API Reference
Orkestra is OpenAPI-first — every endpoint is defined via Huma v2, which generates a full OpenAPI 3.1 document at runtime. The pages in this section are auto-generated from that document, per-endpoint, with deep-linkable URLs and inline schemas.
:::info Core API surface
This reference shows the core API surface — the base ships only the seven core modules, with an empty optional-module catalog. A fork that adds verticals regenerates this spec to include its own routes. Routes for an optional module that is disabled at /admin/modules return 503 Service Unavailable via the module gate.
For what each module contributes, see the Module Catalog. :::
Audience split
Two audiences consume the API:
- Operator (Tier-1 self-hosters) — the
/admin/*surface plus operator-facing module endpoints. Tokens carryaud=operator. Served on the console host (e.g.console.orkestra.cc). - Client (Tier-2 external clients) — public signup, login, and the client's own account self-service. Tokens carry
aud=client. Served on the client host (e.g.api.orkestra.cc). (A fork that sells services to external clients adds its consumption surfaces — catalog, subscriptions, payment webhooks — here.)
Both audiences are rendered together in this reference because Huma currently generates a single shared OpenAPI document — the audience separation lives at the host/mux level, not at the spec level. Each route's tag tells you which surface it lives on; routes scoped to internal-tenant or with aud=operator security implications belong to the operator surface.
Authentication
All non-public endpoints require a Bearer JWT:
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...
See Architecture › Authentication Flow for how to mint one (email/password, OAuth 2.1, or — in dev — ./scripts/devtoken.sh).
Live spec
The canonical spec lives at backend/openapi/enterprise.json in the monorepo. It is regenerated by make openapi-dump and gated by make openapi-check in ci-backend, so it never drifts from the routes in main.
On a running instance, the live spec is served at:
- Operator surface:
https://<your-console-host>/openapi.json - Interactive docs (Scalar UI):
https://<your-console-host>/docs
Browse endpoints
Use the sidebar to navigate by tag, or jump to a section:
- Authentication, MFA, sessions
- Users, tenants, RBAC (roles, permissions, bindings)
- Module administration (
/admin/*) - Navigation
- Observability — runtime log-levels (
/admin/observability/*)
(A fork that adds verticals — invoicing, documents, AI, subscriptions/payments, compliance, identity, … — regenerates the spec, and those tags appear here too.)