API
API index
mipo is API-first: every action the GUI performs is a documented endpoint. This index is generated from the page docs, so it stays in sync with the product. Filter by method, path, description, or source doc.
| Method | Path | Description | Source Doc | Section |
|---|---|---|---|---|
| GET | /api/profile/dashboards | List all dashboards for the current user | Dashboard | Overview |
| POST | /api/profile/dashboards | Create a new dashboard | Dashboard | Overview |
| PUT | /api/profile/dashboards/:id | Update a dashboard | Dashboard | Overview |
| DELETE | /api/profile/dashboards/:id | Delete a dashboard | Dashboard | Overview |
| PUT | /api/profile/dashboards/:id/activate | Set a dashboard as the active default | Dashboard | Overview |
| POST | /api/profile/dashboards/:id/import | Import a shared dashboard configuration | Dashboard | Overview |
| GET | /api/profile | Get current user profile and preferences | Profile | Overview |
| PUT | /api/profile/preferences | Update display preferences (theme, accent, timezone) | Profile | Overview |
| PUT | /api/profile/password | Change your password (local accounts only) | Profile | Overview |
| POST | /api/profile/mfa/setup | Begin MFA enrollment; returns the otpauth URI and secret for the QR code | Profile | Overview |
| POST | /api/profile/mfa/enable | Confirm a code and enable MFA; returns one-time recovery codes | Profile | Overview |
| DELETE | /api/profile/mfa | Disable MFA (requires a current code or a recovery code) | Profile | Overview |
| GET | /api/system/timezones | List available timezone options | Profile | Overview |
| GET | /api/config/subnets | List all subnets | Subnets | Config |
| POST | /api/config/subnets | Create a new subnet | Subnets | Config |
| PUT | /api/config/subnets/:id | Update an existing subnet | Subnets | Config |
| DELETE | /api/config/subnets/:id | Delete a subnet (if unreferenced) | Subnets | Config |
| POST | /api/config/subnets/analyze | Analyze CIDR ranges for overlap and host counts | Subnets | Config |
| GET | /api/config/subnets/:id/details | Get subnet details with associations | Subnets | Config |
| GET | /api/config/subnets/scannable | List subnets eligible for scanning | Subnets | Config |
| GET | /api/config/subnets/filter-values | Get available filter values for the subnets table | Subnets | Config |
| GET | /api/config/subnet-groups | List all subnet groups | Subnet Groups | Config |
| POST | /api/config/subnet-groups | Create a new subnet group | Subnet Groups | Config |
| PUT | /api/config/subnet-groups/:id | Update an existing subnet group | Subnet Groups | Config |
| DELETE | /api/config/subnet-groups/:id | Delete a subnet group (if unreferenced) | Subnet Groups | Config |
| GET | /api/config/subnet-groups/:id/details | Get subnet group details with members | Subnet Groups | Config |
| GET | /api/config/subnet-groups/filter-values | Get available filter values for the subnet groups table | Subnet Groups | Config |
| GET | /api/config/port-catalog | List all port catalog entries | Port Catalog | Config |
| POST | /api/config/port-catalog | Create a new catalog entry | Port Catalog | Config |
| PUT | /api/config/port-catalog/:id | Update an existing catalog entry | Port Catalog | Config |
| DELETE | /api/config/port-catalog/:id | Delete a catalog entry (if unreferenced) | Port Catalog | Config |
| GET | /api/config/port-catalog/:id/details | Get port catalog entry details | Port Catalog | Config |
| GET | /api/config/port-catalog/filter-values | Get available filter values for the port catalog table | Port Catalog | Config |
| GET | /api/config/port-lists | List all port lists | Port Lists | Config |
| POST | /api/config/port-lists | Create a new port list | Port Lists | Config |
| PUT | /api/config/port-lists/:id | Update an existing port list | Port Lists | Config |
| DELETE | /api/config/port-lists/:id | Delete a port list (if unreferenced) | Port Lists | Config |
| GET | /api/config/port-lists/:id/details | Get port list details with all port entries | Port Lists | Config |
| GET | /api/config/port-lists/filter-values | Get available filter values for the port lists table | Port Lists | Config |
