Skip to content

The Proxy Permissions API configures authentication groups and access control for proxy endpoints at both the container and project scope. Each proxy permissions document defines authentication groups (jwt, password, ip, token), per-group program access rules, a default fallback policy, and the proxy enable state. Container-level documents may also define per-service proxy hooks.

All write operations (PATCH, DELETE) require the optimistic-concurrency If-Match: file:v header. Read the current file_version from GET first; the server returns 428 when the header is absent and 412 when it is stale.

GET /api/v1/containers/{id}/proxy/permissions

Section titled “GET /api/v1/containers/{id}/proxy/permissions”

Retrieve the full proxy access control configuration for a container, including authentication groups, per-group program permissions, default policy, proxy enable state, and hooks.

const { data } = await client.api.proxyPermissionsContainer.get({
id: "507f1f77bcf86cd799439012"
});
NameInTypeRequiredDescription
idpathstringYesContainer ID

PATCH /api/v1/containers/{id}/proxy/permissions

Section titled “PATCH /api/v1/containers/{id}/proxy/permissions”

Replace the entire container proxy permissions document. Use this for bulk rewrites; for targeted edits use the dedicated /default, /state, /groups/..., and /permissions/... endpoints below.

await client.api.proxyPermissionsContainer.replace({
id: "507f1f77bcf86cd799439012",
ifMatch: "file:v3",
data: {
project: "507f1f77bcf86cd799439011",
container: "507f1f77bcf86cd799439012",
groups: {
admin: { type: "jwt", algorithm: "HS256", secret: "<jwt-secret>", sources: ["header:Authorization"] }
},
permissions: {
admin: { terminal: "*", files: true }
},
default: "deny",
enable_proxy: true
}
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
projectstringYesProject ID owning this container (24-character hex)
containerstringYesContainer ID (must match path :id, 24-character hex)
groupsobjectYesAuthentication groups. Key is group name; value is group config (jwt, password, ip, token)
permissionsobjectYesPer-group program permissions. Map of program → access rule (boolean, port number, port list, port range, or "*")
defaultstringNoDefault access policy. One of allow, deny. Defaults to deny
enable_proxybooleanNoEnable or disable the proxy. Defaults to true
hooksobjectNoPer-service proxy hooks. Keys are service names; values are arrays of { match, script, timeout? } rules. Max 8 per service, 32 per file total. Reject-listed services: logs, proxy, workspaces

DELETE /api/v1/containers/{id}/proxy/permissions

Section titled “DELETE /api/v1/containers/{id}/proxy/permissions”

Delete the container proxy permissions document and revert the container to open access.

await client.api.proxyPermissionsContainer.delete({
id: "507f1f77bcf86cd799439012",
ifMatch: "file:v3"
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first

PATCH /api/v1/containers/{id}/proxy/permissions/default

Section titled “PATCH /api/v1/containers/{id}/proxy/permissions/default”

Update only the default access policy that applies when no authentication group matches.

await client.api.proxyPermissionsContainer.updateDefault({
id: "507f1f77bcf86cd799439012",
ifMatch: "file:v3",
data: { default: "allow" }
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
defaultstringYesDefault access policy for unmatched requests. One of allow, deny

PATCH /api/v1/containers/{id}/proxy/permissions/state

Section titled “PATCH /api/v1/containers/{id}/proxy/permissions/state”

Enable or disable the proxy entirely for the container. When disabled, the proxy layer is bypassed and access control is removed.

await client.api.proxyPermissionsContainer.updateState({
id: "507f1f77bcf86cd799439012",
ifMatch: "file:v3",
data: { enable_proxy: true }
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
enable_proxybooleanYesEnable or disable the proxy entirely

Authentication groups define WHO is allowed to reach the proxy. Each group has a type (jwt, password, ip, token) and the credentials needed to verify it.

