API v1
Stackarr exposes its own public endpoints under /api/v1.
Stackarr starts at /api/v1 because this is its first public API. Downstream Servarr apps keep their own API versions; Stackarr does not rewrite those routes.
The optional MCP Streamable HTTP endpoint lives at /mcp, outside the REST namespace. It uses a connection-policy bearer token rather than the dashboard API key.
| Method | Endpoint | Purpose |
|---|---|---|
GET | /api/v1/system/status | Runtime and configured-state summary. |
GET | /api/v1/health | Health warnings and blocking issues. |
GET | /api/v1/diskspace | Disk-space records for configured roots. |
GET | /api/v1/task | Queued and historical task state. |
POST | /api/v1/command | Queue a command. |
GET | /api/v1/command/:id | Inspect one queued command. |
GET | /api/v1/backup | Backup records. |
GET | /api/v1/agent/tools | Active authority, enabled apps, and available agent actions. |
GET | /api/v1/agent/connections | Generated connection kits for supported MCP clients. |
GET | /api/v1/apps/native | Enabled native apps and their allowlisted operations. |
POST | /api/v1/apps/native | Run one named native operation from an authenticated dashboard session. |
GET | /api/v1/log/file | Log file records, or a bounded redacted tail when filename is provided. |
GET/PUT | /api/v1/config/host | Host, auth, URL, API key state. |
GET/PUT | /api/v1/config/stackarr | Stackarr saved configuration and settings. |
GET/POST | /api/v1/notification | Connect notification definitions. |
GET | /api/v1/notification/schema | Notification schema. |
Mutating endpoints require X-Api-Key. The first authenticated setup save creates an API key when one is missing; command endpoints fail closed until a key exists.
The connection endpoint accepts optional client, profile, groups, containerName, and tunnelId query parameters. It never returns credentials; ChatGPT tunnel output uses a local API-key placeholder.
The native-app endpoint accepts only an app, operation name, operation kind, and the operation's typed inputs. It does not accept an HTTP method, URL, headers, or arbitrary body. A dangerous operation also requires a reason and exact app-name confirmation.