SideLink Docs

Appearance

API Reference

Base URL: http://localhost:4010/api

This is the practical HTTP surface, organised by operational use rather than generated-schema noise. Every currently-registered route is listed — if you find a route in the codebase that isn't here, that's a documentation bug.

Overview

  • Response envelope: authenticated JSON APIs return { ok: boolean, data?: T, error?: string }.
  • Auth modes:
    • Public: no auth required.
    • Session: sidelink_session cookie (or Authorization: Bearer <internalToken> for the trusted in-process Electron caller).
    • Helper Token: x-sidelink-helper-token header. Tokens are SHA-256 hashed at rest; the server never stores the plaintext after the pairing exchange.
  • CSRF: cookie-authenticated routes under /api require an x-sidelink-csrf header matching the sidelink_csrf cookie. The auth / pair / SSE / helper routes are exempt.
  • Validation source of truth: src/server/utils/validators.ts.

Rate Limits

  • Auth tier: 20/min (/api/auth/*)
  • Apple auth tier: 5/min (/api/apple/* + helper equivalents)
  • Upload tier: 10/5min (/api/ipas/* + /helper/ipas/*)
  • General tier: 240/min (all other authenticated /api/* routes)
  • Pair-code tier: 10/min (POST /api/system/pair)

Rate-limit response headers include X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After on 429.

Notes:

  • GET /api/events and GET /api/helper/events are authenticated but don't share the general burst bucket so SSE doesn't starve polling clients.

Public Endpoints

MethodPathPurpose
GET/healthProcess health, uptime, memory, setup status
POST/system/pairExchange 6-digit pairing code for helper token
GET/sources/self-hostedPublic self-hosted source manifest

POST /system/pair

  • Auth: Public (rate-limited)
  • Request body:
    • code: string (exactly 6 digits)
  • Success 200:
    • data.token helper token (plaintext, returned once)
    • data.serverName, data.serverVersion, data.backendUrl, data.candidateAddresses
  • Errors:
    • 400 invalid code format
    • 401 code expired or already consumed

Auth Endpoints

MethodPathAuthRequest Body
GET/auth/statusPublicnone
POST/auth/setupPublic{ username, password }
POST/auth/loginPublic{ username, password }
POST/auth/logoutSessionnone
POST/auth/passwordSession{ currentPassword, newPassword }
POST/auth/resetSession (admin)none

Notes:

  • setup returns 409 when an admin already exists — a concurrent setup-wizard tab cannot crash the server.
  • setup and login set the sidelink_session cookie and mint a sidelink_csrf token.
  • password clears the session cookie on success, invalidating all sessions for the user.
  • reset wipes all users + sessions, forcing the first-run wizard to re-appear on next load.

Apple Account Endpoints

MethodPathAuthRequest Body
POST/apple/signinSession{ appleId, password }
POST/apple/2faSession{ appleId, password, code, method? }
POST/apple/2fa/smsSession{ appleId, phoneNumberId }
GET/apple/accountsSessionnone
GET/apple/accounts/:idSessionnone
POST/apple/accounts/:id/reauthSession{ password }
POST/apple/accounts/:id/reauth/2faSession{ code }
DELETE/apple/accounts/:idSessionnone
POST/apple/accounts/:id/rotate-certificateSessionnone
GET/apple/app-idsSessionoptional query: sync=1
GET/apple/app-ids/usageSessionnone
DELETE/apple/app-ids/:idSessionnone
GET/apple/certificatesSessionnone

Notes:

  • signin and reauth may return { requires2FA: true, authType, twoFAChallenge } on a 2FA-required Apple ID.
  • app-ids?sync=1 forces a round-trip to Apple's dev portal; omitting the flag returns the locally cached set.

Device Endpoints

MethodPathAuthRequest Body
GET/devicesSessionnone
POST/devices/refreshSessionnone
POST/devices/:udid/pairSessionnone
GET/devices/:udid/capabilitiesSessionnone

Notes:

  • /capabilities returns { hasLiveContainer, liveContainerBundleId, totalAppsInstalled } used by the install modal to surface upgrade paths.