| GET | /api/config/port-list-groups | List all port list groups | Port List Groups | Config |
| POST | /api/config/port-list-groups | Create a new port list group | Port List Groups | Config |
| PUT | /api/config/port-list-groups/:id | Update an existing port list group | Port List Groups | Config |
| DELETE | /api/config/port-list-groups/:id | Delete a port list group (if unreferenced) | Port List Groups | Config |
| GET | /api/config/port-list-groups/:id/details | Get port list group details with members | Port List Groups | Config |
| GET | /api/config/port-list-groups/filter-values | Get available filter values for the port list groups table | Port List Groups | Config |
| GET | /api/config/scanners | List all scanners | Scanners | Config |
| POST | /api/config/scanners | Create a new scanner | Scanners | Config |
| PUT | /api/config/scanners/:id | Update scanner name or description | Scanners | Config |
| PATCH | /api/config/scanners/:id | Update scanner binding | Scanners | Config |
| DELETE | /api/config/scanners/:id | Delete a scanner and revoke its access | Scanners | Config |
| GET | /api/config/scanners/:id/binding | Get scanner binding details | Scanners | Config |
| POST | /api/config/scanners/:id/release-binding | Release scanner IP binding | Scanners | Config |
| POST | /api/config/scanners/:id/disable | Disable a scanner | Scanners | Config |
| POST | /api/config/scanners/:id/enable | Enable a disabled scanner | Scanners | Config |
| POST | /api/config/scanners/:id/regenerate-token | Regenerate provisioning token | Scanners | Config |
| POST | /api/config/scanners/:id/rotate-key | Rotate API key with a 24h grace window. The previous key continues to authenticate for 24 hours so in-flight scans do not fail. Returns the new key once. Use regenerate-token for compromise scenarios where the old key must be killed immediately. | Scanners | Config |
| GET | /api/config/scanners/binary-hash | Get the current scanner binary hash | Scanners | Config |
| GET | /api/config/scanners/install-script-preview | Preview the scanner install script | Scanners | Config |
| GET | /api/config/scanners/source-code | Get scanner source code for review | Scanners | Config |
| GET | /api/config/scanners/:id | Get single scanner configuration | Scanners | Config |
| GET | /api/config/scanners/filter-values | Get available filter values for the scanners table | Scanners | Config |
| POST | /scanner/register | Ingest API — exchange a one-time provisioning token for a permanent API key. Body: { provisioningToken, hostname?, osInfo?, internalIp? }. Tokens are short-lived (1 hour) and single-use. Returns the API key once — it is never shown again. | Scanners | Config |
| GET | /scanner/install | Ingest API — generate and return a shell install script for the scanner. Requires Authorization: Bearer <provisioning-token> header. The script registers the scanner and installs a systemd service. Token is passed as $1 (not embedded) to avoid persisting it in the script file. | Scanners | Config |
| GET | /api/config/scan-templates | List all scan templates | Scan Templates | Config |
| POST | /api/config/scan-templates | Create a new scan template | Scan Templates | Config |
| PUT | /api/config/scan-templates/:id | Update an existing scan template | Scan Templates | Config |
| DELETE | /api/config/scan-templates/:id | Delete a scan template (if unreferenced) | Scan Templates | Config |
| GET | /api/config/scan-templates/:id/details | Get expanded template details with resolved counts | Scan Templates | Config |
| GET | /api/config/scan-templates/:id/tests | List compliance tests for a scan template | Scan Templates | Config |
| POST | /api/config/scan-templates/:id/tests | Create a compliance test for a scan template | Scan Templates | Config |
| PUT | /api/config/scan-templates/:templateId/tests/:testId | Update a compliance test | Scan Templates | Config |
| DELETE | /api/config/scan-templates/:templateId/tests/:testId | Delete a compliance test | Scan Templates | Config |
| GET | /api/config/scan-templates/filter-values | Get available filter values for the templates table | Scan Templates | Config |
| GET | /api/config/scan-template-groups | List all scan template groups | Scan Template Groups | Config |
