Skip to content
Select themeSelect language

GET /api/admin/feature-availability — which secret-backed features are configured (env or `supacloud/app` vault map). Read-only; never returns secret values. Issue #276 / ADR 0036.

GET
/api/admin/feature-availability
curl --request GET \
--url https://example.com/api/admin/feature-availability
Media typeapplication/json
object
edition
required

“community” | “enterprise” — the deployment edition (Issue #260 / #305). Surfaced as a KPI so the owner can see the instance tier at a glance.

string
features
required
Array<object>
object
available
required

Whether the secret(s) powering this feature are configured (env or vault).

boolean
category
required

Grouping: security | auth | chat | billing | trackers | email | ops | ai.

string
critical
required

Whether the feature’s absence blocks server boot (the operation-critical core). Only true for the credential-encryption key here; the other boot-critical inputs (DATABASE_URL, JWT) are prerequisites for the process to be running at all.

boolean
env_vars
required

Env-var name(s) an operator can set — also the supacloud/app keys.

Array<string>
key
required

Stable identifier (the i18n key suffix on the frontend).

string
secret_backend
required

“openbao” | “env” — the active secret backend.

string
Examplegenerated
{
"edition": "example",
"features": [
{
"available": true,
"category": "example",
"critical": true,
"env_vars": [
"example"
],
"key": "example"
}
],
"secret_backend": "example"
}

Authentication required

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Permission denied

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Structured server error

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}