PATCH /api/v1/containers/{id}/proxy/permissions/groups/{groupName}/ip

Section titled “PATCH /api/v1/containers/{id}/proxy/permissions/groups/{groupName}/ip”

Configure an IP-based authentication group using an IPv4 CIDR range.

await client.api.proxyPermissionsContainer.setIpGroup({
id: "507f1f77bcf86cd799439012",
groupName: "office",
ifMatch: "file:v3",
data: { range: "192.168.1.0/24" }
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
groupNamepathstringYesAuthentication group name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
rangestringYesIPv4 CIDR range (e.g. 192.168.1.0/24, 10.0.0.0/8, 203.0.113.5/32)

PATCH /api/v1/containers/{id}/proxy/permissions/groups/{groupName}/jwt

Section titled “PATCH /api/v1/containers/{id}/proxy/permissions/groups/{groupName}/jwt”

Configure a JWT-based authentication group with a signing algorithm, secret/public key, and token sources.

await client.api.proxyPermissionsContainer.setJwtGroup({
id: "507f1f77bcf86cd799439012",
groupName: "admin",
ifMatch: "file:v3",
data: {
secret: "<jwt-secret>",
algorithm: "HS256",
sources: ["header:Authorization", "cookie:jwt_token"],
claims: { role: "admin", level: 5 }
}
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
groupNamepathstringYesAuthentication group name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
secretstringYesJWT secret. For HS256: any string. For RS256/ES256: PEM-encoded public key
algorithmstringYesSignature algorithm. One of HS256, RS256, ES256
sourcesarrayYesWhere to look for JWT tokens. Each entry uses the format header:Name or cookie:Name
claimsobjectNoRequired JWT claims to validate exactly. Values must be string, number, or boolean

PATCH /api/v1/containers/{id}/proxy/permissions/groups/{groupName}/password

Section titled “PATCH /api/v1/containers/{id}/proxy/permissions/groups/{groupName}/password”

Configure a username/password authentication group using SHA256 hashing.

await client.api.proxyPermissionsContainer.setPasswordGroup({
id: "507f1f77bcf86cd799439012",
groupName: "users",
ifMatch: "file:v3",
data: {
username: "alice",
password: "correct-horse-battery-staple",
algorithm: "sha256",
salt: "randomsalt123"
}
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
groupNamepathstringYesAuthentication group name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
usernamestringYesUsername to match exactly
passwordstringYesPassword plaintext or pre-hashed SHA256(salt + password) lowercase hex
algorithmstringNoHashing algorithm. Only sha256 is supported
saltstringYesSalt used for password hashing (unique per group recommended)

PATCH /api/v1/containers/{id}/proxy/permissions/groups/{groupName}/token

Section titled “PATCH /api/v1/containers/{id}/proxy/permissions/groups/{groupName}/token”

Configure a static-token authentication group. Exactly one of header, cookie, or param must be supplied together with value.

// Header example
await client.api.proxyPermissionsContainer.setTokenGroup({
id: "507f1f77bcf86cd799439012",
groupName: "external-api",
ifMatch: "file:v3",
data: { header: "X-API-Key", value: "<static-token>" }
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
groupNamepathstringYesAuthentication group name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first

The body must contain exactly one location (header, cookie, or param) together with value.

VariantRequired FieldsDescription
Header tokenheader, valueMatch a header name (case-insensitive) against a literal token value
Cookie tokencookie, valueMatch a cookie name (case-sensitive) against a literal token value
Query tokenparam, valueMatch a query parameter name (case-sensitive) against a literal token value

DELETE /api/v1/containers/{id}/proxy/permissions/groups/{groupName}

Section titled “DELETE /api/v1/containers/{id}/proxy/permissions/groups/{groupName}”

Remove a single authentication group from the container document.

await client.api.proxyPermissionsContainer.removeAuthGroup({
id: "507f1f77bcf86cd799439012",
groupName: "office",
ifMatch: "file:v3"
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
groupNamepathstringYesGroup name to remove
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first

Program permissions define WHAT each authenticated group is permitted to access: a boolean (allow/deny all), a single port/index number, a list of ports, a port range, or "*".