| POST | /api/config/scan-template-groups | Create a new scan template group | Scan Template Groups | Config |
| PUT | /api/config/scan-template-groups/:id | Update an existing scan template group | Scan Template Groups | Config |
| DELETE | /api/config/scan-template-groups/:id | Delete a scan template group (if unreferenced) | Scan Template Groups | Config |
| GET | /api/config/scan-template-groups/:id/details | Get scan template group details with members | Scan Template Groups | Config |
| GET | /api/config/scan-template-groups/filter-values | Get available filter values for the template groups table | Scan Template Groups | Config |
| GET | /api/config/scanner-groups | List all scanner groups | Scanner Groups | Config |
| POST | /api/config/scanner-groups | Create a new scanner group | Scanner Groups | Config |
| PUT | /api/config/scanner-groups/:id | Update an existing scanner group | Scanner Groups | Config |
| DELETE | /api/config/scanner-groups/:id | Delete a scanner group (if unreferenced) | Scanner Groups | Config |
| GET | /api/config/scanner-groups/:id/details | Get scanner group details with members | Scanner Groups | Config |
| GET | /api/config/scanner-groups/filter-values | Get available filter values for the scanner groups table | Scanner Groups | Config |
| GET | /api/config/discovery-sources | List all sources | Discovery | Config |
| GET | /api/config/discovery-sources/:id | Get a single discovery source | Discovery | Config |
| POST | /api/config/discovery-sources | Create source (returns API key) | Discovery | Config |
| PUT | /api/config/discovery-sources/:id | Update a discovery source | Discovery | Config |
| DELETE | /api/config/discovery-sources/:id | Delete a discovery source | Discovery | Config |
| POST | /api/config/discovery-sources/:id/regenerate-key | Regenerate API key | Discovery | Config |
| GET | /api/config/discovery-lists | List all lists (GUI read-only) | Discovery | Config |
| GET | /api/config/discovery-lists/:id | Get a single discovery list | Discovery | Config |
| GET | /api/config/discovery-lists/:id/ips | Get IP addresses from a discovery list | Discovery | Config |
| GET | /discovery/lists | Enumerate all lists owned by this discovery source (Ingest API — uses X-API-Key header). Returns names, IP counts, and last push timestamps. | Discovery | Config |
| POST | /discovery/lists | Create list (Ingest API — uses X-API-Key header) | Discovery | Config |
| DELETE | /discovery/lists/:name | Delete an entire named list and all its IPs (Ingest API — uses X-API-Key header). Returns 409 if the list is referenced by a scan template. | Discovery | Config |
| POST | /discovery/lists/:name/ips | Push/upsert IPs (Ingest API — uses X-API-Key header) | Discovery | Config |
| DELETE | /discovery/lists/:name/ips | Delete specific IPs (Ingest API — uses X-API-Key header) | Discovery | Config |
| DELETE | /discovery/lists/:name/ips/older-than | Delete stale IPs (Ingest API — uses X-API-Key header) | Discovery | Config |
| GET | /api/config/scanners | Returns scanner rate limits in maxProbesPerSecond field | Rate Limit Hierarchy | Config |
| GET | /api/config/subnets | Returns subnet rate limits in maxProbesPerSecond field | Rate Limit Hierarchy | Config |
| GET | /api/config/port-lists | Returns port list rate limits in maxProbesPerSecond field | Rate Limit Hierarchy | Config |
| GET | /scanner/jobs | Claim and receive pending jobs for this scanner. Uses X-API-Key header. Optional ?limit=1 parameter (max 10). Returns { jobs: [...] }. | Scanner Job Dispatch | Health > Scanner Protocol |
| POST | /scanner/jobs/:jobId/start | Transition a claimed job to running state. Called immediately after the scanner begins work. Returns { ok: true }. | Scanner Job Dispatch | Health > Scanner Protocol |
| POST | /scanner/jobs/:jobId/progress | Stream incremental progress. Body: { progressCount, resultCount }. Call periodically during scanning. Returns { ok: true }. | Scanner Job Dispatch | Health > Scanner Protocol |
| POST | /scanner/jobs/:jobId/complete | Finalize a job. Body: { status: "completed"|"failed", resultCount?, errorMessage? }. Triggers scan completion check when all jobs finish. | Scanner Job Dispatch | Health > Scanner Protocol |
