BackupOrderPutRequest" } }, "application/json": { "schema": { "$ref": "#/components/schemas/BackupOrderPutRequest" } } }, "required": true }, "tags": [ "Backups" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BackupOrderPostResponse" } } }, "links": { "InitiatePayment": { "operationId": "getBillingInvoice", "parameters": { "id": "$response.body#/invoices_id" }, "description": "Use the invoice ID from the order response to retrieve invoice details or proceed to payment." } }, "description": "Response from the backup order call including invoice IDs for payment." }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Order a managed off-site backup storage service. Returns invoice IDs for /billing/pay/{method}/{invoices}.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addBackup", "summary": "Place a new off-site backup storage order and generate the invoice", "description": "Step 3 of the backup-storage order flow. Revalidates via `validate_buy_storage()`, then calls `place_buy_storage()` which creates a `backups` service row, a `repeat_invoices` recurring entry, and the first `invoices` row. **Real billable order — call `validateBackupOrder` first.** Service is provisioned only after the invoice is paid. Sibling ops: `getNewBackup` (catalog), `validateBackupOrder` (quote), `getBackupInvoices` (billing history), `initiatePayment` (settle).\n\n**Body fields** (JSON or multipart):\n- `serviceType` (integer, required) — `services_id` from `getNewBackup`.\n- `coupon` (string, optional) — coupon code.\n- `period` (integer, optional, default `1`) — billing months.\n- `comment` (string, optional) — saved on the order row.\n\n**Returns** (on success): `{ continue: true, total_cost, iid, iids, real_iids, serviceId, invoice_description, cj_params }` — feed `real_iids` into `initiatePayment`. On validation failure: `{ continue: false, errors: [...] }` with HTTP 200.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n- `422` inside `errors[]` — coupon/plan/duplicate-hostname validation.\n- Explicit error text when no backend storage server is available for assignment.\n\n**Side effects:** new rows in `backups`, `repeat_invoices`, `invoices`; queued provisioning kicks off only after payment.\n\n**Related calls:**\n- **Prerequisite:** `validateBackupOrder`.\n- **Pay:** `getBillingInvoice` → `initiatePayment`.\n- **Poll status:** `getBackupInfo` (until `backup_status='active'`).\n" } }, "/backups/{id}": { "get": { "tags": [ "Backups" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Backup" } } }, "links": { "GetBackupInvoices": { "operationId": "getBackupInvoices", "parameters": { "id": "$request.path.id" }, "description": "Retrieve invoices for this backup service." }, "GetBackupLogin": { "operationId": "getBackupLogin", "parameters": { "id": "$request.path.id" }, "description": "Obtain a login session URL for the backup storage panel." }, "CancelBackup": { "operationId": "cancelBackup", "parameters": { "id": "$request.path.id" }, "description": "Cancel this backup service." } }, "description": "Full backup service details including serviceInfo, billingDetails, and client_links." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getBackupInfo", "summary": "Get details of a specific off-site backup storage service", "description": "Use to fetch the full management view for one backup-storage subscription. Path param: `id` (backup service ID from `getBackupsList`). No body.\nReturns `serviceInfo` (with `backup_username`, `backup_ip`, `backup_status`, `backup_quota`, `backup_type`, `backup_invoice`), plus `billingDetails`, `extraInfoTables`, `package`, `custCurrency`, and `client_links` (rewritten to surface the link target rather than the raw queue URL). `admin_links`, internal `settings`, and `csrf` are stripped. Errors: HTTP 401 unauthenticated; HTTP 404 if `id` does not belong to the caller (cross-account access blocked by `get_service`).\nSiblings: `getBackupLogin` (open storage panel session), `getBackupInvoices`, `getBackupsWelcomeEmail`, `cancelBackup`, `updateBackupInfo`." }, "post": { "tags": [ "Backups" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateBackupInfo", "summary": "Update stored metadata for a backup-storage subscription", "description": "Use to update non-billing metadata (e.g. stored credentials, comment, hostname) on an existing off-site backup storage service. Path param: `id` from `getBackupsList`. Body fields are forwarded to the same `View::go()` handler as the GET; consult the order form for accepted keys.\nReturns the standard `SuccessTextResponse`. Caveats: this endpoint does NOT change the plan, quota, or billing — those require cancel + reorder via `cancelBackup` and `addBackup`. It also does NOT trigger any backend SFTP credential rotation. Errors: HTTP 401 unauthenticated; HTTP 404 if `id` is not owned by the caller; HTTP 422 on invalid input.\nSiblings: `getBackupInfo`, `cancelBackup`, `getBackupLogin`." }, "delete": { "tags": [ "Backups" ], "responses": { "200": { "$ref": "#/components/responses/BackupsCancelResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "cancelBackup", "summary": "Cancel an off-site backup storage subscription", "description": "DESTRUCTIVE. Use to terminate a backup-storage subscription. Delegates to `CancelService::go($id)` with module `backups`, which marks the service for cancellation and stops future recurring billing; data on the storage backend may become inaccessible at end of cycle. Path param: `id` from `getBackupsList`. No body.\nReturns `BackupsCancelResponse`. Caveats: irreversible — a new order via `addBackup` is required to restore service, with a new IP/username and no migration of prior data. Does NOT delete VPS/QS/webhosting in-place snapshots (those live under their own tags). Errors: HTTP 401 unauthenticated; HTTP 404 if `id` is not owned by the caller; HTTP 409 if the service is already cancelled or pending cancellation.\nSiblings: `addBackup`, `getBackupInfo`, `getBackupInvoices`." }, "parameters": [ { "name": "id", "description": "The backup service ID. Use the `backup_id` from `GET /backups` to identify the service.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/backups/{id}/invoices": { "get": { "tags": [ "Backups" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getBackupInvoices", "summary": "List invoices for a single backup-storage subscription", "description": "Use to retrieve all invoices tied to one off-site backup storage service — useful for confirming billing status, locating an unpaid invoice to pay, or reconciling renewals. Path param: `id` from `getBackupsList`. Delegates to the shared `InvoicesList::go()` handler with module `backups`. No body.\nReturns `ChargeInvoiceRows` (array of invoice rows with `invoices_id`, status, amount, dates). Feed `invoices_id` into `getBillingInvoice` for full detail or `/billing/pay/{method}/{invoices}` to settle an unpaid invoice. For the account-wide invoice list use the Billing tag instead. Errors: HTTP 401 unauthenticated; HTTP 404 if `id` is not owned by the caller.\nSiblings: `getBackupInfo`, `addBackup`." }, "parameters": [ { "name": "id", "description": "The backup service ID. Use the `backup_id` from `GET /backups` to identify the service.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/backups/{id}/login": { "get": { "tags": [ "Backups" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BackupLoginResponse" } } }, "description": "Login session details for the backup storage service." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getBackupLogin", "summary": "Open a single sign-on session URL for the backup storage panel", "description": "Use to drop the customer straight into the off-site backup storage management panel without a separate login prompt. Calls `get_storage_session($id)` to mint a one-shot session URL; treat the URL as short-lived and credentials-equivalent — do not log or share.\nPath param: `id` from `getBackupsList`. No body. Returns `BackupLoginResponse` (`success`, session URL/token, optional connection hints). On `success=false` the handler returns `json_error(text)` (HTTP 400) with the upstream reason. Errors: HTTP 401 unauthenticated; HTTP 404 if `id` is not owned by the caller; backend errors when the storage server is unreachable.\nSiblings: `getBackupInfo` (SFTP `backup_username`/`backup_ip` for direct connections), `getBackupsWelcomeEmail` (resend setup credentials)." }, "parameters": [ { "name": "id", "description": "The backup service ID. Use the `backup_id` from `GET /backups` to identify the service.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/backups/{id}/welcome_email": { "get": { "tags": [ "Backups" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getBackupsWelcomeEmail", "summary": "Resend the welcome email for an off-site backup storage service", "description": "Use when the original welcome email was lost or never arrived. Resends connection credentials (SFTP host, username, quota) and setup instructions to the account email by invoking the module's `backup_welcome_email($id)` helper.\nPath param: `id` from `getBackupsList`. No body. Returns `SuccessTextResponse` with `text='Welcome Email has been resent.'`. Caveats: only works while the service is `active`; cancelled/pending services will return 409. Email is sent to the customer-of-record on file — there is no override recipient parameter. Errors: HTTP 401 unauthenticated; HTTP 404 if `id` is not owned by the caller (`Invalid Service Passed`); HTTP 409 if `backup_status` is not `active` (`Service is not active`).\nSiblings: `getBackupLogin`, `getBackupInfo`." }, "parameters": [ { "name": "id", "description": "The backup service ID. Use the `backup_id` from `GET /backups` to identify the service.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/billing/cart": { "get": { "tags": [ "Billing" ], "responses": { "200": { "content": { "application/json": { "schema": { "description": "Cart contents and checkout metadata.", "type": "object" } } }, "description": "Current shopping cart contents and available payment methods." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "View shopping cart contents and pick a payment method before checkout.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "getBillingCart", "summary": "Read the current shopping cart contents, totals, and available payment methods", "description": "Returns the customer's checkout state — every pending/unpaid invoice on the account aggregated as a cart, plus available payment methods, currency totals, and checkout metadata. Use to render a checkout page or, in agent flows, as a pre-payment confirmation step before calling `initiatePayment`. Backed by the `cart` helper module; `modules_json` and `csrf_token` are stripped from the response. Read-only. Sibling ops: `getBillingInvoices` (raw list), `getBillingInvoice` (one invoice in detail), `initiatePayment` (pay), `getBillingPrePays` (check prepay balance first).\n\n**Path/Query/Body:** None.\n\n**Returns:** A cart object with:\n- Line items aggregated from unpaid `invoices` rows for the session account.\n- Currency-normalized subtotal / total.\n- Available payment methods (filtered by feature flags, account country, and which gateways are enabled): `cc`, `paypal`, `btcpay`, `coinbase`, `payu`, `ccavenue`, `cashfree`, `payssion`, `prepay`.\n- Per-invoice description, module, service-id, amount.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **List unpaid invoices directly:** `getBillingInvoices`.\n- **Drill into one invoice:** `getBillingInvoice`.\n- **Pay:** `initiatePayment` (use the cart's invoice ids or the `SERVICEvpsN` / `INVvpsN` tag forms).\n- **Top up prepay first:** `getBillingPrePays`, `addBillingPrepay`.\n" } }, "/billing/prepays": { "get": { "tags": [ "Billing" ], "responses": { "200": { "content": { "application/json": { "schema": { "description": "Prepay balance data.", "type": "object" } } }, "description": "Prepay balances and metadata." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getBillingPrePays", "summary": "List prepay deposits on the account — remaining balance and auto-use flags", "description": "Returns every prepay deposit on the account — funded or pending — with remaining balances, modules they're scoped to, and the `automatic_use` flag controlling whether the balance auto-applies to future invoices. Use to gate `method=prepay` at checkout (a prepay must be funded to count toward payment) or to render a prepays management page. Read-only. `csrf_token` is stripped from the helper output. Sibling ops: `addBillingPrepay` (top up), `deleteBillingPrepay` (remove), `initiatePayment` (`method=prepay`), `getBillingCart`.\n\n**Path/Query/Body:** None.\n\n**Returns:** Object with per-prepay rows:\n- `prepay_id` (integer).\n- `prepay_module` (string) — service module the prepay is scoped to (or `default` for any).\n- `prepay_amount` (decimal) — original deposit amount.\n- `prepay_remaining` (decimal) — funds left.\n- `prepay_automatic_use` (bool) — auto-apply to invoices.\n- `prepay_paid` (bool) — whether the funding invoice has been paid (unpaid prepays are listed but unusable).\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Top up:** `addBillingPrepay` (returns an invoice id you then pay via `initiatePayment`).\n- **Pay with prepay:** `initiatePayment` with `method=prepay`.\n- **Remove an unfunded prepay:** `deleteBillingPrepay`.\n- **Cart view:** `getBillingCart` (includes prepay summary).\n" }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BillingPrepayRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/BillingPrepayRequest" } } }, "required": true }, "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Top up prepay balance — creates an invoice you then pay via /billing/pay/{method}/{invoices}.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addBillingPrepay", "summary": "Create a prepay deposit and return an invoice id to fund it", "description": "Creates a prepay row (`prepays` table) at the requested amount and inserts a matching `invoices` row (`Prepay ID {pid} Invoice`) that the customer must pay through `initiatePayment` before the balance becomes usable. The prepay is added with `PREPAY_TYPE_ANY` / `PREPAY_SERVICE_ANY` defaults via `add_prepay()`. Use to seed an account balance the customer can later spend via `method=prepay` at checkout. **Real money** — funding the returned invoice charges a real payment method. Sibling ops: `getBillingPrePays`, `deleteBillingPrepay`, `getBillingInvoice`, `initiatePayment`.\n\n**Body fields (JSON or multipart, schema `BillingPrepayRequest`):**\n- `amount` (number, required) — deposit size in account currency. **Minimum $10**; smaller values are rejected.\n- `module` (string, required) — service module scope (`default` for any service, or specific like `vps`, `webhosting`).\n- `automatic_use` (bool, required) — when `true`, the balance auto-applies to future invoices in the scoped module.\n\n**Returns:** `{text: \"Thank you! Prepay created! Kindly pay the invoice to activate the prepay fund.\", invoice: }` — pass `invoice` to `initiatePayment` (use a real `method` like `cc` / `paypal`, not `prepay` — you can't fund a prepay with a prepay).\n\n**Side effects:**\n- Inserts `prepays` row.\n- Inserts `invoices` row (`invoices_description = \"Prepay ID {pid} Invoice\"`, `invoices_paid=0`, `invoices_module='default'`).\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `Sorry! Minimum prepay amount is $10.00` — amount below floor.\n- `Something went wrong! Try again or contact our support team!` — invoice insert failed.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Confirm invoice:** `getBillingInvoice` with the returned `invoice` id.\n- **Pay it:** `initiatePayment` (`method=cc|paypal|...`, not `prepay`).\n- **Verify it's now usable:** `getBillingPrePays` (look for `prepay_remaining > 0`).\n- **Cancel before paying:** `deleteBillingPrepay`.\n\n**Example happy path:**\n```text\nPOST /apiv2/billing/prepays { \"amount\": 100, \"module\": \"default\", \"automatic_use\": true }\n-> { \"text\": \"...\", \"invoice\": 25296701 }\nGET /apiv2/billing/pay/cc/25296701\n-> { \"type\": \"single\", \"text\": \"Payment processed.\" }\nGET /apiv2/billing/prepays\n-> [{ \"prepay_id\": 99, \"prepay_remaining\": 100, ... }]\n```\n" } }, "/billing/prepays/{id}": { "delete": { "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteBillingPrepay", "summary": "Delete an unfunded prepay or strip its unpaid funding invoices", "description": "Removes a prepay from the account, with one safety rule: a prepay that still has usable credit (`prepay_remaining > $0.01`) cannot be deleted *unless* it also has unpaid funding invoices we can clean up — in which case those unpaid `invoices` rows are deleted and the prepay row stays. Use to back out a never-funded prepay, or to surface stuck unpaid funding invoices. **Irreversible** — funded credit is unrecoverable through this endpoint. Sibling ops: `getBillingPrePays`, `addBillingPrepay`, `deleteBillingInvoice`.\n\n**Path param:**\n- `id` (integer, required) — prepay id from `getBillingPrePays.prepay_id`.\n\n**Body:** None.\n\n**Returns:**\n- When unpaid funding invoices were stripped but prepay still has funds: `\"PrePay {id} Unpaid Invoices Deleted\"`.\n- When the prepay row was deleted: `\"PrePay {id} deleted.\"`.\n\n**Side effects:**\n- Deletes any unpaid `invoices` rows matching `invoices_description = \"Prepay ID {id} Invoice\"` and `invoices_paid=0`.\n- Deletes the `prepays` row when remaining balance ≤ $0.01.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `Invalid Prepay` — `id` not found.\n- `That prepay still hands funds available on it` — funds remain AND no unpaid invoices to clean up.\n- `There was an error deleting the prepay, please contact support` — delete affected 0 rows.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **List first:** `getBillingPrePays`.\n- **Re-add later:** `addBillingPrepay`.\n- **Cancel a specific funding invoice:** `deleteBillingInvoice` (routes prepay invoices here automatically).\n" }, "parameters": [ { "name": "id", "description": "The prepay balance ID to delete.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/billing/invoices": { "get": { "tags": [ "Billing" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BillingInvoiceList" } } }, "links": { "GetInvoiceDetails": { "operationId": "getBillingInvoice", "parameters": { "id": "$response.body#/invoices/0/id" }, "description": "Use an invoice ID from the list to retrieve the full invoice details for payment or review." } }, "description": "Invoice listing and summary for the account." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getBillingInvoices", "summary": "List every invoice on the account with summary totals and paid/unpaid status", "description": "Returns the customer's complete invoice ledger — every charge, paid or unpaid, across every service module. Use to render a billing-history page, find an unpaid invoice id to pass to `initiatePayment`, or audit recent activity. Server-side strips the first synthetic header row from `get_view_invoices()` and reindexes the array. Read-only. The response includes a Link to `getBillingInvoice` for drilling into any row. Sibling ops: `getBillingInvoice`, `deleteBillingInvoice`, `initiatePayment`, `getBillingCart`, `getBillingPrePays`.\n\n**Path/Query/Body:** None.\n\n**Returns:** `BillingInvoiceList` — object containing:\n- `rows` (array) — per-invoice summaries: `id`, `amount`, `paid`, `description`, `date`, `due_date`, `module`, `service` (service-id within the module), `currency`.\n- Aggregate totals across the array (totals object: `total`, `paid_total`, `unpaid_total`).\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Drill into one invoice:** `getBillingInvoice`.\n- **Pay an unpaid invoice:** `initiatePayment`.\n- **Cancel an unpaid pending-service invoice:** `deleteBillingInvoice` (only works on pending services / unpaid prepays).\n- **Per-service invoices instead:** `getVpsInvoices`, `getDomainInvoices`, `getMailInvoices`, `getBackupInvoices`, etc.\n" } }, "/billing/invoices/{id}": { "get": { "tags": [ "Billing" ], "parameters": [ { "name": "id", "description": "The invoice ID. Use IDs from `GET /billing/invoices` or from order responses.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BillingInvoiceDetail" } } }, "links": { "DeleteInvoice": { "operationId": "deleteBillingInvoice", "parameters": { "id": "$request.path.id" }, "description": "Delete this invoice if it is still unpaid." } }, "description": "Detailed invoice payload for the requested invoice." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getBillingInvoice", "summary": "Read full invoice detail — line items, totals, paid status, customer info", "description": "Returns the full rendered invoice payload for a single invoice — backed by `get_invoice_data()`, the same helper that builds the email-style invoice document. Use to confirm the exact balance due and the invoice description before calling `initiatePayment`, or to render an invoice viewer page. Read-only. The response is an email-style/HTML payload (not a structured line-item array) — for a structured cart-style summary use `getBillingCart`. The response includes a Link to `deleteBillingInvoice` for unpaid pending-service invoices. Sibling ops: `getBillingInvoices`, `deleteBillingInvoice`, `initiatePayment`, `getBillingCart`, per-service `getVpsInvoices` / `getMailInvoices` / etc.\n\n**Path param:**\n- `id` (integer, required) — invoice id from `getBillingInvoices.rows[].id`, from an order endpoint's response (e.g. `addVps.iid`), or from a per-service invoice list.\n\n**Body:** None.\n\n**Returns:** `BillingInvoiceDetail` — full rendered invoice payload (email body) with line items, totals, customer/billing info, and paid status. The exact shape mirrors what gets sent to the customer.\n\n**Auth:** Session/API key. Ownership enforced through the invoice's `invoices_custid`.\n\n**Errors:**\n- `Invalid Invoice` — `id` not found or owned by another account.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Pay it:** `initiatePayment` (`/billing/pay/{method}/{id}`).\n- **Delete if pending/unpaid:** `deleteBillingInvoice`.\n- **List all:** `getBillingInvoices`.\n- **Cart-style summary across all unpaid:** `getBillingCart`.\n" }, "delete": { "tags": [ "Billing" ], "parameters": [ { "name": "id", "description": "The invoice ID to delete. Only unpaid invoices can be deleted.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteBillingInvoice", "summary": "Cancel a pending unpaid invoice — and its pending service or repeat invoice", "description": "Cancels an unpaid invoice and cleans up the records it represents. Behavior depends on what the invoice funds: a **prepay** invoice is routed to `deleteBillingPrepay`; an **initial service charge** (where `repeat_invoices_id` matches the service's `_invoice` field) deletes the `repeat_invoices` row, all child `invoices`, AND the pending service row from the module's table; an **addon/recurring** invoice just deletes that one `invoices` row plus its `repeat_invoices` row. **Only invoices for services in `pending` status can be deleted** — once provisioned, the service must be cancelled via the per-service Cancel endpoint instead. **Irreversible**. Sibling ops: `getBillingInvoice`, `deleteBillingPrepay`, `VPSCancel` / `CancelDomain` / `mailCancel` / `webhostingCancel` / etc.\n\n**Path param:**\n- `id` (integer, required) — invoice id (`invoices_type=1`, ownership enforced via `invoices_custid`).\n\n**Body:** None.\n\n**Returns:** `Invoice Deleted` text.\n\n**Side effects:** (depends on invoice type)\n- **Prepay invoice** (description matches `Prepay ID N Invoice`) — delegates to `deleteBillingPrepay($pid)`.\n- **Initial service invoice** (`repeat_invoices_id == service._invoice`) — deletes:\n - the `repeat_invoices` row,\n - every `invoices` row for that service,\n - the service row in `{settings['TABLE']}`.\n- **Addon/recurring invoice** — deletes only the matching `repeat_invoices` row and the single `invoices` row.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `Invalid invoice` — `id` not found or wrong owner.\n- `Invalid service` — invoice references a service that no longer exists.\n- `Can only delete invoices for pending services or prepays` — service is `active`/`suspended`/`cancelled`.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **List candidates:** `getBillingInvoices`.\n- **Detail first:** `getBillingInvoice`.\n- **For active services:** `VPSCancel`, `CancelDomain`, `mailCancel`, `webhostingCancel`, `licensesCancel`, `sslCancel`, `cancelScrubIp`, `floating_ipsCancel`, `cancelBackup`, `quickserversCancel`, `serversCancel` — these use `Billing\\CancelService::go()`.\n- **For prepay invoices:** `deleteBillingPrepay` (delegated automatically).\n" } }, "/billing/creditcards": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BillingAddCcRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/BillingAddCcRequest" } } }, "required": true }, "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "addBillingCreditCard", "summary": "Store a credit card on the account — may return a verification flow", "description": "Stores a new credit card on the account so it can later be selected via `updateBillingPaymentMethod` or used directly with `initiatePayment` (`method=cc`). The card number has dashes stripped and is sanitized through `FILTER_SANITIZE_NUMBER_INT`; billing address fields are HTML-entity-escaped server-side; the CC number is encrypted at rest via `App::encrypt()`. The flow may return `action='verify'` indicating a two-step micro-charge verification is required before the card is usable — complete it with `patchBillingCreditCardVerify` then `postBillingCreditCardVerify`. Sibling ops: `updateBillingCreditCard`, `deleteBillingCreditCard`, `patchBillingCreditCardVerify`, `postBillingCreditCardVerify`, `updateBillingPaymentMethod`.\n\n**Body fields (JSON or multipart, schema `BillingAddCcRequest`):**\n- `cc` (string, required) — card number; dashes stripped, non-digits filtered.\n- `name` (string, required) — cardholder name.\n- `cc_exp` (string, required) — `MM/YYYY`.\n- `address` (string, required), `city`, `state`, `country`, `zip` (strings) — billing address; HTML-entity-escaped.\n\n**Returns:**\n- **Added directly:** `{success: true, text: \"Card Added Successfully!\"}`.\n- **Verification needed:** `{success: false, text: \"Kindly verify your card by updating the amounts in the fields\", action: \"verify\"}` — proceed to `patchBillingCreditCardVerify`.\n\n**Side effects:**\n- Inserts the encrypted card into the account's `ccs` array (managed via `parse_ccs` / `add_cc`).\n- May trigger a small initial test charge (gateway-dependent).\n- First-card-on-account triggers MaxMind + FraudRecord risk-score recomputation.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `Card number, Full Name, Expiry date are required!` — required field missing/empty.\n- `401` — unauthenticated.\n- Gateway/AVS error text — declined, mismatch, etc.\n\n**Related calls:**\n- **Verify (if `action='verify'`):** `patchBillingCreditCardVerify` (CVV + initiate micro-charge) → `postBillingCreditCardVerify` (submit amounts).\n- **Make it the default:** `updateBillingPaymentMethod` with `payment_method=cc`.\n- **Pay an invoice with it:** `initiatePayment` (`method=cc`).\n" } }, "/billing/creditcards/{id}": { "post": { "tags": [ "Billing" ], "parameters": [ { "name": "id", "description": "The credit card ID. Use IDs from `GET /billing/creditcards` or the response from `POST /billing/creditcards`.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateBillingCreditCard", "summary": "Refresh stored card expiration and re-trigger MaxMind fraud scoring", "description": "Updates the expiration date on a stored credit card and re-encrypts the card record. If the updated card matches the account's primary `cc`, the account-level `cc_exp` is also refreshed. If no MaxMind risk score exists yet for the card, `update_maxmind()` is called to compute one. Use to fix an upcoming expiration before recurring charges fail. Sibling ops: `addBillingCreditCard`, `deleteBillingCreditCard`, `getBillingCreditCardVerify`, `postBillingCreditCardVerify`, `updateBillingPaymentMethod`.\n\n**Path param:**\n- `id` (integer, required) — credit card index (the key in the account's `ccs` array, returned by `parse_ccs` and surfaced as `cc` in `updateBillingPaymentMethod`).\n\n**Body fields:**\n- `cc_exp` (string, required) — new expiration in `MM/YYYY` format.\n\n**Returns:** `Card updated successfully.`.\n\n**Side effects:**\n- Updates the `ccs` array (re-serialized via `myadmin_stringify`) on the account.\n- When the card == primary `cc`, the account-level `cc_exp` is also written.\n- Triggers `update_maxmind($custid, false, $cc_idx)` if no risk score exists.\n\n**Auth:** Session/API key. Card ownership enforced via `parse_ccs`.\n\n**Errors:**\n- `Invalid Credit Card Passed` — `id` not in `parse_ccs`.\n- `Please enter valid card expiry date` — `cc_exp` body field missing.\n- `Invalid expiration date. It must be in the form of MM/YYYY` — wrong format.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Verify a freshly added card:** `patchBillingCreditCardVerify` → `postBillingCreditCardVerify`.\n- **Remove the card:** `deleteBillingCreditCard`.\n- **Make it default:** `updateBillingPaymentMethod` with `payment_method=cc`.\n" }, "delete": { "tags": [ "Billing" ], "parameters": [ { "name": "id", "description": "The credit card ID to remove. Use IDs from `GET /billing/creditcards`.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteBillingCreditCard", "summary": "Remove a stored credit card from the account", "description": "Removes the indexed credit card from the account's `ccs` collection. If the deleted card was also the account's primary `cc`, the primary field is cleared — `initiatePayment` (`method=cc`) will then return an error until a new default is designated via `updateBillingPaymentMethod`. **Irreversible** — to re-store the same card, re-run `addBillingCreditCard`. Sibling ops: `addBillingCreditCard`, `updateBillingCreditCard`, `updateBillingPaymentMethod`, `getBillingCreditCardVerify`.\n\n**Path param:**\n- `id` (integer, required) — credit card index from `parse_ccs`.\n\n**Body:** None.\n\n**Returns:** `Card removed successfully.`.\n\n**Side effects:**\n- Removes the entry from the `ccs` array; re-serialized via `myadmin_stringify`.\n- When the deleted card was primary: clears account-level `cc`.\n\n**Auth:** Session/API key. Card ownership enforced.\n\n**Errors:**\n- `Invalid Credit Card Passed` — `id` not in `parse_ccs`.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Set a new default:** `updateBillingPaymentMethod`.\n- **Add a replacement:** `addBillingCreditCard`.\n" } }, "/billing/creditcards/{id}/verify": { "get": { "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getBillingCreditCardVerify", "summary": "Probe whether a stored card still needs micro-charge verification", "description": "Status probe for the credit-card verification flow. Read-only — current implementation returns a placeholder string indicating verification is pending; the actual two-step verification happens via `patchBillingCreditCardVerify` (initiate dual micro-charge with CVV) followed by `postBillingCreditCardVerify` (submit the charged amounts). Use to drive the UI's \"verify card\" form rendering. Sibling ops: `patchBillingCreditCardVerify`, `postBillingCreditCardVerify`, `addBillingCreditCard`, `updateBillingPaymentMethod`.\n\n**Path param:**\n- `id` (integer, required) — credit card index from `parse_ccs`.\n\n**Body:** None.\n\n**Returns:** `Verification requirements` (placeholder text — reserved for future structured response with `requires_cvv` / `requires_amounts` flags).\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Step 1 of verify flow:** `patchBillingCreditCardVerify`.\n- **Step 2 of verify flow:** `postBillingCreditCardVerify`.\n- **Add a new card:** `addBillingCreditCard`.\n" }, "patch": { "requestBody": { "content": { "application/json": { "schema": { "type": "object", "required": [ "cc_ccv2" ], "properties": { "cc_ccv2": { "description": "The CVV/CVC code on the back of the credit card.", "type": "string" } } } }, "multipart/form-data": { "schema": { "type": "object", "required": [ "cc_ccv2" ], "properties": { "cc_ccv2": { "description": "The CVV/CVC code on the back of the credit card.", "type": "string" } } } } }, "required": true }, "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "patchBillingCreditCardVerify", "summary": "Place two micro-charges on the card to start CVV verification (step 1 of 2)", "description": "Step 1 of the two-step card-verification flow. After `addBillingCreditCard` returns `action='verify'`, call this with the card's CVV to place two small charges (cents-scale) on the card. The customer must then look up the exact amounts in their bank statement and submit them via `postBillingCreditCardVerify` to finalize verification. **After 3 failed CVV attempts** (`cc_fails_` counter on the account) the card is locked from further verification attempts — contact support. Sibling ops: `getBillingCreditCardVerify`, `postBillingCreditCardVerify`, `addBillingCreditCard`, `updateBillingPaymentMethod`.\n\n**Path param:**\n- `id` (integer, required) — credit card index from `parse_ccs`.\n\n**Body fields:**\n- `cc_ccv2` (string, required) — the 3- or 4-digit CVV/CVC code from the back (or front, for Amex) of the card.\n\n**Returns:** `Your card is charged. Please enter the amounts charged up!` — surface to the UI to prompt for the two amounts.\n\n**Side effects:**\n- Places two test charges via `verify_cc_charge()` (gateway-side).\n- On failure: increments `cc_fails_` on the account.\n\n**Auth:** Session/API key. Card ownership enforced.\n\n**Errors:**\n- `Invalid Credit Card Passed` — `id` not in `parse_ccs`.\n- `Reached the max number of tries to authenticate this card` — `cc_fails_ > 3`.\n- `Missing or blank CVV` — `cc_ccv2` absent or empty.\n- Gateway error text — charge attempt failed.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Prerequisite:** `addBillingCreditCard` (must have returned `action='verify'`).\n- **Next (step 2):** `postBillingCreditCardVerify` (submit `cc_amount1` + `cc_amount2`).\n- **After verification:** `updateBillingPaymentMethod` to make it the default.\n" }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BillingVerifyCcRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/BillingVerifyCcRequest" } } }, "required": true }, "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postBillingCreditCardVerify", "summary": "Submit two micro-charge amounts to finalize card verification (step 2 of 2)", "description": "Step 2 of the two-step card-verification flow. Submits the two exact micro-charge amounts the customer saw on their statement (placed by `patchBillingCreditCardVerify`) so the gateway can confirm the customer controls the card. On success, the card is marked verified and can be selected via `updateBillingPaymentMethod` (`payment_method=cc`) or used directly with `initiatePayment` (`method=cc`). After 3 failed attempts (`cc_fails_ > 3`) the card is locked. Sibling ops: `getBillingCreditCardVerify`, `patchBillingCreditCardVerify`, `addBillingCreditCard`, `updateBillingPaymentMethod`.\n\n**Path param:**\n- `id` (integer, required) — credit card index from `parse_ccs`.\n\n**Body fields (schema `BillingVerifyCcRequest`):**\n- `cc_amount1` (number, required) — first micro-charge amount (in dollars, decimal).\n- `cc_amount2` (number, required) — second micro-charge amount.\n\n**Returns:** Verification success text (gateway-returned).\n\n**Side effects:**\n- Marks the card as verified when amounts match.\n- On failure: increments `cc_fails_` on the account.\n\n**Auth:** Session/API key. Card ownership enforced.\n\n**Errors:**\n- `Invalid Credit Card Passed` — `id` not in `parse_ccs`.\n- `Reached the max number of tries to authenticate this card` — `cc_fails_ > 3`.\n- `Missing charge amounts` — `cc_amount1` or `cc_amount2` absent.\n- Verification failure text (status `failed` / `error` / `warning`) — amounts don't match.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Prerequisite (step 1):** `patchBillingCreditCardVerify`.\n- **Next:** `updateBillingPaymentMethod` to make the verified card default, or `initiatePayment` (`method=cc`) to pay immediately.\n" }, "parameters": [ { "name": "id", "description": "The credit card ID to verify. Use the ID returned from `POST /billing/creditcards`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/billing/payment_method": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BillingPaymentMethodRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/BillingPaymentMethodRequest" } } }, "required": true }, "tags": [ "Billing" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateBillingPaymentMethod", "summary": "Set the account's default payment method for recurring/auto charges", "description": "Sets the account's preferred payment method for recurring/automatic charges and (when applicable) promotes a specific stored credit card to be the primary `cc` on the account. Use after `addBillingCreditCard` + verification to select the new card, or when switching between PayPal and credit-card billing. First-time payment-method assignment triggers `update_maxmind()` and `update_fraudrecord()` risk-score generation. Sibling ops: `addBillingCreditCard`, `postBillingCreditCardVerify`, `deleteBillingCreditCard`, `initiatePayment`.\n\n**Body fields (JSON or multipart, schema `BillingPaymentMethodRequest`):**\n- `payment_method` (string, required) — one of:\n - `cc` — use the existing primary credit card.\n - `cc` (e.g. `cc2`) — promote the card at index `idx` (from `parse_ccs`) to primary. Must be verified.\n - `paypal` — switch to PayPal.\n- `cc_auto` (string `0`/`1`, optional) — auto-charge flag. Implicitly set to `1` when selecting `cc`/`cc`, `0` for `paypal`.\n\n**Returns:** `{text: \"Payment Method Updated\"}`.\n\n**Side effects:**\n- When `payment_method=cc`: copies the indexed card's encrypted `cc` and `cc_exp` onto the account's primary fields.\n- First time a payment method is set: runs MaxMind risk score, then FraudRecord score.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `Invalid Credit Card Specified` — `cc` is malformed or `idx` not found in `parse_ccs`.\n- `This CC has not been verified.` — the chosen card hasn't completed `postBillingCreditCardVerify`.\n- `Invalid Payment Method Specified` — value not in `{cc, paypal, cc}`.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Prerequisite for `cc`:** `addBillingCreditCard` → `patchBillingCreditCardVerify` → `postBillingCreditCardVerify`.\n- **Now pay an invoice:** `initiatePayment` (`method=cc` will use the default; `method=paypal` if you switched).\n- **Audit current methods:** `getAccountInfo` (account profile shows cards as masked).\n" } }, "/captcha": { "get": { "tags": [ "Public" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CaptchaResponse" }, "examples": { "CaptchaResponseExample": { "value": { "captcha": "data:image/jpeg;base64,/9j/4AAQ" } } } } }, "description": "An array containing a `captcha` field containing a string with a base64 encoded captcha image." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "security": [ {} ], "operationId": "getCaptcha", "summary": "Fetch a base64 JPEG captcha challenge for human verification", "description": "Fetches a fresh captcha challenge image to display before submitting `submitSignup` (or any unauthenticated form that needs human verification). Public endpoint — no authentication required. Sibling ops: `getLoginInfo` (returns a captcha alongside other login-page data), `submitSignup` (consumes the answer), `submitLogin`.\n\n**Path/Query/Body:** None.\n\n**Returns:** `{ captcha: string }` — `captcha` is a `data:image/jpeg;base64,...` URL ready to drop into an ``.\n\n**Side effects:** the phrase is stored server-side in `$_SESSION['captcha']` (also aliased to the signup-flow key `$_SESSION['captchaSignup']` and forgot-password key `$_SESSION['captchaFP']`). The browser must send the same `PHPSESSID` cookie back when posting the answer.\n\n**Charset:** 8 chars from `3456789ABCDEFGHJKLMNPQRSTWXY` — no ambiguous `0`/`1`/`I`/`O`/`2`/`Z`.\n\n**Related calls:**\n- **Consumers:** `submitSignup`, `submitLogin`.\n- **One-shot login bootstrap:** `getLoginInfo`.\nanswer in `captcha` field).\n" } }, "/buy_now_servers_list": { "get": { "tags": [ "Servers", "Public" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/BuyItNowList" }, "example": [ { "server_id": "10467", "cpu": [ "Xeon E3-1270v6", { "img": "xeon-e3.png", "type": "XEON", "speed": "", "num_cpus": "1", "num_cores": "4" } ], "memory": "64GB", "disk": { "4TB SSD": "4TB SSD" }, "bandwidth": "1Gbps Unmetered", "ips": "1 Vlan Ip (/30)", "location": "NYC Region", "price": 64 } ] } }, "description": "Marketplace Buy it now servers list" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getMPServers", "summary": "List Rapid Deploy (Buy-It-Now) marketplace dedicated servers with live pricing", "description": "Use to browse pre-built dedicated servers ready for immediate provisioning (Rapid Deploy / marketplace). No params, no body. Pulls live inventory from `mynew.interserver.net/ajax/server_a.php`.\nReturns: array of `{ server_id, cpu: [model, {img,type,speed,num_cpus,num_cores}], memory, disk, bandwidth, ips, location, price }`. The `server_id` is the marketplace asset id — feed it into `buyItNowServerOrder` (GET options for asset `?a=`) and `placeBuyNowServer` (POST to commit). Errors: 401 if session expired.