IPA Library Endpoints

MethodPathAuthRequest Body
POST/ipas/uploadSessionmultipart form (ipa file)
GET/ipasSessionnone
GET/ipas/:idSessionnone
DELETE/ipas/:idSessionnone
POST/ipas/import-urlSession{ url, downloadSize? }
POST/ipas/import-pathSession (internal token only){ path }

Validation highlights:

  • Only .ipa extension accepted for uploads.
  • Upload size cap: 500 MB (enforced at multer + stream level).
  • import-url enforces https (http permitted only for RFC1918 / loopback hosts) and applies the source-fetch SSRF guard: hostnames are resolved and any private IP result is rejected.
  • import-path is intentionally restricted to the internal token used by Electron's open-file handler so dashboard users can't point the server at arbitrary local filesystem paths.

Install Pipeline Endpoints

MethodPathAuthRequest Body
POST/installSessionsee body schema below
GET/install/jobsSessionquery filters: accountId, deviceUdid, status
GET/install/jobs/:idSessionnone
GET/install/jobs/:id/logsSessionnone
POST/install/jobs/:id/cancelSessionnone
POST/install/jobs/:id/2faSession{ code }
GET/install/appsSessionoptional query: deviceUdid
GET/install/apps/updatesSessionnone
DELETE/install/apps/:idSessionoptional query: force=1
POST/install/apps/:id/deactivateSessionnone
POST/install/apps/:id/reactivateSessionnone

POST /install body schema

FieldTypeNotes
accountIdstringApple account id to sign with
ipaIdstringIPA artifact id from /ipas
deviceUdidstringTarget device UDID
includeExtensionsboolean (optional)Sign bundled .appex plug-ins too
bundleIdStrategy"deterministic" or "randomized" (optional)Default "randomized". "deterministic" preserves the IPA's original bundle id — use only when you own the ID on the Apple Developer portal. "randomized" rewrites the bundle id to a unique SideLink-scoped value so multiple installs of the same IPA coexist on one device and collisions with dev-portal App IDs are avoided.
customDisplayNamestring (optional)Rewrites CFBundleDisplayName on the signed output so duplicate installs are distinguishable on the home screen.

Notes:

  • DELETE /install/apps/:id performs a best-effort on-device uninstall and removes the signed IPA artifact before deleting the DB row. force=1 skips the device uninstall (use when the device is permanently gone).
  • GET /install/apps/updates consults the combined source manifest and returns entries whose version is strictly greater than the installed version under semver-aware comparison (so "1.10.0" > "1.9.0" as expected).

Source Endpoints

MethodPathAuthRequest Body
GET/sourcesSessionnone
POST/sourcesSession{ url }
POST/sources/:id/refreshSessionnone
DELETE/sources/:idSessionnone
GET/sources/:id/appsSessionnone
GET/sources/:id/manifestSessionnone
GET/sources/combinedSessionnone
GET/sources/communitySessionnone
GET/sources/self-hostedPublic + Sessionnone
PUT/sources/self-hostedSessionfull manifest payload
GET/sources/trusted-sourcesSessionnone

Source manifest fetches use https-only validation: http is rejected unless the hostname is loopback or RFC1918, and DNS resolution is performed before fetch so an https hostname cannot resolve to a private IP (rebinding / split-horizon DNS).

When aggregated into the combined source, duplicate bundleIdentifier entries are reduced to the highest semver rather than first-wins, so a later-ordered source shipping a newer version doesn't get masked by an older first entry.

System Endpoints

MethodPathAuthRequest Body
GET/system/dashboardSessionnone
GET/system/logsSessionquery: limit, level
DELETE/system/logsSessionnone
GET/system/schedulerSessionnone
POST/system/schedulerSession{ enabled?, checkIntervalMs?, refreshThresholdMs? }
POST/system/scheduler/refresh/:idSessionnone
POST/system/scheduler/refresh-allSessionnone
GET/system/scheduler/statesSessionnone
GET/system/auto-refresh-statesSessionnone
GET/system/webhookSessionnone
PUT/system/webhookSession{ url } (empty string unsets)
GET/system/helper/doctorSessionnone
POST/system/helper/pairing-codeSessionnone
POST/system/helper/ensureSessionoptional { teamId }
POST/system/helper/ensure-ipaSessionoptional { teamId }

Notes:

  • PUT /system/webhook rejects non-http(s) URLs, URLs with userinfo, and any hostname that resolves to a private / loopback IP. A defence-in-depth revalidation runs again at fireWebhook call time so a bypass via manual DB edit cannot cause the scheduler to call into the LAN.
  • POST /system/scheduler/refresh-all triggers auto-refresh across every active install; the response includes { triggered, skipped, errors[] }.