| POST | /scanner/heartbeat | Periodic liveness ping with optional metrics. Body: { version?, hostname?, internalIp?, capabilities?, metrics? }. Uses X-API-Key header. Returns { ok: true, serverTime: string }. | Scanner Heartbeat | Health > Scanner Protocol |
| POST | /scanner/results | Legacy result upload keyed by scan ID (not job ID). Body: { scanId, results: [...], complete? }. Uses X-API-Key header. Returns { ok: true }. | Scanner Heartbeat | Health > Scanner Protocol |
| GET | /scanner/binary/:platform/:arch | Returns 501 Not Implemented with the build command for the requested platform/arch. Platforms: linux, darwin, windows. Architectures: amd64, arm64. | Scanner Binary | Health > Scanner Protocol |
| GET | /health | Deep health check across config, results, and jobs database pools. Returns 200 with status "ok" when all pools are healthy, or 503 with status "degraded" when any pool is unhealthy. No authentication required. | Ingest Health Check | Health > Scanner Protocol |
| GET | /api/health/alerting/alarms | List alarms with optional filters (state, severity, entityType) | Alarms | Health > Alerting |
| GET | /api/health/alerting/alarms/count | Active alarm counts for nav badge | Alarms | Health > Alerting |
| GET | /api/health/alerting/alarms/:id | Alarm detail with matching event timeline | Alarms | Health > Alerting |
| POST | /api/health/alerting/alarms/:id/acknowledge | Acknowledge an open alarm | Alarms | Health > Alerting |
| POST | /api/health/alerting/alarms/:id/resolve | Manually resolve an alarm | Alarms | Health > Alerting |
| GET | /api/health/alerting/events | List system events with optional filters (eventType, severity, entityType) | Events | Health > Alerting |
| GET | /api/health/alerting/notification-log | Query notification history with optional filters (status, channelId, alarmId) | Notification Log | Health > Alerting |
| GET | /api/health/alerting/notification-log/stats | Get 24h delivery statistics (sent, pending, failed, exhausted counts) | Notification Log | Health > Alerting |
| GET | /api/health/job-errors | List active job error states | Job Errors | Health |
| GET | /api/health/job-errors/:stateId | Single error state with repair history | Job Errors | Health |
| POST | /api/health/job-errors/:stateId/repair | Apply a repair action | Job Errors | Health |
| POST | /api/health/job-errors/bulk-repair | Bulk repair multiple states | Job Errors | Health |
| GET | /api/health/job-errors?errorClass=no_scanner | List active rows | No Scanner | Health |
| POST | /api/health/job-errors/:stateId/repair | Apply fail or reassign | No Scanner | Health |
| POST | /api/health/job-errors/bulk-repair | Bulk apply | No Scanner | Health |
| POST | /api/health/job-errors/:stateId/repair | action=regenerate_token | Failed Scanner Auth | Health |
| POST | /api/health/job-errors/:stateId/repair | action=drain | reassign | fail | Scanner Disabled | Health |
| POST | /api/health/job-errors/:stateId/repair | action=release_binding | regenerate_token | Scanner IP Changed | Health |
| POST | /api/health/job-errors/:stateId/repair | action=drain | reassign | fail | No Heartbeat | Health |
| POST | /api/health/job-errors/:stateId/repair | action=fail | reassign | Binary Version Mismatch | Health |
| POST | /api/health/job-errors/:stateId/repair | action=redispatch | fail | Stuck Pending | Health |
| POST | /api/health/job-errors/:stateId/repair | action=fail | Stuck Running | Health |
| POST | /api/health/job-errors/:stateId/repair | action=redispatch | fail | Dispatcher Failure | Health |
| POST | /api/health/job-errors/:stateId/repair | action=fail | Expired | Health |
| POST | /api/health/job-errors/:stateId/repair | action=fail | reassign | Result Submit Failed | Health |
| POST | /api/health/job-errors/bulk-repair | action=fail across all scan_deleted rows | Scan Deleted | Health |
| POST | /api/health/job-errors/:stateId/repair | action=fail | Target Invalid | Health |
| POST | /api/health/job-errors/:stateId/repair | action=redispatch | fail | Rate Limit Exhausted | Health |
| GET | /api/health/services/manager | Manager service health and metrics | Overview | Health |
