Admin API Guide
The Admin API is how tenants, applications, users, roles, role groups, and logs are managed programmatically. It is the same API the admin dashboard uses. This page is an overview and orientation — the exhaustive, always-accurate endpoint reference is generated from the OpenAPI spec (see API Reference).
:::note Reference vs. guide This guide explains the shape and auth of the admin surface so you can find your way around. The field-by-field, endpoint-by-endpoint contract lives in the machine-readable OpenAPI document, which is the source of truth. See the API Reference page. :::
Base URL & authentication
Admin endpoints live under /api/admin/... on the auth host and authenticate with a
session cookie established by logging in as an admin user (the dashboard does this for
you). Access is governed by the admin RBAC layer — an admin user holds an admin role
(e.g. super_admin) scoped to a tenant, and each handler enforces the required permission.
Base: https://auth.curupira.api.br/api/admin
Auth: session cookie (admin login) + admin-role permission checks
Every state-changing admin action is recorded in the audit log (who did what, with old vs. new values), so administration is fully traceable.
What you can manage
The admin surface mirrors the product model:
Tenants
GET /api/admin/tenants— list tenants (paginated).POST /api/admin/tenants— create a tenant with its initial application (a tenant is never created empty).GET /api/admin/tenants/{id}— tenant detail + stats.
Applications
GET /api/admin/applications— list (filterable by tenant).POST /api/admin/applications— create an application.GET /api/admin/applications/{id}— detail.PATCH/PUT /api/admin/applications/{id}— update (e.g. redirect URIs, roles, enabled).POST /api/admin/applications/{id}/regenerate-apikey— rotate the API key (invalidates the old one).
Roles & role groups
GET|POST /api/admin/roles,GET /api/admin/roles/{id}, update/delete — manage roles (each role belongs to an application).GET|POST /api/admin/role-groups,GET /api/admin/role-groups/{id}, delete — manage role groups and their member roles (.../role-groups/{group_id}/roles/{role_id}to add/remove a member).
Users & their permissions
GET /api/admin/users,GET /api/admin/users/{id}— list / detail.- Assign or remove roles and role groups for a user
(
.../users/{id}/roles,.../users/{id}/groups, and the corresponding delete routes). GET /api/admin/users/{id}/available-roles/.../available-role-groups— what can still be assigned.
SSO connections
GET|POST /api/admin/sso-connections— configure per-tenant social/enterprise login (Google / Microsoft / GitHub). See the operator note in Product Concepts; provider registration is covered by the SSO provider setup runbook in the main repo.
Logs & monitoring
- Login attempts, event logs, and audit logs are exposed for viewing and filtering (the
dashboard's logging views). Event logs also surface
super_admin_accessentries so tenant admins can see when DW-Corp support accessed their tenant.
Typical automation flow
- Authenticate as an admin (obtain the session cookie).
POST /api/admin/tenantsto create a tenant + initial application.- Capture the returned
client_idand API key for the application. POST /api/admin/roles/POST /api/admin/role-groupsto model permissions.- Assign roles/groups to users as they sign up.
Where the full reference lives
The complete request/response schemas, status codes, and examples are generated from the OpenAPI spec. Head to the API Reference — it explains the two surfaces (full internal vs. curated public) and how they will be rendered here.