PATCH /api/v1/containers/{id}/proxy/permissions/permissions/{groupName}

Section titled “PATCH /api/v1/containers/{id}/proxy/permissions/permissions/{groupName}”

Set a single program access rule for a group. The body specifies which program and which access rule to apply.

await client.api.proxyPermissionsContainer.setGroup({
id: "507f1f77bcf86cd799439012",
groupName: "admin",
ifMatch: "file:v3",
data: { program: "http", access: [80, 443] }
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
groupNamepathstringYesGroup name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
programstringYesProgram name (e.g. http, terminal, ssh, files, exec, services, notifications)
accessboolean | number | array | stringYesAccess rule. Boolean for allow/deny all; number for a single port/index; array of numbers for specific ports; "low-high" string for a port range; "*" for wildcard allow-all

DELETE /api/v1/containers/{id}/proxy/permissions/permissions/{groupName}

Section titled “DELETE /api/v1/containers/{id}/proxy/permissions/permissions/{groupName}”

Remove ALL program permissions for a group on this container in one call.

await client.api.proxyPermissionsContainer.removeGroup({
id: "507f1f77bcf86cd799439012",
groupName: "admin",
ifMatch: "file:v3"
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
groupNamepathstringYesGroup name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first

DELETE /api/v1/containers/{id}/proxy/permissions/permissions/{groupName}/{program}

Section titled “DELETE /api/v1/containers/{id}/proxy/permissions/permissions/{groupName}/{program}”

Remove a single program’s access rule for a group, leaving all other programs untouched.

await client.api.proxyPermissionsContainer.removeProgram({
id: "507f1f77bcf86cd799439012",
groupName: "admin",
program: "ssh",
ifMatch: "file:v3"
});
NameInTypeRequiredDescription
idpathstringYesContainer ID
groupNamepathstringYesGroup name
programpathstringYesProgram name (e.g. http, ssh, files)
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first

Project-scoped proxy permissions apply as defaults to every container in the project. Container-level documents override project-level rules when both are present.

GET /api/v1/projects/{id}/proxy/permissions

Section titled “GET /api/v1/projects/{id}/proxy/permissions”

Retrieve the full proxy access control configuration for a project.

const { data } = await client.api.proxyPermissionsProject.get({
id: "507f1f77bcf86cd799439011"
});
NameInTypeRequiredDescription
idpathstringYesProject ID

PATCH /api/v1/projects/{id}/proxy/permissions

Section titled “PATCH /api/v1/projects/{id}/proxy/permissions”

Replace the entire project proxy permissions document. Use this for bulk rewrites; for targeted edits use the dedicated /default, /state, /groups/..., and /permissions/... endpoints below.

await client.api.proxyPermissionsProject.replace({
id: "507f1f77bcf86cd799439011",
ifMatch: "file:v3",
data: {
project: "507f1f77bcf86cd799439011",
groups: {
admin: { type: "jwt", algorithm: "HS256", secret: "<jwt-secret>", sources: ["header:Authorization"] }
},
permissions: {
admin: { terminal: true, files: true }
},
default: "deny",
enable_proxy: true
}
});
NameInTypeRequiredDescription
idpathstringYesProject ID
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
projectstringYesProject ID (must match path :id, 24-character hex)
groupsobjectYesAuthentication groups. Key is group name; value is group config (jwt, password, ip, token)
permissionsobjectYesPer-group program permissions. Map of program → access rule (boolean, port number, port list, port range, or "*")
defaultstringNoDefault access policy. One of allow, deny. Defaults to deny
enable_proxybooleanNoEnable or disable the proxy. Defaults to true

DELETE /api/v1/projects/{id}/proxy/permissions

Section titled “DELETE /api/v1/projects/{id}/proxy/permissions”

