Site Admin Console

The endpoints powering the KubeDB Platform site-administration UI: usage analytics, users, organizations, clusters, and authentication-source management. All paths below are relative to /api/v1.

Auth: every endpoint requires a valid token, an organization supplied via the ?org=<slug> query parameter, membership of that organization, and (for most endpoints) a specific :site_admin authorization relation named per endpoint below.

curl -H "Authorization: token $AKP_TOKEN" \
  "https://<akp-host>/api/v1/accounts/admin/users?org=appscode"

All endpoints accept the common query parameter:

NameTypeRequiredDescription
orgstringyesOrganization slug providing org context (resolved from ?org=).

Several list endpoints return raw internal records (models.User, models.Organization, models.ClusterInfo, models.LoginSource, …). In the OpenAPI these are represented generically as untyped JSON objects; the examples below show the salient fields only.


Dashboard & configuration

GET /accounts/admin

Site administration usage-analytics dashboard.

  • Auth: token + ?org= + membership + view_usage_analytics:site_admin.
  • Response: 200 — an untyped JSON object with stats and sysStatus keys.
{
  "stats": { "userCount": 12, "orgCount": 5, "clusterCount": 3 },
  "sysStatus": { "uptime": "5d3h", "goroutines": 210 }
}

Verified: GET returned 200 against appscode on 2026-07-14.

GET /accounts/admin/config

Site administration configuration page. Renders an HTML template rather than a JSON body.

  • Auth: token + ?org= + membership + site-admin.
  • Response: 200text/html.

Verified: GET returned 200 against appscode on 2026-07-14 (HTML page).

POST /accounts/admin/config/test_mail

Send a test email, then redirect to the config page.

  • Auth: token + ?org= + membership + send_test_mails:site_admin.
  • Query parameters:
NameTypeRequiredDescription
emailstringnoDestination address for the test email.
  • Response: 302 — redirect to the config page.

GET /accounts/admin/monitor

Site administration monitor page. Renders an HTML template rather than a JSON body.

  • Auth: token + ?org= + membership + site-admin.
  • Response: 200text/html.

Verified: GET returned 200 against appscode on 2026-07-14 (HTML page).


Users

GET /accounts/admin/users

List all users.

  • Auth: token + ?org= + membership + view_users:site_admin.
  • Response: 200 — an array of raw user records.
[
  {
    "ID": 5,
    "Name": "example-user",
    "FullName": "Example User",
    "Email": "user@example.com",
    "IsActive": true,
    "IsAdmin": false
  }
]

Verified: GET returned 200 against appscode on 2026-07-14.

GET /accounts/admin/users/deleted_accounts

List deactivated user accounts.

  • Auth: token + ?org= + membership + view_deleted_members:site_admin.
  • Response: 200 — an array of raw user records (deactivated).

Verified: GET returned 200 against appscode on 2026-07-14.

POST /accounts/admin/users/deleted_accounts/{id}/reactivate

Reactivate a deactivated user.

  • Auth: token + ?org= + membership + reactivate_members:site_admin.
  • Path parameters:
NameTypeDescription
idint64Numeric user ID.
  • Response: 200 — user reactivated.

POST /accounts/admin/users/new

Create a new user.

  • Auth: token + ?org= + membership + create_users:site_admin.
  • Request body: AdminCreateUserPayload.
{
  "loginType": "local",
  "userName": "example-user",
  "email": "user@example.com",
  "fullName": "Example User",
  "loginName": "example-user",
  "password": "<password>",
  "sendNotify": true,
  "mustChangePassword": true
}
FieldTypeRequiredDescription
loginTypestringyesAuthentication source type (e.g. local).
userNamestringyesThe new user’s username.
emailstringyesPrimary email address.
loginNamestringnoExternal login name.
fullNamestringnoDisplay name.
passwordstringnoInitial password.
sendNotifybooleannoSend a registration notification email.
mustChangePasswordbooleannoForce a password change on first login.
  • Response: 201 — user created.

POST /accounts/admin/users/{userid}

Edit a user.

