
Admin API

The admin API lets you manage lexicons, monitor records, run backfill jobs, and control user access. All endpoints live under /admin and require authentication from a DID that exists in the users table, with the appropriate permissions for the endpoint being called. You can also manage all of this through the web dashboard.

Auth

The admin API supports two authentication methods:

  1. API keys — read/write tokens starting with hv_, passed as Authorization: Bearer hv_.... See the API Keys guide for details.
  2. Service auth JWT — atproto inter-service authentication via signed JWTs.

In all cases the resolved DID is checked against the users table, and the user's permissions are loaded to authorize the request.

Auto-bootstrap: If the users table is empty, the first authenticated request automatically creates the caller as the super user with all permissions granted.

Non-user DIDs receive a 403 Forbidden response. Users without the required permission for a specific endpoint also receive 403 Forbidden.

Errors

All error responses return JSON with an error field:

{
  "error": "description of what went wrong"
}

| Status | Meaning |
| --- | --- |
| 400 Bad Request | Invalid input (missing required fields, malformed lexicon JSON) |
| 401 Unauthorized | Missing or invalid API key or service auth JWT |
| 403 Forbidden | Authenticated DID is not in the users table, or user lacks the required permission |
| 404 Not Found | Lexicon, user, or backfill job not found |

# All examples assume $TOKEN is an API key (hv_...)
AUTH="Authorization: Bearer $TOKEN"

Endpoint groups

| Group | Description |
| --- | --- |
| Lexicons | Upload, list, get, and delete lexicons and network lexicons |
| Stats | Record counts by collection |
| Backfill | Create and monitor historical backfill jobs |
| Event Logs | Query the audit trail of system events |
| API Keys | Create, list, and revoke API keys |
| Users | Create, list, update, and delete admin users |
| Labelers | Manage external labeler subscriptions |
| Instance Settings | Configure app name, logo, and policy URLs |
| Domains | Manage domains and their OAuth client identities |
| Script Variables | Encrypted key/value pairs for Lua scripts |
| API Clients | Register and manage third-party XRPC clients |
| Plugins | Install, configure, and manage WASM plugins |

Permissions

Each admin API endpoint requires a specific permission. See the Permissions guide for the full list of permissions and templates.

| Endpoint | Required Permission |
| --- | --- |
| POST /admin/lexicons | lexicons:create |
| GET /admin/lexicons | lexicons:read |
| GET /admin/lexicons/{id} | lexicons:read |
| DELETE /admin/lexicons/{id} | lexicons:delete |
| POST /admin/network-lexicons | lexicons:create |
| GET /admin/network-lexicons | lexicons:read |
| DELETE /admin/network-lexicons/{id} | lexicons:delete |
| GET /admin/stats | stats:read |
| POST /admin/backfill | backfill:create |
| GET /admin/backfill/status | backfill:read |
| GET /admin/events | events:read |
| POST /admin/api-keys | api-keys:create |
| GET /admin/api-keys | api-keys:read |
| DELETE /admin/api-keys/{id} | api-keys:delete |
| POST /admin/users | users:create |
| GET /admin/users | users:read |
| GET /admin/users/{id} | users:read |
| PATCH /admin/users/{id}/permissions | users:update |
| DELETE /admin/users/{id} | users:delete |
| POST /admin/users/transfer-super | Super user only |
| GET /admin/script-variables | script-variables:read |
| POST /admin/script-variables | script-variables:create |
| DELETE /admin/script-variables/{key} | script-variables:delete |
| POST /admin/labelers | labelers:create |
| GET /admin/labelers | labelers:read |
| PATCH /admin/labelers/{did} | labelers:create |
| DELETE /admin/labelers/{did} | labelers:delete |
| GET /admin/settings | settings:manage |
| PUT /admin/settings/{key} | settings:manage |
| DELETE /admin/settings/{key} | settings:manage |
| PUT /admin/settings/logo | settings:manage |
| DELETE /admin/settings/logo | settings:manage |
| GET /admin/plugins | plugins:read |
| POST /admin/plugins | plugins:create |
| POST /admin/plugins/preview | plugins:read |
| GET /admin/plugins/official | plugins:read |
| DELETE /admin/plugins/{id} | plugins:delete |
| POST /admin/plugins/{id}/reload | plugins:create |
| POST /admin/plugins/{id}/check-update | plugins:read |
| GET /admin/plugins/{id}/secrets | plugins:read |
| PUT /admin/plugins/{id}/secrets | plugins:create |
| GET /admin/domains | settings:manage |
| POST /admin/domains | settings:manage |
| DELETE /admin/domains/{id} | settings:manage |
| POST /admin/domains/{id}/primary | settings:manage |
| GET /admin/api-clients | api-clients:view |
| POST /admin/api-clients | api-clients:create |
| GET /admin/api-clients/{id} | api-clients:view |
| PUT /admin/api-clients/{id} | api-clients:edit |
| DELETE /admin/api-clients/{id} | api-clients:delete |
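
The decision order from the Auth section (401 for missing or invalid credentials, auto-bootstrap on an empty users table, 403 for non-users and for missing permissions), applied to a few rows of the permission table, as an added Python model that is not the project's own code. The shape of the `users` dictionary, the `SUPER` marker for "Super user only", the use of 200 to mean "allowed", and the function names are assumptions of this example.

```python
import re

# A few rows copied from the endpoint/permission table on this page.
ROUTES = [
    ("GET", "/admin/lexicons", "lexicons:read"),
    ("DELETE", "/admin/lexicons/{id}", "lexicons:delete"),
    ("GET", "/admin/plugins/{id}/secrets", "plugins:read"),
    ("PUT", "/admin/plugins/{id}/secrets", "plugins:create"),
    ("PATCH", "/admin/labelers/{did}", "labelers:create"),
    ("POST", "/admin/users/transfer-super", "SUPER"),  # "Super user only"
]

def compile_template(template):
    # /admin/lexicons/{id} -> regex where each {placeholder} is one path segment
    parts = re.split(r"\{[^}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "$")

COMPILED = [(m, compile_template(t), perm) for m, t, perm in ROUTES]

def required_permission(method, path):
    for m, rx, perm in COMPILED:
        if m == method and rx.match(path):
            return perm
    raise LookupError(f"{method} {path} is not in this model's route table")

def authorize(users, did, method, path):
    """Return (status, users). users maps DID -> {"super": bool, "perms": set}
    (assumed shape). did is None when the API key or JWT is missing or invalid."""
    if did is None:
        return 401, users                 # never reaches the bootstrap step
    if not users:
        # Auto-bootstrap: the first *authenticated* caller becomes super user.
        users = {did: {"super": True, "perms": set()}}
    user = users.get(did)
    if user is None:
        return 403, users                 # authenticated, but not an admin user
    perm = required_permission(method, path)
    if user["super"] or perm in user["perms"]:
        return 200, users                 # allowed; the handler would run
    return 403, users                     # user lacks the required permission

if __name__ == "__main__":
    users = {}                            # constructed sample state
    status, users = authorize(users, "did:plc:alice", "GET", "/admin/lexicons")
    print(status, users)
    users["did:plc:bob"] = {"super": False, "perms": {"plugins:read"}}
    for m, p in [("GET", "/admin/plugins/p1/secrets"), ("PUT", "/admin/plugins/p1/secrets")]:
        print(m, p, authorize(users, "did:plc:bob", m, p)[0])
```

Two points the model makes visible: on a fresh instance the bootstrap branch hands super user to whoever authenticates first, so make that first request yourself before /admin is reachable by anyone else, and per the table a user holding only plugins:read can call GET /admin/plugins/{id}/secrets.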