| GET | /api/health/services/ingest | Ingest node statuses and metrics | Overview | Health |
| GET | /api/health/infra/db-status | Database connection pool health | Overview | Health |
| GET | /api/health/infra/proxy-status | Traefik reverse proxy metrics | Overview | Health |
| GET | /api/scanners | Registered scanners and their statuses | Overview | Health |
| GET | /api/health/internet-status | Public DNS and HTTPS reachability | Overview | Health |
| GET | /api/health/infra/backup | Backup system health and S3 status | Overview | Health |
| GET | /api/health/job-errors/topology | Aggregated job-error counts by topology target (scanner/dispatcher/db-config) | Overview | Health |
| GET | /api/health/services/manager | Fetch manager health status and metrics | Manager | Health > Services |
| GET | /api/health/services/ingest | Fetch all ingest node statuses and metrics | Ingest | Health > Services |
| GET | /api/scanners | List all registered scanners with status and metadata | Scanners | Health > Services |
| GET | /api/scanners/:id/events | Scanner event timeline (state changes, heartbeat errors) | Scanners | Health > Services |
| GET | /api/health/infra/db-status | Fetch connection pool stats for Config and Results databases | Database Status | Health > Infrastructure |
| GET | /api/health/infra/proxy-status | Fetch Traefik availability, environment, and component counts | Reverse Proxy Status | Health > Infrastructure |
| GET | /api/health/infra/backup | Fetch backup schedule, storage, encryption, S3, and trigger data | Backup | Health > Infrastructure |
| GET | /api/health/infra/dns | Fetch public, internal, container, and scanner DNS health data | DNS Status | Health > Infrastructure |
| GET | /api/health/infra/https | Fetch certificate details, connectivity, ACME status, and chain validation | HTTPS Status | Health > Infrastructure |
| GET | /api/config/scan-templates | List available scan templates | Run Scan | Scans |
| POST | /api/scans | Create and start a new scan from a template | Run Scan | Scans |
| GET | /api/scans | Fetch all scans filtered by status=running,pending; auto-refresh re-issues this on the configured interval | Running Scans | Scans |
| GET | /api/scans | Fetch scans filtered by status=completed,failed and startedAfter (NOW - window seconds); auto-refresh re-issues this on the configured interval | Recent Scans | Scans |
| GET | /api/scans | Fetch scans filtered by status=completed,failed; supports startedAfter, startedBefore, limit, offset, sort, dir | Scan History | Scans |
| GET | /api/scans/schedules | List all schedules | Schedules | Scans |
| POST | /api/scans/schedules | Create a new schedule | Schedules | Scans |
| GET | /api/scans/schedules/:id | Get schedule details | Schedules | Scans |
| PUT | /api/scans/schedules/:id | Update a schedule | Schedules | Scans |
| POST | /api/scans/schedules/:id/enable | Enable a schedule | Schedules | Scans |
| POST | /api/scans/schedules/:id/disable | Disable a schedule | Schedules | Scans |
| POST | /api/scans/schedules/:id/run-now | Trigger a schedule immediately | Schedules | Scans |
| DELETE | /api/scans/schedules/:id | Delete a schedule | Schedules | Scans |
| GET | /api/scans/:id | Retrieve scan metadata (name, status, timestamps, result count) | Results | Scans |
| GET | /api/scans/:id/results | Paginated scan results (hosts, ports, services) | Results | Scans |
| GET | /api/audit/states?scanId=:id | Port-state transitions (opened/closed) detected for this scan | Results | Scans |
| GET | /api/scans/:id/progress | Scan progress and per-scanner error details for failed scans | Results | Scans |
| POST | /api/scans/:id/save-tests | Save test baselines for scan results | Results | Scans |
| GET | /api/scans/:id/results-with-tests | Get results with test pass/fail data | Results | Scans |
| GET | /api/export/context | Get export metadata for compliance reporting | Results | Scans |
| POST | /api/export/context | Configure export context for audit evidence | Results | Scans |
| POST | /api/scans/:id/cancel | Cancel a pending or running scan (requires scans:execute) | Results | Scans |
| GET | /api/scans/:id/receipts | All execution-proof receipts for a scan (the per-job proof list) | Execution Proof | Scans |
