KubeDB Platform API Reference

The KubeDB Platform API Server is the backend server of the KubeDB Platform. This page gives you both the whole-system picture — what the server does, how it is put together, how requests are authenticated and authorized, and how the pieces fit into typical flows — and the entry point to the low-level, endpoint-by-endpoint reference. Every endpoint on the per-group pages lists its HTTP method, path, authentication, path/query parameters, and request/response shapes so you can implement a client directly against it.

All routes are served under the /api/v1 prefix unless noted otherwise. The marketplace webhook service is a separate listener rooted at /marketplace/api/v1.

A machine-readable OpenAPI 3.0.3 specification of this API is also available (openapi.yaml) — load it into any OpenAPI tool (Swagger UI, Redoc, openapi-generator) to explore the API or generate a client. A self-contained, interactive Swagger UI viewer (with the spec inlined) is also published for this release — open it to browse and try every endpoint in the browser.

Overview

The KubeDB Platform API Server combines an identity foundation (users, organizations, teams, authentication) with a multi-cluster Kubernetes management platform providing:

  • Identity & access management — users, organizations, teams, fine-grained authorization.
  • Cluster management — import, provision, and operate Kubernetes clusters (hub/spoke via Open Cluster Management, Rancher, cloud providers).
  • A full Kubernetes API proxy — the KubeDB Platform UI talks to member clusters through the KubeDB Platform API Server.
  • Licensing & contracts — issuing and enforcing product licenses (KubeDB, KubeStash, KubeVault, Voyager, …).
  • Billing & usage reporting — usage aggregation, invoices, cloud-marketplace metering (AWS/Azure/GCP).
  • Monitoring & telemetry — telemetry stack provisioning, Prometheus/Trickster auth proxying.

System Architecture

KubeDB Platform system architecture

Key runtime facts:

  • One binary, multiple subcommands. The default command is the API server; marketplace, monitor, aggregator, and summary run as separate processes for async/billing workloads.
  • NATS/JetStream is the event backbone: member clusters push resource/usage events; monitor and aggregator consume them; the API server also uses NATS for its task manager and per-user credentials.
  • FluxCD (HelmRelease) and OCM (ManagedCluster) are used to deploy KubeDB Platform features onto clusters and to manage hub→spoke relationships.
  • Deployment modes are switched by DEPLOYMENT_TYPE: AppsCode-hosted, self-hosted (incl. offline installer), or AWS/GCP marketplace deployments. Some API groups only exist in specific modes (noted below).

Authentication & Authorization

Most endpoints require a personal access token. Send it as an HTTP header:

Authorization: token <YOUR_TOKEN>

You can also pass it as a token or access_token query parameter. Token-management endpoints accept HTTP Basic auth. The web console uses a session cookie (i_like_ace); a session cookie alone does not authenticate the token-guarded REST endpoints — use a token.

The server supports several authentication mechanisms:

MechanismUsed byNotes
Session cookieWeb consoleCookie-based sign-in; CSRF-protected
Personal access token / Bearer tokenAPI clients, CLIAuthorization: token <t>, ?token=, ?access_token=
Basic authToken management endpointsWith optional OTP (2FA)
OAuth2 / OIDCSSO; the KubeDB Platform API Server is both provider and consumer/login/oauth/*, /.well-known/openid-configuration
LDAP / PAMEnterprise sign-in sourcesConfigured by site admins
2FA / WebAuthnUser accountsTOTP, scratch tokens, security keys
License-based authMember clustersClusters authenticate with issued licenses / cluster tokens
SudoSite adminsImpersonate a user via sudo param/header

Authorization is relationship-based (OpenFGA-style checks, shown as authzCheck(<permission>) in the reference tables). Common middleware referenced in the API tables:

  • Token — authenticated request required (reqToken).
  • Site admin — platform administrator only.
  • Org context — org resolved from path or ?org= query; membership/ownership verified.
  • Cluster assignment — resolves owner+cluster, loads cluster credentials, builds a Kubernetes client.
  • Public — no authentication beyond baseline middleware.

