The DeployForge backend is powered by a Fastify REST API and WebSocket gateway.
- Cookies: Authentication uses HttpOnly, secure cookies: `accessToken` (JWT) and `refreshToken` (opaque token).
- CSRF Protection: Non-safe HTTP methods (`POST`, `PUT`, `PATCH`, `DELETE`) require a CSRF token.
  - Retrieve the CSRF token via `GET /auth/csrf` (sets a `csrfToken` cookie).
  - Send the token value in every mutating request header: `X-CSRF-Token: <token>`.
  - The backend validates the header against the cookie using timing-safe comparison.
Success:
```json
{ "success": true, "data": { ... } }
```
Error:
```json
{
  "success": false,
  "error": { "code": "ERROR_CODE", "message": "Human-readable description" }
}
```
| Code | HTTP | Description |
|---|---|---|
| UNAUTHORIZED | 401 | Missing or invalid access token |
| FORBIDDEN | 403 | Authenticated but insufficient permissions |
| NOT_FOUND | 404 | Resource does not exist |
| CONFLICT | 409 | Duplicate resource (e.g., email already registered) |
| VALIDATION_ERROR | 400 | Invalid request payload |
| RATE_LIMIT_EXCEEDED | 429 | Too many requests |
| INTERNAL_ERROR | 500 | Unexpected server error |
- Liveness probe — returns `200 OK` if the process is running.
- Readiness probe — returns `200 OK` if database and Redis connections are healthy.
- Combined health status: returns JSON with API, database, and Redis states.
- Platform request counters and response-time percentiles.
- Protected by `Authorization: Bearer <METRICS_TOKEN>` in production.
Retrieve a double-submit CSRF token.
- Auth: None | Rate Limit: 60/min
Register a new user account.
- Auth: None | Rate Limit: 10/min
- Body: `{ email, password, name, termsAccepted }`
- Response: `{ success, message, email }`
Verify the email registration OTP.
- Body: `{ email, otp }`
Resend the email verification OTP.
- Body: `{ email }`
Authenticate and create a session.
- Body: `{ email, password }`
- Sets Cookies: `accessToken`, `refreshToken`
Rotate tokens using the refresh cookie.
- Auth: `refreshToken` cookie | Sets Cookies: new `accessToken`, `refreshToken`
Terminate the current session.
- Auth: Required
Get currently authenticated user details.
- Auth: Required | Rate Limit: 30/min
Request a password-reset email.
- Body: `{ email }`
Reset password using token from email.
- Body: `{ token, password }`
Get the current user's profile details (name, avatar, GitHub/Google links, verification status).
- Auth: Required
Update profile fields (name, username, avatar).
- Auth: Required
- Body: `{ name?, username?, avatarUrl? }`
Change the authenticated user's password.
- Auth: Required
- Body: `{ currentPassword, newPassword }`
List all active sessions for the current user.
- Auth: Required
- Response: Array of sessions with device, browser, OS, IP, and last activity.
Revoke a specific session by ID.
- Auth: Required
Revoke all sessions except the current one.
- Auth: Required
Add a new target VPS.
- Auth: Required | Rate Limit: 8/10 min
- Body: `{ name, ipAddress, port, username, authType, password?, privateKey? }`
List all onboarded VPS instances for the current user.
- Auth: Required
Get details of a single VPS.
- Auth: Required
Update VPS configuration (name, credentials).
- Auth: Required
Delete a VPS record.
- Auth: Required
Validate SSH connectivity to a stored VPS.
- Auth: Required
- Body: `{ id }`
Get the latest health record for a VPS (CPU, RAM, Disk, Docker status).
- Auth: Required
Get historical system metrics for a VPS.
- Auth: Required
Deploy from a synced GitHub repository.
- Auth: Required
- Body: `{ vpsId, projectId, branch, env?, name?, port?, buildCommand?, startCommand?, type? }`
Deploy via ZIP/tar.gz file upload.
- Auth: Required
- Body: Multipart form-data with `file`, `vpsId`, `projectId`, `name`, `env?`
Rollback to a previous successful deployment version.
- Auth: Required
Get static deployment logs for a deployment.
- Auth: Required
List all deployments for the current user.
- Auth: Required
Get full details of a single deployment including history and sandbox.
- Auth: Required
Delete a deployment and remove its container from the VPS.
- Auth: Required
Stop a running deployment container without deleting it.
- Auth: Required
Restart a stopped or failed deployment.
- Auth: Required
Attach a custom domain to a deployment.
- Auth: Required
- Body: `{ deploymentId, domainName }`
Issue a Let's Encrypt SSL certificate for an attached domain.
- Auth: Required
List all domains attached to the user's deployments.
- Auth: Required
Remove a domain and delete the Nginx config from the VPS.
- Auth: Required
Redirect to GitHub OAuth authorization page.
GitHub OAuth callback — exchanges code for token and links account.
List synced GitHub repositories for the authenticated user.
- Auth: Required
Manually sync the GitHub repository list.
- Auth: Required
Disconnect the GitHub OAuth account.
- Auth: Required
Redirect to Google OAuth authorization page.
Google OAuth callback — exchanges code and creates/links account.
Receives GitHub push/PR webhook events. Validates `X-Hub-Signature-256` against `GITHUB_WEBHOOK_SECRET`.
- Auth: Webhook signature verification (not user auth)
Get CPU, RAM, and Disk metrics history for a VPS.