| GET | /api/jobs/:jobId/receipt | A single job receipt detail, including the verbatim forensic receiptJson | Execution Proof | Scans |
| GET | /api/scans/:id | Scan metadata (name, status) shown in the page header | Execution Proof | Scans |
| GET | /api/jobs/:jobId/receipt | The single job receipt detail, including the verbatim forensic receiptJson | Job Receipt | Scans |
| GET | /api/audit/changes | List all audit change events (paginated) | Changes | Audit |
| GET | /api/audit/views | List all access log entries (paginated) | Views | Audit |
| GET | /api/audit/auth | List all authentication events (paginated) | Auth | Audit |
| GET | /api/audit/states | List port state changes with filtering | Port State Changes | Audit |
| GET | /api/audit/verify | Walk the entire audit event chain, recompute SHA-256 hashes, and return a pass/fail report with any broken-link indexes | Audit Log Integrity | Audit |
| GET | /api/admin/alerting/alarm-rules | List all built-in alarm rules | Alarm Rules | Admin > Alerting |
| PATCH | /api/admin/alerting/alarm-rules/:id | Toggle enabled or override severity | Alarm Rules | Admin > Alerting |
| POST | /api/admin/alerting/alarm-rules/:id/reset | Reset severity to default | Alarm Rules | Admin > Alerting |
| GET | /api/admin/alerting/notification-channels | List all notification channels | Notification Channels | Admin > Alerting |
| POST | /api/admin/alerting/notification-channels | Create a new notification channel | Notification Channels | Admin > Alerting |
| GET | /api/admin/alerting/notification-channels/:id | Get channel details | Notification Channels | Admin > Alerting |
| PATCH | /api/admin/alerting/notification-channels/:id | Update a channel | Notification Channels | Admin > Alerting |
| DELETE | /api/admin/alerting/notification-channels/:id | Delete a channel | Notification Channels | Admin > Alerting |
| POST | /api/admin/alerting/notification-channels/:id/test | Send a test notification | Notification Channels | Admin > Alerting |
| POST | /api/admin/alerting/notification-channels/test-config | Test unsaved channel configuration before creating | Notification Channels | Admin > Alerting |
| GET | /api/admin/alerting/notification-policies | List all notification policies | Notification Policies | Admin > Alerting |
| POST | /api/admin/alerting/notification-policies | Create a new policy | Notification Policies | Admin > Alerting |
| GET | /api/admin/alerting/notification-policies/:id | Get policy details | Notification Policies | Admin > Alerting |
| PATCH | /api/admin/alerting/notification-policies/:id | Update a policy | Notification Policies | Admin > Alerting |
| DELETE | /api/admin/alerting/notification-policies/:id | Delete a policy | Notification Policies | Admin > Alerting |
| GET | /api/admin/sessions | List all active sessions (paginated, limit/offset query params) | Sessions | Admin |
| DELETE | /api/admin/sessions/:id | Terminate a specific session by ID | Sessions | Admin |
| DELETE | /api/admin/sessions | Terminate all active sessions for a user (pass userId as a query parameter) | Sessions | Admin |
| GET | /api/admin/backups/config | Retrieve current backup configuration | Backups | Admin |
| PUT | /api/admin/backups/config | Update backup configuration | Backups | Admin |
| GET | /api/admin/backups | List existing backup bundles | Backups | Admin |
| POST | /api/admin/backups/trigger | Trigger an immediate backup | Backups | Admin |
| GET | /api/admin/backups/triggers | List backup trigger history | Backups | Admin |
| POST | /api/admin/backups/test-s3 | Test S3 connection with current settings | Backups | Admin |
| GET | /api/admin/backups/:id/download | Download a backup bundle | Backups | Admin |
| POST | /api/admin/backups/generate-encryption-key | Generate a new backup encryption key (server-side crypto) | Backups | Admin |
| GET | /api/admin/release | Returns the aggregated release posture rendered by this page. | Release | Admin |
| GET | /api/admin/settings | Retrieve current system settings (publicUrl, heartbeatUrl, heartbeatIntervalMinutes) | Settings | Admin |
| PUT | /api/admin/settings | Update system settings — accepts publicUrl, heartbeatUrl, and heartbeatIntervalMinutes | Settings | Admin |