Baseline middleware on every /api/v1 route: optional-sign-in, NATS connection cleanup, security headers (nosniff), API context, sudo support.

API Groups

The v1 API surface is organized into the following logical groups:

#GroupBase path(s)What it coversAvailability
1Identity: Users & Settings/api/v1/user, /api/v1/usersAccounts, profile/security settings, tokens, credentialsalways
2Identity: Organizations & Teams/api/v1/orgs, /api/v1/teamsOrgs, members, teams, org tokensalways
3Administration/api/v1/admin, /api/v1/accounts/adminAdmin console, site settingsalways
4Authorization (Roles & Permissions)/api/v1/authzCustom roles & permissionsalways
5Cluster Management (v1 + K8s proxy + Helm)/api/v1/clustersCluster lifecycle, Kubernetes proxy, Helmalways
6Cluster Management v2/api/v1/clustersv2Hub-aware cluster API, subscriptions, gatewaysalways
7Multi-cluster (OCM hub/spoke)/api/v1/clusters/:owner/:cluster/...Hub/spoke, cluster sets, feature setsalways
8Client Organizations/api/v1/user/client*, /api/v1/clusters/.../permissionManaged-service client orgsalways
9Cloud Providers/api/v1/cloudsProvider discovery for provisioningalways
10Platform Installer/api/v1/ace-installerSelf-host installer bundlesAppsCode-hosted only
11Platform Upgrade/api/v1/upgrade, /api/v1/clusters/.../upgradePlatform & cluster upgradesalways
12Licensing & Contracts/api/v1/contracts, /api/v1/user/contracts, /api/v1/register, /api/v1/licenseContracts, licenses, registrationcontracts: AppsCode-hosted
13Billing Dashboard & Usage Reports/api/v1/dashboard, /api/v1/user/dashboard, /api/v1/dbaasUsage reports & billing dashboardsbilling-enabled deployments
14Marketplace/api/v1/marketplaces (separate service), /api/v1/proxy/metered-billingCloud-marketplace webhooks & meteringmarketplace deployments
15Monitoring & Telemetry/api/v1/telemetry, /api/v1/tricksterTelemetry stack, Trickster auth proxyalways
16Rancher Integration/api/v1/rancherRancher sync & proxyalways
17Helm Chart Repositories (public)/api/v1/chartrepositoriesPublic Helm chart repositoriesalways
18Miscellaneous & Site Settings/api/v1/version, /api/v1/markdown, /api/v1/branding, …Version, markdown, healthalways

KubeDB Platform /api/v1 API group map

Typical Request Flows

Cluster resource access via the Kubernetes proxy

Kubernetes proxy request flow

License issuance for a contract cluster

License issuance flow

Usage → billing pipeline

Usage to billing pipeline

Deployment Modes

ModeDEPLOYMENT_TYPENotes
AppsCode-hosted (SaaS)HostedFull surface incl. contracts admin, installer, Firebase tokens
Self-hostedSelfHostedProduction (offline installs also set the separate OfflineInstaller flag)Runs from a generated installer bundle; /selfhost console URL
AWS MarketplaceAWSMarketplaceMarketplace webhooks + AWS metering proxy enabled
GCP MarketplaceGoogleCloudMarketplaceMarketplace webhooks + GCP metering proxy enabled
Azure MarketplaceAzureMarketplaceRecognized marketplace mode (webhooks); no metering proxy wired up

Feature gating summary:

  • AppsCodeHosted → contracts admin APIs, installer APIs, org claim, Firebase token.
  • IsBillingEnabled() → billing dashboard APIs (admin, user, usage reports).
  • DeploymentType → which marketplace metering proxy (if any) is registered.
  • License enforcement is compiled in (ENFORCE_LICENSE=true); the server validates its own license at startup.