API Reference¶
Traefik Manager exposes a REST API that powers the web UI and can be used to build integrations — the official mobile app uses it exclusively.
Overview¶
All API endpoints are relative to your Traefik Manager base URL (e.g. https://manager.example.com).
Authentication¶
Two methods are supported:
Session cookie — log in via the web UI. The browser session is used automatically for all subsequent requests.
API key — generate a key in Settings → Authentication → API Key and send it as a header:
API keys bypass CSRF checks, making them the right choice for scripts and apps.
CSRF¶
State-changing endpoints (POST/DELETE) require a CSRF token when using session auth. The token is available in the web UI as a <meta name="csrf-token"> tag. Send it as a header:
API key requests skip this requirement entirely.
Rate limits¶
| Scope | Limit |
|---|---|
| Login, OTP verification | 5 / min per IP |
| Password change, OTP endpoints | 10 / min per IP |
| API key generation | 5 / hour per IP |
| All other endpoints | Unlimited |
Response format¶
All API endpoints return JSON. Successful mutations return at minimum {"ok": true} or {"success": true}. Errors return {"ok": false, "message": "..."} or {"error": "..."} with an appropriate HTTP status code.
Authentication endpoints¶
POST /api/auth/change-password¶
Change the login password.
Auth: Session · CSRF: required · Rate limit: 10/min
Request
Response
POST /api/auth/toggle¶
Enable or disable password authentication entirely.
Auth: Session · CSRF: required
Request
Response
GET /api/auth/otp/status¶
Check whether TOTP two-factor authentication is enabled.
Auth: Session or API key
Response
POST /api/auth/otp/setup¶
Generate a TOTP secret and QR code URI for scanning with an authenticator app.
Auth: Session · CSRF: required
Response
POST /api/auth/otp/enable¶
Confirm and activate TOTP using a code from the authenticator app.
Auth: Session · CSRF: required
Request
Response
POST /api/auth/otp/disable¶
Disable TOTP authentication.
Auth: Session · CSRF: required
Response
GET /api/auth/apikey/status¶
Check whether an API key exists and is active.
Auth: Session or API key
Response
POST /api/auth/apikey/generate¶
Generate a new API key. Only one key exists at a time — generating a new one replaces the previous one.
Auth: Session · CSRF: required · Rate limit: 5/hour
Response
POST /api/auth/apikey/revoke¶
Revoke the current API key immediately.
Auth: Session · CSRF: required
Response
Traefik data¶
These endpoints proxy directly to the Traefik API and return live data. They are read-only.
GET /api/traefik/overview¶
Traefik dashboard overview — router/service/middleware counts, features, version.
Auth: Session or API key
GET /api/traefik/routers¶
All routers across HTTP, TCP, and UDP protocols.
Auth: Session or API key
Response
{
"http": [ { "name": "my-app@file", "rule": "Host(`app.example.com`)", ... } ],
"tcp": [ ... ],
"udp": [ ... ]
}
GET /api/traefik/services¶
All services across HTTP, TCP, and UDP protocols.
Auth: Session or API key
Response
{
"http": [ { "name": "my-app@file", "type": "loadbalancer", ... } ],
"tcp": [ ... ],
"udp": [ ... ]
}
GET /api/traefik/middlewares¶
All middlewares across HTTP and TCP.
Auth: Session or API key
Response
GET /api/traefik/entrypoints¶
All configured entrypoints.
Auth: Session or API key
Response
GET /api/traefik/version¶
Traefik version info.
Auth: Session or API key
Response
GET /api/traefik/ping¶
Ping the Traefik API and return latency.
Auth: Session or API key
Response
GET /api/traefik/router/{protocol}/{name}¶
Get details for a specific router.
Auth: Session or API key
Path params: protocol = http / tcp / udp, name = router name (URL-encoded)
GET /api/traefik/plugins¶
List plugins from traefik.yml if the file is mounted.
Auth: Session or API key
Response
GET /api/traefik/certs¶
List TLS certificates from acme.json if the file is mounted.
Auth: Session or API key
Response
GET /api/traefik/logs¶
Tail Traefik access logs if the log file is mounted.