Events (Session)

MethodPathAuthType
GET/eventsSessionServer-Sent Events

Event types:

  • job-update — any install / refresh job state transition
  • job-log — a new log line appended to a job
  • device-update — device connect/disconnect/trust status
  • app-update — installed-app list changed
  • scheduler-update — scheduler snapshot changed (timer, last error, pending count)
  • log — system log event (debug/info/warn/error)

Helper API Endpoints (Companion App)

All /helper/* routes require helper token auth via x-sidelink-helper-token. The server stores only SHA-256(token) in the DB; the plaintext is returned exactly once from POST /system/pair.

MethodPathRequest Body / Notes
GET/helper/statusquery deviceId?
GET/helper/confignone
GET/helper/auto-refresh-statesnone
GET/helper/accountsnone
POST/helper/apple/signin{ appleId, password }
POST/helper/apple/2fa{ appleId, password, code, method? }
POST/helper/apple/2fa/sms{ appleId, phoneNumberId }
POST/helper/apple/accounts/:id/reauth{ password? }
POST/helper/apple/accounts/:id/reauth/2fa{ code }
DELETE/helper/apple/accounts/:idnone
GET/helper/devicesnone
GET/helper/ipasnone
GET/helper/jobsnone
GET/helper/jobs/:idnone
GET/helper/jobs/:id/logsnone
GET/helper/appsquery deviceUdid?
POST/helper/apps/:id/deactivatenone
POST/helper/apps/:id/reactivatenone
DELETE/helper/apps/:idoptional force=1
POST/helper/jobs/:id/cancelnone
POST/helper/jobs/:id/2fa{ code }
POST/helper/ipas/import-url{ url }
POST/helper/ipas/uploadmultipart form (ipa file)
POST/helper/installsame body schema as POST /install
POST/helper/refresh{ installId }
POST/helper/refresh-allnone
GET/helper/logsquery limit, level
GET/helper/app-idsoptional sync=1
GET/helper/app-ids/usagenone
DELETE/helper/app-ids/:idnone
GET/helper/certificatesnone
GET/helper/trusted-sourcesnone
GET/helper/devices/:udid/all-appsLists managed + unmanaged bundle ids on the device
GET/helper/doctornone
GET/helper/sourcesnone
POST/helper/sources{ url }
POST/helper/sources/:id/refreshnone
DELETE/helper/sources/:idnone
GET/helper/eventsSSE (mirrors desktop event types)

Error Semantics

StatusMeaning
400Validation error or malformed input
401Authentication required / invalid credentials or token
403Pre-setup or forbidden operation
404Missing resource
409State conflict (e.g. job not awaiting 2FA, admin already exists)
413Upload size exceeded
429Rate-limited
500Unexpected server failure

Non-2xx responses include { ok: false, error: string }. On validation errors the message is deterministically generated from the failing field.

Operator Notes

  • /auth/setup is only meant for first-run bootstrap before the first admin exists. It returns 409 (not 401) if an admin is already set up — this is a state conflict, not an authentication failure.
  • Helper-token routes are intentionally narrower than dashboard session routes: some sensitive flows (rotate-certificate, password change, admin reset) are session-only.
  • Install and refresh behaviour is modelled around explicit state transitions (queued → running → waiting_2fa → running → completed | failed | cancelled). The 2fa submit path is always a POST /.../jobs/:id/2fa — there is no side-channel for code entry.
  • The internal token used by the Electron main process is never written to process.env; it is passed as an explicit internalToken option to createApp(ctx, { internalToken }) at boot so spawned child processes can't read it.

Local-first sideloading docs for desktop, source, and helper workflows.

MIT Licensed