API Reference
The Gatwy REST API lets you automate and integrate with every feature of the platform — user management, connections, sessions, notifications, backups, and more.
Base URL
All endpoints are relative to your Gatwy instance origin:
https://<YOUR_HOST>:7443/api/v1
Authentication
Most endpoints require a valid JWT token. Obtain one via POST /auth/login.
Include the token in every authenticated request as a Bearer header:
Authorization: Bearer <token>
Alternatively, the token can be sent via the gatwy_token cookie (set automatically by the login response).
Rate Limits
| Endpoint | Limit |
|---|---|
| POST /auth/login | 30 attempts / 15 min per IP |
| POST /auth/login/mfa | 5 attempts / 5 min per user |
| POST /profile/mfa/verify | 5 attempts / 5 min per user |
After the configured number of failed login attempts (default: 5), the account is locked for the configured duration (default: 30 min).
Permissions
Endpoints that go beyond basic self-service require specific named permissions. Permissions are assigned to roles, and users inherit them through their role.
| Permission | Covers |
|---|---|
| users.manage | Create, update, delete, unlock users |
| roles.manage | Create, update, delete roles |
| connections.create | Create new connections |
| connections.edit_own | Edit own connections |
| connections.edit_any | Edit any connection |
| connections.delete_own | Delete own connections |
| connections.delete_any | Delete any connection |
| connections.share | Share connections with users/roles |
| connections.import_export | Export/import connection data |
| sessions.view_any | View all users' sessions |
| sessions.delete | Purge session history |
| audit.view_any | View audit log for all users |
| settings.manage | Read and update system settings |
| settings.notifications | Manage notification channels and rules |
| settings.backup | Export and restore backups |
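The table above splits several actions into an `_own` / `_any` pair, while actions such as viewing your own sessions are plain self-service with no named permission. The following is an added example (not Gatwy's own code) of how a server-side check can resolve that split; the role names, the `owner_id` field and the `authorize()` helper are assumptions made for the example.

```python
from dataclasses import dataclass

# Actions that split into an "own"/"any" pair. The "own" entry is None when
# acting on your own resource is basic self-service and needs no permission.
# Permission names are those listed in the table above.
OWN_ANY = {
    "connections.edit": ("connections.edit_own", "connections.edit_any"),
    "connections.delete": ("connections.delete_own", "connections.delete_any"),
    "sessions.view": (None, "sessions.view_any"),
    "audit.view": (None, "audit.view_any"),
}


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset


@dataclass(frozen=True)
class User:
    id: int
    role: Role


def has_permission(user: User, permission: str) -> bool:
    """Users hold no permissions directly; they inherit them through their role."""
    return permission in user.role.permissions


def authorize(user: User, action: str, owner_id: int) -> bool:
    """Decide whether `user` may perform `action` on a resource owned by `owner_id`.

    The "any" permission is checked first, so a holder is allowed regardless of
    ownership. Otherwise the "own" rule applies only if the caller is the owner:
    ownership is verified before the weaker permission is even consulted.
    """
    if action not in OWN_ANY:
        # Actions without a split (e.g. users.manage) map 1:1 to a permission name.
        return has_permission(user, action)
    own_perm, any_perm = OWN_ANY[action]
    if has_permission(user, any_perm):
        return True
    if user.id != owner_id:
        return False
    return own_perm is None or has_permission(user, own_perm)


# Constructed sample roles; the names are hypothetical, not Gatwy defaults.
VIEWER = Role("viewer", frozenset())
OPERATOR = Role("operator", frozenset({"connections.create", "connections.edit_own", "connections.delete_own"}))
ADMIN = Role("admin", frozenset({"connections.edit_any", "connections.delete_any", "sessions.view_any", "users.manage"}))
```

Because ownership is checked before `connections.edit_own` is consulted, an operator who owns nothing gets a 403 on every connection they did not create, while `sessions.view` on your own user id passes with no permission at all.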
Response Format
All responses are JSON. Errors follow this shape:
{
"error": "Human-readable message"
}
Common HTTP status codes:
| Code | Meaning |
|---|---|
| 200 | Success |
| 400 | Bad request / validation error |
| 401 | Missing or invalid token |
| 403 | Insufficient permissions |
| 404 | Resource not found |
| 429 | Rate limit exceeded |
| 500 | Internal server error |