| POST | /api/admin/settings/heartbeat-test | Send a single on-demand ping to the configured Heartbeat URL to verify connectivity. Returns the HTTP status from the monitoring service, or 400 if no URL is configured, or 502 if the ping failed. | Settings | Admin |
| POST | /api/admin/seeds/reload-builtins | Restore deleted default configuration entries | Settings | Admin |
| POST | /api/admin/seeds/import | Import seed data from JSON | Settings | Admin |
| GET | /api/admin/scanner-acl | Export scanner ACL (optional format query parameter: json, nginx, iptables, cloudflare) | Scanner ACL | Admin |
| GET | /api/admin/services/restartable | List all restartable containers with tier and danger classification | Maintenance | Admin |
| GET | /api/admin/services/maintenance-context | Enriched container list with health diagnostics, open alarm counts, last restart history, and watchdog reachability — loaded once on page open to minimize round trips | Maintenance | Admin |
| GET | /api/admin/services/:name/context | Per-container detail loaded lazily when the detail drawer opens: health diagnostic, uptime, memory usage, DB pool stats (for database containers), recent audit events, and open alarms | Maintenance | Admin |
| POST | /api/admin/services/:name/restart | Restart a specific container via the watchdog sidecar | Maintenance | Admin |
| POST | /api/admin/backups/trigger | Trigger an immediate backup | Maintenance | Admin |
| POST | /api/admin/backups/test-s3 | Test S3 connection with current settings | Maintenance | Admin |
| GET | /api/audit/changes | Fetch recent audit events (filtered for maintenance activity) | Maintenance | Admin |
| GET | /api/admin/identity/users | List all users with their roles | Users | Admin > Identity |
| POST | /api/admin/identity/users | Create a new user | Users | Admin > Identity |
| PUT | /api/admin/identity/users/:id | Update user email or auth method | Users | Admin > Identity |
| DELETE | /api/admin/identity/users/:id | Delete a user | Users | Admin > Identity |
| POST | /api/admin/identity/users/:userId/roles/:roleId | Assign a role to a user | Users | Admin > Identity |
| DELETE | /api/admin/identity/users/:userId/roles/:roleId | Remove a role from a user | Users | Admin > Identity |
| POST | /api/admin/identity/users/:id/mfa/reset | Reset a user's MFA (clears TOTP + recovery codes; owners are reset via the break-glass CLI, not this route) | Users | Admin > Identity |
| GET | /api/admin/identity/roles | List all roles with their scopes | Roles | Admin > Identity |
| POST | /api/admin/identity/roles | Create a new custom role | Roles | Admin > Identity |
| PUT | /api/admin/identity/roles/:id | Update role name, description, or scopes | Roles | Admin > Identity |
| DELETE | /api/admin/identity/roles/:id | Delete a custom role | Roles | Admin > Identity |
| GET | /api/admin/identity/oidc | Retrieve current OIDC configuration | OIDC Configuration | Admin > Identity |
| PUT | /api/admin/identity/oidc | Update OIDC configuration | OIDC Configuration | Admin > Identity |
| GET | /api/admin/ssl | Retrieve current TLS/SSL status | SSL Status | Admin > SSL |
| POST | /api/admin/ssl/config | Update TLS mode and HTTPS port configuration | SSL Status | Admin > SSL |
| POST | /api/admin/ssl/letsencrypt | Start ACME certificate request with DNS provider configuration | Let's Encrypt | Admin > SSL |
| POST | /api/admin/ssl/test-credentials | Test DNS provider credentials without requesting a certificate | Let's Encrypt | Admin > SSL |
| GET | /api/admin/ssl/acme-status | Poll current ACME certificate status and renewal information | Let's Encrypt | Admin > SSL |
| POST | /api/admin/ssl/upload | Upload base64-encoded certificate and private key | Custom Certificate | Admin > SSL |
| GET | /api/config/port-catalog/:id | Load an existing catalog entry (Edit mode) | Port Catalog Form | Config |
| POST | /api/config/port-catalog | Create a new catalog entry (Create mode) | Port Catalog Form | Config |
| PUT | /api/config/port-catalog/:id | Update an existing catalog entry (Edit mode) | Port Catalog Form | Config |
| GET | /api/config/port-list-groups/:id | Load an existing port list group (Edit mode) | Port List Group Form | Config |
