Public API

Public API

Configure external API access for CI/CD integration and automation.

Use this screen to expose (or disable) the Public API, share documentation URLs, tune rate limits, and restrict access by role.

Where to find everything: Administration Settings.

Actions

• Reset to defaults
• Save settings

API documentation

• Swagger UI — interactive docs URL (often with a copy control). Point internal consumers here from runbooks.
• Base URL — REST root for API clients (for example /api/v1), with copy for pipelines.

Hosts and ports depend on your deployment (development vs production).

General settings

• Enable Public API — master switch for programmatic access.
• Current API version — read-only display (for example v1).

Rate limiting

• Enable rate limiting to protect API from abuse — when on, caps apply.
• Max requests per minute — short burst limit (for example 100).
• Max requests per hour — sustained limit (for example 1000).

Tighten limits in production; raise only with evidence of legitimate throughput needs.

Authentication

• Public API token expiry — dropdown (for example 7 days (recommended)). Shorter expiry reduces risk if a token leaks.
• Allowed roles — checkboxes for which roles may obtain or use API access (for example Administrator, Tester, Contributor, Reader). Enable only roles that need automation.

Related: Role Permissions and Audit Logs.

CORS

If your build exposes CORS options, avoid wildcard origins in production; allow-list trusted domains.

Best practices

• Keep the API disabled until you have an integration owner and monitoring.
• Store tokens in a secret manager, never in repos.
• Revoke unused tokens and review allowed roles after org changes.

Related articles

• Configuration fundamentals
• Release notes