app_settings table). Reads (List, Get) are open to MANAGER and above;
writes (Put, Delete) require OWNER or ADMIN.
Sensitive-value redaction. Values under these key patterns always read
back as ***, even on the same request that set them (write-only on read):
- smtp.password*
- oauth.*.client_secret
- webhook.*.secret

DELETE returns 403 (with application/problem+json) for:
- instance.bootstrap_at
- instance.first_user_id
- schema.version
List Settings
key ascending. Sensitive values are
redacted.
Auth: OWNER, ADMIN, or MANAGER role (create tier)
Response: 200 OK
Response Fields
| Field | Type | Description |
|---|---|---|
| key | string | Setting key |
| value | string | Stored value, or *** when the key is sensitive |
| updated_at | string? | ISO 8601 timestamp; omitted when empty |
Get Setting
OWNER, ADMIN, or MANAGER role
| Path Parameter | Description |
|---|---|
| key | Setting key |
200 OK — a single setting object (same shape as a List item).
| Status | Condition |
|---|---|
| 400 | Missing key |
| 404 | Setting not found |
Set Setting
key. An empty string is a valid value (e.g. clearing a
banner); only an absent value field is rejected.
Auth: OWNER or ADMIN role (manage tier)
Request Body:
| Field | Type | Required | Description |
|---|---|---|---|
| value | string | Yes | The value to store. Empty string is valid; a missing field returns 400. |
200 OK — the stored row, with redaction applied if the key is sensitive.
| Status | Condition |
|---|---|
| 400 | Missing key, invalid JSON, or missing value field |
| 403 | Insufficient role |
instance_setting.updated
Delete Setting
403 is returned even if the row does not
exist (a probing client cannot tell whether the marker was ever set).
Auth: OWNER or ADMIN role
Response: 204 No Content
| Status | Condition |
|---|---|
| 400 | Missing key |
| 403 | Key is on the protected allowlist (application/problem+json) |
| 404 | Setting not found |
instance_setting.deleted
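
An added example, not the project's own code, of the write-only redaction and the protected-key delete ordering described on this page, using an in-memory dict as the store. The function names, glob matching via `fnmatchcase`, the split of the sensitive patterns into three entries, checking the role before validating the request, and returning 403 for an insufficient role on delete are assumptions.

```python
from fnmatch import fnmatchcase

# Key patterns and protected keys as listed on this page. Glob semantics and the
# three-way split of the pattern list are assumptions of this example.
SENSITIVE_PATTERNS = ("smtp.password*", "oauth.*.client_secret", "webhook.*.secret")
PROTECTED_KEYS = frozenset({"instance.bootstrap_at", "instance.first_user_id", "schema.version"})
WRITE_ROLES = frozenset({"OWNER", "ADMIN"})
MASK = "***"


def is_sensitive(key):
    return any(fnmatchcase(key, pattern) for pattern in SENSITIVE_PATTERNS)


def render(key, value, updated_at=""):
    """Build a response row; all read paths go through here so none can skip the mask."""
    row = {"key": key, "value": MASK if is_sensitive(key) else value}
    if updated_at:  # updated_at is omitted when empty
        row["updated_at"] = updated_at
    return row


def put_setting(store, role, key, body):
    if role not in WRITE_ROLES:  # assumption: role is checked before the body
        return 403, None
    # An empty string is a valid value; only an absent "value" field is rejected.
    if not key or not isinstance(body, dict) or "value" not in body:
        return 400, None
    store[key] = body["value"]
    return 200, render(key, store[key])  # masked even on the request that set it


def delete_setting(store, role, key):
    if role not in WRITE_ROLES:
        return 403
    if not key:
        return 400
    # The protected check runs before the existence lookup, so the answer is 403
    # whether or not the row exists and the response does not reveal the marker.
    if key in PROTECTED_KEYS:
        return 403
    if key not in store:
        return 404
    del store[key]
    return 204


if __name__ == "__main__":
    demo = {}  # constructed sample store
    print(put_setting(demo, "ADMIN", "smtp.password", {"value": "example-secret"}))
    print(delete_setting(demo, "OWNER", "schema.version"))
```
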