\nSibling ops: `buyItNowServerOrder` (configure asset), `placeBuyNowServer` (purchase), `getNewServer`/`addServer` (custom-spec build, not pre-built), `getServerList` (already-owned servers)." } }, "/dns": { "summary": "DNS Management", "description": "View and manage your DNS domains and records", "get": { "tags": [ "DNS" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/DnsListItem" } }, "examples": { "DnsListExample": { "value": [ { "id": 68, "name": "hussfamily.com", "content": "64.20.35.186" }, { "id": 1658, "name": "detain.interserver.net", "content": "66.45.228.74" }, { "id": 1659, "name": "creation.interserver.net", "content": "66.23.239.99" } ] } } } }, "links": { "GetDnsDomain": { "operationId": "getDnsDomain", "parameters": { "id": "$response.body#/0/id" }, "description": "Use the domain id from the list to retrieve all DNS records for that domain." } }, "description": "Listing of DNS domains on the account with their primary A record." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDnsList", "summary": "List DNS zones hosted on the account with each zone's apex A-record IP", "description": "Returns every PowerDNS-hosted authoritative zone owned by the authenticated account, one row per zone, with the IP from the apex `A` record. Canonical entry point for discovering zone IDs before reading or editing records. The list is filtered server-side by session `account_id` — cross-account zones are never returned. Empty array means the account holds no zones (not an error). **Note:** this is the hosted DNS zone list, not registrar delegation — use the Domains tag's `updateDomainNameservers` to point a registered domain at `cdns1.interserver.net`/`cdns2.interserver.net`. Sibling ops: `getDnsDomain`, `addDnsDomain`, `addDnsRecord`, `deleteDnsDomain`.\n\n**Path/Query/Body:** None.\n\n**Returns:** Array of `DnsListItem`:\n- `id` (integer) — zone ID; pass to `getDnsDomain` / `addDnsRecord` / `deleteDnsDomain`.\n- `name` (string) — zone FQDN (e.g. `example.com`).\n- `content` (string) — IP from the apex `A` record matching the zone name (empty when no apex A exists yet).\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Per-zone record list:** `getDnsDomain`.\n- **Add a zone:** `addDnsDomain`.\n- **Add a record to an existing zone:** `addDnsRecord`.\n- **Registrar delegation:** `getDomainNameservers` / `updateDomainNameservers` (Domains tag).\n" }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/DnsNewDomain" }, "examples": { "DnsNewDomainExample": { "value": { "domain": "mydomain.com", "ip": "1.2.3.4" } } } }, "application/json": { "schema": { "$ref": "#/components/schemas/DnsNewDomain" }, "examples": { "DnsNewDomainExampleJson": { "value": { "domain": "mydomain.com", "ip": "1.2.3.4" } } } } }, "required": true }, "tags": [ "DNS" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "addDnsDomain", "summary": "Create a new authoritative DNS zone seeded with apex A + NS + SOA records", "description": "Creates a new authoritative zone in PowerDNS for this account and seeds it with a default record set: apex `A` record pointing at `ip`, `NS` records for InterServer's `cdns1.interserver.net` / `cdns2.interserver.net` anycast resolvers, and an `SOA`. Served immediately by InterServer's nameservers via supermaster propagation. **Important:** this only creates the hosted zone — the customer must still point their registrar's nameservers at `cdns1.interserver.net` / `cdns2.interserver.net` for queries to resolve through this zone (use `updateDomainNameservers` if the domain is registered through InterServer). Sibling ops: `getDnsList`, `getDnsDomain`, `addDnsRecord`, `updateDomainNameservers`.\n\n**Body fields (form or JSON, schema `DnsNewDomain`):**\n- `domain` (string, required) — FQDN of the zone (e.g. `example.com`).\n- `ip` (string, required) — IPv4 address for the apex A record.\n\n**Returns:** `SuccessTextResponse` — status text confirming the zone was created.\n\n**Side effects:**\n- Inserts `domains` row scoped to session `account_id`.\n- Inserts default `records` rows: apex `A`, two `NS`, one `SOA`.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `400` — missing `domain` or `ip`.\n- `401` — unauthenticated.\n- `409` — zone already exists.\n\n**Related calls:**\n- **Find new zone id:** `getDnsList`.\n- **Add more records:** `addDnsRecord`.\n- **Update registrar nameservers:** `updateDomainNameservers` (Domains tag).\n\n**Example request:**\n```json\n{ \"domain\": \"mydomain.com\", \"ip\": \"203.0.113.42\" }\n```\n" } }, "/dns/{id}": { "summary": "DNS Domain Management", "description": "View and manage a domain and the records for it.", "get": { "tags": [ "DNS" ], "parameters": [ { "name": "id", "description": "The DNS domain ID. Use the `id` from `GET /dns` to identify the domain.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/DnsRecord" } }, "examples": { "DnsRecordExample": { "value": [ { "id": "473", "domain_id": "68", "name": "hussfamily.com", "type": "NS", "content": "cdns1.interserver.net", "ttl": "86400", "prio": "0", "disabled": "0", "ordername": "", "auth": "1" }, { "id": "474", "domain_id": "68", "name": "hussfamily.com", "type": "NS", "content": "cdns2.interserver.net", "ttl": "86400", "prio": "0", "disabled": "0", "ordername": "", "auth": "1" }, { "id": "475", "domain_id": "68", "name": "hussfamily.com", "type": "A", "content": "64.20.35.186", "ttl": "86400", "prio": "0", "disabled": "0", "ordername": "", "auth": "1" } ] } } } }, "links": { "UpdateDnsRecord": { "operationId": "updateDnsRecord", "parameters": { "domainId": "$request.path.id", "recordId": "$response.body#/0/id" }, "description": "Use a record id from the list to update that DNS record." }, "DeleteDnsRecord": { "operationId": "deleteDnsRecord", "parameters": { "domainId": "$request.path.id", "recordId": "$response.body#/0/id" }, "description": "Use a record id from the list to delete that DNS record." } }, "description": "The DNS records for the specified domain." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDnsDomain", "summary": "List every DNS record in one zone with the IDs needed to edit or delete them", "description": "Returns the full record set for the specified PowerDNS zone (NS, A, AAAA, CNAME, MX, TXT, SRV, CAA, SOA, etc.) in a single response. Ownership is enforced via `get_dns_domain($id)` against the session account — cross-account access returns an error rather than 200. Use a returned record `id` together with the zone `id` to call `updateDnsRecord` or `deleteDnsRecord`. Sibling ops: `getDnsList`, `addDnsRecord`, `updateDnsRecord`, `deleteDnsRecord`, `deleteDnsDomain`.\n\n**Path param:**\n- `id` (integer, required) — zone ID from `getDnsList.id`.\n\n**Returns:** Array of `DnsRecord`:\n- `id` (string) — record ID; pass to `updateDnsRecord` / `deleteDnsRecord`.\n- `domain_id` (string) — parent zone ID.\n- `name` (string) — FQDN of the record (apex or subdomain).\n- `type` (string) — `A` / `AAAA` / `CNAME` / `MX` / `TXT` / `NS` / `SRV` / `CAA` / `SOA` / `PTR` / `SPF` / `TLSA`.\n- `content` (string) — record value (IP for A/AAAA, hostname for CNAME/NS/MX, free text for TXT, etc.).\n- `ttl` (string) — seconds; default 86400.\n- `prio` (string) — priority for MX/SRV (`0` for non-priority records).\n- `disabled` (string `0`/`1`), `ordername` (string), `auth` (string `0`/`1`).\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `invalid or missing domain or record id` — zone not found or owned by another account.\n\n**Related calls:**\n- **Add a record:** `addDnsRecord` (POST same path).\n- **Update a record:** `updateDnsRecord` (`POST /dns/{domainId}/{recordId}`).\n- **Delete a record:** `deleteDnsRecord`.\n- **Delete the whole zone:** `deleteDnsDomain` (DELETE same path).\n" }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/DnsNewRecord" } }, "application/json": { "schema": { "$ref": "#/components/schemas/DnsNewRecord" } } }, "required": true }, "tags": [ "DNS" ], "responses": { "200": { "description": "Add DNS Domain Response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "addDnsRecord", "summary": "Add a DNS record (A, AAAA, MX, TXT, CNAME, NS, SRV, CAA, ...) to a zone", "description": "Adds a single record to the zone identified by path `id`. Type is validated against the global `$rtypes` allowlist (A, AAAA, CNAME, MX, TXT, NS, SRV, CAA, PTR, SPF, TLSA, etc.); content is validated against the record type by `validate_input()`. The record goes live on PowerDNS immediately; resolvers honor the existing TTL on any cached answer. Sibling ops: `getDnsDomain` (find record id afterward), `updateDnsRecord`, `deleteDnsRecord`.\n\n**Path param:**\n- `id` (integer, required) — zone ID from `getDnsList.id`.\n\n**Body fields (form or JSON, schema `DnsNewRecord`):**\n- `name` (string, required) — FQDN of the record (must be at or below the zone apex).\n- `type` (string, required) — `A` / `AAAA` / `CNAME` / `MX` / `TXT` / `NS` / `SRV` / `CAA` / `PTR` / `SPF` / `TLSA` (must be in `$rtypes`).\n- `content` (string, required) — value matching `type` syntax (IPv4 for A, IPv6 for AAAA, hostname for CNAME/NS/MX, free text for TXT).\n- `ttl` (integer, optional, default 86400) — seconds.\n- `prio` (integer, optional, default 0) — priority (MX/SRV only).\n\n**Returns:** `{success: true, text: \"Record added\"}`.\n\n**Auth:** Session/API key. Zone ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `Type must be one of: ...` — `type` not in allowlist.\n- `invalid or missing domain or record id` — zone not found / not owned.\n- Content-format validation failure (`text` describes the issue).\n\n**Related calls:**\n- **Find new record id:** `getDnsDomain`.\n- **Edit later:** `updateDnsRecord`.\n- **Delete:** `deleteDnsRecord`.\n" }, "delete": { "tags": [ "DNS" ], "parameters": [ { "name": "id", "description": "The DNS domain ID to delete. Use the `id` from `GET /dns` to identify the domain.", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteDnsDomain", "summary": "Permanently delete a DNS zone and every record it contains", "description": "Removes the zone identified by path `id` AND every record it contains from PowerDNS in a single transaction. **Permanent — no soft-delete, no undo.** Any service relying on these records (web, mail, SPF/DKIM, third-party domain verifications, ACME challenges) will start failing as resolver caches expire (per-record TTL, default 86400s). **Note:** this only deletes the hosted zone on InterServer's nameservers — it does not affect registrar delegation. If `cdns1`/`cdns2` are still delegated at the registrar, queries will return NXDOMAIN/SERVFAIL until delegation is changed or the zone is recreated. Sibling ops: `deleteDnsRecord` (delete one record only), `addDnsDomain` (recreate), `updateDomainNameservers` (change registrar delegation).\n\n**Path param:**\n- `id` (string, required) — zone ID from `getDnsList`.\n\n**Returns:** `{success: true, text: \"Domain deleted\"}`.\n\n**Side effects:**\n- Deletes every `records` row with `domain_id={id}`.\n- Deletes the `domains` row.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `invalid or missing domain or record id` — zone not found / not owned.\n\n**Related calls:**\n- **Delete one record only:** `deleteDnsRecord`.\n- **Recreate the zone:** `addDnsDomain`.\n- **Update registrar delegation:** `updateDomainNameservers` (Domains tag).\n" }, "parameters": [ { "examples": { "DnsDomainIdExample": { "value": "472" } }, "name": "id", "description": "The DNS Domain ID.", "schema": { "type": "string" }, "in": "path", "required": true } ] }, "/dns/{domainId}/{recordId}": { "summary": "DNS Record Management", "description": "Manage a DNS Record for the given Domain.", "post": { "requestBody": { "description": "The request data to update a dns record.", "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/DnsUpdateRecord" } }, "application/json": { "schema": { "$ref": "#/components/schemas/DnsUpdateRecord" } } }, "required": true }, "tags": [ "DNS" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateDnsRecord", "summary": "Replace values on an existing DNS record (name, type, content, ttl, priority)", "description": "Replaces the record identified by `recordId` within zone `domainId` with new values. **TTL caveat:** the change is written to PowerDNS immediately, but already-cached resolver answers persist until the previous record's TTL expires — plan TTL down ahead of a clean cutover. Type is validated against the global `$rtypes` allowlist; content is validated against the record type. Sibling ops: `getDnsDomain` (read), `addDnsRecord` (create), `deleteDnsRecord`.\n\n**Path params:**\n- `domainId` (integer, required) — zone ID from `getDnsList.id`.\n- `recordId` (integer, required) — record ID from `getDnsDomain.id`.\n\n**Body fields (form or JSON, schema `DnsUpdateRecord`):**\n- `name` (string, required) — FQDN at/below zone apex.\n- `type` (string, required) — one of the allowed PowerDNS types.\n- `content` (string, required) — value matching `type`.\n- `ttl` (integer, required) — seconds.\n- `prio` (integer, required) — MX/SRV priority (`0` otherwise).\n\n**Returns:** `{success: true, text: \"domain record updated\"}`.\n\n**Auth:** Session/API key. Zone ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `Type must be one of: ...` — `type` not in `$rtypes`.\n- `invalid or missing domain or record id` — zone/record not found / not owned.\n- Content-format validation text — `validate_input()` failure.\n\n**Related calls:**\n- **Read first:** `getDnsDomain`.\n- **Delete:** `deleteDnsRecord`.\n- **Create new:** `addDnsRecord`.\n" }, "delete": { "tags": [ "DNS" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteDnsRecord", "summary": "Permanently delete one DNS record from a zone — zone itself is preserved", "description": "Removes the record identified by `recordId` from zone `domainId`. The zone itself remains intact — only the one record is dropped. **Permanent** — applied to PowerDNS immediately, but resolvers continue to answer with cached values until the previous TTL expires. Use to surgically remove an A/AAAA/MX/TXT etc. record; to drop the entire zone and all its records, use `deleteDnsDomain`. Sibling ops: `getDnsDomain` (verify after deletion), `deleteDnsDomain`, `updateDnsRecord`.\n\n**Path params:**\n- `domainId` (integer, required) — zone ID from `getDnsList.id`.\n- `recordId` (integer, required) — record ID from `getDnsDomain.id`.\n\n**Returns:** `{success: true, text: \"domain record deleted\"}`.\n\n**Auth:** Session/API key. Zone ownership enforced via `get_dns_domain($domainId)`.\n\n**Errors:**\n- `401` — unauthenticated.\n- `invalid or missing domain or record id` — zone/record not found or not owned.\n- `error removing domain record` — underlying DB delete failed.\n\n**Related calls:**\n- **Verify after delete:** `getDnsDomain`.\n- **Recreate:** `addDnsRecord`.\n- **Delete entire zone instead:** `deleteDnsDomain`.\n" }, "parameters": [ { "name": "domainId", "description": "The DNS domain ID. Use the `id` from `GET /dns` to identify the domain.", "schema": { "type": "integer" }, "in": "path", "required": true }, { "name": "recordId", "description": "The DNS record ID within the domain. Use the record `id` from `GET /dns/{id}` to identify the record.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/domains": { "get": { "tags": [ "Domains" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/DomainRow" } }, "examples": { "DomainsExample": { "value": [ { "domain_id": "418295", "domain_hostname": "unixsrv10.com", "domain_expire_date": "", "cost": "11.00", "domain_status": "canceled" }, { "domain_id": "592337", "domain_hostname": "detain.dev", "domain_expire_date": "2023-08-14T00:59:38.000Z", "cost": "18.00", "domain_status": "active" } ] } } } }, "links": { "getDomainInfo": { "operationId": "getDomainInfo", "parameters": { "id": "$response.body#/0/domain_id" }, "description": "Use the `domain_id` from any item in the response array to fetch full service details via `GET /domains/{id}`." } }, "description": "The listing of `Domains` services on your account." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDomainsList", "summary": "List every domain registration on the account with billing and registration metadata", "description": "Enumerates every domain registration owned by the authenticated customer — hostname, expiry, recurring cost, status. The canonical entry point for finding a `domain_id` to pass into other Domains endpoints. Empty array means the account has no domains (not an error). Sibling ops: `getDomainInfo`, `getNewDomain`, `getDomainLookup`, `addDomain`, `CancelDomain`.\n\n**Path/Query/Body:** None.\n\n**Returns:** Array of `DomainRow`:\n- `domain_id` (string) — canonical id; pass to every `/domains/{id}/*` endpoint.\n- `domain_hostname` (string) — registered FQDN.\n- `domain_expire_date` (string ISO 8601 or empty) — registry expiry; empty when not yet activated or unknown.\n- `cost` (decimal string) — recurring renewal cost in the domain's billing currency.\n- `domain_status` (string enum) — `pending` / `active` / `expired` / `canceled` / `pending-transfer`.\n\n**Auth:** Session/API key. Filtered by `domain_custid`.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Per-domain detail:** `getDomainInfo`.\n- **Manage:** `getDomainContact` / `updateDomainContact`, `getDomainNameservers` / `updateDomainNameservers`, `getDomainDnssec` / `addDomainDnssec`, `getDomainWhoisPrivacy` / `updateDomainWhoisPrivacy`.\n- **Renew / transfer:** `getDomainRenewal` / `postDomainRenewal`, `getDomainTransfer`.\n- **Order a new domain:** `getDomainLookup` → `getNewDomain` → `addDomain`.\n- **Cancel:** `CancelDomain`.\n" } }, "/domains/lookup/{name}": { "get": { "tags": [ "Domains" ], "parameters": [ { "name": "name", "description": "The full domain name to look up (for example `example.com`).", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainLookupResponse" } } }, "links": { "addDomain": { "operationId": "addDomain", "description": "Use the pricing and field metadata from this lookup response to populate the order request for `POST /domains/order`." } }, "description": "Availability, pricing, and field metadata for the requested domain." }, "401": { "$ref": "#/components/responses/Unauthorized" }, "422": { "$ref": "#/components/responses/InvalidDomain" } }, "operationId": "getDomainLookup", "summary": "Check availability, premium status, and pricing for a specific domain", "description": "Looks up a single FQDN against OpenSRS: returns availability, premium-name flag, current new/renewal/transfer prices, per-TLD order field metadata, and multi-currency quotes. **Public** endpoint — no auth required (rate-limited via `domainlookup` cache). Repeated lookups within a short window may return cached results from the `domainlookup` table. Use as step 1 of an order: discover availability and pricing, then call `addDomain` to commit. Sibling ops: `getDomainSearch` (suggestions), `getNewDomain` (catalog), `addDomain`, `postDomainSearch`.\n\n**Path param:**\n- `name` (string, required) — full FQDN (e.g. `example.com`).\n\n**Returns** (schema `DomainLookupResponse`):\n- `available` (bool) — registerable now.\n- `premium` (bool) — premium-name pricing (often > $100).\n- `website` (bool) — same hostname is already a webhosting service on this account.\n- `domain_service` (bool) — same hostname is already a domain on this account.\n- `service` (object) — `services_id`, `services_name`, `services_cost`, `services_field1` (TLD), `services_module`.\n- `whois_privacy` (bool) — privacy add-on available for this TLD.\n- `new`, `renewal`, `transfer` (float) — base USD prices (with profit markup).\n- `fields` (object) — per-TLD order form schema (labels, options, current account values).\n- `currencies` (object) — `{: {services_cost, new, renewal, transfer}}` converted to each enabled currency.\n\n**Auth:** Public (no auth required).\n\n**Errors:**\n- `422 Invalid Domain` — `valid_domain()` rejected input.\n\n**Related calls:**\n- **Brainstorm alternatives:** `getDomainSearch`.\n- **Place order:** `addDomain` with the resolved `service.services_id` and `fields`.\n- **TLD catalog:** `getNewDomain`.\n" } }, "/domains/search/{name}": { "get": { "tags": [ "Domains" ], "parameters": [ { "name": "name", "description": "The base domain name to search (for example `example` or `example.com`).", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainSearchResponse" } } }, "description": "Suggested and lookup results for the supplied search term." }, "401": { "$ref": "#/components/responses/Unauthorized" }, "404": { "$ref": "#/components/responses/DomainSearchNoResults" } }, "operationId": "getDomainSearch", "summary": "Get registrar-suggested domain alternatives and bulk availability for a search term", "description": "Returns registrar-suggested alternatives plus bulk availability data from OpenSRS for the supplied search term. Useful when a customer is brainstorming names. Pair with `getDomainLookup` to get full pricing and per-TLD order fields for any specific chosen result. Sibling ops: `postDomainSearch`, `getDomainLookup`, `getNewDomain`, `addDomain`.\n\n**Path param:**\n- `name` (string, required) — search term (e.g. `example` or `example.com`).\n\n**Returns** (schema `DomainSearchResponse`):\n- `success` (bool) — registrar call succeeded.\n- `response_text` (string) — registrar response message.\n- `response_time` (float) — registrar latency (seconds).\n- `lookup` (array) — exact-match availability across the searched TLD set.\n- `suggest` (array) — registrar's recommended alternative names with availability.\n- `tlds` (array) — TLDs queried.\n\n**Auth:** Public.\n\n**Errors:**\n- `422 Invalid Search Response!` — registrar returned no usable results.\n\n**Related calls:**\n- **Single-domain detail:** `getDomainLookup`.\n- **One-shot order preview from a search term:** `postDomainSearch`.\n" }, "post": { "tags": [ "Domains" ], "parameters": [ { "name": "name", "description": "The base domain name to search (for example `example` or `example.com`).", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "description": "Domain availability and pricing check results." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postDomainSearch", "summary": "Get the full order form data for a hostname in one round-trip (search → order preview)", "description": "Returns the complete order-form payload — pricing, service catalog entry, per-TLD order fields — for the hostname in a single POST. Equivalent to calling `getDomainLookup` + `getNewDomain` + `putDomains` and merging the results, but with one round-trip. The path `name` is moved server-side into `$_POST['hostname']` and passed to `getOrderDomainData(true)`. Sibling ops: `getDomainSearch`, `getDomainLookup`, `getNewDomain`, `addDomain`.\n\n**Path param:**\n- `name` (string, required) — hostname (e.g. `example.com`).\n\n**Body:** None.\n\n**Returns:** Combined order-data response — pricing, service catalog entry, form fields ready to populate for `addDomain`.\n\n**Auth:** Session/API key (path is `client_api`, but called publicly).\n\n**Errors:**\n- `4xx` — hostname cannot be resolved to a TLD service.\n\n**Related calls:**\n- **Place order:** `addDomain` with the returned fields.\n" }, "parameters": [ { "name": "name", "description": "The base domain name to search (for example `example` or `example.com`).", "schema": { "type": "string" }, "in": "path", "required": true } ] }, "/domains/order": { "get": { "tags": [ "Domains" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainOrder" } } }, "description": "Domain registration order information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewDomain", "summary": "Read the buyable domain TLD service catalog and Whois privacy pricing", "description": "Returns the catalog of buyable TLD services and the base Whois-privacy add-on pricing. Use to resolve a hostname's TLD to a `service_id` for ordering, or to render a TLD picker. Pair with `getDomainLookup` for per-domain pricing and `addDomain` to commit. Sibling ops: `getDomainLookup`, `putDomains`, `patchDomains`, `addDomain`.\n\n**Path/Query/Body:** None.\n\n**Returns** (schema `DomainOrder`):\n- `whoisPrivacyCost` (float) — base per-year privacy cost (`OPENSRS_PRIVACY_COST` constant).\n- `whoisPrivacyCostTotal` (object) — privacy cost per TLD multiplied by that TLD's term length: `{: }`.\n- `services` (object) — `{: {services_name, services_cost, services_field1 (tld), ...}}`. `services_ourcost` is stripped.\n- `tldServices` (object) — TLD → `services_id` lookup map (e.g. `{\"com\": 100, \"net\": 101, \"io\": 234}`).\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Per-domain pricing:** `getDomainLookup`.\n- **Preview order fields:** `putDomains`.\n- **Validate fields:** `patchDomains`.\n- **Place order:** `addDomain`.\n" }, "put": { "tags": [ "Domains" ], "responses": { "200": { "description": "Validate Domain Order response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "putDomains", "summary": "Preview per-TLD field requirements for a domain order — no commit", "description": "Pre-flight that returns the per-TLD field schema required to register or transfer the supplied hostname. The schema varies significantly by TLD: `.us` requires nexus codes, `.ca` requires CIRA legal type, `.eu` has residency rules, `.fr` requires VAT for orgs, etc. Values pre-populate from the account profile when possible. No commit — use `patchDomains` to validate filled values, then `addDomain` to place the order. Sibling ops: `getNewDomain`, `getDomainLookup`, `patchDomains`, `addDomain`.\n\n**Body fields:**\n- `hostname` (string, required) — FQDN.\n- `type` (string, optional, default `register`) — `register` or `transfer`.\n- `coupon` (string, optional) — coupon code.\n\n**Returns:** `{domainFields: {: {label, type, options, value, required, ...}}}` — schema for the dynamic order form.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `400 Missing hostname parameter`.\n- `400 Unable to determine service type for this domain TLD.` — unknown TLD.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Catalog first:** `getNewDomain`.\n- **Validate filled values:** `patchDomains`.\n- **Place order:** `addDomain`.\n" }, "post": { "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/ServiceOrderPostResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Register or transfer a domain. Returns invoice IDs for checkout.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addDomain", "summary": "Place a new domain registration or transfer order, generate billing invoice", "description": "Places a new domain registration or transfer order. Resolves the TLD to a `services_id`, runs `validate_buy_domain()` (hostname, TLD service, fields, coupon, whois-privacy add-on), then calls `place_buy_domain()` to create the `Repeat_Invoice` recurring billing row, generate the initial `invoices` row, and (when `whois_privacy=enable`) an additional add-on `Repeat_Invoice` for privacy. **Real money** — call `putDomains` then `patchDomains` first to preview and validate. Sibling ops: `getDomainLookup`, `getNewDomain`, `putDomains`, `patchDomains`, `initiatePayment`.\n\n**Body fields (JSON or form):**\n- `hostname` (string, required) — FQDN to register or transfer.\n- `type` (string, optional, default `register`) — `register` or `transfer`.\n- `whois_privacy` (string, optional) — `enable` to add the privacy add-on (separate recurring invoice).\n- `coupon` (string, optional) — coupon code.\n- All per-TLD contact/registration fields from `putDomains.domainFields` (registrant contact details, TLD-specific fields like nexus codes, EPP `auth_info` for transfers, etc.).\n\n**Returns** (schema `ServiceOrderPostResponse`): `{total_cost, iid, iids, real_iids, serviceid (new domain_id), invoice_description, cj_params, payUrl}` — pass `real_iids` to `initiatePayment` to fund the order.\n\n**Side effects:**\n- Inserts `domains` service row in `pending` status.\n- Inserts `repeat_invoices` row for recurring renewal.\n- Inserts `invoices` row for the first-period charge.\n- When `whois_privacy=enable`: inserts a separate add-on `repeat_invoices` row + its initial invoice.\n- For transfers: stores `auth_info` and marks `service_extra` as `transfer`.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `400 Missing hostname parameter`.\n- `400 Unable to determine service type for this domain TLD.`.\n- `401` — unauthenticated.\n- `422` — validation failure (e.g. coupon invalid, required TLD field missing, hostname not registerable). Response body is the combined `errors` array from `validate_buy_domain()`.\n\n**Related calls:**\n- **Prerequisites:** `getDomainLookup` → `getNewDomain` → `putDomains` → `patchDomains`.\n- **Pay:** `initiatePayment` with `real_iids`.\n- **Verify activation:** `getDomainInfo` (poll for `domain_status='active'`).\n- **Track in-progress transfer:** `getDomainTransfer`.\n- **For pending transfers needing EPP/auth_info:** `updateDomainContact` (set `auth_info`).\n\n**Example happy path (register):**\n```text\nGET /apiv2/domains/lookup/example.com -> available, pricing, fields\nPUT /apiv2/domains/order { hostname, type } -> domainFields\nPATCH /apiv2/domains/order { hostname, ...fields } -> \"success\"\nPOST /apiv2/domains/order { hostname, type, ...fields } -> { serviceid, real_iids }\nGET /apiv2/billing/pay/cc/{real_iids[0]} -> pay\nGET /apiv2/domains/{serviceid} -> poll until domain_status==\"active\"\n```\n" }, "patch": { "tags": [ "Domains" ], "responses": { "200": { "description": "Validate Domain order response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "patchDomains", "summary": "Validate posted domain-order field values before committing — dry run", "description": "Validates posted contact/registration field values via `validate_domain_fields()`. Enforces per-TLD requirements (nexus codes, postal formats, registrant org rules, EPP `auth_info` syntax for transfers, etc.). Use as the last step before `addDomain` to surface form errors cheaply. No commit — no invoice, no service record. Sibling ops: `putDomains`, `addDomain`, `getDomainLookup`, `getNewDomain`.\n\n**Body fields:**\n- `hostname` (string, required).\n- `type` (string, optional, default `register`) — `register` or `transfer`.\n- All per-TLD fields from `putDomains.domainFields`.\n\n**Returns:** `\"success\"` (string) when all fields validate; otherwise an `errors` object describing the failing fields and per-field validation messages.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `400 Missing hostname parameter`.\n- `400 Unable to determine service type for this domain TLD.`.\n- `401` — unauthenticated.\n- Validation error object — fields-level failures.\n\n**Related calls:**\n- **Schema:** `putDomains` (returns the field set to validate).\n- **Commit:** `addDomain`.\n" } }, "/domains/{id}": { "get": { "tags": [ "Domains" ], "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Domain" } } }, "links": { "getDomainContact": { "operationId": "getDomainContact", "parameters": { "id": "$response.body#/serviceInfo/domain_id" }, "description": "Retrieve the registrant and admin contact details for this domain." }, "getDomainDnssec": { "operationId": "getDomainDnssec", "parameters": { "id": "$response.body#/serviceInfo/domain_id" }, "description": "Retrieve the DNSSEC DS records for this domain." }, "getDomainInvoices": { "operationId": "getDomainInvoices", "parameters": { "id": "$response.body#/serviceInfo/domain_id" }, "description": "Retrieve the billing invoices for this domain order." }, "getDomainWhoisPrivacy": { "operationId": "getDomainWhoisPrivacy", "parameters": { "id": "$response.body#/serviceInfo/domain_id" }, "description": "Retrieve the Whois privacy status for this domain." } }, "description": "Domain Information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDomainInfo", "summary": "Read full billing, registrar, and service detail for one domain", "description": "Returns the full `ViewDomain` payload for one domain — billing summary, registration status, lock state, expiry date, contact summary, and `client_links` for related dashboard actions. Read-only. Internal `admin_links`, `settings`, `csrf` are stripped before return. Use to render a domain detail page, verify ownership before mutating, or poll `domain_status` after `addDomain`. Sibling ops: `getDomainContact`, `getDomainNameservers`, `getDomainDnssec`, `getDomainWhoisPrivacy`, `getDomainInvoices`, `updateDomainInfo`, `CancelDomain`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Returns** (schema `Domain`):\n- `serviceInfo` — `domain_id`, `domain_hostname`, `domain_status`, `domain_expire_date`, lock state, registrar metadata.\n- `serviceType` — TLD service row.\n- `client_links` (array) — `{name, link, icon}` for renew/transfer/contact/DNSSEC/whois-privacy actions. URLs pre-resolved.\n\n**Auth:** Session/API key. Ownership enforced via `domain_custid`.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n\n**Related calls:**\n- **Contact:** `getDomainContact` / `updateDomainContact`.\n- **Nameservers:** `getDomainNameservers` / `updateDomainNameservers`.\n- **DNSSEC:** `getDomainDnssec` / `addDomainDnssec` / `deleteDomainDnssec`.\n- **Whois privacy:** `getDomainWhoisPrivacy` / `updateDomainWhoisPrivacy`.\n- **Billing:** `getDomainInvoices`, `getDomainRenewal` / `postDomainRenewal`.\n- **Transfer status:** `getDomainTransfer`.\n- **Cancel:** `CancelDomain`.\n" }, "post": { "tags": [ "Domains" ], "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateDomainInfo", "summary": "POST mutation hook for the domain detail page (use dedicated ops where possible)", "description": "Account-level write-back hook for the domain service record. Runs the same `View::go()` handler as `getDomainInfo` — it does NOT push registrar-side changes by itself. **For specific changes use the dedicated endpoints** — they push to OpenSRS where appropriate. Sibling ops: `getDomainInfo`, `updateDomainContact`, `updateDomainNameservers`, `addDomainDnssec`, `updateDomainWhoisPrivacy`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Body:** Form fields matching the domain service record.\n\n**Returns:** `SuccessTextResponse`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n\n**Prefer these dedicated endpoints:**\n- **Registrant/admin contact:** `updateDomainContact` (pushes to OpenSRS).\n- **Nameservers:** `updateDomainNameservers`, `addDomainNameserver`, `deleteDomainNameserver`.\n- **DNSSEC:** `addDomainDnssec`, `deleteDomainDnssec`.\n- **Whois privacy:** `updateDomainWhoisPrivacy`.\n- **Renew:** `postDomainRenewal`.\n- **Cancel:** `CancelDomain`.\n" }, "delete": { "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/DomainsCancelResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "CancelDomain", "summary": "Cancel a domain order in the billing system to stop auto-renewals", "description": "Stops billing and auto-renewal for a domain in the customer account by setting the service to `canceled` via the shared `Billing\\CancelService::go($id)` flow with `module='domains'`. **Important:** this only stops billing on InterServer's side — the domain registration at the registrar (OpenSRS) typically remains active until its current expiration date. To release the domain back to the public pool, let it expire OR submit a release request via support ticket. Sibling ops: `getDomainInfo` (verify status), `getDomainsList`, `postDomainRenewal` (re-activate before expiry).\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Returns:** `DomainsCancelResponse` — confirmation envelope.\n\n**Side effects:**\n- Sets `domain_status='canceled'`.\n- Marks the `repeat_invoices` row non-renewing — no future renewal invoices generated.\n- Does **not** call the registrar — the registration remains active at OpenSRS until natural expiry.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — already canceled.\n\n**Related calls:**\n- **Re-activate before expiry:** `postDomainRenewal`.\n- **Verify status:** `getDomainInfo`.\n- **Sibling cancels on other modules:** `VPSCancel`, `mailCancel`, `webhostingCancel`, etc. (same `CancelService` handler).\n" }, "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/domains/{id}/contact": { "get": { "tags": [ "Domains" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainContactDetails" } } }, "description": "The registrant/admin contact details for the domain." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDomainContact", "summary": "Read the current registrant/admin/tech/billing contact field set for a domain", "description": "Returns the current contact field set (registrant/admin/tech/billing) with current values for the domain — schema and values mirror what was set at registration. For pending transfer services, the response also includes a `transfer` selector and the EPP `auth_info` code so the client can resubmit. Read-only. Sibling ops: `updateDomainContact` (push changes to OpenSRS), `getDomainInfo`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Returns** (schema `DomainContactDetails`):\n- `firstname`, `lastname`, `email`.\n- `address`, `address2`, `address3`, `city`, `state`, `zip`, `country`.\n- `phone`, `fax` (E.164 format expected).\n- `company` (optional).\n- `auth_info` (string) — EPP/transfer code (present on transfer services).\n- `transfer` (string `yes`/`no`) — selector for pending transfer services.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n\n**Related calls:**\n- **Update:** `updateDomainContact`.\n- **Transfer status:** `getDomainTransfer`.\n" }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainContactDetails" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/DomainContactDetails" } } }, "required": true }, "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateDomainContact", "summary": "Update registrant/admin contact details and push them to OpenSRS", "description": "Pushes updated contact data to the registrar via OpenSRS `provModify`, applied to admin/tech/billing/owner contact roles via `also_apply_to`. Active services apply changes immediately at the registrar; pending services may trigger `queue_process_payment` when the order is paid. **Domain must not be locked** — locked domains return an error directing the user to unlock first. **Note:** registrant-name changes on some TLDs (e.g. `.com`, `.net`) require a 60-day transfer lock per ICANN rules. Sibling ops: `getDomainContact`, `getDomainInfo`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Body fields (JSON or multipart, schema `DomainContactDetails`):**\nSame fields returned by `getDomainContact`: `firstname`, `lastname`, `email`, `address`/`2`/`3`, `city`, `state`, `zip`, `country`, `phone`, `fax`, `company`, optional `auth_info`, optional `transfer`.\n\n**Returns:** `SuccessTextResponse`.\n\n**Side effects:**\n- Calls OpenSRS `provModify` with `also_apply_to=admin,tech,billing,owner`.\n- May trigger ICANN 60-day transfer lock for registrant-name changes on legacy TLDs.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — domain is locked (unlock first).\n- Registrar error (e.g. OpenSRS error code 465 / 466) surfaced as 4xx.\n\n**Related calls:**\n- **Read first:** `getDomainContact`.\n- **Transfer status:** `getDomainTransfer`.\n" }, "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/domains/{id}/dnssec": { "get": { "tags": [ "Domains" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainDnssecRecords" } } }, "description": "DNSSEC records currently applied to the domain." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDomainDnssec", "summary": "Read the DNSSEC DS record set currently registered with the registrar", "description": "Returns the DNSSEC DS record set currently registered for the domain at OpenSRS. Empty array means DNSSEC is not configured. Use to mirror existing settings or as a baseline before `addDomainDnssec` (which replaces the set). Sibling ops: `addDomainDnssec`, `deleteDomainDnssec`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Returns** (schema `DomainDnssecRecords`):\n- `records` (array) — DS entries:\n - `algorithm` (integer) — DNSKEY algorithm (e.g. 8 for RSASHA256, 13 for ECDSAP256SHA256).\n - `key_tag` (integer, < 65536).\n - `digest_type` (integer) — `1` (SHA-1), `2` (SHA-256), `3` (GOST), `4` (SHA-384).\n - `digest` (string, hex) — length depends on `digest_type`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `domain_status != \"active\"`.\n\n**Related calls:**\n- **Replace records:** `addDomainDnssec`.\n- **Clear all records:** `deleteDomainDnssec`.\n" }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainDnssecRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/DomainDnssecRequest" } } }, "required": true }, "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "addDomainDnssec", "summary": "Register DNSSEC DS records on the domain at OpenSRS", "description": "Registers one or more DNSSEC DS records at the registrar. Body uses parallel arrays indexed per record. **Propagation caveat:** DNSSEC publication is asynchronous at the registry — a 200 here does not guarantee the records have propagated; re-call `getDomainDnssec` to verify. **Sets, not adds:** this replaces the full DS record set in one transaction; to remove all DS records use `deleteDomainDnssec`. Sibling ops: `getDomainDnssec`, `deleteDomainDnssec`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Body fields (JSON or multipart, parallel arrays — `algorithm[0]` pairs with `key_tag[0]`, etc., schema `DomainDnssecRequest`):**\n- `algorithm[]` (integer) — DNSKEY algorithm (e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256).\n- `key_tag[]` (integer) — must be < 65536.\n- `digest_type[]` (integer) — `1` (SHA-1, 40 hex chars), `2` (SHA-256, 64), `3` (GOST, 64), `4` (SHA-384, 96).\n- `digest[]` (string) — hex digest; length must match `digest_type[i]`.\n\n**Returns:** `SuccessTextResponse` on registrar confirmation.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `domain_status != \"active\"` or registrar refused.\n- `422` — `key_tag >= 65536` or digest length mismatch.\n\n**Related calls:**\n- **Verify propagation:** `getDomainDnssec`.\n- **Clear all records:** `deleteDomainDnssec`.\n" }, "delete": { "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteDomainDnssec", "summary": "Clear all DNSSEC DS records on the domain (disable DNSSEC at the registrar)", "description": "Disables DNSSEC at the registrar by removing the entire DS record set in one call. **Propagation caveat:** DNSSEC removal can fail at the registry even after a 200 response — propagation is asynchronous; re-check with `getDomainDnssec` to confirm. To remove records selectively, replace the set via `addDomainDnssec` instead. Sibling ops: `getDomainDnssec`, `addDomainDnssec`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Body:** None — removes the full DS record set.