⚠️ Porta is in beta — APIs and features may change before v1.0

Admin API Overview

The Porta Admin API provides programmatic access to manage all aspects of the identity platform. All admin endpoints are served under the /api/admin/ prefix and require JWT Bearer authentication (except the metadata endpoint).

Base URL

https://your-porta-instance/api/admin

Authentication

All Admin API endpoints (except /api/admin/metadata) require a valid JWT Bearer token in the Authorization header:

Authorization: Bearer <access_token>

The token must be issued by Porta's super-admin organization and the user must have the porta-admin RBAC role. See Authentication for details.

Response Format

All responses use JSON. Successful responses follow this pattern:

json
// Single resource
{
  "id": "uuid",
  "name": "Example",
  "status": "active",
  "createdAt": "2024-01-15T10:30:00.000Z",
  "updatedAt": "2024-01-15T10:30:00.000Z"
}

// Collection with pagination
{
  "data": [...],
  "pagination": {
    "total": 42,
    "page": 1,
    "pageSize": 20,
    "totalPages": 3
  }
}

Error Responses

Errors follow a consistent structure:

json
{
  "error": "NotFound",
  "message": "Organization not found",
  "statusCode": 404
}
| Status Code | Meaning |
| --- | --- |
| 400 | Bad Request — validation error or invalid input |
| 401 | Unauthorized — missing or invalid token |
| 403 | Forbidden — insufficient permissions |
| 404 | Not Found — resource does not exist |
| 409 | Conflict — duplicate resource (e.g., slug already exists) |
| 422 | Unprocessable Entity — semantic validation error |
| 500 | Internal Server Error — unexpected failure |

Pagination

List endpoints support pagination via query parameters:

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| page | integer | 1 | Page number (1-based) |
| pageSize | integer | 20 | Items per page (max 100) |

Many list endpoints support filtering:

| Parameter | Description |
| --- | --- |
| search | Free-text search across relevant fields |
| status | Filter by status (active, suspended, archived) |
| sort | Sort field (e.g., name, createdAt) |
| order | Sort direction (asc or desc) |

Endpoint Groups

| Group | Prefix | Description |
| --- | --- | --- |
| Organizations | /api/admin/organizations | Tenant management |
| Applications | /api/admin/applications | Application registration |
| Clients | /api/admin/clients | OIDC client management |
| Users | /api/admin/organizations/:orgId/users | User management |
| Roles & Permissions | /api/admin/applications/:appId/roles | RBAC management |
| Custom Claims | /api/admin/applications/:appId/claims | Custom claim definitions & values |
| Configuration | /api/admin/config | System configuration |
| Signing Keys | /api/admin/keys | ES256 key management |
| Audit Log | /api/admin/audit | Audit trail viewer |
| Dashboard & Stats | /api/admin/stats | Dashboard statistics & entity history |
| Sessions | /api/admin/sessions | Session management & revocation |
| Bulk Operations | /api/admin/bulk | Batch status changes |
| Branding Assets | /api/admin/organizations/:orgId/branding | Logo & favicon management |
| Data Export | /api/admin/export | CSV & JSON data download |

Discovery Endpoint

The metadata endpoint is unauthenticated and used by the CLI for OIDC login discovery:

GET /api/admin/metadata
json
{
  "issuer": "https://your-porta-instance/porta-admin",
  "authorization_endpoint": "https://your-porta-instance/porta-admin/auth/authorize",
  "token_endpoint": "https://your-porta-instance/porta-admin/auth/token"
}

Rate Limiting

The Admin API enforces Redis-backed, per-IP rate limiting on write operations:

| Scope | Limit | Window | Methods |
| --- | --- | --- | --- |
| Admin API writes | 60 requests | 60 seconds | POST, PUT, PATCH, DELETE |
| Admin API reads | Unlimited | | GET |

When a rate limit is exceeded, the server returns:

HTTP/1.1 429 Too Many Requests
Retry-After: <seconds>
json
{
  "error": "TooManyRequests",
  "message": "Rate limit exceeded. Try again later.",
  "statusCode": 429
}

Additionally, the underlying OIDC token, introspection, and authentication endpoints have their own rate limits. See the Deployment Guide for the full rate limiting table.
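As an added example that is not Porta's own code, a small Python client that sets the Bearer header, walks a paginated list endpoint (capping pageSize at the documented maximum of 100), maps the documented error body to an exception and honours Retry-After on a 429 before retrying. The base URL, token and the in-process fake server are constructed stand-ins; the fake only mimics the response shapes documented on this page.

```python
import json
MAX_PAGE_SIZE = 100  # documented maximum for the pageSize query parameter

class AdminApiError(Exception):  # wraps the documented error body {error, message, statusCode}
    def __init__(self, body):
        super().__init__(f"{body['error']} ({body['statusCode']}): {body['message']}")
        self.error, self.status_code = body["error"], body["statusCode"]

class AdminClient:
    def __init__(self, base_url, token, transport, sleep=lambda seconds: None):
        # transport(method, url, headers, params) -> (status, headers, body_text); injected so this runs offline
        self.base_url, self.token = base_url.rstrip("/"), token
        self.transport, self.sleep = transport, sleep

    def request(self, method, path, params=None, max_retries=3):
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        for attempt in range(max_retries + 1):
            status, resp_headers, text = self.transport(method, self.base_url + path, headers, params or {})
            if status == 429 and attempt < max_retries:  # back off for Retry-After, then retry
                self.sleep(float(resp_headers.get("Retry-After", "1")))
                continue
            body = json.loads(text)
            if status >= 400:  # 401/403/404/409/422/500, or a 429 that outlived the retries
                raise AdminApiError(body)
            return body

    def list_all(self, path, page_size=MAX_PAGE_SIZE, **filters):
        """Yield every item of a list endpoint, following pagination.totalPages."""
        page, page_size = 1, min(page_size, MAX_PAGE_SIZE)
        while True:
            body = self.request("GET", path, {"page": page, "pageSize": page_size, **filters})
            yield from body["data"]
            if page >= body["pagination"]["totalPages"]:
                return
            page += 1

def demo():
    # Five constructed organizations, two per page; the fake server throttles the very first call.
    orgs = [{"id": f"org-{i}", "name": f"Org {i}", "status": "active"} for i in range(5)]
    calls, sleeps = [], []
    def fake_server(method, url, headers, params):  # constructed stand-in for a Porta instance
        calls.append(params)
        if len(calls) == 1:
            return 429, {"Retry-After": "2"}, json.dumps({"error": "TooManyRequests", "message": "Rate limit exceeded. Try again later.", "statusCode": 429})
        page, size = params["page"], min(params["pageSize"], MAX_PAGE_SIZE)
        body = {"data": orgs[(page - 1) * size:page * size], "pagination": {"total": len(orgs), "page": page, "pageSize": size, "totalPages": -(-len(orgs) // size)}}
        return 200, {}, json.dumps(body)
    client = AdminClient("https://your-porta-instance/api/admin", "demo-token", fake_server, sleeps.append)
    names = [o["name"] for o in client.list_all("/organizations", page_size=2, status="active")]
    return names, sleeps, len(calls)  # (['Org 0', 'Org 1', 'Org 2', 'Org 3', 'Org 4'], [2.0], 4)
```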

Released under the MIT License.