Meta & Misc

A collection of small endpoints that don’t fit elsewhere.

Service metadata

GET /api/v1/meta (no auth) describes this deployment’s capabilities:

{
  "data": {
    "version": "v1.2.3",
    "build": "d24e65b",
    "variant": "saas",
    "registration_enabled": false,
    "sso_available": true,
    "features": {
      "knative_eventing": true,
      "bulk_import": true
    }
  }
}

The console uses this on load to decide which routes to render. registration_enabled reflects whether self-service signup is open on this deployment (always true on console.yipyap.run; configurable for self-hosted).

Public org info

GET /api/v1/public/{orgSlug}/maintenance returns upcoming visible maintenance windows for an org. No auth.

Used by status-page embeds; see Maintenance Windows.

SSO / OIDC connection discovery

Method	Path	Description
`GET`	`/api/v1/auth/oidc/connections/{orgSlug}`	Public list of OIDC connections for an org (names + initiation URLs only).
`GET`	`/api/v1/auth/oidc/{connectionID}`	Initiate the OIDC flow.
`GET`	`/api/v1/auth/oidc/callback`	OIDC callback (called by the IdP after login).
`GET`	`/api/v1/auth/oidc/connections`	Authenticated: current user’s SSO options across all orgs they belong to.

See Features → SSO.

Managing SSO connections

Method	Path	Description	Scope
`GET`	`/api/v1/org/oidc-connections`	List connections.	`admin`
`POST`	`/api/v1/org/oidc-connections`	Add a connection (Okta, Google Workspace, Azure AD, Authentik, Keycloak, etc.).	`admin`
`PATCH`	`/api/v1/org/oidc-connections/{id}`	Update.	`admin`
`DELETE`	`/api/v1/org/oidc-connections/{id}`	Remove.	`admin`

Auth endpoints

Session/authentication endpoints are API-key-unreachable; they’re for the console UI only. Documented briefly for completeness:

Method	Path	Purpose
`POST`	`/api/v1/auth/login`	Session login.
`POST`	`/api/v1/auth/logout`	Session logout.
`POST`	`/api/v1/auth/refresh`	Refresh session token.
`POST`	`/api/v1/auth/register`	Self-service signup (when enabled).
`POST`	`/api/v1/auth/verify-email`	Email verification.
`POST`	`/api/v1/auth/forgot-password`	Initiate password reset.
`POST`	`/api/v1/auth/reset-password`	Complete password reset.
`POST`	`/api/v1/auth/mfa/totp/setup` · `/verify` · `DELETE`	TOTP enrollment/verification/disable.
`POST`	`/api/v1/auth/mfa/webauthn/register/begin` · `/finish`	WebAuthn registration.
`GET`, `DELETE`	`/api/v1/auth/mfa/webauthn[/{id}]`	List + delete WebAuthn credentials.
`POST`	`/api/v1/auth/mfa/challenge`	MFA challenge (during login).
`POST`	`/api/v1/auth/mfa/webauthn/begin` · `/finish`	WebAuthn MFA challenge.
`POST`	`/api/v1/auth/passkey/login/begin` · `/finish`	Passkey login.

Billing

Billing endpoints accept session auth only, not API keys. Listed for completeness:

Method	Path	Purpose
`GET`	`/api/v1/billing`	Read current subscription.
`POST`	`/api/v1/billing/checkout`	Create a Stripe Checkout session.
`POST`	`/api/v1/billing/portal`	Create a Stripe Customer Portal session.
`PATCH`	`/api/v1/billing/email`	Update billing email.
`POST` / `DELETE`	`/api/v1/billing/enterprise`	Enterprise subscription management.

Integrations · OpenTelemetry

Method	Path	Description	Scope
`GET`	`/api/v1/integrations/otel`	Read OTel exporter config.	`admin`
`PUT`	`/api/v1/integrations/otel`	Replace config.	`admin`
`DELETE`	`/api/v1/integrations/otel`	Remove.	`admin`
`POST`	`/api/v1/integrations/otel/test`	Send a test trace/metric.	`admin`

See Integrations → OpenTelemetry.

Inbound webhooks

Third-party interactivity callbacks (no client-facing API; documented so you understand the attack surface):

Path	Signer
`/api/v1/webhooks/discord`	Discord signing key.
`/api/v1/webhooks/telegram`	Telegram webhook secret.
`/api/v1/integrations/slack/actions`	Slack signing secret.
`/api/v1/stripe/webhook`	Stripe webhook secret.