\n\n**Returns:** `SuccessTextResponse`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `domain_status != \"active\"`.\n- Registrar error surfaced as 4xx.\n\n**Related calls:**\n- **Verify propagation:** `getDomainDnssec`.\n- **Replace records selectively:** `addDomainDnssec`.\n" }, "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/domains/{id}/invoices": { "get": { "tags": [ "Domains" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDomainInvoices", "summary": "List all billing invoices scoped to one domain order", "description": "Returns the billing history for one domain — initial registration/transfer invoice, recurring renewal invoices, Whois privacy add-on invoices. Extends `Billing\\InvoicesList::go()` with `module='domains'`. Use to render a per-domain billing-history view or find an unpaid renewal/privacy invoice to pass to `initiatePayment`. Sibling ops: `getDomainInfo`, `postDomainRenewal`, `updateDomainWhoisPrivacy`, `initiatePayment`, `getBillingInvoice`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Returns:** `ChargeInvoiceRows` — array of `{id, amount, paid, description, date, due_date, currency, module: \"domains\", service: }`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid Service` — `id` not owned by caller.\n\n**Related calls:**\n- **Pay an unpaid invoice:** `initiatePayment`.\n- **Renew:** `postDomainRenewal`.\n- **Account-wide history:** `getBillingInvoices`.\n" }, "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/domains/{id}/renew": { "get": { "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDomainRenewal", "summary": "Read renewal pricing, expiry, and whether a renewal invoice already exists", "description": "Returns renewal pricing, current expiry, Whois privacy availability, and whether an unpaid renewal invoice already exists for the domain. Use before triggering `postDomainRenewal` to render a renewal form and prevent duplicate invoices. Costs are converted to the customer's preferred currency. Sibling ops: `postDomainRenewal`, `getDomainInvoices`, `getDomainInfo`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Returns:**\n- `renewCost` (float) — renewal cost in `currency`.\n- `whoisCost` (float) — Whois privacy renewal cost.\n- `whoisAvailable` (bool) — privacy supported on this TLD.\n- `currency` (string), `currencySymbol` (string).\n- `expiryDate` (string).\n- `alreadyInvoiced` (bool) — a renewal `Repeat_Invoice` already produced an invoice.\n- `invoicePaid` (bool) — whether that invoice is paid.\n- `tld` (string).\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `domain_status != \"active\"`.\n- `4xx` — renewal not available for this TLD.\n\n**Related calls:**\n- **Submit renewal:** `postDomainRenewal`.\n- **Pay existing renewal invoice:** `getDomainInvoices` → `initiatePayment`.\n" }, "post": { "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postDomainRenewal", "summary": "Submit a domain renewal request and generate the renewal invoice", "description": "Generates a renewal invoice for the domain (and optionally the Whois privacy add-on). Updates the domain's `Repeat_Invoice` cost/frequency/currency to the current price, then calls `Repeat_Invoice::invoice()` to produce a fresh invoice. **Real money.** If a prior unpaid renewal invoice already exists, returns an error directing the user to pay that one instead — prevents double-billing. Renewal is not supported for some TLDs. Sibling ops: `getDomainRenewal`, `getDomainInvoices`, `initiatePayment`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Body fields:**\n- `whois_privacy` (string, optional) — `enable` to add or keep the privacy add-on; otherwise the existing privacy `Repeat_Invoice` is marked `deleted=1` on renewal.\n\n**Returns:** `{text, invoices, invoiceIds, payUrl}` — pass `invoiceIds` to `initiatePayment` to settle.\n\n**Side effects:**\n- Updates `repeat_invoices` cost/frequency/currency.\n- Inserts a new `invoices` row for the renewal period.\n- When `whois_privacy=enable`: extends the privacy add-on `repeat_invoices` and creates its renewal invoice.\n- When `whois_privacy` not enabled: marks the existing privacy `repeat_invoices` row `deleted=1`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `domain_status != \"active\"`, or unpaid renewal invoice already exists, or already-paid renewal exists.\n- Registrar errors surfaced as 4xx.\n\n**Related calls:**\n- **Preview:** `getDomainRenewal`.\n- **Pay:** `initiatePayment` with the returned `invoiceIds`.\n- **Cancel auto-renew:** `CancelDomain`.\n" }, "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/domains/{id}/transfer": { "get": { "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDomainTransfer", "summary": "Read OpenSRS transfer status for an in-progress domain transfer order", "description": "Returns the OpenSRS transfer state for a domain order flagged as a transfer in `service_extra`. Use to poll an in-progress transfer; `pending_owner` means the customer must click the approval link in the email sent by OpenSRS to the registrant. Sibling ops: `postDomainTransfer` (re-poll), `getDomainContact` (set `auth_info`), `addDomain` (initiate new transfer).\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Returns:**\n- When not a transfer: `{transfer: false, message: \"...\"}`.\n- When a transfer: `{transfer: true, info: {status, statusText, type, transferrable, reason}}` where `status` is one of:\n - `pending` — submitted to OpenSRS, awaiting state change.\n - `pending_owner` — **customer action required** (approve the OpenSRS email).\n - `pending_admin` — InterServer staff review.\n - `pending_registry` — registry processing.\n - `declined` — transfer rejected (see `reason`).\n - `completed` — transfer landed.\n - `undef` — unknown.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `domain_status != \"active\"`.\n- Registrar communication failures returned as errors.\n\n**Related calls:**\n- **Re-poll:** `postDomainTransfer`.\n- **Update auth_info:** `updateDomainContact`.\n- **Initiate new transfer:** `addDomain` with `type=transfer`.\n" }, "post": { "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postDomainTransfer", "summary": "Re-poll OpenSRS transfer status for a domain order via POST", "description": "Re-polls OpenSRS transfer state. Behaves identically to `getDomainTransfer` (same `go()` handler) — provided so dashboards can refresh via a form-action pattern. **This endpoint does not initiate transfers** — to start a transfer, use `addDomain` with `type=transfer`. Sibling ops: `getDomainTransfer`, `addDomain` (initiate), `getDomainContact` (set `auth_info`).\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Body:** None.\n\n**Returns:** Same payload as `getDomainTransfer`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `domain_status != \"active\"`.\n\n**Related calls:**\n- **Read:** `getDomainTransfer`.\n- **Initiate new transfer:** `addDomain` with `type=transfer`.\n" }, "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/domains/{id}/welcome_email": { "get": { "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDomainsWelcomeEmail", "summary": "Resend the domain welcome email with registration details and management instructions", "description": "Resends the domain welcome email (registration details, management instructions, EPP code where applicable) to the customer's address on file. Idempotent — safe to call multiple times. Sibling welcome-email endpoints: `getVpsWelcomeEmail`, `getWebsitesWelcomeEmail`, `getMailWelcomeEmail`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Body:** None.\n\n**Returns:** `{text: \"Welcome Email has been resent.\"}`.\n\n**Side effects:**\n- Sends an email to the account's billing email address.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid Service Passed` — `id` not owned by caller.\n- `409 Service is not active` — `domain_status != \"active\"`.\n\n**Related calls:**\n- **Domain detail:** `getDomainInfo`.\n- **Contact info:** `getDomainContact`.\n" }, "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/domains/{id}/whois": { "get": { "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getDomainWhoisPrivacy", "summary": "Read Whois privacy availability, current state, and add-on pricing for a domain", "description": "Returns Whois privacy state for the domain — whether the TLD supports privacy, whether it's currently enabled at OpenSRS, and the add-on cost. Some TLDs (e.g. `.us`, `.uk`, country-code variants) do not allow privacy regardless of pricing. Sibling op: `updateDomainWhoisPrivacy` (order/enable/disable).\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Returns:**\n- `available` (bool) — privacy supported for this TLD (via `get_domain_tld_whois_privacy()`).\n- `cost` (float) — annual privacy cost in `currency`.\n- `currency` (string), `currencySymbol` (string).\n- `whoisPrivacy` (string enum) — `enabled` / `disabled` (live OpenSRS state).\n- `repeatInvoice` (object|null) — current privacy add-on `Repeat_Invoice` row, if one exists.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n\n**Related calls:**\n- **Order/enable/disable:** `updateDomainWhoisPrivacy`.\n- **Billing:** `getDomainInvoices`.\n" }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/DomainWhoisPrivacyRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/DomainWhoisPrivacyRequest" } } }, "required": true }, "tags": [ "Domains" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateDomainWhoisPrivacy", "summary": "Order, enable, or cancel the Whois privacy add-on for a domain", "description": "Manages the Whois privacy add-on. Behavior branches on `action`:\n- **`order`**: creates an add-on `Repeat_Invoice` and emits the first invoice; pass the returned `payUrl` to the customer or use `initiatePayment` with `invoiceId`. **Real money.**\n- **`enable`**: activates Whois privacy at OpenSRS — call after the invoice is paid (calls `post_payment_processing_new`).\n- **`disableCancel`**: disables Whois privacy at OpenSRS and marks the add-on `Repeat_Invoice` `deleted=1`.\n- **(no action)**: returns current state — same shape as `getDomainWhoisPrivacy`.\n\nSibling ops: `getDomainWhoisPrivacy`, `getDomainInvoices`, `initiatePayment`.\n\n**Path param:**\n- `id` (integer, required) — `domain_id` from `getDomainsList`.\n\n**Body fields (JSON or multipart, schema `DomainWhoisPrivacyRequest`):**\n- `action` (string, optional) — one of `order` / `enable` / `disableCancel`. Omit for status.\n\n**Returns:** (varies by action)\n- `order`: `{text, invoiceId, repeatInvoiceId, payUrl}`.\n- `enable` / `disableCancel`: `{text}`.\n- No action: `{whoisPrivacy, cost, currency, currencySymbol}`.\n\n**Side effects:**\n- `order`: inserts add-on `repeat_invoices` + `invoices` rows.\n- `enable`: OpenSRS `provModify` with privacy=on; calls `post_payment_processing_new`.\n- `disableCancel`: OpenSRS `provModify` with privacy=off; marks add-on `repeat_invoices.deleted=1`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `domain_status != \"active\"` or TLD doesn't support privacy.\n- `4xx` — no add-on found for `enable` / `disableCancel`.\n\n**Related calls:**\n- **Read state:** `getDomainWhoisPrivacy`.\n- **Pay the order invoice:** `initiatePayment` (`method=cc|paypal|...`).\n- **Renew with privacy:** `postDomainRenewal` with `whois_privacy=enable`.\n" }, "parameters": [ { "name": "id", "description": "The domain service ID. Use `domain_id` from `GET /domains`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/floating_ips": { "get": { "tags": [ "Floating_IPs" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "type": "object" } } } }, "links": { "getFloatingIpInfo": { "operationId": "getFloatingIpInfo", "description": "Use an ID from the response array to fetch full details via `GET /floating_ips/{id}`." } }, "description": "The listing of `Floating IPs` services on your account." }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "operationId": "getFloatingIpsList", "summary": "List all Floating IP services on the authenticated customer's account", "description": "Use to enumerate every Floating IP the caller owns before drilling into a specific one. Read-only; safe to call frequently. No params, no body. Returns an array of rows: `floating_ip_id`, `repeat_invoices_cost` (recurring price), `floating_ip_ip` (the portable IP), `floating_ip_target_ip` (the IP it currently routes to), `floating_ip_status` (active/pending/canceled/etc.), `services_name` (package label). Empty array if the account owns no Floating IPs. Errors: 401 if unauthenticated. Use returned IDs with `getFloatingIpInfo`, `postFloatingIpsChangeIp`, `getFloatingIpInvoices`, `getFloatingIpsWelcomeEmail`, or `floating_ipsCancel`. To order a new one see `getNewFloatingIp` / `addFloatingIp`.\n\nSibling ops: `getFloatingIpInfo`, `getNewFloatingIp` (catalog), `addFloatingIp` (order)." } }, "/floating_ips/order": { "get": { "tags": [ "Floating_IPs" ], "responses": { "200": { "content": { "application/json": { "schema": { "description": "Floating IP ordering options and pricing.", "type": "object" } } }, "description": "Available options and pricing for ordering a Floating IP." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewFloatingIp", "summary": "Get pricing and service-type options for ordering a new Floating IP", "description": "Use before showing a Floating IP order form, or before calling `addFloatingIp`, to discover which service types (`serviceTypes`) and prices (`packageCosts`, keyed by `services_id` in the customer's currency) are currently buyable. Read-only; no side effects. No params, no body. Returns `{ packageCosts: { : }, serviceTypes: [ ... ] } `. Costs are `services.services_cost` filtered to `services_buyable=1` for module `floating_ips`. Errors: 401 if unauthenticated. Next steps: validate the chosen `serviceType` with `putFloating_ips`, then place the order with `addFloatingIp`. Floating IPs are portable IPv4 addresses that route to a target IP on one of the customer's active services.\n\nSibling ops: `putFloating_ips` (validate), `addFloatingIp` (commit), `getFloatingIpsList` (existing IPs)." }, "put": { "tags": [ "Floating_IPs" ], "responses": { "200": { "description": "Validate Floating IPs order response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "putFloating_ips", "summary": "Validate a Floating IP order and price it without charging the customer", "description": "Dry-run for `addFloatingIp` — runs `validate_buy_floating_ip` to apply coupons, compute intro/repeat pricing, and surface errors before committing. No charge, no service created. Body fields (form-encoded): `serviceType` (required, `services_id` from `getNewFloatingIp.packageCosts`), `coupon` (optional code). Returns `{ continue, errors, serviceType, serviceCost, originalCost, repeatServiceCost, password, introFrequency, coupon, couponCode }`. `continue=true` means the order would succeed; `continue=false` plus populated `errors[]` means it would not. Errors: 401 if unauthenticated; 422-style soft errors arrive in the `errors` array. Use the returned `serviceType` and `couponCode` when calling `addFloatingIp`.\nSibling ops: `getNewFloatingIp` (catalog), `addFloatingIp` (commit)." }, "post": { "tags": [ "Floating_IPs" ], "responses": { "200": { "$ref": "#/components/responses/ServiceOrderPostResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Provision a floating IPv4 address. Returns invoice IDs for checkout.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addFloatingIp", "summary": "Place a real Floating IP order, create billing records, and provision the service", "description": "Charges the customer and creates a new Floating IP service via `place_buy_floating_ip`. Validate first with `putFloating_ips` to avoid surprise failures. Body (form-encoded): `serviceType` (required, `services_id`), `coupon` (optional), `comment` (optional internal note). On success returns `{ continue:true, errors, total_cost, iid, iids, real_iids, serviceId, invoice_description, cj_params }` — `iid` is the master invoice ID, `serviceId` is the new `floating_ip_id`. On validation failure returns `{ continue:false, errors:[...] }` with no charge. Errors: 401 if unauthenticated; soft errors in `errors[]`. The newly-issued IP starts unassigned — point it at a target with `postFloatingIpsChangeIp` once the service is `active`.\n\nSibling ops: `getNewFloatingIp` (catalog), `putFloating_ips` (validate), `getFloatingIpInfo` (poll), `postFloatingIpsChangeIp` (route), `getBillingInvoice` + `initiatePayment` (settle invoice), `floating_ipsCancel`." } }, "/floating_ips/{id}": { "get": { "tags": [ "Floating_IPs" ], "parameters": [ { "name": "id", "description": "The Floating IP service ID. Use the ID from `GET /floating_ips`.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "description": "Floating IP service details.", "type": "object" } } }, "description": "Detailed Floating IP service information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getFloatingIpInfo", "summary": "Fetch full details for one Floating IP service, including current target IP", "description": "Use for a Floating IP detail screen, or to read `floating_ip_ip` / `floating_ip_target_ip` before calling `postFloatingIpsChangeIp`. Read-only. Path param `id` (integer, `floating_ip_id` from `getFloatingIpsList`). No body. Returns the `ViewFloatingIp.getDetails()` payload — service info, billing/cost summary, status, target IP, and `client_links` (action URLs the UI can render). Internal-only fields (`admin_links`, `settings`, `csrf`) are stripped. Errors: 401 if unauthenticated; effectively 404 / cross-customer hidden when `id` is not owned by the caller (`get_service` filters by custid). Siblings: `postFloatingIpsChangeIp`, `updateFloatingIpInfo`, `getFloatingIpInvoices`, `getFloatingIpsWelcomeEmail`, `floating_ipsCancel`." }, "post": { "tags": [ "Floating_IPs" ], "parameters": [ { "name": "id", "description": "The Floating IP service ID. Use the ID from `GET /floating_ips`.", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateFloatingIpInfo", "summary": "Update a Floating IP service's editable settings (label / metadata)", "description": "Stub edit endpoint that delegates to the same handler as `getFloatingIpInfo` — currently used for label/metadata edits surfaced by `ViewFloatingIp`. To re-route the IP to a different target use the dedicated `postFloatingIpsChangeIp` instead; this op does not change routing. Path param `id` (`floating_ip_id`). Body: form-encoded fields exposed by the Floating IP edit form (label/comment style). Returns the standard success-text response. Errors: 401 if unauthenticated; effectively 404 if `id` not owned by the caller. Read state first with `getFloatingIpInfo`.\n\nSibling ops: `getFloatingIpInfo` (read), `postFloatingIpsChangeIp` (re-route), `floating_ipsCancel`." }, "delete": { "tags": [ "Floating_IPs" ], "responses": { "200": { "$ref": "#/components/responses/FloatingIpsCancelResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "floating_ipsCancel", "summary": "Cancel a Floating IP service and release the IP — destructive, billing stops", "description": "Cancels the Floating IP via the shared `Api\\Billing\\CancelService` flow — flips status to canceled, halts recurring billing, and releases the IP back to the pool so it can no longer be re-routed. Not reversible: the customer cannot recover the same IP after release. Path param `id` (`floating_ip_id` from `getFloatingIpsList`). No body. Returns the `FloatingIpsCancelResponse` shape (success text / cancellation outcome). Errors: 401 if unauthenticated; 404 / cross-customer hidden when `id` is not owned by the caller; 409 if already canceled or otherwise non-cancelable. Confirm with the customer before calling — for routing changes use `postFloatingIpsChangeIp` instead of cancel-and-reorder.\n\nSibling ops: `getFloatingIpInfo` (status), `getFloatingIpInvoices` (outstanding charges), `postFloatingIpsChangeIp` (re-route instead of cancel), `addFloatingIp` (re-order)." }, "parameters": [ { "name": "id", "description": "The Floating IP service ID. Use the ID from `GET /floating_ips`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/floating_ips/{id}/change_ip": { "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/IpObject" } }, "application/json": { "schema": { "$ref": "#/components/schemas/IpObject" } } }, "required": true }, "tags": [ "Floating_IPs" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postFloatingIpsChangeIp", "summary": "Re-point a Floating IP to a different target IP on one of the customer's services", "description": "Reattaches the Floating IP by removing the old static route on the source switch and adding a new one on the destination switch (via `Sshwitch`), then updates `floating_ip_target_ip`. Use to move a portable IP between the customer's VPS / Quickservers / websites / dedicated servers without renumbering apps. Path param `id` (`floating_ip_id`). Body: `{ ip: }` (also accepts multipart form). Returns `{ success:true, text:'IP Changed' }`. Errors (returned via `json_error`): invalid IP format; IP not in our datacenter; IP not in use by an active service of this customer; service not active; another Floating IP already points to that target; switch lookup failures; route still present after removal. 401 if unauthenticated.\n\nSibling ops: `getFloatingIpInfo` (read current target), `getFloatingIpsList`, `floating_ipsCancel`. Read current target with `getFloatingIpInfo` first." }, "parameters": [ { "name": "id", "description": "The Floating IP service ID. Use the ID from `GET /floating_ips`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/floating_ips/{id}/invoices": { "get": { "tags": [ "Floating_IPs" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getFloatingIpInvoices", "summary": "List all billing invoices charged against a specific Floating IP service", "description": "Use for a per-service billing history view — pulls the standard `Api\\Billing\\InvoicesList` rows scoped to this Floating IP. Read-only. Path param `id` (`floating_ip_id` from `getFloatingIpsList`). No body. Returns the `ChargeInvoiceRows` schema: array of invoice rows with id, date, amount, status, etc. Use the invoice IDs with the global billing endpoints (`getBillingInvoice`, `initiatePayment`) for line-item detail. Errors: 401 if unauthenticated; effectively 404 / cross-customer hidden when `id` is not owned by the caller. Siblings: `getFloatingIpInfo` (service details), `getFloatingIpsWelcomeEmail`." }, "parameters": [ { "name": "id", "description": "The Floating IP service ID. Use the ID from `GET /floating_ips`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/floating_ips/{id}/welcome_email": { "get": { "tags": [ "Floating_IPs" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getFloatingIpsWelcomeEmail", "summary": "Resend the Floating IP welcome / setup email to the account contact", "description": "Triggers `floating_ip_welcome_email($id)` to re-deliver the original setup email (the IP, routing instructions, etc.) to the customer's on-file address. Useful when the email was lost or the customer needs the IP/setup details again. No body, no params besides path `id` (`floating_ip_id`). Returns `{ text: 'Welcome Email has been resent.' }`. Errors: 401 if unauthenticated; 404 (`Invalid Service Passed`) if `id` is not owned by the caller; 409 (`Service is not active`) if status is not `active`. Side effect: sends an outbound email — avoid in tight loops. Read state first via `getFloatingIpInfo` if unsure of status.\n\nSibling ops: `getFloatingIpInfo` (status), `addFloatingIp` (new order), `floating_ipsCancel`." }, "parameters": [ { "name": "id", "description": "The Floating IP service ID. Use the ID from `GET /floating_ips`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/home": { "get": { "tags": [ "Account" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Home" } } }, "description": "General information for use on the home page." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getHome", "summary": "Aggregate dashboard payload — service counts, recent activity, alerts", "description": "Use to render the post-login client portal home/dashboard. No body, no params. Returns the structure produced by `getClientHomeData()` — counts of active services per module (vps, webhosting, domains, mail, ssl, licenses, backups, floating_ips, scrub_ips, quickservers, servers), recent invoices, payment due alerts, ticket activity summaries, abuse/maintenance announcements, and account-level banners. Designed for one-shot dashboard hydration so individual modules don't each issue list calls. Cached implementation lives in `function_requirements('client_home')` -> `getClientHomeData()`. Errors: 401 if session is invalid or expired (unauthenticated). Sibling ops: `getSearch` (autocomplete), `getAccountInfo`, plus per-module list ops like `getVpsList`, `getDomainsList`, `getBillingInvoices`." } }, "/search": { "get": { "tags": [ "Account" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/SearchAutocompleteResponse" } } }, "description": "Search autocomplete results for the account." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getSearch", "summary": "Global autocomplete across the caller's services, domains, and records", "description": "Use to power the global search box in the client portal — typeahead across services, domains, hostnames, IPs, and ticket subjects scoped to the current account (cross-account leakage is impossible). No body, no path params. Query string is conventionally `q=` though the underlying `getSearchAutoComplete($custid)` may match against multiple fields. Returns a `SearchAutocompleteResponse` object grouping hits by category (vps, domains, websites, mail, tickets, invoices, etc.) so the UI can render section headers. Optimized for low latency — does NOT replace per-module list ops for paginated browsing. Errors: 401 unauthenticated. Sibling ops: `getHome`, `getAccountInfo`, plus per-module list ops (`getVpsList`, `getDomainsList`, `getMailList`, `getTicketsList`)." } }, "/info": { "get": { "tags": [ "Public" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ServicesInfo" } } }, "description": "The modules and services information from the server." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "security": [ {} ], "operationId": "getInfo", "summary": "Discover available modules, service packages, categories, and types", "description": "Enumerates what services this MyAdmin install sells before placing orders or building a signup UI. Public — no auth required. Sibling ops: `getNewVps`, `getNewWebsite`, `getNewMail`, `getNewSsl`, `getNewLicense`, `getNewBackup`, `getNewQs`, `getNewServer` — each module's catalog op for buyable-package details.\n\n**Path/Query/Body:** None.\n\n**Returns:** `{ modules, services, serviceTypes, serviceCategories }`.\n- `modules` (array) — enabled plugin modules (`vps`, `webhosting`, `domains`, `ssl`, etc.).\n- `services` (object) — map of `services_id` → row from the `services` table, filtered to `services_buyable=1 AND services_hidden=0`, with `services_ourcost` / `services_hidden` stripped, and `services_id` / `services_category` / `services_type` cast to int and `services_cost` cast to float.\n- `serviceTypes` (object) — joins service rows to human-readable type names.\n- `serviceCategories` (object) — joins service rows to category names.\n\n**Auth:** None.\n\n**Errors:** No documented error path; 401 only if a stricter auth layer is added upstream.\n\n**Related calls:**\n- **Module-specific order catalog:** `getNewVps`, `getNewWebsite`, `getNewMail`, `getNewSsl`, `getNewLicense`, `getNewBackup`, `getNewQs`, `getNewServer`.\n- **Deeper health probe:** `pingServer`.\n" } }, "/licenses": { "get": { "tags": [ "Licenses" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/LicenseRow" } } } }, "links": { "getLicenseInfo": { "operationId": "getLicenseInfo", "parameters": { "id": "$response.body#/0/license_id" }, "description": "Use the `license_id` from any item in the response array to fetch full service details via `GET /licenses/{id}`." } }, "description": "The listing of `Licenses` services on your account." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getLicenseList", "summary": "List all software licenses owned by the authenticated customer", "description": "Lists every software license service (cPanel, Plesk, LiteSpeed, CloudLinux, etc.) on the authenticated customer's account. Use this as the entry point for license management to discover the license_id needed by every other Licenses endpoint. Returns an array of rows including license_id, hostname, bound IP, services_name (license type), recurring cost, status (pending/active/canceled), and last invoice date/paid state. No path or query parameters; the customer scope is taken from the session. Errors: 401 when the session is missing or expired. Caveats: list is unpaginated, includes canceled rows so callers should filter by status. Sibling: getLicenseInfo for full details on one license." } }, "/licenses/order": { "get": { "tags": [ "Licenses" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/LicensesOrder" } } }, "description": "License ordering information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewLicense", "summary": "Get available license types, packages, and pricing for ordering", "description": "Returns the catalog needed to build the license-order form: service categories (category_id->name), buyable service types (services_id, name, cost, billing frequency), package costs map keyed by services_id, the customer's currency symbol, and per-package field metadata via get_license_fields. Use this before addLicense to render type/package pickers and to validate a chosen package_id exists and is buyable (services_hidden=0, services_buyable=1). No path params or body. Returns LicensesOrder schema. Errors: 401 if unauthenticated. Sibling endpoints: putLicenses (validate selection), addLicense (place order). Note: pricing is converted to the session currency; coupon/IP/frequency are evaluated in the validate step, not here." }, "put": { "tags": [ "Licenses" ], "responses": { "200": { "description": "Validate Licenses order response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "putLicenses", "summary": "Validate a software license order before placing it (dry run preview)", "description": "Dry-runs validate_buy_license against the same payload addLicense will accept, returning a structured result with continue=true/false plus errors[], normalized package, ip, service_cost, original_cost, coupon_code, custid, currency and service_extra. Always call this before addLicense to surface package/IP/coupon/TOS issues without creating an invoice. Body fields (form or JSON): package (services_id), ip, frequency (billing cycle months), coupon, comment, tos. No path params. Returns the validation object. Errors: 401 unauthenticated; 422-style errors are returned inside the body with continue=false rather than as HTTP errors. Caveat: a valid PUT does not reserve inventory; addLicense re-validates. Sibling: addLicense, getNewLicense." }, "post": { "tags": [ "Licenses" ], "responses": { "200": { "$ref": "#/components/responses/ServiceOrderPostResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Order a software license (cPanel, Plesk, etc.). Returns invoice IDs for checkout.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addLicense", "summary": "Order a new software license and create the recurring invoice", "description": "Places an order for a new software license (cPanel, Plesk, LiteSpeed, etc.). Re-runs validate_buy_license then place_buy_license, which creates the repeat_invoices row, the first invoice, and queues payment processing. Always call putLicenses first to surface validation errors cheaply; addLicense re-validates and returns error JSON if continue=false. Body (form or JSON): package (services_id from getNewLicense), ip (target server IP the license binds to), frequency (billing months), coupon, comment, tos (truthy). No path params. Returns ServiceOrderPostResponse with the new service id and invoice info. Errors: 401 unauthenticated; validation or payment failures return json_error with the underlying message. Caveat: provisioning is asynchronous — poll getLicenseInfo for status.\n\nSibling ops: `getNewLicense` (catalog), `putLicenses` (validate), `getLicenseInfo` (poll status), `getLicenseInvoices`, `getBillingInvoice` + `initiatePayment` (settle invoice), `licensesCancel`." } }, "/licenses/{id}": { "get": { "tags": [ "Licenses" ], "parameters": [ { "name": "id", "description": "The license service ID. Use `license_id` from `GET /licenses`.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/License" } } }, "links": { "postLicenseChangeIp": { "operationId": "postLicenseChangeIp", "parameters": { "id": "$response.body#/serviceInfo/license_id" }, "description": "Change the IP address assigned to this license." }, "getLicenseInvoices": { "operationId": "getLicenseInvoices", "parameters": { "id": "$response.body#/serviceInfo/license_id" }, "description": "Retrieve the billing invoices for this license service." } }, "description": "License information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getLicenseInfo", "summary": "Get full details for one license including status, IP, and links", "description": "Returns rich detail for a single license service: serviceInfo row (license_id, hostname, license_ip, license_status, license_type), the underlying services row (name, cost, frequency), client_links for self-service actions (change IP, cancel, resend welcome email, view invoices), and provisioning state. Use after getLicenseList to drill into a specific license, or as the canonical lookup before postLicenseChangeIp / licensesCancel / getLicenseInvoices. Path: id (license_id from list). No body. Errors: 401 unauthenticated; 404 if id is invalid or owned by a different customer. Caveat: admin_links/settings/csrf are stripped — use admin endpoints for those. Sibling endpoints: updateLicenseInfo (mutate fields), postLicenseChangeIp." }, "post": { "tags": [ "Licenses" ], "parameters": [ { "name": "id", "description": "The license service ID. Use `license_id` from `GET /licenses`.", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateLicenseInfo", "summary": "Update mutable fields on a license service (e.g. assigned IP)", "description": "Updates settings on an existing license service. The primary mutable field is the bound IP, but the endpoint shares routing with View::go so other future fields flow through here. For IP changes prefer postLicenseChangeIp which has explicit semantics and triggers vendor rebinding. Path: id (license_id). Body: fields to update (form or JSON); shape varies by license type. Returns SuccessTextResponse. Errors: 401 unauthenticated; 404 if id is invalid or not owned; 409 if license is not active. Caveats: vendor-side propagation (cPanel store, LiteSpeed key server, etc.) is asynchronous; some IP/hostname changes incur a fee per vendor policy. Sibling: getLicenseInfo (read), postLicenseChangeIp (dedicated)." }, "delete": { "tags": [ "Licenses" ], "responses": { "200": { "$ref": "#/components/responses/LicensesCancelResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "licensesCancel", "summary": "Cancel a license service and stop future billing (irreversible)", "description": "Cancels a license service: invokes cancel_service which marks the service canceled, deactivates the license key with the upstream vendor, and stops the recurring invoice so no further charges occur. Use carefully — once vendor-side deactivation propagates the key stops working on the bound machine. Path: id (license_id from getLicenseList). No body. Returns LicensesCancelResponse with success and a translated text message. Errors: 401 unauthenticated; the underlying handler returns success=false JSON if the service id is invalid or cancellation fails (contact support path). Caveats: no prorated refund by default; pre-paid time is forfeited per TOS. Sibling endpoints: getLicenseInfo, getLicenseInvoices for billing history before cancelling." }, "parameters": [ { "name": "id", "description": "The license service ID. Use `license_id` from `GET /licenses`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/licenses/{id}/change_ip": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/IpObject" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/IpObject" } } }, "required": true }, "tags": [ "Licenses" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postLicenseChangeIp", "summary": "Rebind a license to a new IP address (may incur a vendor fee)", "description": "Changes the IP address that the license is bound to and triggers re-issuance with the upstream vendor (cPanel store, LiteSpeed key server, Plesk, etc.). The service must be active. Use getLicenseInfo first to read the current license_ip, then submit the new IP. Path: id (license_id). Body (JSON or multipart): IpObject with the new ip field. Returns SuccessTextResponse on success. Errors: 401 unauthenticated; 404 invalid id or not owned; 409 if status != active; 422-style failures from the vendor are returned via json_error with the upstream status_text. Caveats: many vendors charge a per-change fee and rate-limit changes (e.g. cPanel allows limited free changes per period); the new IP must be reachable for license verification. Sibling: updateLicenseInfo." }, "parameters": [ { "name": "id", "description": "The license service ID. Use `license_id` from `GET /licenses`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/licenses/{id}/invoices": { "get": { "tags": [ "Licenses" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getLicenseInvoices", "summary": "List all billing invoices tied to one software license service", "description": "Returns the full invoice history for a single license service: the original setup invoice plus every recurring renewal invoice generated by the repeat_invoices entry. Use this for billing reconciliation, to display past charges in the customer UI, or to confirm a renewal posted before contacting support. Path: id (license_id from getLicenseList). No body. Returns ChargeInvoiceRows: an array of invoice rows with id, date, amount, paid status, and payment method. Errors: 401 unauthenticated; returns success=false with HTTP 400 if the service id is invalid or owned by a different customer. Caveat: only invoices linked via repeat_invoices_id are included — manual one-off charges from staff may not appear here. Sibling endpoints: getLicenseInfo, licensesCancel." }, "parameters": [ { "name": "id", "description": "The license service ID. Use `license_id` from `GET /licenses`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/licenses/{id}/welcome_email": { "get": { "tags": [ "Licenses" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getLicensesWelcomeEmail", "summary": "Resend the license welcome email with the key and activation steps", "description": "Resends the welcome email for an active license to the account email on file. The email contains the license key, the bound IP, and vendor-specific activation instructions (e.g. cPanel /usr/local/cpanel/cpkeyclt, LiteSpeed lswsctrl). Use this when the customer lost the original email or rotated mailboxes — the key itself is unchanged. Path: id (license_id). No body. Returns SuccessTextResponse with a translated confirmation. Errors: 401 unauthenticated; 404 if the id is invalid or not owned by the session customer; 409 if the license status is not active (cancelled licenses cannot resend). Caveat: delivery is best-effort — check the email log if it does not arrive. Sibling endpoints: getLicenseInfo, postLicenseChangeIp." }, "parameters": [ { "name": "id", "description": "The license service ID. Use `license_id` from `GET /licenses`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/oauth": { "summary": "OAuth Authentication", "description": "Authenticate using third-party OAuth providers such as Google. Use GET to initiate the OAuth redirect, POST to handle the callback, and PATCH to complete two-factor verification if required.", "get": { "tags": [ "Public" ], "parameters": [ { "name": "provider", "description": "The OAuth provider name (e.g. `Google`).", "schema": { "type": "string" }, "in": "query", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "redirect_url": { "description": "The URL to redirect the user to for OAuth authentication.", "type": "string" } } } } }, "links": { "postOauthCallback": { "operationId": "postOauthCallback", "description": "After the user completes OAuth authorization at the redirect URL, call `POST /oauth` with the provider to handle the callback." } }, "description": "OAuth redirect URL for the requested provider." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "security": [ {} ], "operationId": "getOauthRedirect", "summary": "Begin OAuth login flow — redirect user to provider for authentication", "description": "Use as step 1 of social login. Navigate the browser (typically a popup) to `/apiv2/oauth?provider=X` so the provider authenticates the user, then handle the postMessage from the popup. Public — no auth required.\nQuery params: `provider` (required, case-sensitive: `Google`/`GitHub`/`Facebook`/`Twitter`), `origin` (optional, opener window origin used to target postMessage instead of `*`).\nThe endpoint redirects directly to the provider rather than returning JSON. After the provider callback, the popup posts one of: `oauth_success` (logged in), `oauth_2fa_required` (call `patchOauthTwoFactor` with the `oauth_token`), `oauth_link_required` (call `postOauthCallback` to link or create), or `oauth_error`.