Everything you need to authenticate, call endpoints, and ship integrations in minutes. Built for developers who prefer reading curl over reading marketing copy.
curl https://api.cloudplatform.dev/v2/me \
-H "Authorization: Bearer $API_KEY"Keep your $API_KEY server-side. Never commit keys to version control.
Jump to section
A programmable cloud platform exposing compute, storage, messaging, and identity primitives behind a single, consistent HTTPS API. One credential, one base URL, one set of conventions across every resource.
CRUD over JSON resources with predictable URIs and pagination.
Webhooks and server-sent events for asynchronous state changes.
Safe retries via Idempotency-Key on all writes.
Granular API keys with per-resource permissions and rotation.
# Base URL
https://api.platform.dev/v1
# Auth
Authorization: Bearer $API_KEY
# Request
Content-Type: application/json; charset=utf-8
Idempotency-Key: <uuid-v4>
# Response envelope
{
"data": { ... },
"meta": { "request_id": "req_8fA2", "page": 1 },
"error": null
}
# Errors → RFC 7807 problem+json
HTTP/1.1 422 Unprocessable Entity
{ "type": "validation_error", "detail": "..." }Every request to the API must be authenticated using a secret API key passed as a bearer token in the Authorization header.
Generate keys from your dashboard. Each key is scoped to a project and environment. Treat keys like passwords — never commit them to source control or expose them in client-side code.
Include your API key as a bearer token in every request:
GET /v1/resources HTTP/1.1
Host: api.example.com
Authorization: Bearer $API_KEY
Content-Type: application/json
Accept: application/jsonOr with curl:
$ curl https://api.example.com/v1/resources \
-H "Authorization: Bearer $API_KEY" \
-H "Content-Type: application/json"Load keys from environment variables — never hardcode them. Use a .env file locally and a secrets manager in production.
# production
API_KEY=sk_live_4eC39H...qLs7Jk
API_BASE_URL=https://api.example.com/v1
# sandbox
API_KEY_TEST=sk_test_4eC39H...qLs7JkRotation tip: create a new key, deploy it, verify traffic on the new key, then revoke the old one. Both keys remain valid during the overlap window.
Five core resource groups expose the full surface of the platform. All routes are JSON over HTTPS, share consistent pagination, filtering, and error semantics.
https://api.platform.dev/v1
Top-level container for environments, deployments, and team access.
/projects
/projects
/projects/:id
/projects/:id
Isolated runtime targets — staging, prod, preview — scoped per project.
/projects/:id/envs
/envs/:id/vars
/envs/:id
// secrets returned redacted; use ?reveal=true with elevated scope
Trigger, inspect, and roll back builds across any environment.
/deployments
/deployments/:id/logs
/deployments/:id/rollback
// streams via SSE on Accept: text/event-stream
Time-series telemetry for requests, latency, errors, and custom events.
/metrics/requests
/metrics/latency
/metrics/errors
/metrics/query
Subscribe to platform events with signed, retried HTTP callbacks.
/webhooks
/webhooks/:id/deliveries
/webhooks/:id/redeliver
{
"id": "evt_8f3a91",
"type": "deployment.succeeded",
"created": "2026-04-28T10:14:22Z",
"data": {
"project": "prj_42",
"env": "production",
"sha": "a1b2c3d"
}
}Cursor-based via ?cursor= & ?limit=. Max 100 / page.
Query params per resource. Combine with &sort=-created.
RFC-7807 problem+json. Stable code field for programmatic handling.
Quick answers to the questions developers ask most when integrating with our API. Need more? Reach out to support.
Default limits are 1,000 req/min per key on the Free tier and 10,000 req/min on Pro. Burst capacity is enforced via a token bucket.
Inspect the X-RateLimit-Remaining and Retry-After response headers. A 429 indicates you've been throttled.
Versions are pinned in the URL path, e.g. /v1/resource. Breaking changes ship under a new major version.
Minor, backwards-compatible additions are released continuously on the current version. Deprecated versions receive a 12-month support window with notices in the Sunset header.
Yes. Use https://sandbox.api.example.dev with a key prefixed sk_test_. Sandbox state is isolated and reset every 24 hours.
All endpoints behave identically to production except for billing and outbound webhooks, which are simulated.
First-party SDKs are maintained for Node.js, Python, Go, Ruby, and Java. Each handles auth, retries with exponential backoff, and pagination.
An OpenAPI 3.1 spec is published at /openapi.json for generating clients in other languages.
Any non-2xx response triggers retries with exponential backoff (1m, 5m, 30m, 2h, 12h) for up to 72 hours.
Each delivery is signed with X-Signature (HMAC-SHA256). Endpoints must respond within 10 seconds and be idempotent based on event.id.
401 Unauthorized usually means a missing or malformed Authorization: Bearer <token> header, an expired token, or sending a test key to production.
403 Forbidden means the key is valid but lacks scope for that resource. Review key permissions in the dashboard.
Community support via GitHub Discussions and email is available on all plans, typically responding within 1 business day. Pro and Enterprise plans include a private Slack channel.
Enterprise customers receive a 99.99% uptime SLA with credits for breaches. Live status and incident history are published at status.example.dev.
Still stuck? Open an issue with a request ID — every response includes X-Request-Id to speed up triage.