GET /api/admin/feature-availability — which secret-backed features are configured (env or `supacloud/app` vault map). Read-only; never returns secret values. Issue #276 / ADR 0036.
const url = 'https://example.com/api/admin/feature-availability';const options = {method: 'GET'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request GET \ --url https://example.com/api/admin/feature-availabilityResponses
Section titled “Responses”object
“community” | “enterprise” — the deployment edition (Issue #260 / #305). Surfaced as a KPI so the owner can see the instance tier at a glance.
object
Whether the secret(s) powering this feature are configured (env or vault).
Grouping: security | auth | chat | billing | trackers | email | ops | ai.
Whether the feature’s absence blocks server boot (the operation-critical
core). Only true for the credential-encryption key here; the other
boot-critical inputs (DATABASE_URL, JWT) are prerequisites for the
process to be running at all.
Env-var name(s) an operator can set — also the supacloud/app keys.
Stable identifier (the i18n key suffix on the frontend).
“openbao” | “env” — the active secret backend.
Examplegenerated
{ "edition": "example", "features": [ { "available": true, "category": "example", "critical": true, "env_vars": [ "example" ], "key": "example" } ], "secret_backend": "example"}Authentication required
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Permission denied
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Structured server error
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}