| GET | /api/config/port-lists | List available port lists for selection | Port List Group Form | Config |
| POST | /api/config/port-list-groups | Create a new port list group (Create mode) | Port List Group Form | Config |
| PUT | /api/config/port-list-groups/:id | Update an existing port list group (Edit mode) | Port List Group Form | Config |
| GET | /api/config/port-lists/:id | Load an existing port list (Edit mode) | Port List Form | Config |
| POST | /api/config/port-lists | Create a new port list (Create mode) | Port List Form | Config |
| PUT | /api/config/port-lists/:id | Update an existing port list (Edit mode) | Port List Form | Config |
| GET | /api/config/scan-template-groups/:id | Load an existing template group (Edit mode) | Scan Template Group Form | Config |
| GET | /api/config/scan-templates | List available scan templates | Scan Template Group Form | Config |
| POST | /api/config/scan-template-groups | Create a new template group (Create mode) | Scan Template Group Form | Config |
| PUT | /api/config/scan-template-groups/:id | Update an existing template group (Edit mode) | Scan Template Group Form | Config |
| GET | /api/config/scan-templates/:id/details | Load an existing template with all selected subnets/groups/ports (Edit mode) | Scan Template Form | Config |
| GET | /api/config/subnets | List available subnets | Scan Template Form | Config |
| GET | /api/config/subnet-groups | List available subnet groups | Scan Template Form | Config |
| GET | /api/config/port-lists | List available port lists | Scan Template Form | Config |
| GET | /api/config/port-list-groups | List available port list groups | Scan Template Form | Config |
| GET | /api/config/discovery-lists | List available discovery lists | Scan Template Form | Config |
| POST | /api/config/scan-templates | Create a new template (Create mode) | Scan Template Form | Config |
| PUT | /api/config/scan-templates/:id | Update an existing template (Edit mode) | Scan Template Form | Config |
| GET | /api/config/scanner-groups/:id | Load an existing scanner group (Edit mode) | Scanner Group Form | Config |
| GET | /api/scanners | List available scanners for selection | Scanner Group Form | Config |
| POST | /api/config/scanner-groups | Create a new scanner group (Create mode) | Scanner Group Form | Config |
| PUT | /api/config/scanner-groups/:id | Update an existing scanner group (Edit mode) | Scanner Group Form | Config |
| POST | /api/config/scanners | Create a new scanner and receive a provisioning token | Scanner Form | Config |
| GET | /api/config/scanners/binary-hash | Trust-verification: scanner binary SHA-256 | Scanner Form | Config |
| GET | /api/config/scanners/install-script-preview | Trust-verification: the install script the curl command will execute | Scanner Form | Config |
| GET | /api/config/scanners/source-code | Trust-verification: scanner source code (Go, stdlib only) | Scanner Form | Config |
| GET | /api/config/subnet-groups/:id | Load an existing subnet group (Edit mode) | Subnet Group Form | Config |
| GET | /api/config/subnets | List available subnets for selection | Subnet Group Form | Config |
| POST | /api/config/subnet-groups | Create a new subnet group (Create mode) | Subnet Group Form | Config |
| PUT | /api/config/subnet-groups/:id | Update an existing subnet group (Edit mode) | Subnet Group Form | Config |
| GET | /api/config/subnets/:id | Load an existing subnet (Edit mode) | Subnet Form | Config |
| POST | /api/config/subnets | Create a new subnet (Create mode) | Subnet Form | Config |
| PUT | /api/config/subnets/:id | Update an existing subnet (Edit mode) | Subnet Form | Config |
| GET | /api/scans/schedules/:id | Load an existing schedule with its template/group selection (Edit mode) | Schedule Form | Scans |
| GET | /api/config/scan-templates | List available scan templates | Schedule Form | Scans |
| GET | /api/config/scan-template-groups | List available scan template groups | Schedule Form | Scans |
| POST | /api/scans/schedules | Create a new schedule (Create mode) | Schedule Form | Scans |
| PUT | /api/scans/schedules/:id | Update an existing schedule (Edit mode) | Schedule Form | Scans |