  • Auth: token + ?org= + membership + update_users:site_admin.
  • Path parameters:
NameTypeDescription
useridint64Numeric user ID.
  • Request body: AdminEditUserPayload.
{
  "loginType": "local",
  "email": "user@example.com",
  "fullName": "Example User",
  "active": true,
  "admin": false,
  "prohibitLogin": false,
  "allowCreateOrganization": true,
  "disableTwoFactor": false
}
FieldTypeRequiredDescription
loginTypestringyesAuthentication source type.
emailstringyesPrimary email address.
loginNamestringnoExternal login name.
fullNamestringnoDisplay name.
passwordstringnoNew password (if changing).
websitestringnoWebsite URL.
locationstringnoLocation.
activebooleannoWhether the account is active.
adminbooleannoGrant platform-admin.
allowGitHookbooleannoAllow git hooks.
allowImportLocalbooleannoAllow importing local repositories.
allowCreateOrganizationbooleannoAllow the user to create organizations.
prohibitLoginbooleannoPrevent the user from signing in.
disableTwoFactorbooleannoDisable the user’s two-factor authentication.
  • Response: 200 — user updated.

POST /accounts/admin/users/{userid}/delete

Deactivate a user.

  • Auth: token + ?org= + membership + delete_users:site_admin.
  • Path parameters:
NameTypeDescription
useridint64Numeric user ID.
  • Response: 200 — user deactivated. Returns 400 with a message if the user still owns organizations.

DELETE /accounts/admin/delete/inactive-users

Purge deactivated users that have been inactive for more than 30 days.

  • Auth: token + ?org= + membership + purge_deactivated_users:site_admin.
  • Response: 200 — inactive users purged.

Organizations

GET /accounts/admin/orgs

List all organizations.

  • Auth: token + ?org= + membership + view_orgs:site_admin.
  • Response: 200 — an array of raw organization records.

Verified: GET returned 200 against appscode on 2026-07-14.

GET /accounts/admin/orgs/orphaned/

List orphaned organizations (organizations with no remaining owner).

  • Auth: token + ?org= + membership.
  • Response: 200 — an array of Organization objects.

Verified: returned 400 (“invalid org id”) against appscode on 2026-07-14 — the handler rejected the request context on this deployment; the route is reachable and authorized.

DELETE /accounts/admin/orgs/orphaned/delete/{id}

Delete an orphaned organization.

  • Auth: token + ?org= + membership + delete:orphaned-org.
  • Path parameters:
NameTypeDescription
idint64Numeric organization ID.
  • Response: 200 — organization deleted.

Clusters

GET /accounts/admin/clusters

List all clusters known to the platform.

  • Auth: token + ?org= + membership.
  • Response: 200 — an array of raw cluster records (models.ClusterInfo).

Verified: GET returned 200 against appscode on 2026-07-14.


Authentication sources

Manage the platform’s login sources (LDAP, PAM, SMTP, OAuth2/OIDC, …).

GET /accounts/admin/auths

List authentication sources.

  • Auth: token + ?org= + membership + site_admin_editor_authn_source.
  • Response: 200 — an array of raw login-source records.

Verified: GET returned 200 against appscode on 2026-07-14.

GET /accounts/admin/auths/auth-types

List the available authentication source types (name/type pairs).

  • Auth: token + ?org= + membership + site_admin_editor_authn_source.
  • Response: 200 — an array of type descriptors.

Verified: GET returned 200 against appscode on 2026-07-14.

POST /accounts/admin/auths/new

Create an authentication source.