\nSiblings: `postOauthCallback`, `patchOauthTwoFactor`, `submitLogin` (password flow)." }, "post": { "requestBody": { "content": { "application/json": { "schema": { "type": "object", "properties": { "provider": { "description": "The OAuth provider name (e.g. `Google`).", "type": "string" } } } }, "multipart/form-data": { "schema": { "type": "object", "properties": { "provider": { "description": "The OAuth provider name (e.g. `Google`).", "type": "string" } } } } } }, "tags": [ "Public" ], "parameters": [ { "name": "provider", "description": "The OAuth provider name (e.g. `Google`).", "schema": { "type": "string" }, "in": "query", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "login": { "description": "Whether the user was logged in to an existing account.", "type": "boolean" }, "signup": { "description": "Whether a new account was created.", "type": "boolean" }, "linked": { "description": "Whether the OAuth provider was linked to an existing account.", "type": "boolean" }, "account_id": { "description": "The account ID associated with the OAuth login.", "type": "integer" }, "error_code": { "description": "Error code if additional verification is needed (e.g. `2fa_required`).", "type": "string" } } } } }, "links": { "patchOauthTwoFactor": { "operationId": "patchOauthTwoFactor", "parameters": { "account_id": "$response.body#/account_id" }, "description": "When the response contains `error_code: \"2fa_required\"`, use the returned `account_id` with `PATCH /oauth` to complete two-factor verification." } }, "description": "OAuth callback result." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "security": [ {} ], "operationId": "postOauthCallback", "summary": "Complete OAuth login by linking provider to existing or new account", "description": "Step 3 of the OAuth login flow. Called after `getOauthRedirect` returned `oauth_link_required` via the popup's `window.postMessage()`. Either links the OAuth identity to an existing account (verifying password) or creates a new account. Public — no auth required. Sibling ops: `patchOauthTwoFactor` (2FA follow-up), `getOauthRedirect` (start the flow), `submitSignup`, `submitLogin`.\n\n**Body fields** (JSON or form):\n- `oauth_token` (string, required) — signed token from the popup's `window.postMessage()` payload; 10-minute expiry.\n- `login` (string, required) — email.\n- `password` (string, required).\n- `create` (boolean, optional) — set `true` to create a new account instead of linking.\n- `email_confirmation` (string, conditional) — 8-char code emailed on the first `create=true` attempt; server returns 422 `email_verification_required` until provided.\n- `tfa` (string, conditional) — 6-digit TOTP when the existing account has 2FA enabled (after the first attempt returns 422 `2fa_required`).\n\n**Returns:** `{ login|signup|linked: true, sessionId, account_id, account_lid, ima, name, gravatar }`.\n\n**Errors:**\n- `400` — invalid / expired `oauth_token`.\n- `401` — bad password or wrong 2FA code.\n- `409` — account already exists (when `create: true`).\n- `422` — missing field; `email_verification_required`; `2fa_required`.\n\n**Related calls:**\n- **Prerequisite:** `getOauthRedirect` to initiate the popup flow.\n- **Follow-up when 2FA required:** `patchOauthTwoFactor`.\n- **Alternate entry points:** `submitLogin`, `submitSignup`.\n" }, "patch": { "requestBody": { "content": { "application/json": { "schema": { "required": [ "account_id", "code" ], "type": "object", "properties": { "account_id": { "description": "The account ID returned from the POST callback.", "type": "integer" }, "code": { "description": "The 6-digit two-factor authentication code.", "type": "string" } } } }, "multipart/form-data": { "schema": { "required": [ "account_id", "code" ], "type": "object", "properties": { "account_id": { "description": "The account ID returned from the POST callback.", "type": "integer" }, "code": { "description": "The 6-digit two-factor authentication code.", "type": "string" } } } } }, "required": true }, "tags": [ "Public" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "login": { "description": "Whether the 2FA verification succeeded and the user is now logged in.", "type": "boolean" } } } } }, "description": "OAuth 2FA verification result." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "security": [ {} ], "operationId": "patchOauthTwoFactor", "summary": "Submit 2FA code to finish OAuth login when account has 2FA enabled", "description": "Final step of the OAuth login flow when the account has 2FA enabled. Called after `postOauthCallback` (or the popup's `window.postMessage()` handshake) returned `2fa_required`. Verifies the TOTP against the account's stored Google Authenticator secret and creates the session. Public — no auth required. Sibling ops: `postOauthCallback` (prior step), `getOauthRedirect` (entry point), `getAccountTfaSetup` (enroll 2FA), `submitLogin`.\n\n**Body fields** (JSON or form):\n- `code` (string, required) — 6-digit TOTP from the authenticator app.\n- `account_id` (integer, required) — returned by the prior `postOauthCallback`.\n- `oauth_token` (string, optional) — signed token from the original `postMessage` payload, type `2fa`, 10-minute expiry. When present, its embedded OAuth profile data is merged into the account (name / picture / phone / address) for any fields still empty.\n\n**Returns:** `{ login: true, sessionId, account_id, account_lid, ima, name, gravatar }`.\n\n**Errors:**\n- `400` — invalid / expired `oauth_token` or no pending verification.\n- `401` — invalid 2FA code.\n- `409` — 2FA not enabled on the account.\n- `422` — missing `code`.\n\n**Related calls:**\n- **Prerequisite:** `postOauthCallback`.\n- **Enroll 2FA on the account first:** `getAccountTfaSetup` → `updateAccountTfa`.\n- **Alternate login:** `submitLogin`.\n" } }, "/login": { "summary": "Log In to the system and create a session.", "description": "Submit your login credentials to generate a session id which can be used for validating requests.", "get": { "tags": [ "Public" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/LoginInfo" }, "examples": { "LoginInfoExample": { "value": { "logo": "//my.interserver.net/images/logos/mystaging.png", "captcha": "data:image/jpeg;base64,/9j/", "language": "en-US", "counts": { "vps": 290201, "websites": 205172, "servers": 27940 } } } } } }, "description": "Various pieces of information useful for rendering a login page." }, "403": { "$ref": "#/components/responses/LoginResponseError" } }, "security": [ {} ], "operationId": "getLoginInfo", "summary": "Fetch logo, captcha, language, and stats for rendering a login page", "description": "Bootstraps an unauthenticated login page in one round-trip — branding logo, fresh captcha challenge, auto-detected user language, and live counts of VPS / websites / servers managed by the system (often used as marketing stats). Public — no auth required. Sibling ops: `submitLogin` (consume the captcha), `getCaptcha` (refresh captcha only), `getAccountLocales`, `submitSignup`.\n\n**Path/Query/Body:** None.\n\n**Returns** `{ logo, captcha, language, counts }`:\n- `logo` (string) — URL; uses the `LOGO` constant or a default.\n- `captcha` (string) — `data:image/jpeg;base64,...` image; phrase is stored server-side under `$_SESSION['captcha']` (also aliased to `$_SESSION['captchaSignup']` and `$_SESSION['captchaFP']`) — the browser's `PHPSESSID` cookie carries the phrase to `submitLogin` / `submitSignup`.\n- `language` (string) — BCP-47 locale (e.g. `en-US`).\n- `counts` (object) — `{ vps: int, websites: int, servers: int }` from live `SELECT COUNT(*)` on the underlying tables.\n\n**Auth:** None.\n\n**Errors:** `403` per `LoginResponseError` if a stricter login gate is configured upstream.\n\n**Related calls:**\n- **Next:** `submitLogin` (login form post) or `submitSignup` (new account).\n- **Captcha refresh only:** `getCaptcha`.\n- **OAuth alternative:** `getOauthRedirect`.\n" }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/LoginSubmissionExample" } }, "application/json": { "schema": { "$ref": "#/components/schemas/LoginSubmissionExample" }, "examples": { "LoginSubmissionExampleExample": { "value": { "login": "user@domain.com", "passwd": "mypassword", "remember": "true", "g-recaptcha-response": { "__v_isShallow": false, "dep": { "w": 0, "n": 0 }, "__v_isRef": true, "_rawValue": "zzzzz", "_value": "zzzzz" } } } } } }, "required": true }, "tags": [ "Public" ], "responses": { "200": { "$ref": "#/components/responses/LoginSuccessResponse" }, "402": { "$ref": "#/components/responses/LoginResponseError" }, "default": { "description": "Default response" } }, "security": [ {} ], "operationId": "submitLogin", "summary": "Authenticate with email + password and return a session token", "description": "Primary password→session-token exchange. Pass the returned session id back as the `sessionid` HTTP header on subsequent calls. Public — no auth required. Sibling ops: `getLoginInfo` (captcha + branding), `getOauthRedirect` (social login), `submitSignup`, `updateAccountApiKey` (rotate API key once logged in).\n\n**Body fields** (JSON or form):\n- `login` (string, required) — email.\n- `passwd` (string, required) — password.\n- `tfa` (string, conditional) — 6-digit TOTP when the account has 2FA enabled.\n- `verify` (string, conditional) — 8-char email-confirmation code returned via email when logging in from a new IP. Triggered automatically when the IP has no `acquittal` trial record yet (see `Trial` ORM, type `verify_email`).\n- `remember` (boolean / `'true'` / `'yes'` / `'1'`, optional) — extends cookie lifetime.\n\n**Returns:** `{ sessionId, account_id, account_lid, ima, name, gravatar }`. The `sessionId` value is the credential to send on every subsequent authenticated request.\n\n**Errors:**\n- `401` — bad credentials or wrong 2FA / verify code.\n- `422` — missing `login` / `passwd` / `tfa` / `verify`; response body's `field` indicates which input is required next.\n- `429` — too many failed attempts (login-log rate-limit) or max code retries reached.\n\n**Related calls:**\n- **Prerequisite:** `getLoginInfo` to fetch the captcha challenge and counts.\n- **Alternate:** `getOauthRedirect` → `postOauthCallback` for social login.\n- **After login:** `updateAccountApiKey`.\n" } }, "/logout": { "get": { "tags": [ "Account" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "Logout", "summary": "Destroy the current API/web session — token becomes unusable", "description": "DESTRUCTIVE: invalidates the caller's session record and appsession bag. After this returns the session id can no longer authenticate requests; the client must discard it and prompt the user to log in again. Idempotent — calling with an already-invalid session returns `200` (no-op when `App::accounts()->data` is empty). API keys (`updateAccountApiKey`) and persistent OAuth links are NOT affected — only this session token. Sibling ops: `updateAccountPassword`, `updateAccountApiKey`, `logoutAccountOauth`, `deleteAccountOauthName`.\n\n**Path/Query/Body:** None.\n\n**Returns:** `{ success: true, text: 'Logged Out' }`.\n\n**Side effects:** calls `App::session()->destroy()` only when `api_check_auth_limits()` passes for the current account, so a locked account is short-circuited gracefully without further error.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — only on a completely malformed auth header.\n\n**Related calls:**\n- **Re-login:** `submitLogin` or `getOauthRedirect`.\n- **Per-provider OAuth sign-out (does NOT invalidate the session):** `logoutAccountOauth`.\n" } }, "/mail": { "get": { "tags": [ "Mail" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/MailRow" } } } }, "links": { "getMailInfo": { "operationId": "getMailInfo", "parameters": { "id": "$response.body#/0/mail_id" }, "description": "Use the `mail_id` from any item in the response array to fetch full service details via `GET /mail/{id}`." } }, "description": "The listing of `Mail` services on your account." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getMailList", "summary": "List every Mail Baby SMTP relay service on the account", "description": "Enumerates every Mail Baby SMTP relay service owned by the authenticated customer. Canonical entry point for finding a `mail_id` to pass to other Mail endpoints. Filtered server-side by `mail_custid`. Sibling ops: `getMailInfo`, `getStats`, `viewMailLog`, `getMailDeliverability`, `getMailBlocks`, `getMailInvoices`, `addMail`.\n\n**Path/Query/Body:** None.\n\n**Returns:** Array of `MailRow`:\n- `mail_id` (integer) — canonical id.\n- `mail_username` (string) — SMTP username (e.g. `mb1234`).\n- `mail_status` (string enum) — `active` / `pending` / `canceled` / `suspended`.\n- `services_name` (string) — plan label.\n- `repeat_invoices_cost` (decimal string) — recurring cost.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Per-service detail:** `getMailInfo`.\n- **Send mail:** `sendMail` / `sendAdvMail`.\n- **Reputation:** `getMailDeliverability` / `getMailBlocks` / `getMailDelist`.\n- **Order a new service:** `getNewMail` → `putMail` → `addMail`.\n" } }, "/mail/order": { "get": { "tags": [ "Mail" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MailOrder" } } }, "description": "Mail ordering information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewMail", "summary": "Read the Mail Baby order catalog — plans, package costs, service-type metadata", "description": "Step 1 of the Mail Baby order flow. Returns the catalog used to bootstrap an order form: `packageCosts` keyed by `services_id` (only buyable services where `services_buyable=1`) and the full `serviceTypes` map. Read-only. Pricing is normalized to the customer's currency via `getCurrency()`. Sibling ops: `putMail`, `addMail`, `getMailList`.\n\n**Path/Query/Body:** None.\n\n**Returns** (schema `MailOrder`):\n- `packageCosts` (object) — `{: }` per buyable plan.\n- `serviceTypes` (object) — full service-types registry (plan metadata).\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Next:** `putMail` (validate + quote — no charge), `addMail` (place order).\n" }, "put": { "tags": [ "Mail" ], "responses": { "200": { "description": "Validate Mail order response." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "putMail", "summary": "Validate Mail Baby order, quote pricing, and verify coupon — no charge", "description": "Step 2 of the Mail Baby order flow. Dry-runs the order through `validate_buy_mail()` without creating invoices. Returns the cost preview, coupon resolution, and validation errors. The endpoint also auto-generates an SMTP password preview the order will use. Use to surface live pricing in the UI before `addMail`. Sibling ops: `getNewMail`, `addMail`.\n\n**Body fields:**\n- `serviceType` (integer, required) — plan id from `getNewMail.packageCosts` keys.\n- `coupon` (string, optional) — coupon code.\n\n**Returns:**\n- `continue` (bool) — `true` if order can safely be POSTed.\n- `errors` (array) — validation messages.\n- `serviceType`, `serviceCost`, `originalCost`, `repeatServiceCost` (numeric).\n- `password` (string) — auto-generated SMTP password preview.\n- `introFrequency` (integer).\n- `coupon`, `couponCode` (string/integer) — resolved coupon.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `200` with `continue=false` and `errors[]` — validation problems.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Prerequisite:** `getNewMail` (catalog).\n- **Place order:** `addMail`.\n" }, "post": { "tags": [ "Mail" ], "responses": { "200": { "$ref": "#/components/responses/ServiceOrderPostResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Order a mail.baby relay/transactional mail service. Returns invoice IDs for checkout.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addMail", "summary": "Place a new Mail Baby order, generate invoice, and queue provisioning", "description": "Step 3 of the Mail Baby order flow. Revalidates via `validate_buy_mail()`, then calls `place_buy_mail()` to create a `Repeat_Invoice` recurring billing row, an initial `invoices` row, and a `mail` service record in pending status. SMTP credentials become active once the activation worker runs the welcome email (after the invoice is paid). **Real money** — call `putMail` first. Sibling ops: `getNewMail`, `putMail`, `getMailInfo`, `initiatePayment`.\n\n**Body fields:**\n- `serviceType` (integer, required) — plan id from `getNewMail`.\n- `coupon` (string, optional).\n- `comment` (string, optional) — saved on the order row.\n\n**Returns** (on success): `{continue: true, total_cost, iid, iids, real_iids, serviceId (new mail_id), invoice_description, cj_params}` — pass `real_iids` to `initiatePayment`. On validation failure: `{continue: false, errors: [...]}` with HTTP 200.\n\n**Side effects:**\n- Inserts `mail` service row in `pending` status.\n- Inserts `repeat_invoices` + `invoices` rows.\n\n**Auth:** Session/API key.\n\n**Errors:**\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Pay:** `initiatePayment` with `real_iids`.\n- **Confirm activation:** `getMailInfo` (poll until `mail_status=='active'`).\n- **Resend credentials:** `getMailWelcomeEmail`.\n\n**Full ordering happy path:**\n```text\nGET /mail/order -> catalog (getNewMail)\nPUT /mail/order { serviceType, coupon? } -> quote (putMail)\nPOST /mail/order { serviceType, coupon?, comment? } -> { serviceId, real_iids }\nGET /billing/pay/cc/{real_iids[0]} -> pay (initiatePayment)\nGET /mail/{serviceId} -> poll until mail_status=='active'\n```\n" } }, "/mail/{id}": { "get": { "tags": [ "Mail" ], "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MailSchema" } } }, "links": { "getMailBlocks": { "operationId": "getMailBlocks", "parameters": { "id": "$response.body#/serviceInfo/mail_id" }, "description": "Retrieve blocked email addresses for this mail service." }, "getMailAlerts": { "operationId": "getMailAlerts", "parameters": { "id": "$response.body#/serviceInfo/mail_id" }, "description": "Retrieve the alert configuration for this mail service." }, "getMailInvoices": { "operationId": "getMailInvoices", "parameters": { "id": "$response.body#/serviceInfo/mail_id" }, "description": "Retrieve the billing invoices for this mail service." } }, "description": "Mail Information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getMailInfo", "summary": "Read full detail for one Mail Baby service including SMTP credentials", "description": "Returns the full `ViewMail` payload for one Mail Baby service — `serviceInfo`, `serviceType`, and `client_links` (URLs rewritten to API paths, e.g. `view_mail_log` → `log`). Admin fields (`admin_links`, `settings`, `csrf`) stripped. Use to render a service dashboard or retrieve SMTP host/username for MTA configuration. Sibling ops: `getMailList`, `updateMailInfo`, `mailCancel`, `resetMailPassword`, `getMailWelcomeEmail`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Returns** (schema `MailSchema`):\n- `serviceInfo` — `mail_id`, `mail_username` (e.g. `mb1234`), `mail_status`, `mail_invoice`, `mail_custid`, dates, currency.\n- `serviceType` — plan row (`services_ourcost` stripped).\n- `client_links` (array) — action URLs (log, alerts, blocks, etc.).\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n\n**Related calls:**\n- **Send:** `sendMail` / `sendAdvMail`.\n- **Rotate password:** `resetMailPassword`.\n- **Reset credentials:** `getMailWelcomeEmail`.\n- **Cancel:** `mailCancel`.\n" }, "post": { "tags": [ "Mail" ], "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateMailInfo", "summary": "POST mutation hook for the Mail Baby service detail page", "description": "POST mutation hook for the Mail Baby service detail page. Currently delegates to the same `View::go()` handler as `getMailInfo` — placeholder for future field updates. Does NOT rotate credentials (use `resetMailPassword`) and does NOT change billing (use `/billing` endpoints). Sibling ops: `getMailInfo`, `mailCancel`, `resetMailPassword`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Body:** Form fields.\n\n**Returns:** `SuccessTextResponse`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `mail_status != \"active\"`.\n\n**Related calls:**\n- **Read:** `getMailInfo`.\n- **Rotate password:** `resetMailPassword`.\n" }, "delete": { "tags": [ "Mail" ], "responses": { "200": { "$ref": "#/components/responses/MailCancelResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "mailCancel", "summary": "Cancel a Mail Baby service and stop the recurring invoice", "description": "Cancels the Mail Baby service through the shared `Billing\\CancelService::go($id)` flow with `module='mail'`. SMTP credentials are deactivated, the service transitions to canceled, the `repeat_invoice` is stopped, and queued submissions stop being accepted. **Irreversible via API** — re-activation requires placing a new order via `addMail`. Sibling ops: `getMailInfo`, `getMailInvoices`, `addMail`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Returns:** `MailCancelResponse`.\n\n**Side effects:**\n- Sets `mail_status='canceled'`.\n- Marks `repeat_invoices` non-renewing.\n- ZoneMTA-side: stops accepting new submissions for `mb{mail_id}`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n\n**Related calls:**\n- **Sibling cancels:** `VPSCancel`, `CancelDomain`, `webhostingCancel`, etc.\n- **Re-provision:** `addMail`.\n" }, "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/mail/{id}/blocks": { "get": { "tags": [ "Mail" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MailBlocks" }, "examples": { "MailBlocksExample": { "value": { "local": [ { "date": "2023-08-07", "from": "user@domain.com", "messageId": "pFaRqFUEWkucjhTuIzYuoAgWU@domain.com", "subject": "Test Email", "to": "['client@site.com']" } ], "mbtrap": [ { "date": "2023-08-07", "from": "user@domain.com", "messageId": "pFaRqFUEWkucjhTuIzYuoAgWU@domain.com", "subject": "Test Email", "to": "['client@site.com']" } ], "subject": [ { "from": "user@domain.com", "subject": "Test Email" } ] } } } } }, "links": { "delistBlockLink": { "operationId": "delistBlock", "parameters": { "email": "$response.body#/local/0/from" }, "description": "The `from` value returned in the response can be used as the `email` parameter in `DELETE /mail/{id}/blocks`." } }, "description": "OK" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "404": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getMailBlocks", "summary": "List recent local-blocklist hits and spam-trap captures for the mail user", "description": "Returns relay-side block events for the SMTP user behind `mail_id` — the last 24 hours of `LOCAL_BL_RCPT` and `MBTRAP` rspamd hits, plus a 3-day window of suspicious-subject hits (credential-leak heuristic firing on subjects containing `@` / `smtp` / `socks5` / `socks4` more than 4 times). Use the `from` value with `delistBlock` or `postMailDelist` to clear a block. Sibling ops: `delistBlock`, `getMailDelist`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Returns** (schema `MailBlocks`):\n- `local` (array) — rspamd `LOCAL_BL_RCPT` hits: `{date, from, messageId, subject, to}`.\n- `mbtrap` (array) — spam-trap captures (`MBTRAP` symbol): same shape.\n- `subject` (array) — senders flagged by subject-line heuristic: `{from, subject}`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404` — `id` not owned by caller.\n- `409` — `mail_status != \"active\"`.\n\n**Related calls:**\n- **Clear a block:** `delistBlock` (POST `/mail/{id}/blocks/delete`).\n- **Broader delist UI:** `getMailDelist`, `postMailDelist`.\n" }, "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/mail/{id}/alerts": { "get": { "tags": [ "Mail" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MailAlertsResponse" } } }, "description": "Alert configuration for the mail service." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getMailAlerts", "summary": "List configured delivery/bounce/quota alerts for one Mail Baby service", "description": "Returns every alert row from `alerts` matching this service. Each row carries `alert_id` (use with PUT/DELETE), `alert_type`, `alert_value` (threshold), `alert_to` (notification email), `alert_enabled`, and timestamps. Sibling ops: `createMailAlert`, `updateMailAlert`, `deleteMailAlert`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Returns** (schema `MailAlertsResponse`): array of alert rows.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** `401`, `404`, `409 not active`.\n" }, "put": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MailAlertUpdateRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/MailAlertUpdateRequest" } } }, "required": true }, "tags": [ "Mail" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateMailAlert", "summary": "Update an existing Mail Baby alert by alert_id", "description": "Updates a single alert row by `alert_id`. Handler verifies the alert belongs to this service+module before writing. Sibling ops: `getMailAlerts`, `createMailAlert`, `deleteMailAlert`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Body fields (schema `MailAlertUpdateRequest`):**\n- `alert_id` (integer, required) — from `getMailAlerts`.\n- `type` (string, required).\n- `value` (string/numeric, required) — threshold.\n- `to` (string, required) — notification email; validated via `FILTER_VALIDATE_EMAIL`.\n- `enabled` (bool, optional).\n\n**Returns:** `SuccessTextResponse`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** `Invalid alert!` (alert not owned), field-level errors for missing/invalid body, `401`, `404`, `409 not active`.\n" }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MailAlertRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/MailAlertRequest" } } }, "required": true }, "tags": [ "Mail" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "createMailAlert", "summary": "Create a new Mail Baby alert for delivery, bounce, or quota events", "description": "Inserts a new alert row via the `Alert` ORM. The new `alert_id` is retrievable via `getMailAlerts`. Sibling ops: `getMailAlerts`, `updateMailAlert`, `deleteMailAlert`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Body fields (schema `MailAlertRequest`):**\n- `type` (string, required).\n- `value` (string/numeric, required) — threshold.\n- `to` (string, required) — notification email; validated via `FILTER_VALIDATE_EMAIL`.\n- `enabled` (bool, optional).\n\n**Returns:** `SuccessTextResponse`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** field-level errors for missing/invalid body, `401`, `404`, `409 not active`.\n" }, "delete": { "requestBody": { "content": { "application/json": { "schema": { "type": "object", "required": [ "alert_id" ], "properties": { "alert_id": { "description": "The ID of the alert to delete.", "type": "integer" } } } }, "multipart/form-data": { "schema": { "type": "object", "required": [ "alert_id" ], "properties": { "alert_id": { "description": "The ID of the alert to delete.", "type": "integer" } } } } }, "required": true }, "tags": [ "Mail" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteMailAlert", "summary": "Delete a Mail Baby alert by alert_id (hard delete — no recovery)", "description": "Hard-deletes a single alert row. Handler verifies the alert belongs to this service+module before deleting. **Irreversible** — no history is preserved; recreate via `createMailAlert` if needed. Sibling ops: `getMailAlerts`, `createMailAlert`, `updateMailAlert`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Body fields:**\n- `alert_id` (integer, required) — from `getMailAlerts`.\n\n**Returns:** `SuccessTextResponse`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** `Invalid alert!` (alert not owned), `401`, `404`, `409 not active`.\n" }, "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/mail/{id}/delist": { "get": { "tags": [ "Mail" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MailDelistResponse" } } }, "description": "Blocklist entries and delist details for the mail service." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getMailDelist", "summary": "Read blocklist diagnostics and find senders eligible for delisting", "description": "Returns a richer diagnostic snapshot than `getMailBlocks` — intended for the delist UI. Use any `SMTPFrom`/`from` value as the `unblock` field for `postMailDelist`. Sibling ops: `postMailDelist`, `getMailBlocks`, `delistBlock`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Returns** (schema `MailDelistResponse`):\n- `id` (integer) — `mail_id` echo.\n- `local`, `mbtrap` (array) — last 24h rspamd hits with capitalized keys (`Date`, `SMTPFrom`, `MessageId`, `Subject`, `MimeRecipients`).\n- `subject` (array) — credential-leak-heuristic firings (3-day window).\n- `manual` (array) — manually added blocks.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** `401`, `404`, `409 not active`.\n" }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MailDelistRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/MailDelistRequest" } } }, "required": true }, "tags": [ "Mail" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postMailDelist", "summary": "Delist a sender from rspamd / mailchannels / mailbaby block lists", "description": "Removes all block rows for one sender email across three reputation stores: `rspamd` (by `fromemail`), `mailchannels` (by `email`), `mailbaby` (by `emailfrom`). Effect is global per-address across all three tables; takes effect immediately for new submissions. Sibling ops: `getMailDelist`, `delistBlock` (alias at `/mail/{id}/blocks/delete`), `getMailBlocks`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Body fields (schema `MailDelistRequest`):**\n- `unblock` (string, required) — sender email from `getMailDelist`/`getMailBlocks`.\n\n**Returns:** `SuccessTextResponse`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** `Missing parameter unblock`, `401`, `404`, `409 not active`.\n" }, "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/mail/{id}/deliverability": { "get": { "tags": [ "Mail" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/MailDeliverabilityResponse" } } }, "description": "Deliverability metrics for the mail service." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getMailDeliverability", "summary": "Read delivered vs bounced totals broken down by sender (or by recipient domain)", "description": "Returns deliverability analytics from `MailDeliveryStats` (Dragonfly cache) for the SMTP user behind `mail_id`. Default pivot is by sender; pass `?filter_domain=1` to pivot by recipient domain for the current year instead. Use to drive analytics dashboards. Sibling ops: `getStats`, `viewMailLog`, `getMailBlocks`, `getMailDelist`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Query params:**\n- `filter_domain` (string `1`, optional) — pivot by recipient domain instead of sender.\n\n**Returns** (schema `MailDeliverabilityResponse`):\n- `stat`: `{delivered, bounced, percent}` — totals and bounce ratio.\n- `header` (string), `col1` (string) — table headers.\n- `table_data` (array) — rows of `[, bounced, delivered, bouncePercent]`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** `401`, `404`, `409 not active`.\n" }, "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/mail/{id}/invoices": { "get": { "tags": [ "Mail" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getMailInvoices", "summary": "List billing invoices linked to this Mail Baby service", "description": "Returns every invoice associated with this `mail_id` via the shared `InvoicesList` workflow. Use to render per-service billing history or find unpaid invoices to pay via `initiatePayment`. Sibling ops: `getBillingInvoice`, `initiatePayment`, `addMail`, `mailCancel`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Returns:** `ChargeInvoiceRows` — array of `{id, amount, currency, paid, date, due_date, description, module: \"mail\", service}`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** `401`, `404 Invalid Service`.\n" }, "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/mail/{id}/reset_password": { "get": { "tags": [ "Mail" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "resetMailPassword", "summary": "Rotate the SMTP password and email the new credential to the account owner", "description": "Generates a new 20-char SMTP password (lower/upper/digits via `generate_password`), writes it to the ZoneMTA Mongo `users` collection for username `mb{mail_id}`, logs the change to `App::history()`, and emails the result to the account-on-file via `client_email.tpl`. **Any MTA, app, or saved client still using the old password will start failing auth immediately.** The new password is **not** returned in the response — fetch via `getMailWelcomeEmail` or `getMailInfo`. Sibling ops: `getMailWelcomeEmail`, `getMailInfo`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Returns:** `SuccessTextResponse`.\n\n**Side effects:**\n- Mongo update on ZoneMTA `users` for `mb{mail_id}`.\n- `App::history()` audit entry.\n- Email sent to account owner.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** Mongo update modified 0 rows → error text; `401`, `404`, `409 not active`.\n" }, "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/mail/{id}/welcome_email": { "get": { "tags": [ "Mail" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getMailWelcomeEmail", "summary": "Resend the Mail Baby welcome email with SMTP credentials and setup info", "description": "Re-runs the `mail_welcome_email` plugin function — composes and sends the standard welcome email (SMTP host `relay.mailbaby.net`, port, username `mb{mail_id}`, current password, configuration tips) to the account-on-file. Use after `resetMailPassword` to redeliver the rotated credential, or when a customer reports losing the original setup email. Idempotent. Sibling ops: `resetMailPassword`, `getMailInfo`. Cross-module welcome-email endpoints: `getVpsWelcomeEmail`, `getWebsitesWelcomeEmail`, `getDomainsWelcomeEmail`.\n\n**Path param:**\n- `id` (integer, required) — `mail_id` from `getMailList`.\n\n**Returns:** `{text: \"Welcome Email has been resent.\"}`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:** `401`, `404`, `409 not active`.\n" }, "parameters": [ { "name": "id", "description": "The mail service ID. Use `mail_id` from `GET /mail`.", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/billing/pay/{method}/{invoices}": { "get": { "tags": [ "Billing" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "type": { "description": "The response type indicating how to handle the payment. Possible values: `redirect` (redirect user to a URL), `submit` (submit a form to a URL), `single` (immediate result).", "enum": [ "redirect", "submit", "single" ], "type": "string" }, "redirect": { "description": "URL to redirect the user to for payment (when type is `redirect`).", "type": "string" }, "action": { "description": "Form action URL (when type is `submit`).", "type": "string" }, "method": { "description": "HTTP method for the form submission (when type is `submit`).", "type": "string" }, "items": { "description": "Form field name-value pairs to submit (when type is `submit`).", "type": "object" }, "text": { "description": "Status or result text.", "type": "string" } } } } }, "description": "Payment initiation response with redirect or form data." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "charge", "method": "card", "amount": 0, "currency": "USD", "description": "Pay one or more invoices using the chosen method (cc, paypal, btcpay, coinbase, payu, ccavenue, cashfree, payssion, prepay).", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "initiatePayment", "summary": "Pay invoices through the chosen gateway — returns the next-step action", "description": "Universal payment trigger — the final step in every order/checkout flow. Use after any order endpoint (`addVps`, `addQs`, `addBackup`, `addMail`, `addBillingPrepay`) returns an invoice id, or after `getBillingInvoices` surfaces unpaid invoices. Resolves the chosen gateway class under `include/Api/Billing/Pay/`, populates it with the invoices, and returns one of three response shapes the client must act on: `redirect` (send the user to the gateway URL), `submit` (POST a form with the supplied items), or `single` (processed synchronously). Sibling ops: `getBillingCart`, `getBillingInvoices`, `getBillingInvoice`, `addBillingPrepay`, `updateBillingPaymentMethod`, `addBillingCreditCard`.\n\n**Path params:**\n- `method` (string enum, required) — one of `cc`, `paypal`, `prepay`, `payssion`, `payu`, `ccavenue`, `cashfree`, `coinbase`, `btcpay`. Rejected with 400 otherwise.\n- `invoices` (string, required) — comma-separated identifiers. Each identifier may be:\n - a bare integer invoice id (e.g. `25296600`);\n - `INV` (e.g. `INVvps25296600`) — strict invoice lookup;\n - `SERVICE` (e.g. `SERVICEvps12345`) — picks the most recent unpaid invoice for that service;\n - `RINV` (e.g. `RINVvps78901`) — picks the most recent unpaid invoice for that repeat-invoice row;\n - `PREPAYIDINV` — explicit prepay-funding invoice.\n\n**Query params:**\n- `redirectUrl` (string, optional) — override the gateway return-URL. Defaults to `https://my.interserver.net/pay/`.\n\n**Returns** (one of three shapes — branch on `type`):\n- **type=`redirect`:** `{type: \"redirect\", redirect: \"\", text: \"...\"}` — send the user to `redirect`.\n- **type=`submit`:** `{type: \"submit\", action: \"\", method: \"POST\", items: {field: value, ...}}` — render a form with those fields, POST to `action`.\n- **type=`single`:** `{type: \"single\", text: \"...\"}` — payment already processed; surface `text` to the customer.\n\n**Side effects:**\n- Creates a `payment_requests` row tracking the attempt (via `addPaymentRequest`).\n- On `single`-mode success (`cc`, `prepay`): marks the underlying `invoices.invoices_paid=1`, triggers `queue_process_payment($iid)` → service activation.\n- On `redirect`/`submit`-mode: nothing is paid yet; the gateway IPN/callback handler in `confirm()` (in each `Pay/*.php` subclass) runs `queue_process_payment` after the gateway notifies us of success.\n\n**Auth:** Session/API key. Ownership of every referenced invoice is enforced through the `setInvoices()` lookup (filters by session `account_id`).\n\n**Errors:**\n- `400 Invalid payment method` — unrecognized `method`.\n- `402` / gateway-specific text — card declined, balance insufficient, etc. Returned as `{error: \"\"}`.\n- `422 Invalid Invoice Tag` — identifier format not recognized.\n- `401` — unauthenticated.\n- Method-specific:\n - `cc`: card not verified (use `addBillingCreditCard` → `patchBillingCreditCardVerify` → `postBillingCreditCardVerify` first; verify via `updateBillingPaymentMethod`).\n - `prepay`: insufficient prepay balance (use `addBillingPrepay` to top up first).\n\n**Related calls:**\n- **Get an invoice id to pass:** `addVps` / `addQs` / `addBackup` / `addMail` / `addBillingPrepay` / `getBillingInvoices`.\n- **Confirm invoice detail first:** `getBillingInvoice`.\n- **Set up payment methods:** `addBillingCreditCard`, `patchBillingCreditCardVerify`, `postBillingCreditCardVerify`, `updateBillingPaymentMethod`.\n- **After payment:** poll the originating service endpoint (e.g. `getVpsInfo` for VPS) until status flips to `active`.\n\n**Example happy-path (VPS):**\n```text\n# 1) Order created — POST /vps/order returned {serviceid: 12345, real_iids: [\"25296600\"]}\n# 2) Pay with stored credit card:\nGET /apiv2/billing/pay/cc/25296600\n# 3) Response:\n{\"type\": \"single\", \"text\": \"Payment processed.\"}\n# 4) Poll service:\nGET /apiv2/vps/12345 -> {\"vps_status\": \"active\", ...}\n```\n**Example PayPal flow:**\n```text\nGET /apiv2/billing/pay/paypal/25296600\n{\"type\": \"redirect\", \"redirect\": \"https://www.paypal.com/...\", \"text\": \"...\"}\n# Client redirects user; PayPal IPN later marks invoice paid and activates service.\n```\n" }, "parameters": [ { "name": "method", "description": "The payment method to use. Valid values: `cc` (credit card), `paypal`, `prepay`, `payssion`, `payu`, `ccavenue`, `cashfree`, `coinbase`, `btcpay`.", "schema": { "enum": [ "cc", "paypal", "prepay", "payssion", "payu", "ccavenue", "cashfree", "coinbase", "btcpay" ], "type": "string" }, "in": "path", "required": true }, { "name": "invoices", "description": "A comma-separated list of invoice IDs or invoice Tags to pay. These IDs are returned by order endpoints (e.g. `/backups/order`, `/vps/order`) and by `/billing/invoices`. Invoice tags accepted are SERVICE, RINV, INV, PREPAY, and .", "schema": { "type": "string" }, "in": "path", "required": true } ] }, "/ping": { "get": { "tags": [ "Public" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "string" }, "examples": { "pingResponse": { "value": "\"pong\"" } } } }, "description": "A simple response of \"pong\" for use with simple tests to see if a service is up. " }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Something is wrong" } }, "security": [ {} ], "operationId": "pingServer", "summary": "Liveness check — returns the JSON string \"pong\" to confirm API is up", "description": "Trivial GET that returns the JSON string `\"pong\"` so AI agents and monitors can verify the API endpoint is reachable. Public — no auth required, no params, no body. Does not exercise the database, queue, or any plugin modules. Sibling ops: `getInfo` (richer probe that touches MySQL).\n\n**Path/Query/Body:** None.\n\n**Returns:** JSON-encoded string `\"pong\"` with HTTP 200.\n\n**Auth:** None (public endpoint).\n\n**Errors:** No documented error path under normal operation — a non-200 or absent response indicates the API is down, the host is unreachable, or upstream routing is broken.\n\n**Use when:**\n- Bootstrapping a new client and want to confirm the API is reachable.\n- Smoke-testing in CI/health-check pipelines.\n- Diagnosing connectivity issues before higher-cost calls.\n\n**Related calls:**\n- **Deeper health probe:** `getInfo` (exercises the DB layer).\n" } }, "/qs": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/QuickserverRow" } } } }, "links": { "GetQuickServerDetails": { "operationId": "getQsInfo", "parameters": { "id": "$response.body#/0/qs_id" }, "description": "Use the `qs_id` from any item in the response array to fetch full QuickServer details." } }, "description": "The listing of `Quickservers` services on your account." