Skip to content
Select themeSelect language

Overview

Browser-facing HTTP API consumed by the SupaCloud web UI, plus inbound webhooks (git forges + workflow trigger receivers) under the top-level webhooks key. Generated from the utoipa annotations on the browser handlers (ADR 0044).

Information

  • License: AGPL-3.0-only
  • OpenAPI version: 3.1.0

Per-deployment App API token (scwa_…) for server-side App→API callbacks; alternatively a logged-in session cookie.

Security scheme type: http

Bearer format: scwa

Security scheme type: apiKey

Cookie parameter name: supacloud_session

HMAC of the raw request body, keyed by the per-trigger / per-project secret (constant-time compared). Header + algorithm are provider-specific: X-Hub-Signature-256 (git forges + generic, SHA256 over the raw body), Linear-Signature (Linear, SHA256), X-Notion-Signature (Notion, SHA256), X-Chatwoot-Signature (Chatwoot, SHA256 over {X-Chatwoot-Timestamp}.{raw_body}, replay-guarded), X-Hub-Signature (Intercom, SHA1 over the raw body).

Security scheme type: apiKey

Header parameter name: X-Hub-Signature-256

Unguessable per-trigger token in the final URL path segment; addresses and authenticates the trigger.

Security scheme type: apiKey

Header parameter name: token