  • Auth: token + ?org= + membership + site_admin_editor_authn_source.
  • Request body: AuthenticationPayload (fields vary by source type; the common ones are shown below — LDAP, SMTP, and OAuth2/OIDC fields are all part of the same payload).
{
  "type": 2,
  "name": "corporate-ldap",
  "host": "ldap.example.com",
  "port": 636,
  "bindDN": "cn=admin,dc=example,dc=com",
  "bindPassword": "<password>",
  "userBase": "ou=users,dc=example,dc=com",
  "attributeUsername": "uid",
  "attributeMail": "mail",
  "isActive": true,
  "tls": true,
  "skipVerify": false
}
FieldTypeRequiredDescription
namestringyesDisplay name of the source.
idint64noSource ID (on edit).
typeintegernoNumeric source type (LDAP, SMTP, PAM, OAuth2, …).
hoststringnoServer host (LDAP/SMTP).
portintegernoServer port.
bindDNstringnoLDAP bind DN.
bindPasswordstringnoLDAP bind password.
userBasestringnoLDAP user search base.
userDNstringnoLDAP user DN pattern.
attributeUsernamestringnoLDAP username attribute.
attributeNamestringnoLDAP given-name attribute.
attributeSurnamestringnoLDAP surname attribute.
attributeMailstringnoLDAP email attribute.
attributeSSHPublicKeystringnoLDAP SSH public-key attribute.
attributesInBindbooleannoFetch attributes during bind.
usePagedSearchbooleannoUse LDAP paged search.
searchPageSizeintegernoPaged-search page size.
filterstringnoLDAP user filter.
adminFilterstringnoLDAP admin filter.
isActivebooleannoWhether the source is enabled.
isSyncEnabledbooleannoEnable periodic user sync.
smtpAuthstringnoSMTP auth mechanism.
smtpHoststringnoSMTP host.
smtpPortintegernoSMTP port.
allowedDomainsstringnoComma-separated allowed email domains.
securityProtocolintegernoSecurity protocol (none/StartTLS/LDAPS).
tlsbooleannoUse TLS.
skipVerifybooleannoSkip TLS certificate verification.
pamServiceNamestringnoPAM service name.
oauth2ProviderstringnoOAuth2 provider name.
oauth2KeystringnoOAuth2 client key/ID.
oauth2SecretstringnoOAuth2 client secret.
openIDConnectAutoDiscoveryURLstringnoOIDC auto-discovery URL.
oauth2UseCustomURLbooleannoUse custom OAuth2 URLs.
oauth2TokenURLstringnoCustom token URL.
oauth2AuthURLstringnoCustom authorize URL.
oauth2ProfileURLstringnoCustom profile URL.
oauth2EmailURLstringnoCustom email URL.
  • Response: 201 — authentication source created.

GET /accounts/admin/auths/{authid}

Get a single authentication source.

  • Auth: token + ?org= + membership + site_admin_editor_authn_source.
  • Path parameters:
NameTypeDescription
authidint64Numeric authentication source ID.
  • Response: 200 — a raw login-source record.

Verified: returned 500 against appscode (authid 1) on 2026-07-14 — no login source with that ID exists on this deployment; the route is reachable and authorized.

POST /accounts/admin/auths/{authid}

Edit an authentication source.

  • Auth: token + ?org= + membership + site_admin_editor_authn_source.
  • Path parameters:
NameTypeDescription
authidint64Numeric authentication source ID.
  • Request body: AuthenticationPayload (same fields as create, above).
  • Response: 200 — authentication source updated.

POST /accounts/admin/auths/{authid}/delete

Delete an authentication source.

  • Auth: token + ?org= + membership + site_admin_editor_authn_source.
  • Path parameters:
NameTypeDescription
authidint64Numeric authentication source ID.
  • Response: 200 — authentication source deleted.

External OAuth2 sources

Manage external OAuth2/social-login providers.

GET /accounts/admin/external_oauth

List external OAuth2 authentication sources.

  • Auth: token + ?org= + membership + site_admin_editor_external_authn_source.
  • Response: 200 — an array of raw external OAuth2 application records.

Verified: GET returned 200 against appscode on 2026-07-14.

POST /accounts/admin/external_oauth/new

Create an external OAuth2 authentication source.

  • Auth: token + ?org= + membership + site_admin_editor_external_authn_source.
  • Request body: ExternalOAuth2AppPayload.
{
  "provider": "github",
  "clientID": "<client-id>",
  "clientSecret": "<client-secret>",
  "callbackURL": "https://<akp-host>/user/oauth2/github/callback"
}
FieldTypeRequiredDescription
providerstringnoProvider name (e.g. github, google).
clientIDstringnoOAuth2 client ID.
clientSecretstringnoOAuth2 client secret.
callbackURLstringnoOAuth2 callback/redirect URL.
  • Response: 201 — external OAuth2 source created.

POST /accounts/admin/external_oauth/{provider}

Edit an external OAuth2 authentication source.

  • Auth: token + ?org= + membership + site_admin_editor_external_authn_source.
  • Path parameters:
NameTypeDescription
providerstringProvider name to edit.
  • Request body: ExternalOAuth2AppPayload (same fields as create, above).
  • Response: 200 — external OAuth2 source updated.

POST /accounts/admin/external_oauth/{provider}/delete

Delete an external OAuth2 authentication source.

  • Auth: token + ?org= + membership + site_admin_editor_external_authn_source.
  • Path parameters:
NameTypeDescription
providerstringProvider name to delete.
  • Response: 200 — external OAuth2 source deleted.