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsList", "summary": "List QuickServer rapid-deploy dedicated servers on the account", "description": "Use to enumerate the caller's QuickServers (quick-provision physical dedicated boxes that share the VPS billing model). No params, no body. Each row has `qs_id`, `qs_name`, `qs_hostname`, `qs_status`, `qs_comment`, and `cost`. Feed `qs_id` into `getQsInfo` for full details, or any per-server action (`doQsStart`, `doQsStop`, `doQsRestart`, `getQsBackups`, etc.).\nReturns: array of QuickServer rows. Errors: 401 if unauthenticated.\nSiblings: `getVpsList` (virtual VPS surface), `getQsInfo`, `getNewQs` for ordering metadata." } }, "/qs/order": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/QuickserverOrder" } } }, "description": "Quickserver Ordering information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewQs", "summary": "Get QuickServer order form metadata and available plans/templates", "description": "Use before placing or validating a QuickServer order to retrieve pricing, available servers, OS templates, and form fields. Read-only — no params, no body, no charge.\nReturns: `QuickserverOrder` schema with plan/template/server options used to build the order payload for `putQs` (validate) or `addQs` (place). Errors: 401 if unauthenticated.\nSiblings: `putQs` (dry-run validation), `addQs` (commits and invoices), `getNewVps` (virtual VPS ordering surface)." }, "put": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "Validate QuickServer Order response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "putQs", "summary": "Validate a QuickServer order without charging or provisioning", "description": "Dry-run the order payload before calling `addQs`. No invoice is created and no service is provisioned. Use to surface form errors, compute the price, and resolve the chosen `server`/`os`/`distro` against the master pool.\nBody (form): `server` (master ID), `password`, `os` (template), `comment`, `tos`. Returns the `validate_buy_qs` result with `continue` flag, normalized fields, `service_cost`, and `errors` array. Errors: 401 if unauthenticated; validation errors are returned in the body, not as 4xx.\nSiblings: `addQs` (commits the order), `getNewQs` (form metadata), `putVps` (VPS equivalent)." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/ServiceOrderPostResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Order a QuickServer instance. Returns invoice IDs for checkout.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addQs", "summary": "Place a QuickServer order, generating a real invoice and queuing provisioning", "description": "Commits the validated order: creates the service row, generates a real invoice, and queues provisioning. Body fields match `putQs` (`server`, `password`, `os`, `comment`, `tos`) — call `putQs` first to catch errors. On `validation.continue=false`, returns the joined error string with no charge.\nReturns: `ServiceOrderPostResponse` with the new service ID and invoice info. Pay via `getBillingInvoice`/`initiatePayment`. Errors: 401 if unauthenticated, 4xx with message on validation failure.\nSiblings: `putQs` (validate first), `getNewQs`, `addVps` (VPS equivalent)." } }, "/qs/{id}": { "get": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Quickserver" } } }, "links": { "GetQuickServerInvoices": { "operationId": "getQsInvoices", "parameters": { "id": "$request.path.id" }, "description": "Retrieve billing invoices for this QuickServer." }, "RestartQuickServer": { "operationId": "doQsRestart", "parameters": { "id": "$request.path.id" }, "description": "Restart this QuickServer." }, "StartQuickServer": { "operationId": "doQsStart", "parameters": { "id": "$request.path.id" }, "description": "Power on this QuickServer." }, "StopQuickServer": { "operationId": "doQsStop", "parameters": { "id": "$request.path.id" }, "description": "Power off this QuickServer." }, "BackupQuickServer": { "operationId": "postQsBackup", "parameters": { "id": "$request.path.id" }, "description": "Create a backup of this QuickServer." }, "ListQuickServerBackups": { "operationId": "getQsBackups", "parameters": { "id": "$request.path.id" }, "description": "List available backups for this QuickServer." }, "ReinstallQuickServerOS": { "operationId": "getQsReinstallOs", "parameters": { "id": "$request.path.id" }, "description": "View available OS templates for reinstalling this QuickServer." }, "GetReverseDns": { "operationId": "getQsReverseDns", "parameters": { "id": "$request.path.id" }, "description": "View reverse DNS entries for this QuickServer." } }, "description": "Quickserver details" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsInfo", "summary": "Get full details for one QuickServer including credentials and links", "description": "Returns the QuickServer dashboard payload — service info, IPs, hostname, OS, status, billing, and the list of available `client_links` (action endpoints the caller is allowed to invoke). Path param: `id` (integer QuickServer ID).\nReturns: `Quickserver` schema. Use response links to drive `doQsStart`, `doQsStop`, `doQsRestart`, `getQsBackups`, `getQsReinstallOs`, `getQsReverseDns`, `getQsInvoices`. Errors: 401 if unauthenticated, 404 if `id` is not owned by caller.\nSiblings: `updateQsInfo` (mutate), `quickserversCancel` (delete), `getVpsInfo` (VPS equivalent)." }, "post": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateQsInfo", "summary": "Update QuickServer order metadata or stored settings without OS impact", "description": "Mutates QuickServer-level settings (comment, stored notes) without affecting the running OS. Path param: `id`. Body fields are module-specific and processed by the shared `View::go` handler.\nReturns: `SuccessTextResponse`. Errors: 401 if unauthenticated, 404 if not owned by caller.\nFor server-side actions use the dedicated endpoints — hostname via `postQsChangeHostname`, password via `postQsChangeRootPassword`, OS via `postQsReinstallOs`. Siblings: `getQsInfo` (read), `quickserversCancel` (delete)." }, "delete": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QuickserversCancelResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "quickserversCancel", "summary": "Cancel a QuickServer service at the end of the current billing cycle", "description": "Schedules deprovisioning. The server keeps running until the current billing period ends, then is canceled and the recurring invoice stops. Path param: `id` (integer).\nReturns: `{ success: bool, text: string }`. Errors: 401 if unauthenticated, 404 if not owned by caller. Reversible only by support before the cycle closes — use `getQsInvoices` to check the next invoice date first.\nSiblings: `getQsInfo`, `VPSCancel` (VPS equivalent), `serversCancel` (dedicated equivalent)." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/backup": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsBackup", "summary": "Queue creation of a new QuickServer backup snapshot (note: GET triggers job)", "description": "Note: GET on `/qs/{id}/backup` triggers a backup job — despite the verb, this is a state-changing action. Queues a `backup` operation; backup name is auto-generated. Path param: `id` (integer).\nReturns: `{ text, queueId }`. Async — backup completes in minutes to hours depending on disk size. Poll `getQsBackups` to see when it appears. Errors: 401 if unauthenticated, 404 if not owned by caller, 409 if status != `active`.\nSiblings: `getQsBackups` (list), `postQuickServerRestore`, `downloadQsBackup`, `deleteQsBackup`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/backups": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/VpsBackupRows" } } }, "description": "The listing of available backups for the QuickServer." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsBackups", "summary": "List available QuickServer backups across Swift, MinIO, and ZFS storage", "description": "Returns all backups visible to the caller for this QuickServer across the three backup backends. Path param: `id` (integer). Optional query `all=1` lists every backup the customer owns, not just this server's.\nReturns: `VpsBackupRows` array — each row has `name`, `type` (swift/minio/zfs), `size`, `service`, `path`. Use `name` (not a numeric ID) with `downloadQsBackup` (PATCH), `deleteQsBackup` (DELETE), or `postQuickServerRestore`. Errors: 401, 404 if not owned by caller.\nSiblings: `getQsBackup` (create), `postQuickServerRestore`." }, "delete": { "tags": [ "QuickServers" ], "parameters": [ { "name": "file", "description": "The backup filename to delete.", "schema": { "type": "string" }, "in": "query", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteQsBackup", "summary": "Permanently delete a QuickServer backup file from object storage", "description": "Removes the backup from its storage backend. Irreversible — the backup cannot be recovered. Path param: `id`. Required: `file` (the backup `name` from `getQsBackups`, in query or form body).\nWorks for `swift` and `minio` backups; `zfs` snapshots cannot be deleted via this endpoint (returns an error pointing to support). Returns: `SuccessTextResponse` with the removed name. Errors: 401, 404 if not owned, error message if backup type is unsupported or the storage operation fails.\nSiblings: `getQsBackups` (list), `downloadQsBackup` (PATCH), `postQuickServerRestore`." }, "patch": { "requestBody": { "content": { "application/json": { "schema": { "required": [ "file" ], "type": "object", "properties": { "file": { "description": "The backup filename to download.", "type": "string" } } } }, "multipart/form-data": { "schema": { "required": [ "file" ], "type": "object", "properties": { "file": { "description": "The backup filename to download.", "type": "string" } } } } }, "required": true }, "tags": [ "QuickServers" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "text": { "type": "string" }, "url": { "description": "A pre-signed download URL valid for 24 hours.", "type": "string" } } } } }, "description": "Download URL for the backup file." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "downloadQsBackup", "summary": "Generate a 24-hour pre-signed download URL for a QuickServer backup", "description": "Returns a temporary signed URL to fetch the backup directly from object storage. Path param: `id`. Body (JSON or form): `file` (the backup `name` from `getQsBackups`).\nOnly available for `minio`-type backups; `swift` and `zfs` backups return an error directing the caller to contact support. URL expires in 24 hours. Returns: `{ text, url }`. Errors: 401, 404 if not owned, error message for unsupported backup type or sharing failure.\nSiblings: `getQsBackups` (list, get `name`), `deleteQsBackup`, `postQuickServerRestore`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true }, { "name": "all", "description": "Set to `1` to list all backups across all services, not just the ones for the given QuickServer.", "schema": { "enum": [ "0", "1" ], "type": "string" }, "in": "query" } ] }, "/qs/{id}/block_smtp": { "get": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doQsBlockSmtp", "summary": "Block outbound SMTP traffic on a QuickServer to halt mail abuse", "description": "Queues a firewall rule that drops outbound port 25 traffic, used to halt spam/abuse without taking the server offline. Path param: `id` (integer). No body.\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes via the queue worker, which also re-runs VNC setup. Errors: 401, 404 if not owned by caller, 409 if status != `active`. Reversible only by support — there is no `unblock_smtp` endpoint.\nSiblings: `doVpsBlockSmtp`, `getQsInfo`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/change_hostname": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "QuickServer Change Hostname info response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsChangeHostname", "summary": "Get current QuickServer hostname plus change rules and platform support", "description": "Read-only probe before calling `postQsChangeHostname`. Path param: `id` (integer). Returns the current hostname and the validation rules the new hostname must satisfy.\nReturns: object with hostname metadata. Errors: 401, 404 if not owned by caller, 409 if status != `active`. Note: hostname changes are only supported on OpenVZ/Virtuozzo platforms — `postQsChangeHostname` rejects KVM/dedicated types with an explanatory error.\nSiblings: `postQsChangeHostname`, `getVpsChangeHostname`." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsChangeHostname", "summary": "Change a QuickServer's system hostname (OpenVZ/Virtuozzo only)", "description": "Updates the hostname and the matching reverse DNS entry. Path param: `id`. Body (JSON or form): `hostname` (must pass `valid_hostname`, must differ from current).\nOnly supported on OpenVZ/Virtuozzo platforms — KVM/dedicated returns a 4xx with a contact-support message. Pending services update the DB row directly (`{ text }`); active services queue the change (`{ text, queueId }`, ~2 min). Errors: 401, 404 if not owned, 409 if status != `active`, validation error for bad hostname or no change.\nSiblings: `getQsChangeHostname`, `postVpsChangeHostname`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/change_root_password": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "QuickServer Change Root Password response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsChangeRootPassword", "summary": "Get metadata for QuickServer root/OS password change requirements", "description": "Read-only probe before calling `postQsChangeRootPassword`. Path param: `id` (integer). Use to surface password complexity rules and confirm the QuickServer accepts root password changes.\nReturns: object with reset metadata. Errors: 401, 404 if not owned by caller, 409 if status != `active`.\nNote: this changes the OS root password (Linux) — for the Webuzo control panel password use `postQsChangeWebuzoPassword`. Siblings: `postQsChangeRootPassword`, `postQsResetPassword` (random password), `getVpsChangeRootPassword`." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsChangeRootPassword", "summary": "Change QuickServer root/administrator password to a chosen value", "description": "Queues a root password change. Path param: `id`. Body (JSON or form): `password` (the new password — required, no server-side complexity validation here).\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes. Both queue and history entries are written. Errors: 401, 404 if not owned, 409 if status != `active`, 400 if `password` is missing.\nFor a randomly generated password use `postQsResetPassword` instead. For Webuzo panel password use `postQsChangeWebuzoPassword`. Siblings: `getQsChangeRootPassword`, `postVpsChangeRootPassword`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/change_timezone": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "type": "string" } }, "examples": { "TimeZones": { "value": [ "America/New_York", "America/Nome", "America/Noronha", "America/North_Dakota/Beulah", "America/North_Dakota/Center" ] } } } }, "description": "QuickServer Change Timezone info response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsChangeTimezone", "summary": "List timezones the QuickServer can be set to via change_timezone", "description": "Returns the system timezone catalog (parsed from `/usr/share/zoneinfo/zone.tab`) for use with `postQsChangeTimezone`. Path param: `id` (integer). Read-only — no queue, no charge.\nReturns: array of timezone strings (e.g. `America/New_York`, `Europe/London`). Errors: 401, 404 if not owned by caller, 409 if status != `active` (handler labels these errors as `Invalid VPS Passed` / `VPS is not active` due to shared code).\nSiblings: `postQsChangeTimezone` (commit), `getVpsChangeTimezone`, `getQsChangeHostname` (also informational)." }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/TimezoneUpdate" } }, "application/json": { "schema": { "$ref": "#/components/schemas/TimezoneUpdate" } } }, "required": true }, "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsChangeTimezone", "summary": "Change the system timezone on a QuickServer to a catalog entry", "description": "Queues a timezone change. Path param: `id`. Body (JSON or form): `timezone` (must be one of the strings returned by `getQsChangeTimezone`).\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes by the queue worker. Errors: 401, 404 if not owned, 409 if status != `active`, 422 if `timezone` is not in the catalog.\nSiblings: `getQsChangeTimezone` (call first to get valid options), `postVpsChangeTimezone`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/change_webuzo_password": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "QuickServer Change Webuzo Password info response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsChangeWebuzoPassword", "summary": "Get metadata for changing the Webuzo control panel admin password", "description": "Read-only probe before `postQsChangeWebuzoPassword`. Path param: `id` (integer). Webuzo is a control panel optionally installed on QuickServers — its admin password is separate from the OS root password.\nReturns: object with change instructions. Errors: 401, 404 if not owned by caller, 409 if status != `active`.\nSiblings: `postQsChangeWebuzoPassword`, `postQsChangeRootPassword` (OS root password), `postQsResetPassword`." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsChangeWebuzoPassword", "summary": "Change Webuzo control panel admin password live (synchronous, not queued)", "description": "Calls the Webuzo SDK directly on the server to change the panel `admin` password, then emails the new credentials. Path param: `id`. Body: `password` (new Webuzo password, must pass `valid_password`), `login_password` (caller's account login password — verified via md5 hash).\nSynchronous — no queue ID. Requires a prior Webuzo-Details history entry. Returns: success message string. Errors: 401, 404 if not owned, 409 if status != `active`, validation errors for missing fields, wrong login password, weak new password, or SDK failure.\nSiblings: `getQsChangeWebuzoPassword`, `postQsChangeRootPassword` (OS root)." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/disable_cd": { "get": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doQsDisableCd", "summary": "Disable the virtual CD/DVD drive device on a QuickServer", "description": "Queues removal of the virtual CD/DVD device from the QuickServer (full disable, not just eject). Path param: `id` (integer). No body.\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes; queue worker also re-runs VNC setup. Errors: 401, 404 if not owned by caller, 409 if status != `active`.\nSiblings: `doQsEjectCd` (eject the ISO but keep drive), `postQsInsertCd` (mount an ISO), `getQsInsertCd` (list available ISOs)." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/disable_quota": { "get": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doQsDisableQuota", "summary": "Disable disk-quota enforcement at OS level on a QuickServer", "description": "Queues a job to turn off disk-quota enforcement at the OS level. Use when quota errors block legitimate writes or before resizing disk space. Path param: `id` (integer). No body.\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes; queue worker also re-runs VNC setup. Errors: 401, 404 if not owned by caller, 409 if status != `active`. Re-enable later with `doQsEnableQuota`.\nSiblings: `doQsEnableQuota` (re-enable), `doVpsDisableQuota` (VPS equivalent)." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/eject_cd": { "get": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doQsEjectCd", "summary": "Eject the currently mounted ISO from a QuickServer's virtual CD drive", "description": "Queues an eject — drive remains attached but no media. Path param: `id` (integer). No body.\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes. The queue worker also re-runs VNC setup so the console reflects the change. Errors: 401, 404 if `id` is not owned by caller. Note: this handler does not validate `active` status.\nSiblings: `postQsInsertCd` (mount an ISO), `getQsInsertCd` (list ISOs), `doQsDisableCd` (remove the drive itself)." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/enable_quota": { "get": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doQsEnableQuota", "summary": "Enable disk-quota enforcement at OS level on a QuickServer", "description": "Queues a job to turn on disk-quota enforcement at the OS level. Pair with `doQsDisableQuota` when re-enabling after maintenance, disk resizing, or restoring a backup. Path param: `id` (integer). No body.\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes; queue worker also re-runs VNC setup. Errors: 401, 404 if not owned by caller, 409 if status != `active`.\nSiblings: `doQsDisableQuota` (turn off), `doVpsEnableQuota` (VPS equivalent)." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/insert_cd": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "QuickServer Insert CD info response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsInsertCd", "summary": "List ISO images available to mount on a QuickServer's virtual CD", "description": "Returns the catalog of bootable ISOs the caller can mount via `postQsInsertCd`. Path param: `id` (integer). Read-only — no queue, no charge.\nReturns: object with available ISO entries (URLs/labels) keyed for the QuickServer's hardware type. Errors: 401 if unauthenticated. Note: this handler does not validate ownership or active status — pair with `getQsInfo` first if you need those checks before presenting options to a user.\nSiblings: `postQsInsertCd` (mount the chosen URL), `doQsEjectCd`, `doQsDisableCd`, `getVpsInsertCd`." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsInsertCd", "summary": "Mount an ISO image as the QuickServer's virtual CD via URL", "description": "Queues an `insert_cd` job that attaches the given ISO URL to the QuickServer's virtual CD drive (typically for OS reinstalls or rescue boots). Path param: `id`. Body (JSON or form): `url` (the ISO URL — pick one from `getQsInsertCd`).\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes. Errors: 401, 404 if not owned by caller. The action is idempotent in effect (latest mount wins).\nSiblings: `getQsInsertCd` (list options), `doQsEjectCd` (unmount), `doQsDisableCd`, `postQsReinstallOs` (template-based)." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/invoices": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsInvoices", "summary": "List billing invoices charged for one QuickServer service", "description": "Returns invoices charged for this QuickServer (initial setup + recurring). Path param: `id` (integer).\nReturns: `ChargeInvoiceRows` — each row has invoice ID, amount, status (paid/unpaid), date. Use the invoice ID with `getBillingInvoice` for full detail or `initiatePayment` to settle. Errors: 401 if unauthenticated, 404 if not owned by caller.\nSiblings: `getQsInfo`, `getVpsInvoices`, `getBillingInvoice`, `quickserversCancel` (check next-invoice date before canceling)." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/reinstall_os": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/VpsTemplatesList" } } }, "description": "QuickServer Reinstall OS info response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsReinstallOs", "summary": "List OS templates available for a QuickServer reinstall", "description": "Returns the OS template catalog filtered to the QuickServer's hardware/template type. Path param: `id` (integer). Read-only — no provisioning happens.\nReturns: `{ templates: [...] }` — each template has `template_file`, `template_name`, `template_version`. Use `template_file` with `postQsReinstallOs`. Non-admin callers only see templates with `template_available=1`. Errors: 401 if unauthenticated.\nSiblings: `postQsReinstallOs` (commit, destructive), `getVpsReinstallOs`." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsReinstallOs", "summary": "Reinstall the operating system on a QuickServer (DESTRUCTIVE — wipes disk)", "description": "Wipes the disk and reinstalls the chosen OS template. All data, configs, and snapshots are erased. Path param: `id`. Body: `template` (a `template_file` from `getQsReinstallOs`), `password` (new root password — required for non-Windows templates).\nFor active services, queues `reinstall_os` (~2 min). For inactive services, just stores the OS preference for next activation. Updates `qs_status` to `Reinstalling` and clears screenshots. Returns flash messages — typical envelope. Errors: 401, invalid template name returns error flash.\nSiblings: `getQsReinstallOs` (list options), `postVpsReinstallOs`, `postQuickServerRestore` (recover from backup instead)." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/reset_password": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "QuickServer Reset password info" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsResetPassword", "summary": "Get options for QuickServer randomized root password reset", "description": "Read-only probe before `postQsResetPassword`. Path param: `id` (integer). Use to confirm the QuickServer is in a state that allows password resets.\nReturns: object with reset configuration. Errors: 401, 404 if not owned by caller, 409 if status != `active`.\nNote: `postQsResetPassword` generates a random password — for a chosen value use `postQsChangeRootPassword`. Siblings: `postQsResetPassword`, `postQsChangeRootPassword`, `getVpsResetPassword`." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsResetPassword", "summary": "Reset QuickServer root password to a server-generated random value", "description": "Queues a `reset_password` job that generates a new root password and emails it to the account owner. Path param: `id` (integer). No body — password is generated server-side.\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes. Errors: 401, 404 if not owned by caller, 409 if status != `active`.\nFor a chosen password use `postQsChangeRootPassword` instead; for the Webuzo panel password use `postQsChangeWebuzoPassword`. Siblings: `getQsResetPassword`, `postVpsResetPassword`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/restart": { "get": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doQsRestart", "summary": "Reboot a QuickServer with a graceful OS-level restart", "description": "Queues a graceful restart — equivalent to `reboot` inside the OS. Path param: `id` (integer). No body. Use to recover from a hung service or apply pending kernel/config changes.\nReturns: `{ text, queueId }`. Async — server is back online within ~2 minutes; queue worker also re-runs VNC setup. Errors: 401, 404 if not owned by caller. Note: handler does not gate on `active` status — restarts work even on suspended services.\nSiblings: `doQsStart`, `doQsStop`, `doVpsRestart`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/reverse_dns": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ReverseDnsEntries" } } }, "description": "QuickServer Reverse DNS info response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsReverseDns", "summary": "Get reverse DNS (PTR) records for all of a QuickServer's IPs", "description": "Returns the current PTR record for the primary IP and any additional IPs assigned to the QuickServer. Path param: `id` (integer). Read-only — looks up live DNS, no queue.\nReturns: `{ ips: { \"\": \"\", ... } }`. Use the keys with `postQsReverseDns` to update entries. Errors: 401 if unauthenticated. Note: handler does not gate on ownership/active status.\nSiblings: `postQsReverseDns`, `getVpsReverseDns`." }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ReverseDnsEntries" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/ReverseDnsEntries" } } }, "required": true }, "tags": [ "QuickServers" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TextResponse" } } }, "description": "Update QuickServer Reverse DNS response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsReverseDns", "summary": "Update reverse DNS (PTR) records for a QuickServer's IPs", "description": "Sets PTR records for one or more of the QuickServer's IPs. Path param: `id`. Body (form): `ips` — keyed by IP, value is the desired hostname (must be valid).\nReturns: `{ message: \"DNS Updated\", success: true }`. Caveat: in the current implementation the body is parsed but the per-IP update loop is a no-op shell — verify with `getQsReverseDns` after calling, and use the support channel if changes don't propagate. Errors: 401 if unauthenticated.\nSiblings: `getQsReverseDns`, `postVpsReverseDns`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/setup_vnc": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "Get QuickServer Setup VNC Information" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsSetupVnc", "summary": "Get current VNC console connection details for a QuickServer", "description": "Read-only probe for the VNC tunnel that exposes the server's console (host, port, credentials). Path param: `id` (integer).\nReturns: object with VNC connection info. Errors: 401 if unauthenticated, 404 if `id` is not owned by caller, 409 if service is not `active`. Note: this endpoint is currently a stub — the `// todo: return vnc info` line indicates the response body may be empty until completed.\nSiblings: `postQsSetupVnc` (configure access IP), `getVpsSetupVnc`." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsSetupVnc", "summary": "Configure the source IP allowed to reach a QuickServer's VNC console", "description": "Sets the IP allowed to reach the VNC tunnel and queues a `setup_vnc` to apply it. Path param: `id`. Body (JSON or form): `vnc` (a valid IPv4 address — only this address can reach the console).\nReturns: `{ text, queueId }`. Async — applied within ~2 minutes. Errors: 401, 404 if not owned, 409 if status != `active`. Returns an inline `Invalid IP` message when `vnc` fails `validIp`. The VPS-style helper also runs after the DB update.\nSiblings: `getQsSetupVnc` (read), `postVpsSetupVnc`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/start": { "get": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doQsStart", "summary": "Power on a QuickServer that is currently stopped or pending boot", "description": "Queues a `start` command to bring the QuickServer online. Path param: `id` (integer). No body. Idempotent in practice — re-running on an already-on server is a no-op at the worker.\nReturns: `{ text, queueId }`. Async — typically online within ~2 minutes; queue worker re-runs VNC setup. Errors: 401, 404 if not owned by caller. Note: handler does not gate on status, so it can be issued even for non-active services.\nSiblings: `doQsStop`, `doQsRestart`, `getQsInfo`, `doVpsStart`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/stop": { "get": { "tags": [ "QuickServers" ], "parameters": [ { "name": "id", "description": "QuickServer ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doQsStop", "summary": "Power off a QuickServer with a graceful shutdown command", "description": "Queues a `stop` command. Path param: `id` (integer). No body. Use before maintenance, snapshot, or to halt traffic — billing continues regardless of power state, so use `quickserversCancel` to also stop charges.\nReturns: `{ text, queueId }`. Async — typically off within ~2 minutes; queue worker re-runs VNC setup. Errors: 401, 404 if not owned by caller. Note: handler does not gate on status.\nSiblings: `doQsStart`, `doQsRestart`, `doVpsStop`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/traffic_usage": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "Get QuickServer Traffic usage" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsTrafficUsage", "summary": "Get bandwidth usage for the QuickServer's current billing period", "description": "Returns the inbound/outbound bandwidth totals and time-series points for the QuickServer's current cycle. Path param: `id` (integer). Read-only.\nReturns: bandwidth-data object from `qs_bandwidth_data` (totals, daily/hourly points, overage flag). Errors: 401 if unauthenticated. Note: handler does not gate on ownership or active status.\nSiblings: `postQsTrafficUsage` (same data, accessible via POST for filtered queries), `getVpsTrafficUsage`." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "Submit QuickServer Traffic Usage" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsTrafficUsage", "summary": "Query QuickServer bandwidth usage via POST (filtered variant)", "description": "Functional duplicate of `getQsTrafficUsage` exposed under POST so clients can pass a filter body. Path param: `id` (integer). Body fields are accepted but the current handler ignores them and returns the full current-cycle dataset.\nReturns: same bandwidth-data object as `getQsTrafficUsage`. Errors: 401 if unauthenticated. No active-status or ownership gate.\nSiblings: `getQsTrafficUsage`, `postVpsTrafficUsage`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/qs/{id}/view_desktop": { "get": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "Get QuickServer View Desktop Information" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getQsViewDesktop", "summary": "Get the full QuickServer dashboard view payload (rich format)", "description": "Returns the same rich payload the AdminLTE UI uses — service info, billing, available client_links, resource graphs. Heavier than `getQsInfo` and intended for desktop dashboards. Path param: `id` (integer).\nReturns: object with `serviceInfo`, `client_links`, etc. (admin-only fields stripped). Errors: 401 if unauthenticated. Note: handler does not gate on ownership/active status.\nSiblings: `getQsInfo` (lighter), `postQsViewDesktop` (mutate variant), `getVpsViewDesktop`." }, "post": { "tags": [ "QuickServers" ], "responses": { "200": { "description": "Submit QuickServer View Desktop Information" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postQsViewDesktop", "summary": "Submit changes and re-fetch the QuickServer dashboard view payload", "description": "Same handler as `getQsViewDesktop` but accessible via POST so callers can pass body fields alongside re-fetching the view. Path param: `id`. Body fields are accepted by the underlying View handler.\nReturns: refreshed dashboard object — `serviceInfo`, `client_links`, etc. Errors: 401 if unauthenticated.\nFor structured updates prefer the dedicated endpoints (`postQsChangeHostname`, `postQsReverseDns`, `postQsSetupVnc`, etc.) which return queue IDs. Siblings: `getQsViewDesktop`, `postVpsViewDesktop`." }, "parameters": [ { "name": "id", "description": "QuickServer ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/scrub_ips": { "get": { "tags": [ "Scrub Ips" ], "responses": { "200": { "$ref": "#/components/responses/scrubIpsLists" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "operationId": "getScrubIpsList", "summary": "List all Scrub IP DDoS protection services on the authenticated account", "description": "Returns every Scrub IP service belonging to the authenticated customer with status, protected IP, plan name, and recurring cost. Use this for dashboards, picking a service ID for downstream calls (getScrubIpDetails, enableScrub, createRule, getScrubIpLogs), or auditing which IPs are routed through DDoS scrubbing. No path/query/body parameters; service ownership is enforced via session account_id. Returns an array of {id, repeat_invoices_cost, ip, status, services_name}; empty array if no scrub services. Errors: 401 unauthenticated. Caveat: only customer-owned services are visible. Siblings: getScrubIpDetails, getOrderDetail, placeScrubOrder, cancelScrubIp." } }, "/scrub_ips/{id}": { "get": { "tags": [ "Scrub Ips" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "serviceInfo": { "type": "object", "properties": { "scrub_ip_id": { "type": "string" }, "scrub_ip_type": { "type": "string" }, "scrub_ip_custid": { "type": "string" }, "scrub_ip_order_date": { "type": "string" }, "scrub_ip_ip": { "type": "string" }, "scrub_ip_service_id": { "type": "string" }, "scrub_ip_service_module": { "type": "string" }, "scrub_ip_status": { "enum": [ "active", "pending", "canceled", "expired" ], "type": "string" }, "scrub_ip_invoice": { "type": "string" }, "scrub_ip_currency": { "type": "string" }, "scrub_ip_coupon": { "type": "string" }, "scrub_ip_comment": { "type": "string" } } }, "client_links": { "type": "array", "items": { "properties": { "label": { "type": "string" }, "link": { "type": "string" }, "icon": { "type": "string" }, "icon_text": { "type": "string" }, "help_text": { "type": "string" }, "other_attr": { "type": "string" } } } }, "billingDetails": { "type": "object", "properties": { "service_last_invoice_date": { "type": "string" }, "service_payment_status": { "type": "string" }, "service_frequency": { "type": "string" }, "next_date": { "type": "string" }, "service_next_invoice_date": { "type": "string" }, "service_currency": { "type": "string" }, "service_currency_symbol": { "type": "string" }, "service_cost_info": { "type": "string" } } }, "custCurrency": { "type": "string" }, "custCurrencySymbol": { "type": "string" }, "package": { "type": "string" }, "extraInfoTables": { "type": "object", "properties": { "scrub_ips": { "type": "object", "properties": { "title": { "type": "string" }, "rows": { "type": "array", "items": { "properties": { "desc": { "type": "string" }, "value": { "type": "string" } } } } } } } }, "filter_firewall": { "type": "object", "properties": { "rules": { "type": "array", "items": { "properties": { "id": { "type": "string" }, "source_ip": { "type": "string" }, "destination_ip": { "type": "string" }, "protocol_id": { "type": "string" }, "source_port": { "type": "string" }, "destination_port": { "type": "string" }, "xdp_action": { "type": "string" }, "global_drop": { "type": "string" } } } }, "filters": { "type": "array", "items": { "properties": { "daddr": { "type": "string" }, "dest": { "type": "string" }, "filter_name": { "type": "string" }, "destination_ip": { "type": "string" }, "filter": { "type": "string" } } } }, "scrub_enabled": { "type": "integer" } } } }, "example": { "serviceInfo": { "scrub_ip_id": "123", "scrub_ip_type": "11552", "scrub_ip_custid": "456", "scrub_ip_order_date": "2025-12-26 08:24:02", "scrub_ip_ip": "11.24.11.23", "scrub_ip_service_id": "11111", "scrub_ip_service_module": "servers", "scrub_ip_status": "active", "scrub_ip_invoice": "654321", "scrub_ip_currency": "USD", "scrub_ip_coupon": "0", "scrub_ip_comment": "" }, "client_links": [ { "label": "Invoices", "link": "invoices", "icon": "fas fa-file-invoice-dollar fa-w-12", "icon_text": "", "help_text": "Invoice History" }, { "label": "Cancel Scrub IPs", "link": "cancel", "icon": "fas fa-times", "icon_text": "", "help_text": "Cancel Scrub IPs" }, { "label": "Disable Scrub", "link": "scrub_action", "icon": "fa fa-shield text-lg", "icon_text": "", "help_text": "Enable/Disable Scrub", "other_attr": "" }, { "label": "Scrub Documentation", "link": "https://www.interserver.net/tips/kb/scrub/", "icon": "fa fa-file text-lg", "icon_text": "", "help_text": "Scrub Documentation", "other_attr": "target= \"_blank\"" } ], "billingDetails": { "service_last_invoice_date": "December 26, 2025", "service_payment_status": "Paid", "service_frequency": "Monthly", "next_date": "2026-01-26 08:24:02", "service_next_invoice_date": "January 26, 2026", "service_currency": "USD", "service_currency_symbol": "$", "service_cost_info": "5.00" }, "custCurrency": "USD", "custCurrencySymbol": "$", "package": "Current IP + Scrub", "extraInfoTables": { "scrub_ips": { "title": "Connection Information", "rows": [ { "desc": "IP", "value": "11.12.12.12" }, { "desc": "Scrub", "value": "Enabled" } ] } }, "filter_firewall": { "rules": [], "filters": [ { "daddr": "2331742347", "dest": "80", "filter_name": "dns", "destination_ip": "11.12.12.12", "filter": "Dns" }, { "daddr": "2331742347", "dest": "443", "filter_name": "dns", "destination_ip": "11.12.12.12", "filter": "Dns" } ], "scrub_enabled": 21104 } } } } }, "links": { "GetScrubIpInvoices": { "operationId": "getScrubIpInvoices", "parameters": { "id": "$request.path.id" }, "description": "Retrieve billing invoices for this Scrub IP service." }, "EnableScrub": { "operationId": "enableScrub", "parameters": { "id": "$request.path.id" }, "description": "Enable DDoS scrubbing protection on this IP." }, "DisableScrub": { "operationId": "disableScrub", "parameters": { "id": "$request.path.id" }, "description": "Disable DDoS scrubbing protection on this IP." }, "GetScrubIpLogs": { "operationId": "getScrubIpLogs", "parameters": { "id": "$request.path.id" }, "description": "View activity logs for this Scrub IP service." } }, "description": "Scrub IP service details including firewall rules and filters." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getScrubIpDetails", "summary": "Get full Scrub IP service detail (rules + geo + filters)", "description": "Returns the full service-detail payload for one Scrub IP — used to render the dashboard or before mutating rules/filters. Includes `serviceInfo` (status, scrubbed IP, custid), `billingDetails` (cost, frequency), `client_links` (allowed self-service actions), and `filter_firewall` with the active firewall `rules`, geographic `geo_rules`, and traffic `filters`. Each rule/filter row carries its own `id` used by the delete endpoints. Sibling ops: `getScrubIpsList`, `enableScrub`, `disableScrub`, `createRule`, `scrubIpsDeleteRule`, `createGeoRule`, `scrubIpsDeleteGeoRule`, `createFilter`, `deleteFilter`, `getScrubIpInvoices`, `getScrubIpLogs`, `cancelScrubIp`.\n\n**Path:** `id` (integer, required) — service ID from `getScrubIpsList`.\n\n**Body / query:** None.\n\n**Returns:** object with `serviceInfo`, `billingDetails`, `client_links`, `filter_firewall` (`rules` / `geo_rules` / `filters`).\n\n**Auth:** Session/API key. Ownership enforced via `scrub_ips_custid`.\n\n**Errors:**\n- `401` — unauthenticated.\n- `Invalid Service` — `id` is not owned by the session account.\n\n**Caveat:** rule/filter IDs are regenerated after recreate — re-fetch before calling a delete endpoint.\n\n**Related calls:**\n- **Mutations:** `enableScrub`, `disableScrub`, `createRule`, `createGeoRule`, `createFilter`.