- Auth: Required
- Response: Array of `{ cpuUsage, memoryUsage, diskUsage, activeContainers, timestamp }`
Get paginated notifications for the current user.
- Auth: Required
- Query: `?page=1&limit=20&unreadOnly=false`
Mark a single notification as read.
- Auth: Required
Mark all notifications as read.
- Auth: Required
Delete a notification.
- Auth: Required
Get the current user's alert rule thresholds.
- Auth: Required
- Response: `{ cpuThreshold, ramThreshold, diskThreshold, swapThreshold, emailAlerts, browserAlerts, realtimeAlerts }`
Update alert thresholds and preferences.
- Auth: Required
- Body: `{ cpuThreshold?, ramThreshold?, diskThreshold?, swapThreshold?, emailAlerts?, browserAlerts?, realtimeAlerts? }`
Get the sandbox pre-flight analysis result for a deployment.
- Auth: Required
- Response: `{ score, status, issues, estimatedCPU, estimatedRAM, estimatedDisk }`
Generate a one-time token for establishing a WebSocket terminal session.
- Auth: Required
- Body: `{ vpsId }`
- Response: `{ token }` (short-lived, single-use)
Establish an interactive SSH terminal session with the VPS.
- Auth: One-time query token from `POST /terminal/token`
- Protocol: Binary WebSocket frames forwarded to/from SSH shell.
- Params: `cols`, `rows` for initial terminal geometry.
All endpoints require Auth: Required and target a specific `:vpsId`.
| Method | Endpoint | Description |
|---|---|---|
| GET | `/file-manager/:vpsId/info` | Connection status & home directory |
| GET | `/file-manager/:vpsId/list?path=` | List directory contents |
| GET | `/file-manager/:vpsId/read?path=` | Read file content |
| GET | `/file-manager/:vpsId/properties?path=` | File metadata, size, permissions |
| GET | `/file-manager/:vpsId/search?path=&query=&extension=` | Search files by name |
| GET | `/file-manager/:vpsId/download?path=` | Download file as binary |
| POST | `/file-manager/:vpsId/create` | Create file or folder `{ path, type }` |
| PUT | `/file-manager/:vpsId/save` | Save file content `{ path, content }` |
| PUT | `/file-manager/:vpsId/rename` | Move/rename `{ oldPath, newPath }` |
| PUT | `/file-manager/:vpsId/copy` | Copy `{ srcPath, dstPath }` |
| DELETE | `/file-manager/:vpsId/delete` | Bulk delete `{ paths: [] }` |
| POST | `/file-manager/:vpsId/upload?path=` | Upload file (multipart `file`) |
| POST | `/file-manager/:vpsId/compress` | Zip items `{ parentDir, paths, archiveName }` |
| POST | `/file-manager/:vpsId/decompress` | Extract zip `{ zipFilePath, destDir }` |
All admin endpoints require authentication as an `ADMIN` or `SUPER_ADMIN` role via the separate admin session.
- `POST /admin/login` — Admin login with email/password.
- `POST /admin/logout` — Terminate admin session.
- `GET /admin/me` — Get current admin profile.
- `GET /admin/users` — List all platform users (paginated).
- `GET /admin/users/:id` — Get a specific user's details.
- `PUT /admin/users/:id/role` — Change a user's role.
- `PUT /admin/users/:id/status` — Suspend or activate a user.
- `DELETE /admin/users/:id` — Permanently delete a user account.
- `GET /admin/stats` — Platform-wide stats: total users, deployments, VPS nodes, active sessions.
- `GET /admin/deployments` — List all deployments across all users.
- `DELETE /admin/deployments/:id` — Force-delete any deployment.
- `GET /admin/audit-logs` — Paginated audit log with filters by user, action, and date.
- `POST /admin/backup` — Trigger a manual database backup.
- `GET /admin/backups` — List available backup files.
- `POST /admin/restore` — Restore from a backup file.
- `GET /admin/contact` — List all contact form submissions.
- `PUT /admin/contact/:id` — Update message status.
Publicly accessible platform statistics (total users, deployments, servers — for landing page display).
- Auth: None
All routes require authentication (Auth: Required) and validate user ownership or membership role.
Retrieve all projects the authenticated user owns or is a collaborator/member of.
- Response: Array of projects, including creator metadata, list of project members (with their user profiles and roles), and basic deployment status list.
Retrieve all active members and pending invitations for a specific project.
- Response: `{ members: [...], invites: [...] }`
Invite a new collaborator to the project.
- Role Check: Only `OWNER` or `ADMIN` can invite.
- Body: `{ email, role }` where role must be one of `OWNER`, `ADMIN`, `DEVELOPER`, `VIEWER`.
- Response: `{ invite: { id, email, role, token, expiresAt, ... } }`
Revoke a pending project invitation.
- Role Check: Only `OWNER` or `ADMIN`.
Update the role of an existing project member.
- Role Check: Only `OWNER` or `ADMIN`. Project creator cannot be modified.
- Body: `{ role }`
Remove a member from the project.
- Role Check: Users can remove themselves. `OWNER` or `ADMIN` can remove other members. Project creator cannot be removed.
For users managing invitations sent to them.
Retrieve all active, non-expired project invitations sent to the currently authenticated user's email.
- Auth: Required
Accept a project invitation, adding the user as a project member with the invited role.
- Auth: Required
Decline and delete the project invitation.
- Auth: Required