Overview
RestoreCord exposes authenticated /api/v3 endpoints for account data, custom bots, servers, migrations, members, snapshots, firewall, analytics, and webhook configuration. The category pages in this reference are generated from local TypeScript route behavior and avoid documenting endpoints that are not present in the repository.
Last reviewed: June 13, 2026. Endpoint truth was taken from local app/api route handlers, with legacy docs used only as secondary context.
Base URL
https://restorecord.com/api/v3Examples in the category pages show full paths beginning with /api/v3. Use JSON request bodies unless the endpoint explicitly documents Server-Sent Events, raw Discord signatures, or asset responses.
Authentication
Most protected endpoints are wrapped with local authentication middleware and accept either a dashboard session token or an API key, depending on the handler. API keys use the Authorization header.
Authorization: Bearer <keyId>.<secret>Session-only routes reject API key authentication. This is common for endpoints that validate raw Discord credentials during setup or support dashboard-only workflows.
API Key Permissions
- Permission
READ_ACCOUNT- Used by
GET /api/v3/userslimited account payload.
- Permission
READ_SERVERS- Used by
- Server list/detail/status reads.
- Permission
WRITE_SERVERS- Used by
- Server create/update/delete.
- Permission
READ_MEMBERS- Used by
- Member lists and lookups.
- Permission
WRITE_MEMBERS- Used by
- Member deletion and unauthorized cleanup.
- Permission
READ_BOTS- Used by
- Bot list/detail reads.
- Permission
WRITE_BOTS- Used by
- Bot create/update/delete.
- Permission
READ_ANALYTICS- Used by
- Member and firewall analytics.
- Permission
CREATE_BACKUPS- Used by
- Snapshot creation and snapshot metadata/migration operations.
- Permission
RESTORE_BACKUPS- Used by
- Snapshot list/detail/delete/restore and role-restore operations.
- Permission
SERVER_PULL- Used by
- Single-member pull operations.
- Permission
SERVER_FIREWALL- Used by
- Firewall rules, passwords, logs, bypasses, and ban import.
Create, rotate, and revoke API keys from the RestoreCord dashboard. Use the API Keys guide for credential format, permission names, and safe usage guidance.
Response Format
Most handlers return JSON with success: true on success. Some endpoints intentionally differ: member pull returns Server-Sent Events, preview attachment endpoints can return asset responses, Discord helper routes may pass through Discord-shaped objects, and /api/webhook returns empty 204 responses for Discord application webhooks.
{
"success": true,
"message": "Optional message",
"data": {}
}- Status
200- Meaning
- Successful read, update, delete, or action start.
- Status
201- Meaning
- Resource created or async job accepted.
- Status
202- Meaning
- Account email verification flow started.
- Status
204- Meaning
- Discord application webhook acknowledgement.
Errors
Error handlers generally return an error object with a string code and message. Validation errors may include field-level formatted details from Zod.
{
"error": {
"code": "VALIDATION_ERROR",
"message": "Validation failed",
"errors": {
"fieldName": {
"_errors": ["Specific validation error"]
}
}
}
}- Code/status
400 INVALID_INPUT/VALIDATION_ERROR- Typical cause
- Bad ids, invalid JSON body, unsupported enum, invalid URL, invalid search value, or failed Zod schema.
- Code/status
400 MISSING_FIELD- Typical cause
- Required body or query field omitted.
- Code/status
401 UNAUTHORIZED/INVALID_CREDENTIALS- Typical cause
- Missing auth, invalid token, invalid Discord bot token, or invalid Discord signature.
- Code/status
403 FORBIDDEN/INSUFFICIENT_PERMISSIONS- Typical cause
- Plan gate, owner-only action, sub-user permission missing, API key permission missing, or Discord permission failure.
- Code/status
404 NOT_FOUND- Typical cause
- Resource missing or intentionally hidden because the caller lacks access.
- Code/status
409 DUPLICATE_RESOURCE/RESOURCE_IN_USE- Typical cause
- Uniqueness conflict or delete blocked by active dependency.
- Code/status
429 RATE_LIMITED- Typical cause
- Per-route rate limit or external Discord rate limit.
- Code/status
500/502/503- Typical cause
- Internal error or dependent service failure.
Endpoint Groups
Route Coverage
The public-facing reference pages cover the local routes that map to RestoreCord customer integrations. Admin, billing, auth, discovery, feedback, upload, locale, sitemap, OpenGraph, internal bot-control, and provider callback routes are intentionally not part of the customer API reference.
- Route family
/api/v3/users- Where documented
- Account.
- Route family
/api/v3/bots*- Where documented
- Bots.
- Route family
/api/v3/servers/statusand/api/v3/servers/{serverId}/migrations*- Where documented
- Migrations.
- Route family
/api/v3/servers*- Where documented
- Servers plus Members, Firewall, Analytics, Snapshots, and Webhooks for server-scoped feature routes.
- Route family
/api/v3/members*- Where documented
- Members.
- Route family
/api/v3/snapshots*- Where documented
- Snapshots.
- Route family
/api/webhook- Where documented
- Webhooks as Discord application webhook ingestion.
Several dashboard helper routes are documented conservatively because their nested payloads are raw Discord API objects or service-owned payloads. The pages call this out explicitly instead of inventing fields.
Integration Notes
- Use internal RestoreCord server ids in
{serverId}path params; useguildIdfields for Discord guild ids. - Treat API keys as scoped credentials. Session-only endpoints will return 403 when called with API keys.
- Handle absent optional fields. Plan gates and privacy gates remove fields rather than returning placeholder values.
- For member pulls, consume
text/event-streaminstead of JSON. - For webhooks, verify
X-Signature-256against the raw request body and keep receivers idempotent. - Do not rely on admin or billing routes for public API automation; they are not documented as customer API endpoints.