\n- **Deletes:** `scrubIpsDeleteRule`, `scrubIpsDeleteGeoRule`, `deleteFilter`.\n- **Billing / activity:** `getScrubIpInvoices`, `getScrubIpLogs`.\n- **Cancel:** `cancelScrubIp`.\n" }, "delete": { "tags": [ "Scrub Ips" ], "responses": { "200": { "content": { "application/json": { "schema": { "required": [ "success", "text" ], "type": "object", "properties": { "success": { "type": "boolean", "example": true }, "text": { "type": "string", "example": "Scrub Ips is canceled." } } } } }, "description": "Request OK" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "cancelScrubIp", "summary": "Cancel a Scrub IP service and stop its recurring DDoS billing", "description": "Cancels the Scrub IP DDoS protection service. The protected IP is removed from the scrubbing infrastructure and the recurring invoice is closed; protection stops at end of the current billing cycle. Use only when the customer no longer needs DDoS scrubbing for the IP. Path param: `id` (integer, required) — service ID from getScrubIpsList. No request body. Returns {success: true, text: 'Scrub Ips is canceled.'}. Errors: 401 unauthenticated; 404/Invalid Service if id is not owned by the session account; 409 if the service is not in a cancellable state. Caveat: leaves the underlying VPS/server IP exposed to attacks once protection ends; contact billing for refund handling. Siblings: getScrubIpDetails, disableScrub, getScrubIpInvoices." }, "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/scrub_ips/{id}/invoices": { "get": { "tags": [ "Scrub Ips" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getScrubIpInvoices", "summary": "List recurring and one-time invoices billed for this Scrub IP service", "description": "Returns the recurring and one-time invoices generated for the Scrub IP service so the caller can verify billing status, present a payment history, or initiate payment on an unpaid invoice. Use after placeScrubOrder (to find the new invoice id) or before cancelScrubIp (to surface outstanding balance). Path param: `id` (integer, required) — service ID from getScrubIpsList. No body/query parameters. Returns ChargeInvoiceRows (array of invoice objects with id, amount, status, due dates). Errors: 401 unauthenticated; empty result if id is not owned by the session account. Caveat: paid invoices remain in history; filter on status client-side. Siblings: getScrubIpDetails, placeScrubOrder, cancelScrubIp." }, "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/scrub_ips/filter_types": { "get": { "tags": [ "Scrub Ips" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ScrubIpFilterTypes" } } }, "description": "Supported scrub filter types for building firewall rules." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getScrubIpFilterTypes", "summary": "List enabled traffic filter profiles available for createFilter", "description": "Returns the catalog of scrub filter profiles (e.g. dns, http, synproxy) currently enabled on the scrubbing platform, keyed by filter_name with a humanized display `name` and `desc`. Call this to populate a dropdown before invoking createFilter — the `filter_type` field on that endpoint must be one of the keys returned here. Not service-scoped: no path/query/body parameters and the same set applies to every Scrub IP. Returns {success: true, filters: {: {name, desc}, ...}}. Errors: 401 unauthenticated. Caveat: only filters with enabled=1 are returned; profile semantics are platform-defined (synproxy uses different request shape internally). Siblings: createFilter, deleteFilter, getScrubIpDetails." } }, "/scrub_ips/{id}/enable": { "get": { "tags": [ "Scrub Ips" ], "responses": { "200": { "content": { "application/json": { "schema": { "required": [ "success", "text" ], "type": "object", "properties": { "success": { "type": "boolean", "example": true }, "text": { "type": "string", "example": "Scrub is enabled on your IP." } } } } }, "description": "Request OK" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "500": { "content": { "application/json": { "schema": { "required": [ "success", "text" ], "type": "object", "properties": { "success": { "type": "boolean", "example": false }, "text": { "type": "string", "example": "Unable to enable Scrub on your IP." } } } } }, "description": "Internal Server Error" } }, "operationId": "enableScrub", "summary": "Enable DDoS scrubbing (BGP announcement) on the service's protected IP", "description": "Routes the service's protected IP through the Wanguard scrubbing infrastructure by creating a BGP announcement, so inbound traffic passes through filtering before reaching the backend. Call after placeScrubOrder activation, after disableScrub, or whenever the announcement was lost. Path param: `id` (integer, required) — service ID from getScrubIpsList. No request body (HTTP GET). Returns {success: true, text: 'Scrub is enabled on your IP.'} on 201 from Wanguard, persisted into the service's `extra` column. Errors: 400 Invalid Service if id is not owned by the session account; 401 unauthenticated; 500 if the upstream Wanguard call fails. Caveat: enabling re-routes live traffic and can briefly disrupt active sessions. Siblings: disableScrub, getScrubIpDetails, getScrubIpLogs." }, "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/scrub_ips/{id}/disable": { "get": { "tags": [ "Scrub Ips" ], "responses": { "200": { "content": { "application/json": { "schema": { "required": [ "success", "text" ], "type": "object", "properties": { "success": { "type": "boolean", "example": true }, "text": { "type": "string", "example": "Scrub is disabled on your IP." } } } } }, "description": "Request OK" }, "400": { "content": { "application/json": { "schema": { "required": [ "success", "text" ], "type": "object", "properties": { "success": { "type": "boolean", "example": false }, "text": { "type": "string", "example": "Scrub is not enabled in this service." } } } } }, "description": "Bad request" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "500": { "content": { "application/json": { "schema": { "required": [ "success", "text" ], "type": "object", "properties": { "success": { "type": "boolean", "example": false }, "text": { "type": "string", "example": "Unable to disable scrub on your IP." } } } } }, "description": "Internal Server Error" } }, "operationId": "disableScrub", "summary": "Disable DDoS scrubbing and remove the BGP announcement on the IP", "description": "Withdraws the BGP announcement from Wanguard so the IP stops being routed through scrubbing; traffic resumes flowing directly to the backend. Use for maintenance windows or migration off scrub. Path param: `id` (integer, required) — service ID from getScrubIpsList. No body (HTTP GET). The endpoint reads the stored Wanguard `href` from the service's `extra` JSON to know which announcement to delete; clears `extra` on success. Returns {success: true, text: 'Scrub is disabled on your IP.'}. Errors: 400 Invalid Service if id is not owned, or 'Scrub is not enabled in this service.' if there is no active announcement; 401 unauthenticated; 500 if upstream delete fails. Caveat: leaves the IP unprotected against DDoS until enableScrub is called. Siblings: enableScrub, cancelScrubIp, getScrubIpDetails." }, "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/scrub_ips/{id}/create_rule": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateFirewallRule" } } }, "required": true }, "tags": [ "Scrub Ips" ], "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "201": { "$ref": "#/components/responses/CreateFirewallResponse" }, "400": { "$ref": "#/components/responses/CreateFirewall400Err" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "500": { "$ref": "#/components/responses/CreateFirewall500Err" } }, "operationId": "createRule", "summary": "Add an L3/L4 firewall rule (allow/drop by IP, port, and protocol)", "description": "Creates an XDP firewall rule on the scrubber for the service's protected IP. Use to whitelist a known good source, block an abusive source, or restrict a destination port. Path param: `id` (integer, required) — service ID. Body (CreateFirewallRule): `source_ip` (IPv4, 0 = any), `source_port` (int, 0 = any), `destination_port` (int, 0 = any), `protocol_id` (1 ICMP or 2 TCP/UDP — must be 1 or 2), `xdp_action` (0 allow, 1 drop). Destination IP is locked to the service IP server-side. Returns 201 {success: true} when created. Errors: 400 with `errors[]` for invalid source_ip/protocol_id/xdp_action or Invalid Service; 401 unauthenticated; 500 if upstream Scrub::firewallCreate fails. Caveat: rules are stateless and may interact with active filters. Siblings: scrubIpsDeleteRule, createGeoRule, createFilter." } }, "/scrub_ips/{id}/delete_rule": { "post": { "requestBody": { "content": { "application/json": { "schema": { "title": "Delete Firewall Rule", "description": "Delete firewall rule for your ip", "required": [ "rule_id" ], "type": "object", "properties": { "rule_id": { "type": "integer", "example": 2045 } } } } }, "required": true }, "tags": [ "Scrub Ips" ], "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/DeleteFirewallResponse" }, "400": { "$ref": "#/components/responses/DeleteFirewall400Err" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "500": { "$ref": "#/components/responses/DeleteFirewall500Err" } }, "operationId": "scrubIpsDeleteRule", "summary": "Delete an L3/L4 firewall rule by rule_id from getScrubIpDetails", "description": "Removes a previously created L3/L4 firewall rule from the Scrub IP service. The rule_id must come from the `filter_firewall.rules[].id` array returned by getScrubIpDetails — the endpoint validates the id belongs to this service before deleting. Path param: `id` (integer, required) — Scrub IP service ID. Body (JSON): {`rule_id`: integer, required}. Returns {success: true, text: 'Firewall Rule has been deleted.'}. Errors: 400 Invalid Service, 'rule_id is required.' or 'Invalid rule id' (rule does not belong to this service); 401 unauthenticated; 500 if upstream Scrub::firewallDelete fails. Caveat: if the rule was the only protection against a specific source, deleting it re-exposes the IP. Siblings: createRule, scrubIpsDeleteGeoRule, deleteFilter, getScrubIpDetails." } }, "/scrub_ips/{id}/create_geo_rule": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateGeoFirewallRule" } } }, "required": true }, "tags": [ "Scrub Ips" ], "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "201": { "$ref": "#/components/responses/CreateFirewallResponse" }, "400": { "$ref": "#/components/responses/CreateGeoFirewall400Err" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "500": { "$ref": "#/components/responses/CreateFirewall500Err" } }, "operationId": "createGeoRule", "summary": "Add a geographic firewall rule (block/allow by country code or ASN)", "description": "Creates a geo-based XDP rule on the scrubber for the service's protected IP. Use to block traffic from specific countries or ASNs (botnet source regions) or to allow only known regions. Path param: `id` (integer, required) — service ID. Body (CreateGeoFirewallRule): `country_code` (int, country numeric ID) OR `asn` (int) — at least one is required, `destination_port` (int, defaults 80), `xdp_action` (0 allow, 1 drop, defaults 1). Destination IP is locked to the service IP server-side. Returns 201 {success: true} when created. Errors: 400 errors[] 'Country or Asn is required.' or Invalid Service; 401 unauthenticated; 500 if upstream Scrub::geoFirewallCreate fails. Caveat: country_code is an internal numeric ID, not ISO-3166. Siblings: scrubIpsDeleteGeoRule, createRule, createFilter." } }, "/scrub_ips/{id}/delete_geo_rule": { "post": { "requestBody": { "content": { "application/json": { "schema": { "title": "Delete Geo Firewall Rule", "description": "Delete geo firewall rule for your scrub ip", "required": [ "rule_id" ], "type": "object", "properties": { "rule_id": { "type": "integer", "example": 2045 } } } } }, "required": true }, "tags": [ "Scrub Ips" ], "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/DeleteFirewallResponse" }, "400": { "$ref": "#/components/responses/DeleteFirewall400Err" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "500": { "$ref": "#/components/responses/DeleteFirewall500Err" } }, "operationId": "scrubIpsDeleteGeoRule", "summary": "Delete a geo firewall rule by rule_id from getScrubIpDetails", "description": "Removes a previously created geographic firewall rule from the Scrub IP service. The rule_id must come from the `filter_firewall.geo_rules[].id` array returned by getScrubIpDetails — the endpoint validates the id belongs to this service before deleting. Path param: `id` (integer, required) — Scrub IP service ID. Body (JSON): {`rule_id`: integer, required}. Returns {success: true, text: 'Firewall Rule has been deleted.'}. Errors: 400 Invalid Service, 'Rule Id is required.' or 'Invalid rule id' (rule does not belong to this service); 401 unauthenticated; 500 if upstream Scrub::geoFirewallDelete fails. Caveat: removing a country/ASN block re-admits that traffic. Siblings: createGeoRule, scrubIpsDeleteRule, deleteFilter, getScrubIpDetails." } }, "/scrub_ips/{id}/create_filter": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateFilter" } } }, "required": true }, "tags": [ "Scrub Ips" ], "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "201": { "$ref": "#/components/responses/CreateFilterResponse" }, "400": { "$ref": "#/components/responses/CreateFilter400Err" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "500": { "$ref": "#/components/responses/CreateFilter500Err" } }, "operationId": "createFilter", "summary": "Apply a predefined scrubbing filter (DNS/HTTP/synproxy) to a port", "description": "Attaches a named scrubbing profile to a destination port on the protected IP, applying protocol-aware mitigation (DNS amplification protection, HTTP rate limiting, synproxy SYN-cookies). Call getScrubIpFilterTypes first to list valid `filter_type` values. Path param: `id` (integer, required) — service ID. Body (CreateFilter): `filter_type` (string, required, one of getScrubIpFilterTypes keys), `port` (int, required, >= 0). Destination IP is locked to the service IP server-side; synproxy uses a different shape internally. Returns 201 {success: true, text: 'New filter has been created.'}. Errors: 400 'Filter type is empty/invalid', 'Port is invalid', or Invalid Service; 401 unauthenticated; 500 if upstream Scrub::filterCreate fails. Siblings: deleteFilter, getScrubIpFilterTypes, createRule." } }, "/scrub_ips/{id}/delete_filter": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/CreateFilter" } } }, "required": true }, "tags": [ "Scrub Ips" ], "parameters": [ { "name": "id", "description": "ScrubIp ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/DeleteFilterResponse" }, "400": { "$ref": "#/components/responses/DeleteFilter400Err" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "500": { "$ref": "#/components/responses/DeleteFilter500Err" } }, "operationId": "deleteFilter", "summary": "Remove a scrubbing filter by matching filter_type and port", "description": "Removes a previously attached scrubbing profile from the protected IP. Identification is by composite key, not `rule_id` — pass the same `filter_type` and `port` that were used in `createFilter`. The endpoint splits `filter_type` on `_` to dispatch to the correct delete shape (synproxy vs generic). Sibling ops: `createFilter`, `getScrubIpFilterTypes`.\n\n**Path:** `id` (integer, required) — Scrub IP service ID.\n\n**Body fields:**\n- `filter_type` (string, required) — must match an enabled type from `getScrubIpFilterTypes`.\n- `port` (integer, required) — must be `> 0`.\n\n**Returns:** `{ success: true, text: 'Filter is deleted.' }`.\n\n**Errors:**\n- `400` — `'Filter is required.'` / `'Port is required.'` / `'Invalid filter'` / `Invalid Service`.\n- `401` — unauthenticated.\n- `500` — upstream `Scrub::filterDelete` failed.\n\n**Caveat:** the port loses its protocol-specific scrubbing protection until `createFilter` is called again with the same composite key.\n" } }, "/scrub_ips/order": { "get": { "tags": [ "Scrub Ips" ], "responses": { "200": { "$ref": "#/components/responses/OrderScrubGetResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getOrderDetail", "summary": "Get plans, pricing, and eligible IPs for a new Scrub IP order", "description": "Returns the data needed to render a new-order form: `packageCosts` (default services_id and recurring price in customer currency with symbol), `serviceTypes` (each buyable plan with services_id, services_name, services_cost, services_module), and `ips` (the customer's existing VPS/server/floating IPs eligible to be put behind a scrubber, each with service_id, service_module, service_hostname). Use as a precursor to putScrubIps (validate) or placeScrubOrder (commit). No path/query/body parameters. Returns object. Errors: 401 unauthenticated. Caveat: ips list is filtered to the session account; pricing is converted to the customer's currency. Siblings: putScrubIps, placeScrubOrder, getScrubIpsList." }, "put": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ScrubIpPlaceOrder" } } }, "required": true }, "tags": [ "Scrub Ips" ], "responses": { "200": { "description": "Scrub IP order validation result.", "content": { "application/json": { "schema": { "type": "object", "properties": { "continue": { "type": "boolean" }, "errors": { "type": "array", "items": { "type": "string" } }, "serviceType": { "type": "integer" }, "serviceCost": { "type": "number" }, "originalCost": { "type": "number" }, "repeatServiceCost": { "type": "number" } } } } } }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "putScrubIps", "summary": "Validate a Scrub IP order and return effective pricing without billing", "description": "Dry-runs a Scrub IP purchase via validate_buy_scrub_ip and returns whether the order would succeed plus the resolved pricing — without creating an invoice. Use to render a real-time price/error panel as the user picks options. No path parameters. Body (ScrubIpPlaceOrder): `serviceType` (services_id from getOrderDetail.serviceTypes), `ip` (one of getOrderDetail.ips), optional `coupon`. Returns {continue: bool, errors: [], serviceType, serviceCost, originalCost, repeatServiceCost}. Errors: 401 unauthenticated; validation failures appear in `errors`, not as HTTP 4xx. Caveat: idempotent — call as often as needed; 422 on invalid coupon surfaces in the errors array. Siblings: getOrderDetail, placeScrubOrder, getScrubIpsList." }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ScrubIpPlaceOrder" } } }, "required": true }, "tags": [ "Scrub Ips" ], "responses": { "201": { "$ref": "#/components/responses/ScrubIpPlaceOrder" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Order a DDoS-mitigated scrub IP. Returns invoice IDs for checkout.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "placeScrubOrder", "summary": "Place a new Scrub IP DDoS protection order and generate an invoice", "description": "Commits the order: re-runs validate_buy_scrub_ip then place_buy_scrub_ip which creates the service row, repeat_invoice, and a one-time invoice for the prorated charge. Use putScrubIps first to surface errors without billing. No path parameters. Body (ScrubIpPlaceOrder): `serviceType` (services_id), `ip` (eligible IP from getOrderDetail). Returns 201 {success: true, text: 'ScrubIp order is placed.', order_details: {total_cost, service_id, invoice_id, invoice_description, cj_params}}. Errors: 400 {success: false, text: 'Unable to place order.', errors: []} on validation; 401 unauthenticated; 422 on invalid serviceType/ip; 409 if the IP is already protected. Caveat: invoice is unpaid at creation — pay via Pay endpoints to activate. Siblings: putScrubIps, getOrderDetail, enableScrub, getScrubIpInvoices." } }, "/scrub_ips/{id}/logs": { "get": { "tags": [ "Scrub Ips" ], "responses": { "200": { "$ref": "#/components/responses/ScrubIpLogs" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getScrubIpLogs", "summary": "Get last 50000 packet/event log entries for the protected IP", "description": "Pulls scrubbing telemetry directly from the SCRUBLOGS clickhouse-style backend: timestamp, source IP, target IP, target port, protocol (ICMP/IGMP/TCP/UDP/etc.), byte_count, action (Allow/Drop/Challenge), and the matching filter label. Use for incident analysis, validating new firewall rules, or proving a DDoS attack hit the scrubber. Path param: `id` (string, required) — service ID. No body/query parameters. Timestamps are converted to the customer's timezone. Returns array of log rows (ScrubIpsLogRowSchema), most recent first, capped at 50000. Errors: 401 unauthenticated; returns false if id is not owned or upstream returns no data — not a 404. Caveat: large response; logs are not real-time and source IPs are reverse-byte-ordered. Siblings: getScrubIpDetails, enableScrub, createRule." }, "parameters": [ { "examples": { "ScrubOrderIdExample": { "value": "413232 " } }, "name": "id", "description": "Scrub Order ID", "schema": { "type": "string" }, "in": "path", "required": true } ] }, "/servers": { "get": { "tags": [ "Servers" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/ServerRow" } } } }, "links": { "GetServerDetails": { "operationId": "getServerInfo", "parameters": { "id": "$response.body#/0/server_id" }, "description": "Use the `server_id` from any item in the response array to fetch full server details." } }, "description": "The listing of `Servers` services on your account." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getServerList", "summary": "List all dedicated servers owned by the authenticated customer", "description": "Use to enumerate physical bare-metal dedicated servers on the calling account. No params, no body. Filters `servers` by session `account_id`.\nReturns: array of `{ server_id, account_lid, server_hostname, server_status }`. Use `server_id` with `getServerInfo` for full hardware/network/IPMI details, `getServerInvoices` for billing, or `serverIpmiPowerGet` for chassis power state. Errors: 401 if not authenticated; empty array if account owns no servers.\nSibling ops: `getServerInfo` (details), `getVpsList` (virtual instead of physical hardware), `getMPServers` (purchasable inventory, not owned). For IPMI status across many servers in one call, prefer `serverBulkIpmiPowerGet`." } }, "/servers/order": { "get": { "tags": [ "Servers" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ServerOrder" } } }, "description": "Server Ordering details" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewServer", "summary": "Get custom dedicated server ordering options, regions, and pricing", "description": "Use before placing a fully custom (non-Rapid-Deploy) dedicated server order to discover available CPUs, drives, memory tiers, OS images, control panels, RAID levels, bandwidth packages, IP blocks, and regions with monthly prices. No params, no body.\nReturns: object with `config_li` keyed by category (`cpu_li`, `hd_li`, `memory_li`, `bandwidth_li`, `ips_li`, `os_li`, `cp_li`, `raid_li`) plus `regions`. Use returned IDs as POST values for `addServer`. Note `hd_li` and `memory_li` are nested by `cpu` id — the chosen CPU constrains valid drive/memory options. Errors: 401 if not authenticated.\nSibling ops: `addServer` (commits the order), `buyItNowServerOrder` (pre-built marketplace alternative), `getMPServers` (browse marketplace)." }, "post": { "tags": [ "Servers" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "text": { "description": "Status message.", "type": "string", "example": "Order Completed" }, "invoice": { "description": "Invoice ID for payment.", "type": "integer" }, "order": { "description": "Server order ID.", "type": "integer" } } } } }, "links": { "GetServerInvoice": { "operationId": "getBillingInvoice", "parameters": { "id": "$response.body#/invoice" }, "description": "Use the invoice ID to view invoice details or proceed to payment." }, "ViewNewServer": { "operationId": "getServerInfo", "parameters": { "id": "$response.body#/order" }, "description": "Use the order ID to view the newly created server." } }, "description": "Server order placed successfully." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Order a dedicated or rapid-deploy server. Returns invoice IDs for checkout.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addServer", "summary": "Place a custom dedicated server order, creating a real billable invoice", "description": "Submits a fully custom dedicated server order. Creates a `pending` `servers` row, a `Repeat_Invoice`, and the first invoice, then emails customer + admin. Caveat: real billable order — confirm with the user first.\nBody (form fields): `cpu` (id from `cpu_li`), `hd[]` (array of drive ids), `memory`, `bandwidth`, `ips`, `os`, `cp`, `raid` (ids from `getNewServer`), `region` (region_id), `servername` (valid hostname), `rootpass`, `tos` (must be true), optional `comment`. `account.server_order_discount` (if set) applies.\nReturns: `{ text:'Order Completed', invoice, order }`. Errors: 422 'Missing/Invalid '; 401 unauth.\nSibling ops: `getNewServer` (options), `placeBuyNowServer` (pre-built path), `getServerInfo` (view new order), `getServerInvoices`." } }, "/servers/{id}": { "get": { "tags": [ "Servers" ], "parameters": [ { "name": "id", "description": "Server ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Server" } } }, "links": { "GetServerInvoices": { "operationId": "getServerInvoices", "parameters": { "id": "$request.path.id" }, "description": "Retrieve billing invoices for this server." }, "ServerIpmiLive": { "operationId": "serverIpmiLiveGet", "parameters": { "id": "$request.path.id" }, "description": "View IPMI live connection information for this server." } }, "description": "Server details" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getServerInfo", "summary": "Get full hardware, network, and lifecycle details for a dedicated server", "description": "Use to fetch complete configuration for one dedicated server — hardware, network/VLAN/IP layout, asset assignments, location, status, billing references, and client action links. Path param: `id` (integer server_id, from `getServerList`). No body.\nReturns: `ViewServer::getDetails()` shape: `serviceInfo`, `networkInfo` (vlans + assets, with `ipmi_admin_username`/`ipmi_admin_password` and admin lease creds REDACTED for client safety), normalized `client_links`, `serviceType`. `admin_links`/raw `settings`/`csrf` stripped. Errors: 404 not owned; 401 unauth.\nSibling ops: `getServerInvoices`, `serverIpmiLiveGet`, `serverIpmiPowerGet` (single — prefer `serverBulkIpmiPowerGet` for many), `getServerReverseDns`, `getServersWelcomeEmail`, `serversCancel`." }, "post": { "tags": [ "Servers" ], "parameters": [ { "name": "id", "description": "Server ID number.", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateServerInfo", "summary": "Update settings on a dedicated server order (shares handler with view)", "description": "Use to modify metadata on an existing dedicated server order. Path param: `id` (integer server_id). Currently this method shares the same handler as `getServerInfo` (`View::go()`) — no dedicated update fields are processed; treat it as deprecated/no-op pending field-specific endpoints. For hostname, password, or rDNS changes use the dedicated ops below.\nReturns: same payload shape as `getServerInfo`. Errors: 404 if `id` not owned by caller; 401 unauth.\nSibling ops: prefer `postServerReverseDns` (rDNS), `serverIpmiPowerPost` (power), `serverIpmiLivePost` (IPMI access), `serversCancel` (cancel). For new orders use `addServer` or `placeBuyNowServer`. View-only: `getServerInfo`." }, "delete": { "tags": [ "Servers" ], "responses": { "200": { "$ref": "#/components/responses/ServerCancelResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "serversCancel", "summary": "Cancel a dedicated server service at the end of the current billing cycle", "description": "Submits a cancellation request for a dedicated server. The server is deprovisioned and recurring billing stops at the end of the current billing cycle (not an immediate refund). Path param: `id` (integer server_id, from `getServerList`). No body.\nCaveat: billing-affecting action — always confirm with the user. Hardware-attached data may be wiped on deprovisioning. Returns: `{ success:bool, text:'Servers is canceled.' }`. Errors: 404 if `id` not owned by caller; 409 if already cancelled or non-active; 401 unauth.\nSibling ops: `getServerInfo` (current status), `getServerInvoices` (outstanding charges), VPS counterpart `VPSCancel`. To re-order after cancel use `addServer` or `placeBuyNowServer`." }, "parameters": [ { "name": "id", "description": "Server ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/servers/{id}/invoices": { "get": { "tags": [ "Servers" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getServerInvoices", "summary": "List billing invoices (charges + payments) tied to one dedicated server", "description": "Use to retrieve the invoice history for a single dedicated server — e.g. before a cancel, refund, or to show outstanding balances. Path param: `id` (integer server_id from `getServerList`). No body. Inherits from `MyAdmin\\Api\\Billing\\InvoicesList` with module=servers.\nReturns: `ChargeInvoiceRows` array — invoice rows with id, date, amount, status, currency, line items. Errors: 404 if `id` not owned by the caller; 401 unauth.\nSibling ops: `getServerInfo` (current service state), `serversCancel` (cancel), `getBillingInvoice` (single invoice by invoice id), `getVpsInvoices`/`getDomainInvoices` for other modules, `getServersWelcomeEmail` to resend setup info." }, "parameters": [ { "name": "id", "description": "Server ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/servers/{id}/ipmi_live": { "get": { "tags": [ "Servers" ], "responses": { "200": { "$ref": "#/components/responses/ServerIpmiGetResponse" }, "404": { "$ref": "#/components/responses/NotFound" } }, "operationId": "serverIpmiLiveGet", "summary": "Read current IPMI Live whitelist + KVM gateway URL for a dedicated server", "description": "Reads the active IPMI Live session for a dedicated server — the temporary whitelisted public IP, the customer-side IPMI gateway URL, and the IPMI client (read-only) credentials so the customer can open the KVM/console. Looks up the asset's IPMI IP, the location's IPMI group, and any active `ipmi_ips` lease (3-hour TTL). Sibling ops: `serverIpmiLivePost` (allocate whitelist slot), `serverIpmiPowerGet` / `serverIpmiPowerPost` (chassis power).\n\n**Path:** `id` (integer, required) — server_id from `getServerList`.\n\n**Body / query:** None. Optionally pass `asset` (asset_id) to target a specific asset; default is first asset.\n\n**Returns:** when an active lease exists `{ text (html), public_ip, allowed_ip, client_username, client_password }`. When no lease yet: `{ text: 'Setup not yet completed' }` — then call `serverIpmiLivePost` to allocate a slot.\n\n**Auth:** Session/API key. Ownership enforced via `server_custid`.\n\n**Errors:**\n- `404` — `id` not owned, or `asset` not on this server.\n- `409` — service not `active`.\n- `200` with error text `'No IPMI IP Set'` / `'Invalid IPMI IP'` / `'Live IPMI not Available for this location.'` when the asset/location is not configured for IPMI Live.\n\n**Caveat:** returns `client_password` — never log/echo verbatim.\n\n**Related calls:**\n- **Allocate:** `serverIpmiLivePost`.\n- **Chassis power:** `serverIpmiPowerGet`, `serverIpmiPowerPost`.\n" }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/ServerIpmiLiveRequest" } }, "application/json": { "schema": { "$ref": "#/components/schemas/ServerIpmiLiveRequest" } } }, "required": true }, "tags": [ "Servers" ], "responses": { "200": { "$ref": "#/components/responses/ServerIpmiGetResponse" }, "404": { "$ref": "#/components/responses/NotFound" } }, "operationId": "serverIpmiLivePost", "summary": "Whitelist an IP for IPMI Live KVM gateway access (3-hour lease)", "description": "Allocates / refreshes an IPMI Live whitelist slot so the customer's specified IP can reach the BMC's KVM/console for 3 hours. Picks a free `ipmi_ips` row for the location's `ipmi_group`, refreshes the lease if the same IP is already allocated, otherwise pushes the new whitelist via `ipmi_live_setup()`. Sibling ops: `serverIpmiLiveGet` (read current lease), `serverIpmiPowerPost` (DESTRUCTIVE — chassis power).\n\n**Path:** `id` (integer, required) — server_id.\n\n**Body fields:**\n- `ip` (string, required) — public IPv4 to whitelist.\n- `asset` (integer, optional) — asset_id; defaults to first asset on the server.\n\n**Returns:** `{ text (html), public_ip, allowed_ip, client_username, client_password }` for KVM login.\n\n**Auth:** Session/API key. Ownership enforced via `server_custid`.\n\n**Errors:**\n- `404` — `id` not owned, or `asset` not on this server.\n- `409` — service not `active`.\n- `200` with error text — `'An Invalid IP was passed.'`, `'No Live IPs are currently free for use with the IPMI Gateway. Please wait for the next IP to free up.'`, `'There was an error communicating with the IPMI Management server'`, `'No IPMI IP Set'` / `'Invalid IPMI IP'` / `'Live IPMI not Available for this location.'`.\n\n**Caveat:** returns IPMI client password — handle securely; whitelist exposes the BMC briefly.\n\n**Related calls:**\n- **Read current lease:** `serverIpmiLiveGet`.\n- **Power control:** `serverIpmiPowerPost`.\n" }, "parameters": [ { "name": "id", "description": "Server ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/servers/{id}/welcome_email": { "get": { "tags": [ "Servers" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getServersWelcomeEmail", "summary": "Resend the dedicated server welcome email with setup credentials", "description": "Use when the customer asks for the original setup/login info to be re-sent (root password, IPs, control-panel URL). Path param: `id` (integer server_id, must be `active`). No body. Invokes `server_welcome_email($id)` which re-sends the welcome message to the account's email.\nReturns: `{ text:'Welcome Email has been resent.' }`. Errors: 404 if `id` not owned by caller; 409 if service not active (cancelled/pending/suspended); 401 unauth. Caveat: re-sending is rate-sensitive; do not call repeatedly in a loop. The email may contain root credentials — confirm intent before triggering.\nSibling ops: `getServerInfo` (status check), `getServerInvoices`, `getVpsWelcomeEmail` for VPS, `getDomainsWelcomeEmail` for domains." }, "parameters": [ { "name": "id", "description": "Server ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/signup": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/LoginSubmissionExample" }, "examples": { "LoginSubmissionExampleExample": { "value": { "login": "user@domain.com", "passwd": "mypassword", "remember": "true", "g-recaptcha-response": { "__v_isShallow": false, "dep": { "w": 0, "n": 0 }, "__v_isRef": true, "_rawValue": "zzzzz", "_value": "zzzzz" } } } } } } }, "tags": [ "Public" ], "responses": { "200": { "description": "Account created successfully." }, "402": { "$ref": "#/components/responses/LoginResponseError" } }, "security": [ {} ], "operationId": "submitSignup", "summary": "Create a new customer account (email + password + captcha + ToS)", "description": "First step of the signup flow before adding payment or services. Public — no auth required. The account is created in `pending` state and moved to `active` once the email-confirmation code is verified; an `account.activated` event then fires (welcome email + admin notification). MaxMind GeoIP populates `country` from the client IP. Sibling ops: `submitLogin`, `getCaptcha`, `getLoginInfo`, `addBillingPrepay`, plus the `add*` service ops to follow up after signup.\n\n**Body fields** (JSON or form):\n- `login` (string, required) — email; must be valid and not an alias like `+tag` or dotted gmail.\n- `passwd` (string, required) — 4–64 chars.\n- `tos` (truthy, required) — `yes` / `true` / `1`.\n- `captcha` (string, required) — answer to the phrase from `getCaptcha` or `getLoginInfo` (server reads the phrase from `$_SESSION['captchaSignup']`).\n- `email_confirmation` (string, conditional) — 8-char code emailed on the first attempt; server returns `400 { field: 'email_confirmation' }` until provided.\n- `remember` (boolean / `'true'` / `'yes'` / `'1'`, optional) — 256-day cookie.\n\n**Returns:** `{ sessionId, account_id, account_lid, ima }`.\n\n**Errors:**\n- `400` — missing or invalid `login` / `passwd` / `tos` / `captcha` / `email_confirmation`; blocked-domain or aliased-email; account already exists.\n- `402` per `LoginResponseError` — signup gate misconfigured upstream.\n\n**Related calls:**\n- **Prerequisite:** `getCaptcha` or `getLoginInfo`.\n- **After signup:** `submitLogin`, `addBillingPrepay`, plus any `add*` order op.\n" } }, "/ssl": { "get": { "tags": [ "SSL-Certificates" ], "responses": { "200": { "links": { "GetSslDetails": { "operationId": "getSslInfo", "description": "Use the SSL certificate ID from any item in the response array to fetch full certificate details." } }, "description": "The listing of `SSL` services on your account." }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "operationId": "getSslList", "summary": "List all SSL certificates on the authenticated customer account with status and hostname", "description": "Use to enumerate every SSL certificate (DV/OV/EV) the current customer owns before drilling into a specific cert. Returns an array of SslRow objects with id, hostname, services_name (package), status (pending/active/expired/canceled), and company. No query parameters - results are auto-scoped to the session account_id. Empty array if customer has no certs. Returns 401 if unauthenticated. Pair the returned id with getSslInfo for full details, getSslInvoices for billing, getSslWelcomeEmail to resend credentials, sslCancel to terminate, or addSsl to order a new cert. Status values may be stale relative to CA - issuance/validation can take minutes to hours after order.\n\nSibling ops: `getSslInfo`, `getNewSsl` (catalog), `addSsl` (order new cert)." } }, "/ssl/order": { "get": { "tags": [ "SSL-Certificates" ], "responses": { "200": { "content": { "application/json": { "schema": { "description": "SSL certificate types and pricing.", "type": "object" } } }, "description": "Available SSL certificate types and pricing for ordering." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewSsl", "summary": "Get available SSL certificate packages and pricing for placing a new order", "description": "Use before addSsl to discover which DV/OV/EV certificate types and validation tiers are buyable, plus their costs. Returns object with packageCosts (services_id keyed map of float costs) and serviceTypes (full list of SSL product offerings from the get_service_types event). No parameters required - prices are in the customer's currency. Returns 401 if unauthenticated. Show these to the customer to pick a service_type, then call putSsl to dry-run validation (hostname, CSR, coupon) without charging, then addSsl to commit. Costs do not include taxes or applied coupons — putSsl returns the actual computed price with discounts.\n\nSibling ops: `putSsl` (validate), `addSsl` (commit), `getSslList` (existing certs), `getSslInfo` (per-cert)." }, "put": { "tags": [ "SSL-Certificates" ], "responses": { "200": { "description": "Validate SSL Order response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "putSsl", "summary": "Validate an SSL certificate order without charging - dry-run before addSsl", "description": "Use after getNewSsl and before addSsl to verify hostname, CSR, service_type, frequency, and coupon_code are acceptable without creating an invoice or charging the customer. Body params (form): frequency (months, default 12), service_type, hostname, csr, coupon_code, plus extra/vars per cert type. Returns continue (bool), errors (array), serviceType, serviceCost (after coupon), originalCost, hostname, couponCode. If continue=false the errors array explains what to fix - typical issues are invalid hostname/CSR mismatch, expired coupon, or unsupported service_type. Returns 401 if unauthenticated, 422 on validation failure semantics. No state is mutated. Always run this before addSsl to prevent failed charges.\nSibling ops: `getNewSsl` (catalog), `addSsl` (commit)." }, "post": { "tags": [ "SSL-Certificates" ], "responses": { "200": { "$ref": "#/components/responses/ServiceOrderPostResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Order an SSL certificate (DV/OV/EV). Returns invoice IDs for checkout.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addSsl", "summary": "Place a new SSL certificate order - creates invoice and queues issuance", "description": "[DESTRUCTIVE] Use after putSsl returns continue=true to commit the SSL order. Body (form): frequency (default 12 months), service_type, hostname, csr, coupon_code, plus per-type vars/extra. Re-runs validate_buy_ssl then calls place_buy_ssl which creates the service row, generates invoice (iid/iids/real_iids), and returns serviceId, serviceCost, invoice_description. CA validation is async - issuance takes minutes to hours and may require DNS or email validation post-order. If validation fails, returns continue=false with errors and no charge. Returns 401 unauthenticated, 422 invalid input. Caveat: cert is not active until invoice paid AND CA validation completes. Poll status via getSslInfo; resend instructions via getSslWelcomeEmail.\n\nSibling ops: `getNewSsl` (catalog), `putSsl` (validate), `getSslInfo` (poll), `getSslInvoices`, `initiatePayment` (settle invoice), `getSslWelcomeEmail`, `sslCancel`." } }, "/ssl/{id}": { "get": { "tags": [ "SSL-Certificates" ], "parameters": [ { "name": "id", "description": "SSL certificate ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "description": "SSL certificate service details.", "type": "object" } } }, "description": "Detailed SSL certificate information." