Admin API reference

Every action in the admin console is a thin wrapper over the JSON API documented here. All endpoints live under https://app.gigamcp.io/api/t/<slug>/... and are authenticated either by your session cookie (browser) or by a gmcp_… API key (server-to-server).

Authentication

Pass the API key as a bearer token:

curl https://app.gigamcp.io/api/t/acme/whoami \
  -H "Authorization: Bearer gmcp_..._..."

The token's tenant scope is implicit in the prefix; passing a key minted in workspace A to /api/t/B/... returns 403.

Endpoints

Whoami

GET /api/t/<slug>/whoami — returns the authenticated user, the resolved tenant, and the membership role.

Members

  • GET /api/t/<slug>/members
  • POST /api/t/<slug>/members/invite — body: { email, role }
  • POST /api/t/<slug>/members/<userId>/role — body: { role }
  • DELETE /api/t/<slug>/members/<userId>

Groups

  • GET /api/t/<slug>/groups
  • POST /api/t/<slug>/groups — body: { name, description }
  • POST /api/t/<slug>/groups/<groupId>/members — body: { userId }
  • DELETE /api/t/<slug>/groups/<groupId>/members/<userId>
  • DELETE /api/t/<slug>/groups/<groupId>

Connectors & knowledge sources

  • GET /api/t/<slug>/connectors
  • POST /api/t/<slug>/connectors — body: { kind, displayName, credentials }
  • POST /api/t/<slug>/connectors/<connectorId>/test
  • GET /api/t/<slug>/knowledge-sources
  • POST /api/t/<slug>/knowledge-sources — bulk; body: { connectorId, items: [{ sourceType, sourceRef, displayName, audience, settings? }] }. Returns 200 (mixed success) or 422 (all-failed) with { results: [{ ok, code?, message? }] }.
  • GET /api/t/<slug>/connectors/<id>/resources?withStatus=1 — source-picker snapshot read; addedSource is non-null for already-selected rows.
  • POST /api/t/<slug>/knowledge-sources/<id>/sync
  • DELETE /api/t/<slug>/knowledge-sources/<id>

API keys

  • GET /api/t/<slug>/api-keys
  • POST /api/t/<slug>/api-keys — body: { name } — token is returned once
  • DELETE /api/t/<slug>/api-keys/<id>

Audit log

  • GET /api/t/<slug>/audit-log?action=connector.&before=2026-04-01T00:00:00Z
  • GET /api/t/<slug>/audit-log/export — streams NDJSON of the entire log.

GDPR export & delete

  • GET /api/t/<slug>/export — returns a single JSON document with every record we hold for the tenant. Owner role only.
  • POST /api/t/<slug>/delete — body: { confirm: "<slug>" }. Schedules a 30-day deletion grace period.

Rate limits

The Admin API is rate-limited per plan (Free 60 req/min, Starter 300, Growth 1500, Enterprise custom). Requests over the limit return 429 with Retry-After in seconds.

Errors

All errors are JSON: { error: { code, message, details? } }. Common codes: not_authenticated, not_authorized, not_found, quota_exceeded, validation_error.
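
Added example (not part of the gigamcp code base): a client-side handler for the bulk POST /api/t/<slug>/knowledge-sources response that treats 200 as possibly partial, reads Retry-After on 429, and unpacks the error envelope. It assumes results[i] corresponds to items[i], which this reference does not state; ApiError, parse_bulk_add and the sample values are hypothetical names and constructed data.

```python
import json

class ApiError(Exception):
    """Non-bulk failure: the { error: { code, message } } envelope or a 429."""
    def __init__(self, status, code, message, retry_after=None):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.retry_after = status, code, retry_after

def parse_bulk_add(status, headers, body, items):
    """Split a bulk knowledge-sources response into (added, failed).

    Assumption: results[i] describes items[i]; the reference does not state
    the ordering, so a length mismatch is treated as an error.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    doc = json.loads(body) if body else {}
    results = doc.get("results")
    if status not in (200, 422) or results is None:
        err = doc.get("error", {})
        # Retry-After is in seconds (Rate limits section).
        retry = int(hdrs["retry-after"]) if status == 429 and "retry-after" in hdrs else None
        raise ApiError(status, err.get("code", "unknown"), err.get("message", ""), retry)
    if len(results) != len(items):
        raise ValueError("results length does not match submitted items")
    added, failed = [], []
    for item, res in zip(items, results):
        if res.get("ok"):
            added.append(item)
        else:
            failed.append((item, res.get("code"), res.get("message")))
    return added, failed

# Constructed sample data (field values are placeholders, not real API output).
SAMPLE_ITEMS = [
    {"sourceType": "example-type", "sourceRef": "ref-1", "displayName": "Handbook", "audience": "example-audience"},
    {"sourceType": "example-type", "sourceRef": "ref-2", "displayName": "Runbooks", "audience": "example-audience"},
]
SAMPLE_MIXED = json.dumps({"results": [{"ok": True}, {"ok": False, "code": "not_found", "message": "no such resource"}]})

if __name__ == "__main__":
    added, failed = parse_bulk_add(200, {}, SAMPLE_MIXED, SAMPLE_ITEMS)  # HTTP 200, yet one item failed
    print("added:", [i["sourceRef"] for i in added])
    for item, code, message in failed:
        print("failed:", item["sourceRef"], code, message)
```

A caller that checks only the HTTP status would record ref-2 as added in this sample; the per-item ok flag is the authoritative result.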