Remove all proxy access control configuration from the project and revert to open access with the allow default policy.

await client.api.proxyPermissionsProject.delete({
id: "507f1f77bcf86cd799439011",
ifMatch: "file:v3"
});
NameInTypeRequiredDescription
idpathstringYesProject ID
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first

PATCH /api/v1/projects/{id}/proxy/permissions/default

Section titled “PATCH /api/v1/projects/{id}/proxy/permissions/default”

Update only the default access policy that applies when no authentication group matches.

await client.api.proxyPermissionsProject.updateDefault({
id: "507f1f77bcf86cd799439011",
ifMatch: "file:v3",
data: { default: "deny" }
});
NameInTypeRequiredDescription
idpathstringYesProject ID
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
defaultstringYesDefault access policy for unmatched requests. One of allow, deny

PATCH /api/v1/projects/{id}/proxy/permissions/state

Section titled “PATCH /api/v1/projects/{id}/proxy/permissions/state”

Enable or disable the proxy entirely for the project. When disabled, the proxy layer is bypassed and all access control is removed.

await client.api.proxyPermissionsProject.updateState({
id: "507f1f77bcf86cd799439011",
ifMatch: "file:v3",
data: { enable_proxy: false }
});
NameInTypeRequiredDescription
idpathstringYesProject ID
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
enable_proxybooleanYesEnable or disable the proxy entirely

PATCH /api/v1/projects/{id}/proxy/permissions/groups/{groupName}/ip

Section titled “PATCH /api/v1/projects/{id}/proxy/permissions/groups/{groupName}/ip”

Configure an IP-based authentication group for the project using an IPv4 CIDR range.

await client.api.proxyPermissionsProject.setIpGroup({
id: "507f1f77bcf86cd799439011",
groupName: "office",
ifMatch: "file:v3",
data: { range: "192.168.1.0/24" }
});
NameInTypeRequiredDescription
idpathstringYesProject ID
groupNamepathstringYesAuthentication group name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
rangestringYesIPv4 CIDR range (e.g. 192.168.1.0/24, 10.0.0.0/8, 203.0.113.5/32)

PATCH /api/v1/projects/{id}/proxy/permissions/groups/{groupName}/jwt

Section titled “PATCH /api/v1/projects/{id}/proxy/permissions/groups/{groupName}/jwt”

Configure a JWT-based authentication group for the project with a signing algorithm, secret/public key, and token sources.

await client.api.proxyPermissionsProject.setJwtGroup({
id: "507f1f77bcf86cd799439011",
groupName: "admin",
ifMatch: "file:v3",
data: {
secret: "<jwt-secret>",
algorithm: "HS256",
sources: ["header:Authorization"],
claims: { role: "admin" }
}
});
NameInTypeRequiredDescription
idpathstringYesProject ID
groupNamepathstringYesAuthentication group name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
secretstringYesJWT secret. For HS256: any string. For RS256/ES256: PEM-encoded public key
algorithmstringYesSignature algorithm. One of HS256, RS256, ES256
sourcesarrayYesWhere to look for JWT tokens. Each entry uses the format header:Name or cookie:Name
claimsobjectNoRequired JWT claims to validate exactly. Values must be string, number, or boolean

PATCH /api/v1/projects/{id}/proxy/permissions/groups/{groupName}/password

Section titled “PATCH /api/v1/projects/{id}/proxy/permissions/groups/{groupName}/password”

Configure a username/password authentication group for the project using SHA256 hashing.

await client.api.proxyPermissionsProject.setPasswordGroup({
id: "507f1f77bcf86cd799439011",
groupName: "users",
ifMatch: "file:v3",
data: {
username: "admin",
password: "correct-horse-battery-staple",
algorithm: "sha256",
salt: "randomsalt123"
}
});
NameInTypeRequiredDescription
idpathstringYesProject ID
groupNamepathstringYesAuthentication group name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
usernamestringYesUsername to match exactly
passwordstringYesPassword plaintext or pre-hashed SHA256(salt + password) lowercase hex
algorithmstringNoHashing algorithm. Only sha256 is supported
saltstringYesSalt used for password hashing (unique per group recommended)

