Documentation

API Reference

RestoreCord API overview, authentication, shared response behavior, permissions, endpoint groups, and implementation notes.

Copy page

Overview

RestoreCord exposes authenticated /api/v3 endpoints for account data, custom bots, servers, migrations, members, snapshots, firewall, analytics, and webhook configuration. The category pages in this reference are generated from local TypeScript route behavior and avoid documenting endpoints that are not present in the repository.

Last reviewed: June 13, 2026. Endpoint truth was taken from local app/api route handlers, with legacy docs used only as secondary context.


Base URL

https://restorecord.com/api/v3

Examples in the category pages show full paths beginning with /api/v3. Use JSON request bodies unless the endpoint explicitly documents Server-Sent Events, raw Discord signatures, or asset responses.


Authentication

Most protected endpoints are wrapped with local authentication middleware and accept either a dashboard session token or an API key, depending on the handler. API keys use the Authorization header.

Authorization: Bearer <keyId>.<secret>

Session-only routes reject API key authentication. This is common for endpoints that validate raw Discord credentials during setup or support dashboard-only workflows.

API Key Permissions

Permission
READ_ACCOUNT
Used by
GET /api/v3/users limited account payload.
Permission
READ_SERVERS
Used by
Server list/detail/status reads.
Permission
WRITE_SERVERS
Used by
Server create/update/delete.
Permission
READ_MEMBERS
Used by
Member lists and lookups.
Permission
WRITE_MEMBERS
Used by
Member deletion and unauthorized cleanup.
Permission
READ_BOTS
Used by
Bot list/detail reads.
Permission
WRITE_BOTS
Used by
Bot create/update/delete.
Permission
READ_ANALYTICS
Used by
Member and firewall analytics.
Permission
CREATE_BACKUPS
Used by
Snapshot creation and snapshot metadata/migration operations.
Permission
RESTORE_BACKUPS
Used by
Snapshot list/detail/delete/restore and role-restore operations.
Permission
SERVER_PULL
Used by
Single-member pull operations.
Permission
SERVER_FIREWALL
Used by
Firewall rules, passwords, logs, bypasses, and ban import.

Create, rotate, and revoke API keys from the RestoreCord dashboard. Use the API Keys guide for credential format, permission names, and safe usage guidance.


Response Format

Most handlers return JSON with success: true on success. Some endpoints intentionally differ: member pull returns Server-Sent Events, preview attachment endpoints can return asset responses, Discord helper routes may pass through Discord-shaped objects, and /api/webhook returns empty 204 responses for Discord application webhooks.

Example response JSON
{
  "success": true,
  "message": "Optional message",
  "data": {}
}
Status
200
Meaning
Successful read, update, delete, or action start.
Status
201
Meaning
Resource created or async job accepted.
Status
202
Meaning
Account email verification flow started.
Status
204
Meaning
Discord application webhook acknowledgement.

Errors

Error handlers generally return an error object with a string code and message. Validation errors may include field-level formatted details from Zod.

Example response JSON
{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Validation failed",
    "errors": {
      "fieldName": {
        "_errors": ["Specific validation error"]
      }
    }
  }
}
Code/status
400 INVALID_INPUT / VALIDATION_ERROR
Typical cause
Bad ids, invalid JSON body, unsupported enum, invalid URL, invalid search value, or failed Zod schema.
Code/status
400 MISSING_FIELD
Typical cause
Required body or query field omitted.
Code/status
401 UNAUTHORIZED / INVALID_CREDENTIALS
Typical cause
Missing auth, invalid token, invalid Discord bot token, or invalid Discord signature.
Code/status
403 FORBIDDEN / INSUFFICIENT_PERMISSIONS
Typical cause
Plan gate, owner-only action, sub-user permission missing, API key permission missing, or Discord permission failure.
Code/status
404 NOT_FOUND
Typical cause
Resource missing or intentionally hidden because the caller lacks access.
Code/status
409 DUPLICATE_RESOURCE / RESOURCE_IN_USE
Typical cause
Uniqueness conflict or delete blocked by active dependency.
Code/status
429 RATE_LIMITED
Typical cause
Per-route rate limit or external Discord rate limit.
Code/status
500/502/503
Typical cause
Internal error or dependent service failure.

Endpoint Groups

Account

Account profile and account metadata.

Bots

Custom bot CRUD, domains, Discord guild helpers, role helpers, and credential validation.

Servers

Server CRUD, settings, permissions, and setup helpers.

Migrations

Migration status, history, estimates, start, stop, pause, and resume.

Members

Member list, lookup, resolve, pull, delete, unauthorized cleanup, and data request flows.

Snapshots

Snapshot creation, listing, update, delete, restore, migration, preview, and pending role restore.

Firewall

Firewall logs, rules, passwords, bypasses, ban import, and firewall analytics.

Analytics

Member analytics, member events, and firewall analytics.

Webhooks

Enterprise signed JSON webhooks, legacy Discord logs, and Discord application webhook ingestion.


Route Coverage

The public-facing reference pages cover the local routes that map to RestoreCord customer integrations. Admin, billing, auth, discovery, feedback, upload, locale, sitemap, OpenGraph, internal bot-control, and provider callback routes are intentionally not part of the customer API reference.

Route family
/api/v3/users
Where documented
Account.
Route family
/api/v3/bots*
Where documented
Bots.
Route family
/api/v3/servers/status and /api/v3/servers/{serverId}/migrations*
Where documented
Migrations.
Route family
/api/v3/servers*
Where documented
Servers plus Members, Firewall, Analytics, Snapshots, and Webhooks for server-scoped feature routes.
Route family
/api/v3/members*
Where documented
Members.
Route family
/api/v3/snapshots*
Where documented
Snapshots.
Route family
/api/webhook
Where documented
Webhooks as Discord application webhook ingestion.

Several dashboard helper routes are documented conservatively because their nested payloads are raw Discord API objects or service-owned payloads. The pages call this out explicitly instead of inventing fields.


Integration Notes

  • Use internal RestoreCord server ids in {serverId} path params; use guildId fields for Discord guild ids.
  • Treat API keys as scoped credentials. Session-only endpoints will return 403 when called with API keys.
  • Handle absent optional fields. Plan gates and privacy gates remove fields rather than returning placeholder values.
  • For member pulls, consume text/event-stream instead of JSON.
  • For webhooks, verify X-Signature-256 against the raw request body and keep receivers idempotent.
  • Do not rely on admin or billing routes for public API automation; they are not documented as customer API endpoints.