Admin / Server API

Privileged access to all accounts on this panel. Issued only to admin and owner accounts. Treat keys like passwords — anyone holding one can grant credits and read every user's data.

Scope creep is irreversible. Once a key is leaked, revoke it immediately at Admin → API keys. All credit grants go through the same audit ledger as panel actions; the issuing key id is recorded on every entry.

Overview

Base URL: https://<your-panel-host>. All paths are prefixed with /api/v1/admin. Admin keys also inherit every User API endpoint (they read as the key owner).

Issuing keys

Admins mint keys for themselves via the panel UI at /api-keys. To mint a key bound to a different user, hit the admin endpoint:

POST /api/admin/api-keys
{
  "name": "deploy-bot",
  "owner_email": "ops@example.com",
  "scopes": ["admin:read", "admin:write"],
  "expires_at": 1798500000000     // optional, ms
}

The response includes the secret exactly once.
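
One way to script the request above with a least-privilege scope set and a mandatory expiry (an added example, not code from the panel project). The helper names, the 90-day cap and the host passed in by the caller are assumptions; the Bearer header is the one shown under Authentication.

```python
import json
import time
import urllib.request

ALLOWED_SCOPES = {"admin:read", "admin:write"}  # scopes listed on this page
MAX_TTL_DAYS = 90  # assumption: a local policy choice, not a documented panel limit


def build_mint_request(base_url, admin_key, name, owner_email, scopes,
                       ttl_days, now_ms=None):
    """Return an unsent urllib Request for POST /api/admin/api-keys."""
    scopes = sorted(set(scopes))
    if not scopes or not set(scopes) <= ALLOWED_SCOPES:
        raise ValueError(f"unexpected scopes: {scopes}")
    if not 0 < ttl_days <= MAX_TTL_DAYS:
        raise ValueError("ttl_days must be between 1 and MAX_TTL_DAYS")
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    body = {
        "name": name,
        "owner_email": owner_email,
        "scopes": scopes,
        # expires_at is epoch milliseconds; a value in seconds, read as ms,
        # is a date in January 1970.
        "expires_at": now_ms + ttl_days * 86_400_000,
    }
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/admin/api-keys",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {admin_key}",
                 "Content-Type": "application/json"},
    )


def redact(obj):
    """Copy of a response dict that is safe to log: the secret is masked."""
    return {k: ("<redacted>" if k == "secret" else v) for k, v in obj.items()}
```

Send the request with urllib.request.urlopen, write the returned secret straight to a secrets store, and pass only redact(response) to logging.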

Authentication

Authorization: Bearer vfc_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Scopes for this section: admin:read, admin:write.

List all users

GET /api/v1/admin/users  (scope: admin:read)
[
  {
    "id": 42,
    "email": "you@example.com",
    "name": "Jane",
    "credits_usd": 12.50,
    "credits_frozen": false,
    "is_admin": false,
    "is_owner": false,
    "role": "user",
    "created_at": 1759000000000
  }
]

Grant or remove credits

POST /api/v1/admin/credits/grant  (scope: admin:write)

A positive amount_usd adds credits; a negative value removes them. The note field is stored on the ledger row.

{ "email": "user@example.com", "amount_usd": 25.00, "note": "compensation for outage" }
// 200
{ "ok": true, "balance_after_usd": 37.50, "ledger_id": "led_..." }

This endpoint bypasses credits_frozen: admin grants always go through. The ledger entry source is admin_add or admin_remove.

Mint voucher codes

POST /api/v1/admin/vouchers  (scope: admin:write)
{
  "amount_usd": 10.00,
  "count": 5,
  "max_uses": 1,
  "expires_at": 1798500000000   // optional, ms
}
// 200
{ "ok": true, "codes": ["VFC-ABCD-EFGH-JKLM", "VFC-..."] }

Each code is single-use per account (or up to max_uses redemptions across accounts). Codes use the unambiguous alphabet ACDEFGHJKLMNPQRSTUVWXYZ23456789.

User endpoints also work

Admin keys can call any User API route as the key's owner_email. See the User API docs.