API Documentation

Authentication

JWT Authentication

Swiftor uses JWT Bearer tokens for authentication. Public endpoints like profiles and reports are accessible without authentication, but most operations require a valid JWT token. User authentication details retrieved via JWT are cached using Redis for improved performance.

Getting Started

To authenticate your requests, include your JWT token in the Authorization header:

shell

curl -H "Authorization: Bearer YOUR_JWT_TOKEN" \
     -H "Content-Type: application/json" \
     -H "Origin: https://swiftor.io" \
     http://api.swiftor.io/vms

Token Security

Keep your JWT token secure and never share it. Tokens can be compromised if exposed.

API Access

Currently we only offer direct API access to our enterprise plan subscribers. We are working on API keys rather than a JWT token.

Public Endpoints

These endpoints are accessible without authentication:

User Profiles

GET /@{username} - Get user's public profile
GET /@{username}/pfp - Get profile picture
GET /@{username}/banner - Get profile banner

Public Reports

GET /@{username}/{reportid} - Get public report
POST /@{username}/{reportid} - Get public report details. Requires a JSON body, potentially with a password field if the report is protected.

Report Access

Only reports marked as public (not private) are accessible. If a public report is password-protected, the correct password must be supplied in the request body.

Authenticated Endpoints

Authentication Required

All endpoints below require a valid JWT token in the Authorization header.

We use redis for caching.

User Management

GET /init - Get current authenticated user's comprehensive information (profile, VMs, reports, payloads, notifications).
GET /get-usage - Get Sparks usage details.

Virtual Machines →

GET /vms - List VMs
POST /vms/create - Create VM
GET /vms/start/{vmid} - Start VM
GET /vms/stop/{vmid} - Stop VM
GET /vms/delete/{vmid} - Delete VM
GET /vms/secrets - Manage Environment Variables
GET /vms/networking - Manage Subdomain Mapping

Reports →

GET /reports - List reports
POST /reports/create - Create report
PUT /reports/publish/{report_id} - Update report (used to manage content, theme, protection status, etc.)
DELETE /reports/{report_id} - Delete report

Payloads →

POST /payloads/install - Install payload
POST /payloads/abuse - Report abuse
GET /payloads/abuse/{payloadid} - Get abuse reports (admin only)

Storage →

GET /storage - List storage usage
POST /storage/upload - Upload file
DELETE /storage/{file_id} - Delete file

Additional Services

Notifications

GET /notifications - Get notifications
POST /notifications/read - Mark as read

Payment

POST /payment/test/create-checkout-session - Create checkout

AI Services

POST /ai/chat - Chat with AI (streaming)

Account Deletion

Endpoints under /delete handle account-related deletion tasks. (Details TBC)

Security

CORS Policy

Cross-Origin Requests

The API only accepts requests from https://swiftor.io. All other origins will be rejected.

Error Handling

The API uses standard HTTP status codes with JSON error responses:

json

{
  "detail": "Error description"
}

Common status codes:

Code	Description
400	Bad Request
401	Unauthorized
403	Forbidden
404	Not Found
500	Server Error

API Documentation ​

Authentication ​

Getting Started ​

Public Endpoints ​

User Profiles ​

Public Reports ​

Authenticated Endpoints ​

User Management ​

Virtual Machines → ​

Reports → ​

Payloads → ​

Storage → ​

Additional Services ​

Notifications ​

Payment ​

AI Services ​

Account Deletion ​

Security ​

CORS Policy ​

Error Handling ​

On this page