Skip to main content
The Crewship REST API is a single versioned surface under /api/v1/ that drives every workspace, crew, agent, and credential operation. This page covers the cross-cutting conventions — base URL, the five authentication methods, RBAC roles, request/response format, pagination, and the RFC 7807 error shape — then links out to each resource group. Real-time updates and inbound triggers ride alongside REST over WebSocket and Webhooks.

Base URL

http://<host>:8080/api/v1/
All endpoints are prefixed with /api/v1/ unless otherwise noted. Exceptions:
  • Health check: GET /api/health
  • NextAuth endpoints: /api/auth/*
  • WebSocket upgrade: GET /ws

Authentication

Crewship supports five authentication methods depending on the context. The web UI authenticates via JWT session tokens stored in HTTP-only cookies. The Go backend validates these tokens directly (no external NextAuth server required).
Cookie NameCondition
authjs.session-tokenHTTP connections
__Secure-authjs.session-tokenHTTPS connections
Tokens are set by the POST /api/auth/callback/credentials login endpoint and expire after 30 days.

2. CLI Token (Programmatic)

CLI tokens are long-lived bearer tokens prefixed with crewship_cli_. Create them via the API or CLI:
# Create a CLI token
POST /api/v1/auth/cli-token

# Use in API calls
curl -H "Authorization: Bearer crewship_cli_xxxxx" \
  http://localhost:8080/api/v1/crews?workspace_id=<id>
EndpointMethodDescription
POST /api/v1/auth/cli-tokenPOSTCreate a new CLI token
GET /api/v1/auth/cli-token/validateGETValidate the current token
GET /api/v1/auth/cli-tokensGETList all CLI tokens for the user
DELETE /api/v1/auth/cli-tokens/{tokenId}DELETERevoke a CLI token

3. WebSocket Token (Real-time)

Short-lived JWT tokens for establishing WebSocket connections.
# Get a WS token (requires session or CLI auth)
GET /api/v1/ws-token

# Connect
ws://localhost:8080/ws?token=<jwt>

4. Internal Token (IPC)

Used by the crewshipd sidecar process for internal communication over Unix socket. Passed via X-Internal-Token header. Not available to external clients.

5. Webhook Secret (Inbound)

Per-agent HMAC secrets for authenticating inbound webhook triggers:
POST /api/v1/webhooks/{crewId}/{agentId}/trigger
Header: X-Webhook-Secret: <per-agent-secret>

Authorization (RBAC)

Workspace membership is required for all workspace-scoped endpoints. The workspace_id query parameter (or {workspaceId} path parameter) identifies the workspace context.
RolePermissions
OWNERFull access, can manage workspace settings and members
ADMINCan create, update, delete resources; manage credentials
MANAGERCan create and update resources
MEMBERRead-only access
VIEWERRead-only access (lowest tier)
Permission mapping:
ActionRequired Roles
readAny authenticated member
createOWNER, ADMIN, MANAGER
manageOWNER, ADMIN

Request Format

  • Content-Type: application/json
  • Body size limit: 1 MB
  • Timestamps: ISO 8601 / RFC 3339 in UTC (e.g., 2024-01-15T10:30:00Z)
  • IDs: CUID strings (e.g., cm1a2b3c4d5e6f7g8h9i)
  • Slugs: Lowercase alphanumeric with hyphens, 2-50 characters (regex: ^[a-z0-9][a-z0-9_-]*$)
  • Soft delete: DELETE endpoints set deleted_at rather than removing rows (credentials, crews, agents)

Pagination

List endpoints use offset-based pagination:
ParameterTypeDefaultDescription
limitinteger20 or 50Maximum items per page (max 100)
offsetinteger0Number of items to skip
GET /api/v1/missions?workspace_id=ws123&limit=20&offset=40
Response is a JSON array of items. There is no envelope — the array is returned directly.

Error Format

Errors use RFC 7807 Problem Details where supported:
{
  "type": "about:blank",
  "title": "Bad Request",
  "status": 400,
  "detail": "name must be 2-100 characters",
  "instance": "/api/v1/crews"
}
Some older endpoints return a simpler format:
{
  "error": "Unauthorized"
}

Common Status Codes

CodeMeaning
200Success
201Created
204No Content (successful delete)
400Bad Request — validation error
401Unauthorized — missing or invalid token
402Payment Required — license limit exceeded
403Forbidden — insufficient role
404Not Found
409Conflict — duplicate slug, relation already exists
500Internal Server Error

Communication Layers

LayerTransportPurpose
REST APIHTTPCRUD operations, management, auth
WebSocketWSReal-time log streaming, chat, event broadcasting
WebhooksHTTP (inbound)External triggers (GitHub, Grafana, etc.)
IPCHTTP over Unix socketInternal sidecar communication

Endpoint Groups

Crews

CRUD for crews, members, container config, network policies.