PATCH /api/v1/projects/{id}/proxy/permissions/groups/{groupName}/token

Section titled “PATCH /api/v1/projects/{id}/proxy/permissions/groups/{groupName}/token”

Configure a static-token authentication group for the project. Exactly one of header, cookie, or param must be supplied together with value.

await client.api.proxyPermissionsProject.setTokenGroup({
id: "507f1f77bcf86cd799439011",
groupName: "api-clients",
ifMatch: "file:v3",
data: { header: "X-API-Key", value: "<static-token>" }
});
NameInTypeRequiredDescription
idpathstringYesProject ID
groupNamepathstringYesAuthentication group name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first

The body must contain exactly one location (header, cookie, or param) together with value.

VariantRequired FieldsDescription
Header tokenheader, valueMatch a header name (case-insensitive) against a literal token value
Cookie tokencookie, valueMatch a cookie name (case-sensitive) against a literal token value
Query tokenparam, valueMatch a query parameter name (case-sensitive) against a literal token value

DELETE /api/v1/projects/{id}/proxy/permissions/groups/{groupName}

Section titled “DELETE /api/v1/projects/{id}/proxy/permissions/groups/{groupName}”

Remove a single authentication group from the project document.

await client.api.proxyPermissionsProject.removeAuthGroup({
id: "507f1f77bcf86cd799439011",
groupName: "office",
ifMatch: "file:v3"
});
NameInTypeRequiredDescription
idpathstringYesProject ID
groupNamepathstringYesGroup name to remove
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first

PATCH /api/v1/projects/{id}/proxy/permissions/permissions/{groupName}

Section titled “PATCH /api/v1/projects/{id}/proxy/permissions/permissions/{groupName}”

Set a single program access rule for a project group.

await client.api.proxyPermissionsProject.setGroup({
id: "507f1f77bcf86cd799439011",
groupName: "admin",
ifMatch: "file:v3",
data: { program: "http", access: true }
});
NameInTypeRequiredDescription
idpathstringYesProject ID
groupNamepathstringYesGroup name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first
NameTypeRequiredDescription
programstringYesProgram name (e.g. http, terminal, ssh, files, exec, services, notifications)
accessboolean | number | array | stringYesAccess rule. Boolean for allow/deny all; number for a single port/index; array of numbers for specific ports; "low-high" string for a port range; "*" for wildcard allow-all

DELETE /api/v1/projects/{id}/proxy/permissions/permissions/{groupName}

Section titled “DELETE /api/v1/projects/{id}/proxy/permissions/permissions/{groupName}”

Remove ALL program permissions for a group on this project in one call.

await client.api.proxyPermissionsProject.removeGroup({
id: "507f1f77bcf86cd799439011",
groupName: "admin",
ifMatch: "file:v3"
});
NameInTypeRequiredDescription
idpathstringYesProject ID
groupNamepathstringYesGroup name
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first

DELETE /api/v1/projects/{id}/proxy/permissions/permissions/{groupName}/{program}

Section titled “DELETE /api/v1/projects/{id}/proxy/permissions/permissions/{groupName}/{program}”

Remove a single program’s access rule for a project group, leaving all other programs untouched.

await client.api.proxyPermissionsProject.removeProgram({
id: "507f1f77bcf86cd799439011",
groupName: "admin",
program: "http",
ifMatch: "file:v3"
});
NameInTypeRequiredDescription
idpathstringYesProject ID
groupNamepathstringYesGroup name
programpathstringYesProgram name (e.g. http, ssh, files)
if-matchheaderstringNoIf-Match: file:v ETag precondition — read current file_version from GET first