Skip to main content
Shipfox exposes an HTTP API that the dashboard uses and that you can call directly to automate projects, definitions, runs, and runners. This page covers the endpoints meant for user automation. Endpoints that runners and provisioners use to execute jobs are a separate machine protocol — see Internal protocols.

Base URL

The API is served at the root path — there is no version prefix.
  • Managed: https://api.shipfox.io
  • Local / self-hosted: http://localhost:16101 by default (the port is configurable).

Authentication

User endpoints authenticate with a bearer token. Obtain one by signing in, then send it in the Authorization header.
# Sign in
curl -X POST https://api.shipfox.io/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "you@example.com", "password": "…"}'
# → { "token": "<JWT>", "user": {…}, "membership": {…} }

# Call an authenticated endpoint
curl https://api.shipfox.io/workspaces \
  -H "Authorization: Bearer <JWT>"
Access tokens are short-lived. POST /auth/refresh issues a new one from the HttpOnly refresh cookie set at login (a browser flow). Runner registration tokens, job lease tokens, and provisioner tokens are not general API credentials — they belong to the internal protocols below.

Endpoints

The tables list the primary endpoints per resource; obvious CRUD sub-routes are omitted. All require Authorization: Bearer <JWT> unless the Auth column says otherwise.

Auth & session

MethodPathPurposeAuth
POST/auth/signupCreate an accountNone
POST/auth/loginSign in; returns an access tokenNone
POST/auth/refreshRefresh the access tokenCookie
POST/auth/logoutSign outUser
GET/auth/meCurrent signed-in userUser
POST/auth/password/resetRequest a password resetNone

Workspaces

MethodPathPurpose
GET/workspacesList your workspace memberships
POST/workspacesCreate a workspace
GET/workspaces/{workspaceId}/membersList members
POST/workspaces/{workspaceId}/invitationsInvite a member

Projects

MethodPathPurpose
POST/projectsCreate a project bound to a repository
GET/projectsList projects (workspace_id, pagination, search)
GET/projects/{projectId}Get a project

Workflow definitions

MethodPathPurpose
POST/definitionsCreate or update a definition from YAML
GET/definitionsList definitions (workspace_id, project_id)
GET/definitions/{definitionId}Get a definition
POST/definitions/validateValidate workflow YAML without saving

Workflow runs

MethodPathPurpose
POST/workflow-definitions/{definitionId}/fire-manualFire a manual trigger
GET/workflows/runsList runs (project_id, status, definition_id, …)
GET/workflows/runs/{id}Run detail with jobs and steps
POST/workflows/runs/{id}/cancelCancel a run
POST/workflows/runs/{id}/rerunRerun a run
GET/steps/{stepId}/attempts/{attempt}/logsRead a page of step logs

Runners & provisioners

MethodPathPurpose
POST/workspaces/{workspaceId}/runners/manual-registration-tokensCreate a manual registration token
GET/workspaces/{workspaceId}/runners/activeList active runners
POST/workspaces/{workspaceId}/provisioners/tokensCreate a provisioner token
GET/workspaces/{workspaceId}/provisioners/activeList active provisioners

Agent providers

MethodPathPurpose
GET/agent/provider-catalogList available providers and models
GET/workspaces/{workspaceId}/agentList configured providers
PUT/workspaces/{workspaceId}/agentConfigure a provider
POST/workspaces/{workspaceId}/agent/{providerId}/defaultSet the default provider
See Model Providers for the catalog and resolution rules.

Integrations & trigger events

MethodPathPurpose
GET/integration-connectionsList connections (workspace_id)
GET/integration-providersList available integration providers
POST/integrations/github/installStart a GitHub App installation
GET/trigger-eventsList received trigger events (audit log)
GET/trigger-events/{eventId}Get one trigger event

Webhook ingest endpoints

These are provider callbacks, not user API endpoints — external providers POST to them with a signature. See Integrations.
MethodPathProvider
POST/webhooks/integrations/githubGitHub (X-Hub-Signature-256)
POST/webhooks/integrations/sentrySentry (signed)
POST/webhook/{connectionId}Custom webhook

Errors

Errors return a JSON body with a stable code, optional client-safe details, and an appropriate HTTP status:
{ "code": "project-already-exists", "details": { "existing_project_id": "…" } }
Common codes include validation-error (400), unauthorized (401), forbidden (403), not-found (404), and resource conflicts like project-already-exists (409). Schema-validation failures use validation-error with a message naming the offending field.

Internal protocols

Runners and provisioners authenticate with their own tokens (runner registration sf_mrt_/sf_ert_, runner session, job lease, provisioner sf_pt_) against a separate set of endpoints — claiming jobs, fetching steps, reporting results, appending logs, and polling for demand. These are an internal machine protocol, not part of the user API; don’t call them directly. See Runners and Runner provisioners.