Agents

CRUD for agents, skills, credentials, chats, runs, persona, hire/rehire.

Missions

Mission lifecycle, tasks, start/restart/resume/clone, metrics.

Issues

Issue tracking, labels, comments, relations, activity, projects.

Credentials

Credential vault CRUD, testing, agent assignment.

Skills

Skill marketplace, import, workflow templates, crew templates.

Integrations

MCP server integrations at workspace/crew/agent level, OAuth flow.

Webhooks

Inbound webhook trigger endpoint.

WebSocket

Real-time channels, subscriptions, chat, event types.

Connectors

Curated connector catalog — browse, verify credentials, install.

Feature Flags

Feature flag CRUD with percentage rollout and per-workspace overrides.

Instance Settings

Instance-wide settings with sensitive-value redaction and protected keys.

Policies

Per-crew autonomy levels and behavior modes.

Privacy

GDPR peer-card access — view, purge, consent / opt-out.

Slash Commands

Capability-filtered slash-command catalog for the composer and CLI.

Additional Endpoints

These endpoints are documented here for completeness but do not have dedicated pages — health, system status, auth, onboarding, admin, audit, runs, and workspaces.

Health Check

GET /api/health
No authentication required. Returns {"status": "ok"} with HTTP 200.

System

EndpointDescription
GET /api/v1/system/runtimeRuntime info (Go version, uptime, etc.)
GET /api/v1/system/licenseLicense status and limits
GET /api/v1/system/keeperKeeper (credential access control) status
GET /api/v1/crewshipdCrewshipd process health and status
GET /api/v1/system/aux-statusResolved auxiliary-model assignment per slot (provider, model, timeout, explicit/fallback source)

Activity

EndpointDescription
GET /api/v1/activityCross-crew activity feed (assignments, peer conversations, escalations). Supports crew_id and limit query parameters. See also crewship activity CLI command.

Auth / Signup

EndpointAuthDescription
POST /api/v1/bootstrapNoneBootstrap first user (empty instance)
POST /api/v1/auth/signupNoneRegister a new user (when CREWSHIP_ALLOW_SIGNUP=true)
GET /api/v1/ws-tokenRequiredGet short-lived WebSocket JWT

NextAuth Compatibility

EndpointDescription
GET /api/auth/csrfCSRF token
GET /api/auth/providersAvailable auth providers
GET /api/auth/sessionCurrent session
POST /api/auth/callback/credentialsLogin with email/password
POST /api/auth/token/refreshRefresh the session token (NextAuth-compatible token rotation)
GET /api/auth/signinSign-in page redirect
POST /api/auth/signoutSign out (clears cookie)
GET /api/auth/errorNextAuth error page redirect

Onboarding

EndpointDescription
GET /api/v1/onboarding/statusCheck onboarding completion status
POST /api/v1/onboarding/completeMark onboarding as complete
POST /api/v1/onboarding/setupRun guided setup

Admin (OWNER only)

EndpointDescription
GET /api/v1/admin/statsAggregate counts for the current workspace (workspaces always 1, users, agents, running)
GET /api/v1/admin/usersList members of the current workspace
GET /api/v1/admin/workspacesReturn the current workspace with member/agent/crew counts
GET /api/v1/admin/keeper/requestsKeeper access request log

Audit

EndpointDescription
GET /api/v1/auditAudit log (workspace-scoped, requires manage role)
GET /api/v1/mcp-tool-callsMCP tool call audit trail

Runs

EndpointDescription
GET /api/v1/runsList agent runs (workspace-scoped)

Workspaces

EndpointMethodDescription
GET /api/v1/workspacesGETList user’s workspaces
POST /api/v1/workspacesPOSTCreate a workspace
GET /api/v1/workspaces/{workspaceId}GETGet workspace details
PATCH /api/v1/workspaces/{workspaceId}PATCHUpdate workspace
GET /api/v1/workspaces/{workspaceId}/membersGETList workspace members
POST /api/v1/workspaces/{workspaceId}/membersPOSTAdd a member
DELETE /api/v1/workspaces/{workspaceId}/members/{memberId}DELETERemove a member
GET /api/v1/workspaces/{workspaceId}/invitationsGETList invitations
POST /api/v1/workspaces/{workspaceId}/invitationsPOSTCreate invitation