Key Format
RestoreCord API keys are automation credentials in the format <keyId>.<secret>. The key ID identifies the credential and the secret authenticates the request.
Authorization: Bearer <keyId>.<secret>Store the full key only once when it is created. Rotate the key if it appears in logs, screenshots, repositories, browser code, or Discord messages.
Create and Manage Keys
API keys are created and managed in the RestoreCord dashboard. API credentials are for server-side integrations that call documented customer API endpoints.
- Setting
- Name
- Purpose
- Use a unique name that identifies the integration or job.
- Setting
- Expiration
- Purpose
- Choose the shortest useful lifetime for the integration.
- Setting
- Permissions
- Purpose
- Grant only the endpoint groups the integration needs.
- Setting
- IP allowlist
- Purpose
- Restrict access to fixed infrastructure when possible.
Authentication
- Send the key in the
Authorizationheader. - Use the
Bearerprefix for consistency with the rest of the v3 API. - Use API keys from server-side code only; never ship them in browser bundles or public clients.
- Expired, revoked, inactive, IP-blocked, or banned-account keys are rejected.
Permissions
Permissions are stored as a bitfield internally and are selected by name in the dashboard/API. Grant the smallest set your integration needs.
Permission Sets
- Permission
READ_ACCOUNT- Value
1- Allows
- Read basic account information.
- Permission
READ_SERVERS- Value
2- Allows
- List and inspect RestoreCord servers.
- Permission
READ_MEMBERS- Value
4- Allows
- Read member records and member status.
- Permission
READ_BOTS- Value
8- Allows
- Read bot metadata. Tokens and client secrets are hidden.
- Permission
READ_ANALYTICS- Value
16- Allows
- Read analytics data.
- Permission
WRITE_SERVERS- Value
256- Allows
- Create, update, and delete server settings.
- Permission
WRITE_MEMBERS- Value
512- Allows
- Modify member records.
- Permission
WRITE_BOTS- Value
1024- Allows
- Create, update, and delete custom bot records.
- Permission
CREATE_BACKUPS- Value
65536- Allows
- Create snapshots and run snapshot migration operations.
- Permission
RESTORE_BACKUPS- Value
131072- Allows
- List, inspect, delete, and restore snapshots.
- Permission
SERVER_PULL- Value
1048576- Allows
- Pull authorized members into a Discord server.
- Permission
SERVER_FIREWALL- Value
4194304- Allows
- Manage firewall rules, passwords, bypasses, logs, and imports.
READ_ACCOUNT is the safe baseline for most integrations. Add write, pull, backup, or firewall permissions only for jobs that need them.
Endpoint Access
Use the dedicated API reference pages for full request and response fields. This table maps API-key permissions to the major endpoint groups.
- Endpoint group
- Account
- Common endpoints
GET /api/v3/users- Permission
READ_ACCOUNT
- Endpoint group
- Servers
- Common endpoints
GET /api/v3/servers,GET /api/v3/servers/{serverId}- Permission
READ_SERVERS
- Endpoint group
- Migration status
- Common endpoints
GET /api/v3/servers/status- Permission
READ_SERVERS
- Endpoint group
- Migration control
- Common endpoints
POST,DELETE,PATCH /api/v3/servers/{serverId}/migrations- Permission
- Server owner/sub-user access; no additional API-key bit is enforced by the route
- Endpoint group
- Server writes
- Common endpoints
POST /api/v3/servers,PATCH /api/v3/servers/{serverId},DELETE /api/v3/servers/{serverId}- Permission
WRITE_SERVERS
- Endpoint group
- Members
- Common endpoints
GET /api/v3/servers/{serverId}/members,GET /api/v3/members/{userId}- Permission
READ_MEMBERS
- Endpoint group
- Member pull
- Common endpoints
PUT /api/v3/servers/{serverId}/members/{userId}- Permission
SERVER_PULL
- Endpoint group
- Bots
- Common endpoints
GET /api/v3/bots,POST /api/v3/bots,PATCH /api/v3/bots/{botId},DELETE /api/v3/bots/{botId}- Permission
READ_BOTSorWRITE_BOTS
- Endpoint group
- Snapshots
- Common endpoints
GET /api/v3/snapshots,POST /api/v3/servers/{serverId}/snapshots,POST /api/v3/snapshots/{snapshotId}/restore- Permission
CREATE_BACKUPSorRESTORE_BACKUPS
- Endpoint group
- Firewall
- Common endpoints
/api/v3/servers/{serverId}/firewall/*- Permission
SERVER_FIREWALL
- Endpoint group
- Analytics
- Common endpoints
/api/v3/servers/analytics,/api/v3/servers/firewall/analytics- Permission
READ_ANALYTICS
- Endpoint group
- Webhook events
- Common endpoints
PATCH /api/v3/servers/{serverId}withwebhookUrl,POST /api/v3/servers/{serverId}/webhook-secret- Permission
WRITE_SERVERSplus Enterprise plan for server updates; the secret route currently enforces Enterprise owner access but no API-key permission bit
IP Allowlists
Restrict keys to fixed infrastructure when possible. Allowlist entries can be exact IP addresses or CIDR ranges.
203.0.113.10
198.51.100.0/24
2001:db8::/32Safe Usage
Use one key per integration
Separate keys make it clear which system performed an action and let you revoke one integration without breaking others.
Keep destructive access isolated
Put WRITE_MEMBERS, WRITE_BOTS, SERVER_PULL, and backup restore permissions on dedicated keys, not read-only dashboard/reporting keys.
Handle API failure states
Automation should explicitly handle 401, 403, and 429 responses.