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getSslInfo", "summary": "Get full details for one SSL certificate by id - status, expiration, links", "description": "Use to inspect a single SSL cert after locating its id via getSslList. Path param id (integer, required) is the ssl_id; cross-account ids return 404 (get_service enforces ownership). Returns the ViewSSL detail payload: hostname, service_type, status, expiration, company, plus client_links (rewrite/reissue/install actions available to the customer). admin_links, settings, csrf are stripped from client responses. Returns 401 unauthenticated, 404 if id not owned by the session customer. Reissue/rekey/install actions surfaced in client_links are time-sensitive and may require fresh DNS validation. Pair with getSslInvoices for billing history, getSslWelcomeEmail to resend, sslCancel to terminate, updateSslInfo to modify settings.\n\nSibling ops: `updateSslInfo`, `getSslInvoices`, `getSslWelcomeEmail`, `sslCancel`, `getSslList`." }, "post": { "tags": [ "SSL-Certificates" ], "parameters": [ { "name": "id", "description": "SSL certificate ID number.", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateSslInfo", "summary": "Update mutable settings on an existing SSL certificate order by id", "description": "Use to modify mutable fields on a customer-owned SSL cert (e.g. contact info, renewal preferences, hostname or CSR data depending on cert state and CA rules). Path param id (string/int, required) is the ssl_id. Body params depend on the cert package and which fields the underlying service supports - inspect getSslInfo client_links first to see which actions are exposed. Returns SuccessTextResponse on success. Returns 401 unauthenticated, 404 if id not owned, 409 if cert state forbids the change (e.g. canceled or pending CA validation), 422 on invalid field values. Caveat: changes that affect the certificate identity (hostname, CSR) typically trigger a reissue with the CA which is time-sensitive and may require new DNS or email validation.\n\nSibling ops: `getSslInfo` (read), `sslCancel` (terminate), `getSslWelcomeEmail`." }, "delete": { "tags": [ "SSL-Certificates" ], "responses": { "200": { "$ref": "#/components/responses/SSLCancelResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "sslCancel", "summary": "Cancel an SSL certificate service - stops renewals at end of billing cycle", "description": "[DESTRUCTIVE] Use to cancel a customer-owned SSL cert. Path param id (integer, required) is the ssl_id. Cancellation marks the service for non-renewal - the cert stays valid until its current paid period ends, after which auto-billing stops. The CA-issued certificate itself is NOT revoked by this call (file a separate revocation request if needed). Returns SSLCancelResponse with success bool and text. Returns 401 unauthenticated, 404 if id not owned by session customer, error if the cancel_service hook fails. Caveat: irreversible at the billing level - re-enabling requires a new addSsl order. Verify the right cert with getSslInfo and confirm no unpaid charges via getSslInvoices first.\n\nSibling ops: `getSslInfo` (verify cert), `getSslInvoices` (check unpaid), `addSsl` (re-order)." }, "parameters": [ { "name": "id", "description": "SSL Cert ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/ssl/{id}/invoices": { "get": { "tags": [ "SSL-Certificates" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getSslInvoices", "summary": "List all billing invoices and charges tied to one SSL certificate by id", "description": "Use to retrieve the full invoice history for a single SSL cert - initial order, renewals, and any addon charges. Path param id (integer, required) is the ssl_id; ownership is enforced via get_service so cross-account ids return an Invalid Service error. Returns ChargeInvoiceRows: success bool plus invoices array of charge/invoice rows with iid, date, cost, status (paid/unpaid/refunded), and description. Returns 401 unauthenticated, 400 if the id resolves to no service. Useful for auditing renewals before sslCancel, reconciling payment failures, or showing the customer their billing history.\n\nSibling ops: `getSslInfo`, `sslCancel`, `getSslWelcomeEmail`, `getBillingInvoice` (per-invoice detail), `initiatePayment` (settle unpaid)." }, "parameters": [ { "name": "id", "description": "SSL Cert ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/ssl/{id}/welcome_email": { "get": { "tags": [ "SSL-Certificates" ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getSslWelcomeEmail", "summary": "Resend the SSL welcome email with cert credentials and install instructions", "description": "Use when a customer lost the original welcome email containing CSR submission steps, validation links, or installation guidance for an active SSL cert. Path param id (integer, required) is the ssl_id. Triggers the module's ssl_welcome_email function to re-send to the account's email on file. Returns SuccessTextResponse: text='Welcome Email has been resent.' Returns 401 unauthenticated, 404 if id not found or not owned by session customer ('Invalid Service Passed'), 409 if cert status is not 'active' (pending/canceled/expired certs do not have a welcome email to resend). Caveat: cannot change the destination email - update the account profile first if the customer's address has changed.\n\nSibling ops: `getSslInfo` (verify status), `sslCancel` (terminate), `updateAccountInfo` (change email first)." }, "parameters": [ { "name": "id", "description": "SSL Cert ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/tickets": { "get": { "tags": [ "Tickets" ], "parameters": [ { "name": "page", "description": "Page number for paginated results.", "schema": { "default": 1, "type": "integer" }, "in": "query" }, { "name": "period", "description": "How far back to show tickets from. Value is in days.", "schema": { "default": "30", "enum": [ "30", "90", "365", "1825", "all" ], "type": "string" }, "in": "query" }, { "name": "view", "description": "The status of tickets to view. Possible values are Open, Closed, On Hold, and In Progress. If not specified it will show all types.", "schema": { "enum": [ "Open", "Closed", "On Hold", "In Progress" ], "type": "string" }, "in": "query" } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Tickets" }, "examples": { "TicketsExample": { "value": { "ima": "client", "custid": "223513", "view": "Open", "currentPage": 1, "limit": 50, "sortcol": 6, "sortdir": 1, "rowsOffset": 0, "tickets": [], "pages": 7, "rowsTotal": 311, "inboxCount": 311, "countArray": { "Open": 3, "On Hold": 3, "Closed": 305 }, "viewText": "Inbox" } } } } }, "links": { "GetTicketDetails": { "operationId": "getTicketInfo", "description": "Use a ticket ID from the response to fetch full ticket details and reply history." } }, "description": "The listing of support tickets." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getTicketsList", "summary": "List the authenticated account's support tickets with status and date filters", "description": "Use to browse the customer's helpdesk tickets, paginated, with optional status and recency filters. Returns tickets where email matches the session account_lid. Query params: page (int, default 1, 50 per page), period (string: '30', '90', '365', '1825', or 'all' days back; default '30'), view (string: 'Open', 'Closed', 'On Hold', 'In Progress'; omit for all). Body: none. Returns: object with tickets[], total, pages, currentPage, st_count[] (counts grouped by status: Open/On Hold/Closed), selected_period, view. Errors: 401 unauthorized session. Note ticketstatusid mapping (Open=4, On Hold=5, Closed=6, In Progress=7). To search by subject/email/mask use postTicketsList. To open a ticket detail use getTicketInfo with the returned id. To create a new ticket see addNewTicket.\n\nSibling ops: `getTicketInfo` (detail), `postTicketsList` (search), `addNewTicket` (open new)." }, "post": { "tags": [ "Tickets" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Tickets" } } }, "description": "Search through the ticket system for a given email, subject, or ticket mask id." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postTicketsList", "summary": "Search the authenticated account's tickets by subject, email, or mask ID", "description": "Use when the user supplies a search term (subject keyword, email substring, or full ticket mask ID like 'ABC-123-456'). Scoped to tickets owned by the session account_lid. Body (form): search (string, required). If the term contains exactly two hyphens it is treated as an exact ticketmaskid match; otherwise a LIKE search runs across subject, email, and ticketmaskid. Returns: array of up to 25 matching ticket rows ordered by lastactivity DESC, each enriched with lastactivity_time (human-relative). Errors: 400 if search is empty or missing; 401 unauthorized. Caveat: this is a POST that reads, not a creator. To create see addNewTicket. To paginate full inbox use getTicketsList. To open one use getTicketInfo.\n\nSibling ops: `getTicketsList` (full inbox), `getTicketInfo` (detail), `addNewTicket` (open new)." } }, "/tickets/new": { "get": { "tags": [ "Tickets" ], "responses": { "200": { "description": "New ticket form data including departments and service categories." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewTicket", "summary": "Fetch services and product options to populate the new-ticket form", "description": "Use to populate dropdowns before calling addNewTicket. Returns the customer's services grouped by product type so the user can attach a ticket to a specific resource. Iterates all enabled modules (vps, webhosting, domains, mail, etc.; mailbaby instances see only mail) and filters out services with status canceled, deleted, or fraud. Params: none. Body: none. Returns: object keyed by product TITLE (e.g. 'Vps', 'Webhosting'), each value a map of '{module}-{service_id}' to a description string including title, type/plan, VPS hypervisor name where applicable, and uppercase status tag. Errors: 401 unauthorized. Use the returned product key as the 'product' field on addNewTicket.\n\nSibling ops: `addNewTicket` (consumes the product key), `getTicketsList`." }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TicketNew" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/TicketNew" } } }, "required": true }, "tags": [ "Tickets" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/TicketNewResponse" } } }, "links": { "ViewCreatedTicket": { "operationId": "getTicketInfo", "parameters": { "id": "$response.body#/ticket_id" }, "description": "Use the ticket ID from the response to view the newly created ticket details." } }, "description": "A successful response after creating a ticket." }, "400": { "$ref": "#/components/responses/TicketNewResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "addNewTicket", "summary": "Open a new helpdesk ticket, optionally linked to a service and attachments", "description": "Use when the customer wants to contact support. Creates the Kayako ticket in the 'New Unassigned' department (id 18). Body (form): subject (string, required), body (string, required), product (string, optional, format '{module}-{service_id}' from getNewTicket), service_id+service_module (alternative to product), attachments[] (optional, each {name, type, content base64}), and optional server-access custom fields ip, root_pass, sudo_user, sudo_pass, port_no, server_access (passwords are AES-encrypted with a generated auth_key). Returns: {success: true, text, ticket: ticketmaskid}. Errors: 400 missing subject or body; 401 unauthorized; 422 ticket creation failure. Sibling: getNewTicket for product list, getTicketInfo to view, ReplyTicket to add replies." } }, "/tickets/{id}": { "get": { "tags": [ "Tickets" ], "parameters": [ { "name": "id", "description": "Ticket ID number.", "schema": { "type": "number" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/ViewTicketResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "operationId": "getTicketInfo", "summary": "Get full ticket details including subject, status, and the reply thread", "description": "Use to render a ticket page or feed full context to an LLM. Path: id (int, ticket ID, e.g. 1511222). Returns ticket header (subject, status, department, dates), the ordered post/reply history, attachments, and any custom-field values. Resolved via Ticket::getTicket(id, account_lid) so cross-account access returns Invalid ticket. Body: none. Errors: 401 unauthorized; 404/422 'Invalid ticket!' when the id is unknown or owned by another account. Caveats: the same path with POST appends a reply (postTicketInfo) and DELETE closes the ticket (deleteTicketInfo) — it does not destroy data. Siblings: ReplyTicket, updateTicketInfo, CloseTicket, getTicketsList." }, "put": { "tags": [ "Tickets" ], "parameters": [ { "name": "id", "description": "Ticket ID number.", "schema": { "type": "number" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/ViewTicketResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "operationId": "putTicketInfo", "summary": "Update a ticket's properties such as subject or status (stub, not implemented)", "description": "Reserved for future use to update ticket subject/status. The PHP handler is currently an empty stub that returns no body, so callers should not rely on it in production. Path: id (int). Body: would carry subject/status fields when implemented. Returns: undefined behavior today. Errors: 401 unauthorized; expect 404/422 when implemented if id is invalid or not owned. Caveats: prefer updateTicketInfo (POST /tickets/{id}/update) for editing custom-field values today, postTicketInfo to add a reply, CloseTicket or deleteTicketInfo to close. Avoid scripting against this endpoint until the handler ships. Siblings: getTicketInfo, ReplyTicket." }, "post": { "tags": [ "Tickets" ], "parameters": [ { "name": "id", "description": "Ticket ID number.", "schema": { "type": "number" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/ViewTicketResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "operationId": "postTicketInfo", "summary": "Append a reply (and optional attachment, server-access fields) to a ticket", "description": "Use to post a customer reply on an existing ticket. Path: id (int ticket ID). Body: body (string reply text; trimmed to first 500 words), file_attachment (multipart upload, optional), and the server-access custom fields ip/root_pass/sudo_user/sudo_pass/port_no/server_access (passwords AES-encrypted with auth_key=7). Either body OR an attachment is required. Notifies any swticketwatchers staff via templated email after posting. Returns: {status: 'success', message: 'Reply posted successfully'}. Errors: 400 'Please enter a message or attach a file'; 401 unauthorized; 404/422 'Invalid ticket!' when id missing or cross-account. Sibling: ReplyTicket (cleaner JSON-only reply at /tickets/{id}/reply), updateTicketInfo, getTicketInfo, deleteTicketInfo." }, "delete": { "tags": [ "Tickets" ], "parameters": [ { "name": "id", "description": "Ticket ID number.", "schema": { "type": "number" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/ViewTicketResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "operationId": "deleteTicketInfo", "summary": "Close a customer ticket via DELETE verb (closes only, never destroys data)", "description": "Use when the customer marks a ticket resolved. IMPORTANT: despite the DELETE verb this only CLOSES the ticket via Ticket::closeTicket — no data is destroyed. Closed tickets remain readable through getTicketInfo and appear in getTicketsList when view=Closed. Path: id (int ticket ID). Body: none. Returns: 'Ticket is closed!' string on success. Errors: 401 unauthorized; 404/422 'Invalid ticket!' when id is unknown or owned by another account. Idempotent on already-closed tickets. Siblings: CloseTicket (GET /tickets/{id}/close — same effect, simpler URL), ReplyTicket to add a final reply before closing, getTicketInfo to verify state." } }, "/tickets/{id}/update": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/UpdateTicket" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/UpdateTicket" } } } }, "tags": [ "Tickets" ], "parameters": [ { "name": "id", "description": "The ticket ID number.", "schema": { "type": "number" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/UpdateTicketResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "operationId": "updateTicketInfo", "summary": "Update a ticket's custom field values (server-access details, etc.)", "description": "Use to save or change the structured custom-field values attached to a ticket — typically server-access details supplied by the customer. Path: id (int ticket ID). Body (form): one field per custom-field title, lowercased with spaces replaced by underscores (e.g. ip, root_pass, sudo_user, sudo_pass, port_no, server_access). Field id 7 (auth_key) is skipped — never set it directly. Returns: {success: true, text: 'Ticket is updated!'} or {success: false, text: 'Unable to update ticket'}. Errors: 401 unauthorized; 404 invalid or non-owned ticket. Caveats: this updates metadata only — to add a reply use ReplyTicket, to close use CloseTicket, to read current state use getTicketInfo.\n\nSibling ops: `getTicketInfo` (read), `ReplyTicket` (reply), `CloseTicket` (close)." } }, "/tickets/{id}/reply": { "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ReplyTicketRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/ReplyTicketRequest" } } } }, "tags": [ "Tickets" ], "parameters": [ { "name": "id", "description": "The ticket ID number.", "schema": { "type": "number" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/ReplyTicketResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" }, "default": { "description": "Default response" } }, "operationId": "ReplyTicket", "summary": "Post a simple text reply to an existing ticket thread (no attachments)", "description": "Use this lightweight endpoint to add a reply to an existing ticket without attachments or server-access fields. Cleaner alternative to postTicketInfo when only text is being submitted. Path: id (int ticket ID). Body (form): content (string, required reply body). Returns: {success: true, post_id: int} on success or {success: false, text: 'Reply content cannot be empty!' | 'Unable to reply ticket'}. Errors: 401 unauthorized; 404 implied via 'Unable to reply ticket' when id is invalid or owned by another account. Siblings: postTicketInfo (POST /tickets/{id}, supports attachments + custom fields), updateTicketInfo (custom fields only), CloseTicket, getTicketInfo to verify the new post_id appears in the thread." } }, "/tickets/{id}/close": { "get": { "tags": [ "Tickets" ], "parameters": [ { "examples": { "TicketIdExample": { "value": "1511222" } }, "name": "id", "description": "Ticket ID", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/CloseTicketResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "CloseTicket", "summary": "Close an open support ticket via simple GET request (no body required)", "description": "Use to close a ticket from a link or one-click action — closure-only equivalent of deleteTicketInfo with friendlier semantics. Calls Ticket::closeTicket on the resolved ticket and leaves the record fully readable; closed tickets disappear from the active inbox but remain in getTicketsList when view=Closed. Path: id (int ticket ID, e.g. 1511222). Body: none. Returns: {success: true, text: 'Ticket is closed!'} or {success: false, text: 'Unable to close ticket'}. Errors: 401 unauthorized; 404 implied via 'Unable to close ticket' when id is unknown or cross-account. Idempotent on already-closed tickets. Siblings: deleteTicketInfo (DELETE /tickets/{id} — same effect), getTicketInfo to confirm new status." } }, "/vps": { "get": { "tags": [ "VPS" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "$ref": "#/components/schemas/VpsRow" } } } }, "links": { "GetVpsDetails": { "operationId": "getVpsInfo", "parameters": { "id": "$response.body#/0/vps_id" }, "description": "Use the `vps_id` from any item in the response array to fetch full VPS details." } }, "description": "The listing of `Vps` services on your account." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsList", "summary": "List all VPS services on the customer's account", "description": "Enumerates every VPS owned by the authenticated customer — status, hostname, primary IP, plan name, and monthly cost. The canonical entry point for finding a VPS `id` to pass into other VPS operations (`getVpsInfo`, lifecycle, billing, backups, etc.). No path params, no query params, no body. Server-side filtered by session account; rows come from the `vps` table joined to `repeat_invoices` (for cost) and `services` (for plan name). Returns an array of `VpsRow` (empty array if the account has no VPS). Sibling ops: `getVpsInfo` (full detail), `getNewVps`/`putVps`/`addVps` (order a new one).\n\n**Returned fields (per row):**\n- `vps_id` (integer) — canonical VPS id, used in every `/vps/{id}/*` path.\n- `vps_name` (string) — display name shown in the dashboard.\n- `vps_hostname` (string) — FQDN currently assigned to the VPS.\n- `vps_ip` (string) — primary IPv4 address.\n- `vps_status` (string enum) — `active`, `pending` (awaiting payment/provisioning), `suspended` (non-payment), or `cancelled`.\n- `services_name` (string) — service-type name (e.g. `KVM`, `KVM Storage`, `HyperV`).\n- `repeat_invoices_cost` (decimal) — current monthly cost in the VPS's billing currency.\n- `vps_comment` (string|null) — customer-provided note.\n\n**Auth:** Session (`sessionid` header) or API key (`X-API-KEY` header). API key preferred for integrations.\n\n**Errors:**\n- `401 Unauthorized` — missing/invalid session or API key.\n\n**Related calls:**\n- **Next (per-VPS):** `getVpsInfo` (full detail incl. extra IPs, slices, addons), `getVpsInvoices` (billing per VPS), `doVpsRestart`/`doVpsStart`/`doVpsStop` (lifecycle).\n- **Order a new VPS:** `getNewVps` (catalog) → `putVps` (validate + quote) → `addVps` (place + invoice).\n- **Cancel:** `VPSCancel` (end of cycle, customer-initiated).\n" } }, "/vps/order": { "get": { "tags": [ "VPS" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/VpsOrder" } } }, "description": "VPS Order information" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getNewVps", "summary": "Get the VPS order catalog — platforms, OS templates, locations, pricing", "description": "Step 1 of the VPS order flow. Returns the full ordering catalog the customer needs to build a valid VPS configuration: virtualization platforms (`kvm`, `kvmstorage`, `hyperv`), OS templates grouped by platform+distro, datacenter locations with current stock flags, per-slice resource costs converted to the customer's billing currency, control-panel prices, and slice resource defaults (RAM/HD/BW per slice, max slices per VPS). No path or query params, no body. The response drives the order form; once the user picks a config, call `putVps` for a dry-run price quote, then `addVps` to actually place the order. Sibling ops: `putVps`, `addVps`, `getVpsList` (existing VPS).\n\n**Returned top-level fields** (schema `VpsOrder`):\n- `platformNames` (object) — display names keyed by platform tag (`{kvm: \"KVM\", kvmstorage: \"KVM Storage\", hyperv: \"HyperV\"}`).\n- `platformPackages` (object) — service-type ids keyed by platform tag (`{kvm: 32, kvmstorage: 57, hyperv: 54}`).\n- `packageCosts` (object) — base list cost keyed by service-type id.\n- `templates` (object) — nested `{platform: {os: {template_file: template_version}}}` template tree.\n- `osNames` (object) — display name per `template_os` key.\n- `locationNames` (object) — `{1: \"New Jersey\", 2: \"Los Angeles\", 3: \"Dallas, TX\"}`.\n- `locationStock` (object) — `{location_id: {platform_tag: bool}}` — `true` = in stock.\n- `vpsSliceCost` (float) — per-slice cost per platform in customer currency (e.g. `vpsSliceKvmLCost`, `vpsSliceKvmStorageCost`, `vpsSliceHypervCost`, `vpsSliceOvzCost`).\n- `cpanelCost`, `daCost` (float) — control-panel addon costs.\n- `ramSlice`, `hdSlice`, `bwSlice` (int) — RAM (MB), HD (GB), BW (GB) per slice.\n- `maxSlices` (int) — `VPS_SLICE_MAX` cap for non-admin callers.\n- `currency`, `currencySymbol` (string) — derived from the account profile.\n\n**Auth:** Session or API key.\n\n**Errors:**\n- `401 Unauthorized` — missing session/API key.\n\n**Related calls:**\n- **Next:** `putVps` (validate + quote a chosen config — no charge), `addVps` (place the order).\n- **After ordering:** pay via `initiatePayment` with the returned `real_iids`, then poll `getVpsInfo` until `vps_status == \"active\"`.\n\n**Example happy-path response (abridged):**\n```json\n{\n \"platformNames\": {\"kvm\": \"KVM\", \"kvmstorage\": \"KVM Storage\", \"hyperv\": \"HyperV\"},\n \"platformPackages\": {\"kvm\": 32, \"kvmstorage\": 57, \"hyperv\": 54},\n \"locationNames\": {\"1\": \"New Jersey\", \"2\": \"Los Angeles\", \"3\": \"Dallas, TX\"},\n \"locationStock\": {\"1\": {\"kvm\": true, \"kvmstorage\": true, \"hyperv\": false}},\n \"osNames\": {\"centos-7-x86_64\": \"CentOS 7\", \"ubuntu-22.04-x86_64\": \"Ubuntu 22.04\"},\n \"templates\": {\"kvm\": {\"centos-7-x86_64\": {\"centos-7-x86_64.qcow2\": \"7\"}}},\n \"vpsSliceKvmLCost\": 6.00,\n \"cpanelCost\": 18.00,\n \"ramSlice\": 2048, \"hdSlice\": 25, \"bwSlice\": 2000, \"maxSlices\": 8,\n \"currency\": \"USD\", \"currencySymbol\": \"$\"\n}\n```\n" }, "put": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/VpsOrderPutRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/VpsOrderPutRequest" } } } }, "tags": [ "VPS" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/VpsOrderPutResponse" } } }, "description": "Validate VPS order response." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "putVps", "summary": "Validate a VPS order configuration and quote the cost — dry run, no charge", "description": "Step 2 of the VPS order flow. Validates a chosen VPS configuration (platform, OS, slices, location, control panel, coupon, etc.) against stock and policy, applies any coupon discount and frequency discount, and returns a cost breakdown — without creating any invoice or service record. Use this to preview the first-month and recurring cost before the customer commits via `addVps`. The body shape is identical between `putVps` and `addVps`; the only difference is the HTTP verb — PUT validates, POST commits. Sibling ops: `getNewVps` (catalog), `addVps` (place order).\n\n**Required body fields:**\n- `osDistro` (string) — OS template tag from `getNewVps.osNames` (e.g. `centos-7-x86_64`).\n- `osVersion` (string) — OS version from `getNewVps.templates[platform][os][template_file]`.\n- `vpsPlatform` (string) — one of the keys in `getNewVps.platformNames`: `kvm`, `kvmstorage`, `hyperv`, `openvz`, `ssdopenvz`, `virtuozzo`, `ssdvirtuozzo`, `lxc`, `cloudkvm`, `docker`. HTML stripped server-side.\n- `slices` (integer) — `1 ≤ slices ≤ getNewVps.maxSlices`. Windows (`kvm` with `osDistro` starting `windows` or `os==5`, plus `hyperv`/`cloudkvm` Windows) requires `slices ≥ 2`.\n\n**Optional body fields:**\n- `location` (integer, default 1) — `1`=NJ, `2`=LA, `3`=TX. Out-of-stock platforms in a location auto-fail with an error.\n- `period` (integer, default 1) — billing cycle in months: `1` / `6` / `12` / `24` / `36`. Discounts: 6mo=5%, 12mo=10%, 24mo=15%, 36mo=20%.\n- `controlpanel` (string, default `none`) — `none` / `cpanel` (forces CentOS) / `da` (DirectAdmin). Incompatible with Windows.\n- `coupon` (string) — coupon code; validated against `coupons` table (custid match, module=`vps`, applies-to-service-type, usable count). Returns \"Invalid Coupon\" if not found/usable.\n- `hostname` (string) — FQDN matching `/^.*\\..*\\..*$/` (e.g. `server.example.com`). Skipped for Windows KVM (auto-set to `vps{id}` server-side).\n- `rootpass` (string) — required for all Linux platforms. Must match `/(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*\\W)/`. Not required for Windows.\n- `comment` (string) — free-form note saved on the `vps` row.\n\n**Returned fields** (schema `VpsOrderPutResponse`):\n- `continue` (bool) — `true` if validation passed and the order can be POSTed. If `false`, render `errors` and do not call `addVps`.\n- `errors` (array of strings) — human-readable validation messages.\n- `coupon_code` (integer) — id of the matched coupon row, or `0` if no coupon applied.\n- `service_cost` (float) — first-period cost in customer currency (includes coupon + period discount).\n- `slice_cost` (float) — per-slice cost after coupon.\n- `repeat_service_cost` (float) — recurring monthly/period cost after coupon and period discount.\n- `original_slice_cost`, `original_cost` (float) — undiscounted reference values.\n- `service_type` (integer) — resolved service-type id (e.g. KVM Linux=33, KVM Win=32, KVM Storage=57, HyperV=54, OpenVZ=31, Virtuozzo=55).\n- `monthly_service_cost` (float) — recurring cost normalized to monthly.\n\n**Side effects:** None — `PUT /vps/order` is a pure read.\n\n**Errors:**\n- `400` — missing required field (`osDistro` / `vpsPlatform` / `slices` / `osVersion`) or invalid `location`. Body shape: `{error: \"Missing field \"}`.\n- `401` — unauthenticated.\n\n**Related calls:**\n- **Prerequisite:** `getNewVps` (provides every option value referenced in the body).\n- **Next:** `addVps` (place the order with the same body once `continue == true`).\n\n**Example request body:**\n```json\n{\n \"vpsPlatform\": \"kvm\",\n \"osDistro\": \"centos-7-x86_64\",\n \"osVersion\": \"centos-7-x86_64.qcow2\",\n \"slices\": 2,\n \"location\": 1,\n \"period\": 1,\n \"controlpanel\": \"none\",\n \"hostname\": \"web1.example.com\",\n \"rootpass\": \"Sup3rS3cret!\",\n \"coupon\": \"\"\n}\n```\n**Example response (validation passed):**\n```json\n{\n \"continue\": true,\n \"errors\": [],\n \"coupon_code\": 0,\n \"service_cost\": 12.00,\n \"slice_cost\": 6.00,\n \"repeat_service_cost\": 12.00,\n \"service_type\": 33,\n \"monthly_service_cost\": 12.00,\n \"platform\": \"kvm\", \"os\": \"centos-7-x86_64\",\n \"slices\": 2, \"location\": 1, \"period\": 1,\n \"hostname\": \"web1.example.com\"\n}\n```\n" }, "post": { "requestBody": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/VpsOrderPostRequest" } }, "multipart/form-data": { "schema": { "$ref": "#/components/schemas/VpsOrderPostRequest" } } } }, "tags": [ "VPS" ], "responses": { "200": { "$ref": "#/components/responses/ServiceOrderPostResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "x-payment-info": { "intent": "session", "method": "card", "amount": 0, "currency": "USD", "description": "Order a VPS instance. Returns invoice IDs for /billing/pay/{method}/{invoices}.", "method_options": [ "cc", "paypal", "btcpay", "coinbase", "payu", "ccavenue", "cashfree", "payssion", "prepay" ] }, "operationId": "addVps", "summary": "Place a new VPS order, create the invoice, and queue provisioning", "description": "Step 3 of the VPS order flow — actually places the order. Revalidates the same configuration that `putVps` accepts (so the request is safe even if `putVps` was skipped), then calls `place_buy_vps`: allocates a backing hypervisor server via `get_vps_next_server`, creates a `Repeat_Invoice` ORM row for the recurring charge, generates the initial `invoices` row via `$repeat_invoice->invoice()`, inserts a `vps` service record with `vps_status='pending'`, and creates any control-panel addon invoices (CPanel/DirectAdmin). Returns the new service id plus invoice ids the caller must pay before provisioning runs. **Real money** — call `putVps` first to preview cost. Sibling ops: `getNewVps`, `putVps`, `getVpsInfo`, `VPSCancel`.\n\n**Body fields:** Identical to `putVps`. Required: `osDistro`, `osVersion`, `vpsPlatform`, `slices`. Optional: `location` (default 1), `period` (default 1), `coupon`, `hostname`, `rootpass`, `controlpanel` (default `none`), `comment`. Same validation rules apply (slice range, rootpass regex for Linux, hostname FQDN format, platform↔OS↔controlpanel compatibility).\n\n**Returned fields** (schema `ServiceOrderPostResponse`):\n- `success` (bool) — `true` on successful placement.\n- `serviceid` (integer) — new VPS id; use this with `getVpsInfo` to poll status.\n- `iid` (string) — primary invoice id (numeric).\n- `real_iids` (array of strings) — numeric invoice ids to pass to `initiatePayment` (`invoices` path param).\n- `iids` (array of strings) — tagged invoice ids (e.g. `SERVICEvps12345`) — alternative payment identifier.\n- `total_cost` (decimal string) — total to pay across all generated invoices.\n- `invoice_description` (string) — human-readable summary (e.g. `KVM 2 Slices`).\n- `cj_params` (object) — Commission Junction tracking parameters (affiliate flows).\n\n**Side effects:**\n- Inserts row into `vps` table (`vps_status='pending'`).\n- Inserts `repeat_invoices` row for the recurring charge.\n- Inserts `invoices` row for the first period charge.\n- Inserts additional `invoices` rows for CPanel/DirectAdmin addons if `controlpanel != 'none'`.\n- Logs a `vps` signup event in `history_log`.\n- Saves root password to `history_log` (encrypted at rest).\n\n**Errors:**\n- `400 Bad Request` — validation failed; response body is the `errors` array from validation.\n- `401 Unauthorized` — missing session/API key.\n\n**Related calls:**\n- **Prerequisite:** `getNewVps` (catalog), `putVps` (preview cost — strongly recommended).\n- **Next:** `getBillingInvoice` (review invoice line items), `initiatePayment` (`GET /billing/pay/{method}/{invoices}` — pay with `real_iids`), then `getVpsInfo` (poll for `vps_status == \"active\"`), `getVpsWelcomeEmail` (resend credentials).\n- **Cancel before paying:** `VPSCancel`.\n\n**Example request body:** Same as `putVps`.\n\n**Example response:**\n```json\n{\n \"success\": true,\n \"serviceid\": 12345,\n \"iid\": \"25296600\",\n \"real_iids\": [\"25296600\"],\n \"iids\": [\"SERVICEvps12345\"],\n \"total_cost\": \"12.00\",\n \"invoice_description\": \"KVM 2 Slices\",\n \"cj_params\": {}\n}\n```\n**Full ordering happy path:**\n```text\nGET /vps/order -> catalog (getNewVps)\nPUT /vps/order { ...config } -> price quote (putVps)\nPOST /vps/order { ...config } -> { serviceid, real_iids } (addVps)\nGET /billing/invoices/{iid} -> confirm invoice (getBillingInvoice)\nGET /billing/pay/cc/{real_iids[0]} -> pay (payInvoice; type=submit|redirect|single)\nGET /vps/{serviceid} -> poll until vps_status==\"active\" (getVpsInfo)\n```\n" } }, "/vps/{id}": { "get": { "tags": [ "VPS" ], "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Vps" } } }, "links": { "GetVpsInvoices": { "operationId": "getVpsInvoices", "parameters": { "id": "$request.path.id" }, "description": "Retrieve billing invoices for this VPS." }, "RestartVps": { "operationId": "doVpsRestart", "parameters": { "id": "$request.path.id" }, "description": "Restart this VPS." }, "StartVps": { "operationId": "doVpsStart", "parameters": { "id": "$request.path.id" }, "description": "Power on this VPS." }, "StopVps": { "operationId": "doVpsStop", "parameters": { "id": "$request.path.id" }, "description": "Power off this VPS." }, "BackupVps": { "operationId": "postVpsBackup", "parameters": { "id": "$request.path.id" }, "description": "Create a backup of this VPS." }, "ListVpsBackups": { "operationId": "getVpsBackups", "parameters": { "id": "$request.path.id" }, "description": "List available backups for this VPS." }, "ReinstallVpsOS": { "operationId": "getVpsReinstallOs", "parameters": { "id": "$request.path.id" }, "description": "View available OS templates for reinstalling this VPS." }, "GetVpsReverseDns": { "operationId": "getVpsReverseDns", "parameters": { "id": "$request.path.id" }, "description": "View reverse DNS entries for this VPS." } }, "description": "The VPS Information" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsInfo", "summary": "Get full details for one VPS — IPs, hostname, OS, slices, status, addons", "description": "Returns everything the customer dashboard shows for a single VPS — hostname, primary IP plus any extra IPs, OS, allocated slices (CPU/RAM/disk), current `vps_status`, plan/service-type, datacenter location, billing currency, and `serviceAddons` (extra IPs and additional GB disk). Read-only. Backed by `ViewVPS::getDetails()`; ownership is enforced via `get_service($id, 'vps')` — cross-customer requests return 404. Use to render a VPS detail page, to verify ownership before mutating, or to poll `vps_status` after `addVps` (status flips `pending` → `active` once provisioning completes). Sibling ops: `getVpsList`, `doVpsRestart`/`doVpsStart`/`doVpsStop` (lifecycle), `getVpsTrafficUsage` (bandwidth), `getVpsBackups`, `getVpsInvoices`, `updateVpsInfo`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Returned fields** (schema `Vps` plus extras):\n- Core: `vps_id`, `vps_hostname`, `vps_ip`, `vps_status`, `vps_slices`, `vps_os`, `vps_type` (service-type id), `vps_server` (backing hypervisor id), `vps_custid`, `vps_comment`, `vps_coupon`.\n- `services_name` (string) — plan name (e.g. `KVM`, `HyperV`).\n- `client_links` (array) — UI action links (`{name, link, icon}`) for restart, snapshot, console, etc. Internal `?link=queue&action=...` URLs are pre-resolved.\n- `serviceAddons` (object) — `{extra_ips: [...], additional_gb: }` populated from `repeat_invoices` rows that match `Additional IP*` / `Additional N GB Space*` patterns.\n- **Stripped fields:** `admin_links`, `settings`, `csrf` are removed before response.\n\n**Auth:** Session or API key. Customer must own the VPS (enforced via `vps_custid` match).\n\n**Errors:**\n- `401 Unauthorized` — missing session/API key.\n- `404 Invalid VPS Passed` — `id` does not exist or is owned by a different account.\n\n**Related calls:**\n- **Lifecycle:** `doVpsStart`, `doVpsStop`, `doVpsRestart`.\n- **Maintenance:** `postVpsChangeHostname`, `postVpsChangeRootPassword`, `postVpsReverseDns`.\n- **Upgrade:** `getVpsSlices`/`postVpsSlices`, `getVpsBuyHdSpace`/`putVpsBuyHdSpace`/`postVpsBuyHdSpace`, `getVpsBuyIp`/`postVpsBuyIp`.\n- **Backups:** `getVpsBackup` (create), `getVpsBackups` (list), `downloadVpsBackup`, `postVpsRestore`.\n- **Billing:** `getVpsInvoices`, `VPSCancel`.\n- **Metrics:** `getVpsTrafficUsage`.\n" }, "post": { "tags": [ "VPS" ], "parameters": [ { "name": "id", "description": "VPS ID number.", "schema": { "type": "string" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "updateVpsInfo", "summary": "Update editable settings on a VPS service record", "description": "Write-back endpoint for the VPS service record — typically the dashboard's \"save changes\" action. The body is processed by `ViewVPS::getDetails()`, the same handler as the GET, so the accepted fields mirror what the VPS detail view edits in place (e.g. customer comment/label, display preferences). For lifecycle or provisioning changes use the dedicated endpoints — they enforce platform-specific validation and queue hypervisor actions correctly. Sibling ops: `getVpsInfo`, `VPSCancel`, and all the dedicated mutation endpoints listed below.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** Form-encoded or JSON with editable fields (handler decides which are persisted). Most callers should use the dedicated endpoints instead.\n\n**Returns:** `SuccessTextResponse` — `{text: \"...\"}` on success.\n\n**Auth:** Session/API key. Ownership enforced via `vps_custid` match.\n\n**Errors:**\n- `401 Unauthorized` — missing session/API key.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n\n**Prefer these dedicated endpoints when applicable:**\n- Hostname → `postVpsChangeHostname` (OpenVZ/Virtuozzo only).\n- Root password → `postVpsChangeRootPassword` (specific value) or `postVpsResetPassword` (random).\n- Reverse DNS → `postVpsReverseDns`.\n- Slice upgrade/downgrade → `getVpsSlices` → `postVpsSlices` (creates prorated invoice).\n- Additional disk → `getVpsBuyHdSpace` → `putVpsBuyHdSpace` → `postVpsBuyHdSpace`.\n- Additional IPs → `getVpsBuyIp` → `postVpsBuyIp`.\n- Timezone → `getVpsChangeTimezone` → `postVpsChangeTimezone`.\n- Cancel service entirely → `VPSCancel`.\n" }, "delete": { "tags": [ "VPS" ], "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/VPSCancelResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "VPSCancel", "summary": "Cancel a VPS service at the end of the current billing cycle", "description": "Customer-facing cancel — schedules termination, stops future renewals, and queues deprovisioning. Billing continues until the end of the already-paid period, and the customer keeps access until then; this endpoint does **not** issue refunds. Delegates to `Billing\\CancelService::go()` (shared cancellation handler used across all service modules). The repeat-invoice is marked for cancellation and the VPS row's status will eventually flip to `cancelled`. Reversible: a customer can typically un-cancel before the cycle ends by opening a support ticket. Sibling ops: `getVpsInfo` (verify status), `getVpsInvoices` (review final invoices), `getVpsBackup` (snapshot before cancellation).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** `VPSCancelResponse` — confirmation text plus the scheduled cancellation date.\n\n**Side effects:**\n- Sets the `repeat_invoices` row for the VPS to non-renewing.\n- Logs the cancellation event in `history_log`.\n- Queues `vpsqueue` deprovisioning action to run at end-of-cycle.\n- Does NOT immediately stop the VPS — power state is unchanged until the cycle ends.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401 Unauthorized` — missing session/API key.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n\n**Related calls:**\n- **Before cancelling:** `getVpsBackup` (create a final snapshot), `downloadVpsBackup` (export it).\n- **After cancelling:** `getVpsInfo` (confirm `vps_status` flipped), `getVpsInvoices` (final invoices).\n- **Sibling cancels on other modules:** `CancelDomain`, `mailCancel`, `webhostingCancel`, etc. all use the same `CancelService` handler.