Information
- License: AGPL-3.0-only
- OpenAPI version:
3.1.0
Browser-facing HTTP API consumed by the SupaCloud web UI, plus inbound webhooks (git forges + workflow trigger receivers) under the top-level webhooks key. Generated from the utoipa annotations on the browser handlers (ADR 0044).
Information
3.1.0Per-deployment App API token (scwa_…) for server-side App→API callbacks; alternatively a logged-in session cookie.
Security scheme type: http
Bearer format: scwa
Security scheme type: apiKey
Cookie parameter name: supacloud_session
HMAC of the raw request body, keyed by the per-trigger / per-project secret (constant-time compared). Header + algorithm are provider-specific: X-Hub-Signature-256 (git forges + generic, SHA256 over the raw body), Linear-Signature (Linear, SHA256), X-Notion-Signature (Notion, SHA256), X-Chatwoot-Signature (Chatwoot, SHA256 over {X-Chatwoot-Timestamp}.{raw_body}, replay-guarded), X-Hub-Signature (Intercom, SHA1 over the raw body).
Security scheme type: apiKey
Header parameter name: X-Hub-Signature-256
Unguessable per-trigger token in the final URL path segment; addresses and authenticates the trigger.
Security scheme type: apiKey
Header parameter name: token