Auth: Session or API key
Query params: lines (1–1000, default 100)
Response
Routes & middlewares¶
GET /api/routes¶
Get all managed routes and middlewares from dynamic.yml.
Auth: Session or API key
Response
{
"apps": [
{
"id": "my-app",
"name": "my-app",
"enabled": true,
"protocol": "http",
"rule": "Host(`app.example.com`)",
"target": "http://192.168.1.10:8080",
"middlewares": ["auth@file"],
"tls": true
}
],
"middlewares": [
{ "name": "auth", "type": "basicauth", ... }
]
}
POST /api/routes/{route_id}/toggle¶
Enable or disable a route without deleting it. The configuration is preserved in manager.yml.
Auth: Session or API key · CSRF: required (session only)
Request
Response
POST /save¶
Create a new route or update an existing one.
Auth: Session or API key · CSRF: required (session only)
Request (form-encoded or JSON)
| Field | Description |
|---|---|
serviceName |
Route/service name |
subdomain |
Hostname (e.g. app.example.com) |
targetIp |
Backend IP or hostname |
targetPort |
Backend port |
protocol |
http, tcp, or udp |
middlewares |
Comma-separated middleware names |
isEdit |
true when updating an existing route |
originalId |
ID of the route being replaced (edit only) |
POST /delete/{route_id}¶
Delete a managed route.
Auth: Session or API key · CSRF: required (session only)
POST /save-middleware¶
Create or update a middleware. Config is provided as raw YAML.
Auth: Session or API key · CSRF: required (session only)
Request (form-encoded or JSON)
| Field | Description |
|---|---|
middlewareName |
Middleware name |
middlewareContent |
YAML config body |
isMwEdit |
true when updating |
originalMwId |
Name of middleware being replaced (edit only) |
POST /delete-middleware/{name}¶
Delete a managed middleware.
Auth: Session or API key · CSRF: required (session only)
Settings¶
GET /api/settings¶
Get current application settings. Password hash is never included.
Auth: Session or API key
Response
{
"domains": ["example.com"],
"cert_resolver": "letsencrypt",
"traefik_api_url": "http://traefik:8080",
"auth_enabled": true,
"visible_tabs": { "docker": true, "kubernetes": false, ... }
}
POST /api/settings¶
Update application settings.
Auth: Session or API key · CSRF: required (session only)
Request
{
"domains": ["example.com", "internal.lan"],
"cert_resolver": "letsencrypt",
"traefik_api_url": "http://traefik:8080"
}
POST /api/settings/tabs¶
Show or hide optional provider tabs in the UI.
Auth: Session or API key · CSRF: required (session only)
Request
Response
Backups¶
GET /api/backups¶
List all configuration backups.
Auth: Session or API key
Response
POST /api/backup/create¶
Create a manual backup of the current configuration.
Auth: Session or API key · CSRF: required (session only)
Response
POST /api/restore/{filename}¶
Restore configuration from a backup file.
Auth: Session or API key · CSRF: required (session only) · Rate limit: 10/min
Response
POST /api/backup/delete/{filename}¶
Delete a backup file.
Auth: Session or API key · CSRF: required (session only)
Response
Utility¶
GET /api/manager/version¶
Get the latest published Traefik Manager version from GitHub.
Auth: Session or API key
Response
GET /api/manager/router-names¶
Get all router names across every protocol. Useful for autocomplete or validation.
Auth: Session or API key
Response
POST /api/setup/test-connection¶
Test connectivity to a Traefik API URL. Used during initial setup but available for integrations.
Auth: None required
Request
Response
Example: API key usage¶
# Get all routes
curl https://manager.example.com/api/routes \
-H "X-Api-Key: tm_your_key_here"
# Toggle a route off
curl -X POST https://manager.example.com/api/routes/my-app/toggle \
-H "X-Api-Key: tm_your_key_here" \
-H "Content-Type: application/json" \
-d '{"enable": false}'
# Get live services
curl https://manager.example.com/api/traefik/services \
-H "X-Api-Key: tm_your_key_here"