\n" } }, "/vps/{id}/backup": { "get": { "tags": [ "VPS" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsBackup", "summary": "Trigger a manual on-demand snapshot/backup of the VPS", "description": "Creates an on-demand backup of the VPS — typically called before a risky change (OS reinstall, slice upgrade, restore from older backup). Enqueues a `backup` action on the hypervisor (`history_log` `vpsqueue` entry) and returns immediately; the actual snapshot runs asynchronously and may take a few minutes. Despite being GET, this is a side-effecting action and the MCP parser flags it accordingly. The new backup, once complete, appears in `getVpsBackups` keyed by `name`. Sibling ops: `getVpsBackups` (list), `downloadVpsBackup` (download via pre-signed URL), `deleteVpsBackup`, `postVpsRestore`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** `{ text: \"Action has been sent to the server. Please allow up to 2 minutes for action to be completed.\", queueId: }` — `queueId` is the row id in `queue_log`/`history_log` and can be used to track action status.\n\n**Backup limits (per platform):**\n- KVM / KVM Storage: backups **enabled**.\n- HyperV, OpenVZ, SSD-OpenVZ, Virtuozzo, SSD-Virtuozzo: **disabled** server-side (returns 400 \"Backups are disabled for this type\").\n- Max 4 backups per VPS for non-admin callers. If at the cap, returns \"Currently 4 backups per VPS max\" — delete an old one first via `deleteVpsBackup`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- `409 VPS is not active` — `vps_status != \"active\"`.\n- `400 Backups are disabled for this type` — incompatible platform.\n- `400 Currently 4 backups per VPS max` — at cap.\n\n**Related calls:**\n- **List existing:** `getVpsBackups`.\n- **Download:** `downloadVpsBackup` (PATCH; returns 24-hr pre-signed URL for MinIO backups; Swift/ZFS disabled).\n- **Delete:** `deleteVpsBackup` (DELETE; Swift/MinIO only).\n- **Restore from a backup:** `postVpsRestore`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/backups": { "get": { "tags": [ "VPS" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/VpsBackupRows" } } }, "description": "The listing of the available backups" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsBackups", "summary": "List existing backups for the VPS across Swift, MinIO, and ZFS", "description": "Enumerates the backup files available for the VPS across all backend storage systems (OpenStack Swift, MinIO/S3, and ZFS snapshots). Each entry's `name` is the canonical identifier the caller must pass to sibling endpoints (`downloadVpsBackup`, `deleteVpsBackup`, `postVpsRestore`) — there is no separate integer id. The list is filtered to the VPS's owner by default; admins can list all backups on the account by passing `all=1`. Sibling ops: `getVpsBackup` (create new), `downloadVpsBackup`, `deleteVpsBackup`, `postVpsRestore`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Query params:**\n- `all` (string, optional, enum `0`/`1`, default `0`) — set to `1` to list every backup across all services on the account, not just the ones for `{id}`.\n\n**Returns:** `VpsBackupRows` — array of objects:\n- `name` (string) — canonical identifier, e.g. `vps-12345-2026-05-12.tar.gz`.\n- `type` (string enum) — `swift` / `minio` / `zfs`. Determines which operations are available (see Sibling notes).\n- `service` (integer) — VPS id the backup belongs to.\n- `path` (string) — storage path/URL.\n- `size` (integer) — bytes.\n- `repoIdx` (integer) — repository index (0 or 1 for Swift; selects which credentials/bucket).\n- `extra` (array, optional) — multi-part backup pieces.\n\n**Auth:** Session/API key. Ownership enforced via `vps_custid` on the parent VPS.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n\n**Capability matrix by backup type:**\n- `swift`: list ✓, download ✗ (disabled — contact support), delete ✓.\n- `minio`: list ✓, download ✓ (24-hr pre-signed URL via `downloadVpsBackup`), delete ✓.\n- `zfs`: list ✓, download ✗ (disabled), delete ✗ (open a ticket).\n\n**Related calls:**\n- **Create new:** `getVpsBackup`.\n- **Download:** `downloadVpsBackup` (PATCH).\n- **Delete:** `deleteVpsBackup` (DELETE).\n- **Restore:** `postVpsRestore` — pass `backup` as `::`.\n" }, "delete": { "tags": [ "VPS" ], "parameters": [ { "name": "file", "description": "The backup filename to delete.", "schema": { "type": "string" }, "in": "query", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/SuccessTextResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "deleteVpsBackup", "summary": "Permanently delete a VPS backup file by name (irreversible)", "description": "Removes a backup file from storage to free space. For `minio`-typed backups runs `mc rm --force --recursive` on the path; for `swift`-typed backups removes the storage object via the Swift API. ZFS-typed backups **cannot** be deleted through this endpoint — they return an error directing the caller to open a support ticket. **Irreversible** — once deleted the backup cannot be used with `postVpsRestore` or `downloadVpsBackup`. Sibling ops: `getVpsBackups` (list), `downloadVpsBackup` (download first), `getVpsBackup` (create new).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Query params:**\n- `file` (string, required) — exact `name` from `getVpsBackups` (the canonical backup identifier).\n\n**Returns:** `SuccessTextResponse` — `Backup removed.` on success.\n\n**Side effects:**\n- **minio**: `mc rm --force --recursive` removes the entire backup directory.\n- **swift**: deletes the listed object(s) plus any multi-part `extra` segments.\n\n**Auth:** Session/API key. Ownership enforced via parent VPS.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- `No file specified` — `file` query param missing.\n- **ZFS backup:** `This type of backup if not removable. Please contact support if you need this removed.`\n- **MinIO rm failure:** `Error removing file `.\n\n**Related calls:**\n- **List first to get `name`:** `getVpsBackups`.\n- **Download before deleting:** `downloadVpsBackup` (MinIO only; Swift/ZFS disabled).\n- **Restore (don't delete):** `postVpsRestore`.\n" }, "patch": { "requestBody": { "content": { "application/json": { "schema": { "required": [ "file" ], "type": "object", "properties": { "file": { "description": "The backup filename to download.", "type": "string" } } } }, "multipart/form-data": { "schema": { "required": [ "file" ], "type": "object", "properties": { "file": { "description": "The backup filename to download.", "type": "string" } } } } }, "required": true }, "tags": [ "VPS" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "object", "properties": { "text": { "type": "string" }, "url": { "description": "A pre-signed download URL valid for 24 hours.", "type": "string" } } } } }, "description": "Download URL for the backup file." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "downloadVpsBackup", "summary": "Issue a 24-hour pre-signed URL to download a MinIO-backed VPS backup", "description": "Generates a time-limited download link for a MinIO/S3-backed VPS backup so the customer can fetch it off-platform. Runs `mc share download --expire=24h` against the resolved backup path and returns the resulting public URL — valid for 24 hours from issue. Only `minio`-typed backups are downloadable; `swift` and `zfs` backups have direct download disabled (returns an error directing the customer to support). Sibling ops: `getVpsBackups` (list to find `name`), `postVpsRestore` (restore in place — no download needed), `deleteVpsBackup`, `getVpsBackup` (create new).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body (JSON or multipart, required):**\n- `file` (string, required) — exact `name` from `getVpsBackups`.\n\n**Returns:**\n- `text` (string) — `URL available for the next 24 hours`.\n- `url` (string) — pre-signed download URL (HTTPS).\n\n**Auth:** Session/API key. Ownership enforced via parent VPS.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- `No file specified` — `file` body field missing.\n- **Swift backup:** `Downloads for this type have been disabled. Please contact support if you need this backup.`\n- **ZFS backup:** same disabled message.\n- **MinIO share failure:** `Error sharing file `.\n\n**Related calls:**\n- **Prerequisite:** `getVpsBackups` (find a backup with `type == \"minio\"`).\n- **Alternative:** `postVpsRestore` (restore in place — no download).\n- **Cleanup after download:** `deleteVpsBackup`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true }, { "name": "all", "description": "Set to `1` to list all backups across all services, not just the ones for the given VPS.", "schema": { "enum": [ "0", "1" ], "type": "string" }, "in": "query" } ] }, "/vps/{id}/block_smtp": { "get": { "tags": [ "VPS" ], "parameters": [ { "name": "id", "description": "VPS ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doVpsBlockSmtp", "summary": "Block outbound SMTP (port 25) on the VPS to prevent spam/abuse", "description": "Blocks outbound SMTP (port 25) traffic on the VPS at the hypervisor level — typical for cPanel/WHM customers who route through a smart relay, or for VPS that should never emit mail directly. Queues a `block_smtp` action on the `vpsqueue` and triggers a VNC re-setup. Despite being GET, this is a side-effecting action and the MCP parser flags it accordingly. **One-way from the client side:** there is no public unblock endpoint — re-enabling outbound SMTP requires a support ticket so abuse history can be reviewed. Sibling ops: `getVpsInfo` (verify state), `doVpsRestart`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** `{ text, queueId }` — `queueId` references the `queue_log` row; allow up to 2 minutes for the iptables/firewall rule to take effect.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- `409 VPS is not active` — `vps_status != \"active\"`.\n\n**Reversibility:** Not client-reversible — open a ticket.\n\n**Related calls:**\n- **Verify state:** `getVpsInfo`.\n- **General lifecycle:** `doVpsStart`, `doVpsStop`, `doVpsRestart`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/buy_hd_space": { "get": { "tags": [ "VPS" ], "responses": { "200": { "description": "Get VPS Buy HD Space information" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsBuyHdSpace", "summary": "Get current additional disk size and per-GB monthly cost for the VPS", "description": "Step 1 of the disk-space addon flow. Returns the current \"Additional N GB Space\" already purchased for the VPS (0 if none) and the per-GB monthly cost in USD — both adjusted for the customer's reseller pricing tier via `get_reseller_price`. Read-only. Use this to populate a disk-upgrade form before calling `putVpsBuyHdSpace` (preview) and `postVpsBuyHdSpace` (commit). For whole-plan upgrades (CPU+RAM+disk together) use the slices flow instead (`getVpsSlices` / `postVpsSlices`). Sibling ops: `putVpsBuyHdSpace`, `postVpsBuyHdSpace`, `postVpsSlices`, `getVpsInfo`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:**\n- `gbCost` (float) — per-GB monthly cost in USD (after reseller discount).\n- `size` (integer) — current additional GB already purchased (0 if none).\n\n**Auth:** Session/API key. Ownership enforced via parent VPS.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- **Pre-condition:** an existing `Additional N GB Space for VPS {id}` repeat-invoice is required for the lookup to find a baseline; if it isn't parseable, the endpoint returns an error asking the customer to contact support. New installs always start at `size: 0`.\n\n**Related calls:**\n- **Next (preview):** `putVpsBuyHdSpace` — returns prorated `diffCost` for a target size.\n- **Next (commit):** `postVpsBuyHdSpace` — creates/updates the addon repeat invoice.\n- **Alternative path (whole plan):** `getVpsSlices` → `postVpsSlices`.\n" }, "put": { "tags": [ "VPS" ], "responses": { "200": { "description": "Pricing preview for the requested HD space size." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "putVpsBuyHdSpace", "summary": "Preview cost to set additional VPS disk to a target GB size — dry run", "description": "Step 2 of the disk-space addon flow. Dry-run that quotes a new \"Additional N GB Space\" addon at the target size, prorated to the VPS's existing billing cycle. **No invoice is created and no charge happens.** Use to show the customer the immediate prorated `diffCost` and the new recurring `cost` before they commit via `postVpsBuyHdSpace`. Sibling ops: `getVpsBuyHdSpace`, `postVpsBuyHdSpace`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body fields:**\n- `size` (integer, required) — target additional GB. Range `1 ≤ size ≤ 100`; rejected with \"Invalid Size Specified\" otherwise. Rejected with \"No Change Made, Size The Same\" if it equals current.\n\n**Returns:**\n- `gbCost` (float) — per-GB monthly cost in USD.\n- `curSize` (integer) — currently purchased additional GB.\n- `newSize` (integer) — requested target size.\n- `cost` (float) — new recurring cost (size × gbCost × frequency).\n- `diffCost` (float) — prorated immediate charge for the partial cycle plus the remainder of the period (when frequency > 1).\n- `frequency` (integer) — billing cycle in months (e.g. 1, 6, 12).\n\n**Side effects:** None — pure read.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- `Invalid Size Specified` — `size` out of `1..100`.\n- `No Change Made, Size The Same` — `size == curSize`.\n\n**Related calls:**\n- **Prerequisite:** `getVpsBuyHdSpace` (read current state).\n- **Next:** `postVpsBuyHdSpace` (commit; creates invoice when diffCost > 0, queues immediate update otherwise).\n" }, "post": { "tags": [ "VPS" ], "responses": { "200": { "description": "Post Buy HD Space for VPS response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postVpsBuyHdSpace", "summary": "Buy or resize the VPS additional-disk addon and create a prorated invoice", "description": "Step 3 of the disk-space addon flow — commit. Creates or updates the `Additional N GB Space for VPS {id}` `repeat_invoices` row with the new size and recurring cost, then generates a one-off prorated `invoices` row for the immediate difference. The hypervisor disk-grow action is queued either immediately (`update_hdsize` in `vpsqueue`) when no charge is owed, or after the invoice is paid. When increasing from an existing size, any unpaid prior addon invoice is deleted and any already-paid one is credited against `diffCost`. **Real money** — call `putVpsBuyHdSpace` first to preview. Sibling ops: `getVpsBuyHdSpace`, `putVpsBuyHdSpace`, `postVpsSlices`, `initiatePayment`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body fields:**\n- `size` (integer, required) — target additional GB. Range `1..100`. Must differ from current.\n\n**Returns:**\n- When immediate charge owed: `{ text: \"Invoice Created, Please Pay This To Activate Extra Space\", invoice: }` — pass `invoice` to `initiatePayment`.\n- When no charge owed (downgrade/credit): `{ text: \"Repeat Invoice Updated, Server Size Update Queued\" }` — disk grow already queued.\n\n**Side effects:**\n- Inserts or updates `repeat_invoices` row for the addon.\n- Inserts `invoices` row for `diffCost` when > 0.\n- Deletes any unpaid prior addon invoices for the same VPS within the last month.\n- Credits any paid prior invoice against `diffCost`.\n- Queues `update_hdsize` in `vpsqueue` when no payment is owed.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- `Invalid Size Specified` — `size` out of `1..100`.\n- `No Change Made, Size The Same`.\n- **Pre-condition:** an existing addon row is required. If not found, the request short-circuits (`go()` returns without acting); use the order flow for the very first addon, or `postVpsSlices` for whole-plan upgrades.\n\n**Related calls:**\n- **Preview first:** `putVpsBuyHdSpace`.\n- **Pay the invoice:** `initiatePayment` (`GET /billing/pay/{method}/{invoices}`).\n- **Whole-plan upgrades:** `postVpsSlices` (bundles disk + RAM + CPU).\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/buy_ip": { "get": { "tags": [ "VPS" ], "responses": { "200": { "description": "VPS Buy IP information" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsBuyIp", "summary": "Read current additional IPs, cap, and per-IP monthly cost for the VPS", "description": "Step 1 of the additional-IP addon flow. Returns the list of extra IPs already on the VPS (each with a `cancel_link` for removing that specific addon), how many more are allowed (`maxIps` = `VPS_MAX_IPS` constant), and the per-IP monthly cost converted to the VPS's billing currency. Read-only. Use to render the \"buy another IP\" form and to enforce the cap before calling `postVpsBuyIp`. Sibling ops: `postVpsBuyIp` (purchase one more), `postVpsReverseDns` (set PTR on the new IP), `getVpsReverseDns`, `getVpsInfo`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:**\n- `ipsDetails` (array) — one entry per existing extra IP. Each entry includes:\n - `ip` (string) — the IPv4 address (parsed from the repeat-invoice description).\n - `cancel_link` (string) — relative URL `cancel_addon?module=vps&r=` to cancel that specific IP addon.\n - The underlying `repeat_invoices` / `invoices` columns (description, amount, dates, etc.).\n- `ipCount` (integer) — current count of extra IPs already purchased.\n- `maxIps` (integer) — hard cap (`VPS_MAX_IPS`).\n- `ipCost` (float) — per-IP monthly cost, converted from `VPS_IP_COST` to the VPS's billing currency.\n- `currency` (string) — VPS billing currency code (ISO 4217, e.g. `USD`).\n- `currencySymbol` (string).\n\n**Auth:** Session/API key. Ownership enforced via parent VPS.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n\n**Related calls:**\n- **Next (buy one more):** `postVpsBuyIp` — auto-allocates the next free IP on the same hypervisor.\n- **After activation:** `postVpsReverseDns` (set PTR for the new IP), `getVpsInfo` (verify allocation).\n- **Cancel an existing extra IP:** follow the `cancel_link` URL (renders the cancel-addon page).\n" }, "post": { "tags": [ "VPS" ], "responses": { "200": { "description": "Submit VPS Buy IP form response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postVpsBuyIp", "summary": "Purchase one additional IP for the VPS and create the invoice", "description": "Step 2 of the additional-IP addon flow — commit. Auto-selects the next free IP on the same hypervisor via `vps_get_next_ip`, creates a `Additional IP for VPS {id}` recurring invoice (`repeat_invoices`), and generates an immediate one-off `invoices` row at the current IP cost. **Real money.** The network-side IP allocation happens once the invoice is paid; the IP is bound to the VPS during the next provisioning sweep. Sibling ops: `getVpsBuyIp` (preview), `initiatePayment`, `getVpsInfo` (verify), `postVpsReverseDns` (set PTR after activation).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None — the next free IP is auto-selected.\n\n**Returns:**\n- `text` (string) — `Ordered Additional IP successfully.`\n- `invoice` (integer) — new invoice id to pay via `initiatePayment`.\n\n**Side effects:**\n- Reserves the next free IP on the VPS's `vps_server` (parked until payment).\n- Inserts `repeat_invoices` row (`Additional IP for VPS {id}`, recurring at `ipCost`, frequency from parent service).\n- Inserts `invoices` row for the immediate one-period charge.\n- Logs the addon creation in `myadmin_log`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- `VPS already has the maximum number of IPs allowed. If you require additional IPs please contact support.` — `ipCount >= maxIps` (`VPS_MAX_IPS`).\n- `No available free ips on this server. Please contact support to order additional ips.` — `vps_get_next_ip` returned false.\n\n**Related calls:**\n- **Prerequisite:** `getVpsBuyIp` (capacity check + preview).\n- **Next:** `initiatePayment` with the returned `invoice` id, then `getVpsInfo` to confirm allocation.\n- **Post-activation:** `postVpsReverseDns` to set the PTR for the new IP.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/change_hostname": { "get": { "tags": [ "VPS" ], "responses": { "200": { "description": "Current hostname information for the VPS." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsChangeHostname", "summary": "Read the VPS's current hostname before changing it", "description": "Step 1 of the hostname-change flow. Returns the hostname currently stored on the `vps` row so the customer can confirm the existing value before submitting a new one. Read-only. **Platform restriction:** hostname changes through `postVpsChangeHostname` are only supported on OpenVZ/SSD-OpenVZ/Virtuozzo/SSD-Virtuozzo; KVM and HyperV require a support ticket — so for those platforms this endpoint is informational only. Sibling ops: `postVpsChangeHostname` (apply new value), `postVpsReverseDns` (PTR for primary IP — auto-updated by `postVpsChangeHostname`).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** Current hostname (object form: `{ hostname: \"\" }`).\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- `409 VPS is not active` — `vps_status != \"active\"`.\n\n**Related calls:**\n- **Next:** `postVpsChangeHostname` (OpenVZ/Virtuozzo only; auto-updates PTR for the primary IP).\n- **PTR for extra IPs:** `postVpsReverseDns`.\n- **Verify after change:** `getVpsInfo`.\n" }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/HostnameObject" } }, "application/json": { "schema": { "$ref": "#/components/schemas/HostnameObject" } } }, "required": true }, "tags": [ "VPS" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postVpsChangeHostname", "summary": "Rename the VPS hostname (OpenVZ/Virtuozzo only) and auto-set PTR for the primary IP", "description": "Renames the VPS — validates the FQDN with `valid_hostname()`, sets the reverse-DNS PTR record for the primary IP (`reverse_dns($vps_ip, $hostname)`), and either updates the `vps_hostname` column directly (if the VPS is still `pending`) or queues a `change_hostname` action on the hypervisor (`vpsqueue`) for active services. **Platform restriction:** rejected unless the VPS runs on OpenVZ, SSD-OpenVZ, Virtuozzo, or SSD-Virtuozzo — KVM/HyperV must open a support ticket. Sibling ops: `getVpsChangeHostname`, `postVpsReverseDns`, `getVpsInfo`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body fields:**\n- `hostname` (string, required) — new FQDN (e.g. `web1.example.com`). Validated by `valid_hostname()`.\n\n**Returns:**\n- For active services: `{ text, queueId }` — `queueId` references the `queue_log` row. Allow ~2 minutes.\n- For pending services: `{ text: \"Hostname Updated\" }` — applied in place.\n\n**Side effects:**\n- Sets PTR record for `vps_ip` via `reverse_dns()`.\n- Either updates `vps_hostname` directly (pending) or queues `change_hostname` (active) plus logs `change_hostname` history entry with the `old to new` transition.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n- `Invalid Hostname` — fails `valid_hostname()`.\n- `No change in hostname` — value matches current.\n- `Hostname changing is only enabled on OpenVZ/Virtuozzo Platforms currently. Contact support and we can change it for you.` — wrong platform.\n\n**Related calls:**\n- **Prerequisite:** `getVpsChangeHostname` (read current).\n- **Extra IPs need separate PTR updates:** `postVpsReverseDns`.\n- **Verify:** `getVpsInfo` (look for updated `vps_hostname`).\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/change_root_password": { "get": { "tags": [ "VPS" ], "responses": { "200": { "description": "Password requirements and current state." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsChangeRootPassword", "summary": "Pre-flight check before changing the VPS root password", "description": "Step 1 of the root-password change flow. Validates ownership and active status; the response is a placeholder/policy object the dashboard uses to render the form (current implementation does not yet return a populated policy — it short-circuits after the ownership/status checks). Read-only. Use to confirm the VPS exists and is active before calling `postVpsChangeRootPassword`. For a server-generated random password instead, use `postVpsResetPassword`. Sibling ops: `postVpsChangeRootPassword`, `postVpsResetPassword`, `postVpsChangeWebuzoPassword` (Webuzo control panel).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** Object with password requirements/state. Currently a no-op pre-check; reserved for future policy fields (min length, complexity rules, last-change timestamp).\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed` — `id` not owned by caller.\n- `409 VPS is not active` — `vps_status != \"active\"`.\n\n**Related calls:**\n- **Next (specific password):** `postVpsChangeRootPassword`.\n- **Random password:** `postVpsResetPassword`.\n- **Webuzo control panel password:** `postVpsChangeWebuzoPassword` (separate credential).\n" }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/PasswordRequest" } }, "application/json": { "schema": { "$ref": "#/components/schemas/PasswordRequest" } } }, "required": true }, "tags": [ "VPS" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postVpsChangeRootPassword", "summary": "Set a specific new root/Administrator password on the VPS", "description": "Sets a specific root password (Administrator on Windows) chosen by the customer. Queues a `change_root` action on the hypervisor (`vpsqueue`) and records the new password in `history_log` as a `change_root_password` entry for operator reference. The password takes effect within ~2 minutes. **Caveat:** there is no rollback — to \"undo\", set another new password. For a server-generated random password instead, use `postVpsResetPassword`. Sibling ops: `getVpsChangeRootPassword`, `postVpsResetPassword`, `postVpsChangeWebuzoPassword`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body fields:**\n- `password` (string, required) — new root/Administrator password. The endpoint does not enforce a regex here (the hypervisor agent applies platform policy), but `validate_buy_vps`-style strength is strongly recommended: 8+ chars, upper, lower, digit, special.\n\n**Returns:** `{ text, queueId }` — `queueId` tracks the action in `queue_log`.\n\n**Side effects:**\n- Inserts `vpsqueue` `change_root` row.\n- Inserts `history_log` `change_root_password` audit entry storing the new password (operator-readable for support).\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n- `400 Missing field \"password\"`.\n\n**Related calls:**\n- **Pre-flight:** `getVpsChangeRootPassword`.\n- **Random instead:** `postVpsResetPassword`.\n- **Control panel password:** `postVpsChangeWebuzoPassword`.\n- **Verify:** `getVpsInfo` (no field change — verification is operational, not via API).\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/change_timezone": { "get": { "tags": [ "VPS" ], "responses": { "200": { "content": { "application/json": { "schema": { "type": "array", "items": { "type": "string" } }, "examples": { "TimeZones": { "value": [ "America/New_York", "America/Nome", "America/Noronha", "America/North_Dakota/Beulah", "America/North_Dakota/Center" ] } } } }, "description": "VPS Change Timezone info response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsChangeTimezone", "summary": "List IANA timezones supported by the VPS guest OS", "description": "Step 1 of the timezone-change flow. Returns the list of IANA timezone identifiers the VPS accepts (e.g. `America/New_York`, `Europe/London`, `Asia/Tokyo`) — sourced from `/usr/share/zoneinfo/zone.tab` on the MyAdmin host. Use to populate a timezone picker before calling `postVpsChangeTimezone`. Read-only. Sibling op: `postVpsChangeTimezone`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** Array of strings — IANA timezone identifiers, sorted alphabetically.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n\n**Related calls:**\n- **Next:** `postVpsChangeTimezone` (must pass a value present in this array).\n- **Account-level timezone:** `updateAccountInfo` (sets the default for new VPS).\n" }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/TimezoneUpdate" } }, "application/json": { "schema": { "$ref": "#/components/schemas/TimezoneUpdate" } } }, "required": true }, "tags": [ "VPS" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postVpsChangeTimezone", "summary": "Set the system timezone on the VPS guest OS", "description": "Step 2 of the timezone-change flow — commit. Validates `timezone` against the list from `getVpsChangeTimezone`, then queues a `change_timezone` action on the hypervisor (`vpsqueue`). Action takes effect within ~2 minutes. Sibling op: `getVpsChangeTimezone`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body fields:**\n- `timezone` (string, required) — IANA identifier; **must** be one of the values returned by `getVpsChangeTimezone` (in-array check enforced server-side).\n\n**Returns:** `{ text, queueId }`.\n\n**Side effects:**\n- Inserts `vpsqueue` `change_timezone` row with the validated value.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n- `422 Invalid timezone` — value not in the supported list.\n\n**Related calls:**\n- **Prerequisite:** `getVpsChangeTimezone` (the only valid source for `timezone` values).\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/change_webuzo_password": { "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/PasswordRequest" } }, "application/json": { "schema": { "$ref": "#/components/schemas/PasswordRequest" } } }, "required": true }, "tags": [ "VPS" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postVpsChangeWebuzoPassword", "summary": "Rotate the Webuzo control panel admin password (re-auth required)", "description": "Rotates the admin password on the Webuzo control panel that ships pre-installed on certain VPS templates. Re-authenticates the caller via their MyAdmin account password (`account_passwd` md5 check), then calls the Webuzo SDK (`Webuzo_API::change_password`) to apply the new password, updates the stored credential in `history_log`, and emails the customer a confirmation via the `client/client_email.tpl` template. Used for the control panel only — for the underlying OS root/Administrator password use `postVpsChangeRootPassword`/`postVpsResetPassword`. Sibling ops: `postVpsChangeRootPassword`, `postVpsResetPassword`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body fields (both required):**\n- `password` (string, required) — new Webuzo admin password. Validated by `valid_password()`.\n- `login_password` (string, required) — the customer's current MyAdmin account password (re-auth check; md5-compared to `accounts.account_passwd`).\n\n**Returns:** `{ text }` — `Password updated successfully!`\n\n**Side effects:**\n- Calls Webuzo API to apply new password.\n- Updates the `Webuzo Details` row in `history_log` with the new value.\n- Sends a confirmation email to the account's billing email.\n- Logs the rotation in `myadmin_log`.\n\n**Auth:** Session/API key plus re-auth via `login_password`.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n- `Missing Password` / `Missing Login Password` — body field absent.\n- `Login Password is incorrect!` — `login_password` doesn't match stored hash.\n- `New Password is not valid` — fails `valid_password()`.\n- `Missing Existing Webuzo Password Details.` — no Webuzo credential in `history_log` (contact support).\n- `Unable to update password. Please contact support team for further assistance.` — Webuzo API call failed.\n\n**Related calls:**\n- **OS root password instead:** `postVpsChangeRootPassword`, `postVpsResetPassword`.\n- **Account password rotation:** `updateAccountPassword`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/disable_cd": { "get": { "tags": [ "VPS" ], "parameters": [ { "name": "id", "description": "VPS ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doVpsDisableCd", "summary": "Remove the virtual CD/DVD device entirely from the VPS configuration", "description": "Removes the virtual CD/DVD device from the VPS hardware configuration entirely — distinct from `doVpsEjectCd`, which only unmounts the ISO but leaves the drive attached. Queues a `disable_cd` action on the hypervisor (`vpsqueue`) and triggers a VNC re-setup. Side-effecting GET. Reversible by attaching a new CD via `postVpsInsertCd`. Sibling ops: `doVpsEjectCd` (eject ISO but keep drive), `getVpsInsertCd` (list ISOs), `postVpsInsertCd` (mount ISO).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** `{ text, queueId }` — allow ~2 minutes for hypervisor action.\n\n**Side effects:**\n- Inserts `vpsqueue` `disable_cd` row.\n- Calls `vps_resetup_vnc()` to refresh the VNC config.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n\n**Related calls:**\n- **Re-attach drive:** `postVpsInsertCd` (provide ISO URL).\n- **Just unmount the ISO:** `doVpsEjectCd`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/disable_quota": { "get": { "tags": [ "VPS" ], "parameters": [ { "name": "id", "description": "VPS ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doVpsDisableQuota", "summary": "Disable per-user disk quota enforcement inside the VPS guest OS", "description": "Stops enforcing per-user disk quotas inside the VPS guest OS — useful when an application or user workflow conflicts with quota limits. Queues a `disable_quota` action on the hypervisor (`vpsqueue`) and triggers a VNC re-setup. Side-effecting GET. Reversible via `doVpsEnableQuota`. Sibling op: `doVpsEnableQuota`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** `{ text, queueId }` — allow ~2 minutes.\n\n**Side effects:**\n- Inserts `vpsqueue` `disable_quota` row.\n- Calls `vps_resetup_vnc()`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n\n**Related calls:**\n- **Re-enable:** `doVpsEnableQuota`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/eject_cd": { "get": { "tags": [ "VPS" ], "parameters": [ { "name": "id", "description": "VPS ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doVpsEjectCd", "summary": "Eject the mounted ISO from the VPS virtual CD drive (keep the drive)", "description": "Unmounts whatever ISO is currently in the VPS virtual CD drive, leaving the drive attached so another ISO can be mounted. Distinct from `doVpsDisableCd` (which removes the drive itself). Queues an `eject_cd` action on the hypervisor (`vpsqueue`) and triggers a VNC re-setup. Side-effecting GET. Sibling ops: `getVpsInsertCd` (list available ISOs), `postVpsInsertCd` (mount a different one), `doVpsDisableCd` (remove drive entirely).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** `{ text, queueId }` — allow ~2 minutes.\n\n**Side effects:**\n- Inserts `vpsqueue` `eject_cd` row.\n- Calls `vps_resetup_vnc()`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n\n**Related calls:**\n- **Mount a different ISO:** `postVpsInsertCd`.\n- **Remove the drive entirely:** `doVpsDisableCd`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/enable_quota": { "get": { "tags": [ "VPS" ], "parameters": [ { "name": "id", "description": "VPS ID number.", "schema": { "type": "integer" }, "in": "path", "required": true } ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "doVpsEnableQuota", "summary": "Enable per-user disk quota enforcement inside the VPS guest OS", "description": "Turns on per-user disk-quota enforcement inside the VPS guest OS. Queues an `enable_quota` action on the hypervisor (`vpsqueue`) and triggers a VNC re-setup. Side-effecting GET. Reversible via `doVpsDisableQuota`. Sibling op: `doVpsDisableQuota`.\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** `{ text, queueId }` — allow ~2 minutes.\n\n**Side effects:**\n- Inserts `vpsqueue` `enable_quota` row.\n- Calls `vps_resetup_vnc()`.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n\n**Related calls:**\n- **Disable later:** `doVpsDisableQuota`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/insert_cd": { "get": { "tags": [ "VPS" ], "responses": { "200": { "description": "Available CD/ISO images for the VPS." }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsInsertCd", "summary": "List ISO templates that can be mounted in the VPS virtual CD drive", "description": "Step 1 of the CD-mount flow. Returns the catalog of ISO images the customer can mount in the VPS virtual CD drive — typically rescue ISOs, OS installers, or recovery media. Read-only. Use to populate a CD/ISO picker before calling `postVpsInsertCd` with a chosen URL. Sibling ops: `postVpsInsertCd` (mount), `doVpsEjectCd` (unmount), `doVpsDisableCd` (remove drive), `doVpsRestart` (boot from mounted CD).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** Object with available ISO templates (current implementation returns the platform's CD options).\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n\n**Related calls:**\n- **Next:** `postVpsInsertCd` (provide `url` for the ISO to mount).\n- **Boot from CD:** `doVpsRestart` after mounting.\n" }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/UrlRequest" } }, "application/json": { "schema": { "$ref": "#/components/schemas/UrlRequest" } } }, "required": true }, "tags": [ "VPS" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postVpsInsertCd", "summary": "Mount an ISO image in the VPS virtual CD drive from a URL", "description": "Mounts an ISO image in the VPS virtual CD drive from the supplied URL — used to boot into rescue media, run an OS installer, or temporarily attach removable media. Queues an `insert_cd` action on the hypervisor (`vpsqueue`) with the URL. After mounting, restart the VPS with `doVpsRestart` to boot from the CD. Sibling ops: `getVpsInsertCd` (list), `doVpsEjectCd` (unmount), `doVpsDisableCd` (remove drive), `doVpsRestart` (boot from CD).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body fields:**\n- `url` (string, required) — http(s):// URL to a `.iso` file accessible from the hypervisor.\n\n**Returns:** `{ text, queueId }` — allow ~2 minutes.\n\n**Side effects:**\n- Inserts `vpsqueue` `insert_cd` row with the URL.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n\n**Related calls:**\n- **List options first:** `getVpsInsertCd`.\n- **Boot the ISO:** `doVpsRestart`.\n- **Unmount when done:** `doVpsEjectCd`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/invoices": { "get": { "tags": [ "VPS" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/ChargeInvoiceRows" } } }, "description": "Get VPS Invoices response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsInvoices", "summary": "List all billing invoices associated with this specific VPS", "description": "Returns the billing history for one VPS — initial purchase invoice, monthly/period renewal invoices, addon invoices (extra IPs, additional disk space), and any prorated upgrade invoices for slice changes. Read-only. Backed by `Billing\\InvoicesList::go()`. Use to render a per-VPS billing-history view, to find an unpaid invoice id to pass to `initiatePayment`, or to confirm a recent charge. Sibling ops: `getVpsInfo`, `getBillingInvoice` (single invoice detail), `initiatePayment`, `addVps` (creates the first invoice).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** `ChargeInvoiceRows` — array of invoice rows with `id`, `amount`, `paid`, `description`, `date`, `due_date`, `currency`, `module=vps`, `service={id}`, and any addon-specific fields. Order is most-recent-first.\n\n**Auth:** Session/API key. Ownership enforced via parent VPS.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid Service Passed` — `id` not owned by caller.\n\n**Related calls:**\n- **Single invoice detail:** `getBillingInvoice`.\n- **Pay an unpaid invoice:** `initiatePayment` (`GET /billing/pay/{method}/{invoices}`).\n- **All invoices across account:** `getBillingInvoices`.\n" }, "parameters": [ { "name": "id", "description": "VPS ID number", "schema": { "type": "integer" }, "in": "path", "required": true } ] }, "/vps/{id}/reinstall_os": { "get": { "tags": [ "VPS" ], "responses": { "200": { "content": { "application/json": { "schema": { "$ref": "#/components/schemas/VpsTemplatesList" } } }, "description": "VPS Reinstall OS info response" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "getVpsReinstallOs", "summary": "List OS templates compatible with this VPS's hypervisor for reinstall", "description": "Step 1 of the OS-reinstall flow. Returns the list of OS templates that can be installed on this specific VPS — filtered server-side by the VPS's backing hypervisor type (KVM, HyperV, OpenVZ, Virtuozzo) and by `template_available=1` (non-admin callers only see published templates). Use to populate the reinstall picker; the `template_file` from a chosen row is what `postVpsReinstallOs` accepts. **Reinstall destroys all data** — recommend a backup via `getVpsBackup` first. Sibling ops: `postVpsReinstallOs` (commit reinstall), `getVpsBackup` (snapshot first), `postVpsRestore` (restore from backup instead).\n\n**Path param:**\n- `id` (integer, required) — VPS id from `getVpsList.vps_id`.\n\n**Body:** None.\n\n**Returns:** `VpsTemplatesList`:\n- `templates` (array) — one entry per available template:\n - `template_id` (integer)\n - `template_name` (string) — display name (e.g. `CentOS 7`).\n - `template_version` (string) — version (e.g. `7`).\n - `template_file` (string) — **canonical identifier** to pass to `postVpsReinstallOs` (e.g. `centos-7-x86_64.qcow2`).\n - `template_os` (string) — OS family tag.\n - `template_type` (integer) — internal hypervisor type id.\n - `template_available` (integer) — `1` for non-admin visible templates.\n\n**Auth:** Session/API key. Ownership enforced.\n\n**Errors:**\n- `401` — unauthenticated.\n- `404 Invalid VPS Passed`.\n- `409 VPS is not active`.\n\n**Related calls:**\n- **Snapshot before reinstall:** `getVpsBackup`.\n- **Commit reinstall:** `postVpsReinstallOs` (pass `template_file` + MyAdmin login password).\n- **Alternative — restore old backup:** `postVpsRestore`.\n" }, "post": { "requestBody": { "content": { "multipart/form-data": { "schema": { "$ref": "#/components/schemas/TemplateRequest" } }, "application/json": { "schema": { "$ref": "#/components/schemas/TemplateRequest" } } }, "required": true }, "tags": [ "VPS" ], "responses": { "200": { "$ref": "#/components/responses/QueueResponse" }, "401": { "$ref": "#/components/responses/Unauthorized" } }, "operationId": "postVpsReinstallOs", "summary": "Reinstall the VPS OS (DESTRUCTIVE — wipes disk; requires re-auth)", "description": "**DESTRUCTIVE.** Wipes the VPS disk and reinstalls the chosen OS template. Re-authenticates via the customer's MyAdmin account password (`auth->authenticate` against `account_lid`+`localPassword`), updates the `vps` row (`vps_server_status='Reinstalling'`, `vps_os=