API reference
This page lists every request you can send Driftstack over the web — in API terms, every
endpoint. The Driftstack HTTP API surface lives at https://api.driftstack.dev. Every
endpoint is versioned under /v1/*; new majors land with explicit deprecation
cycles per the policy below.
What's here
- Authentication flows — sign up, log in, verify email, MFA challenge + step-up, magic link, password reset, refresh, logout. The customer-dashboard surface; distinct from API-key bearer auth.
- Account —
/v1/account/meread + edit (name, timezone, slug, region, avatar). Team-RBAC interaction notes. - API keys — create, list, rotate (24-hour grace), revoke. Scopes table.
- Sessions — create, navigate, interact, capture, wait, destroy. Session lifecycle + concurrency caps.
- Agent sessions — AI-driven chat-style automation, manual pass-through mode, and pair-mode interactive takeover/handback state machine. The v2-#8 surface; complements regular driver sessions.
- Recipes — snapshot a finished agent-session's intent_log + transcript as a replayable recipe. Create / list / read / delete ship at v1.0; only execute (replay) lands at v1.1.
- Bundled LLM — opt-in consent, monthly soft cap, used / remaining / refused state for the no-BYOK agent decomposer rail.
- BYOK Anthropic key — bring-your-own key management: set, rotate, clear, test. Encrypted at rest; never echoed in responses.
- Profiles — persistent identity slots; create, list, get, patch, clone, delete. Snapshots — capture / list / restore / delete.
- Account proxies — register your own SOCKS5 proxies; route a session's egress through one. Passwords encrypted at rest, never echoed.
- Usage — current-period meter for sessions / api-calls / data transfer with tier caps surfaced.
- Audit log — every account-level action with payload + filters + paginated read.
- Two-factor authentication — TOTP enrol / verify / disable + recovery codes; step-up gate semantics.
- Billing — subscriptions, Stripe Customer Portal redirect, billing-state read.
- Team RBAC — invite + accept + list + remove for multi-user teams. Shipped at v1.0.
- Status page API — public snapshot, incident feed (REST + SSE), 30-day SLA report, and double-opt-in email subscription. Unauthenticated; CDN-coalesced.
- OAuth 2.0 (third-party clients) — Authorization-code + PKCE flow so third-party apps can act on a customer's behalf without holding the customer's API key. Register, authorize, exchange, introspect, revoke.
- Versioning policy — additive vs breaking changes, deprecation
cycle, when
/v2/*is justified. - Webhook endpoints — register, list, update, delete, and test webhook endpoints; rotate signing secrets with a 24-hour dual-signing grace.
- Webhook events catalog — every event type Driftstack emits, payload shape, signature verification, retry policy.
- Replaying deliveries — customer self-service replay for failed and DLQ webhook deliveries.
Practical use
- Quickstart — first session in five minutes, working samples.
- Session lifecycle — full state diagram, concurrency caps, error shapes.
- Profile management — persistent identities across sessions.
Other reference surfaces
- OpenAPI spec. Live at
https://api.driftstack.dev/openapi.json; rendered via Scalar UI on the API host at/docs/. The spec is the contract for SDK consumers; a deliberately committed copy lives in the repository for SDK regeneration. - Authentication. Bearer API keys (
ds_live_…for production,ds_test_…for the free tier). Web sessions on the customer dashboard use opaque sha256-hashed tokens; Bearer header in both cases. - Rate limits. Per-tier token-bucket policy. Response headers include
x-ratelimit-remaining;429responses includeretry-after. IP-based gates also apply on unauthenticated auth endpoints (signup / login / verify-email / password-reset).