ITDocs API Documentation

Returns which SSO providers are enabled.

{ "msEnabled": true, "googleEnabled": false }

Redirects to Google OAuth2 authorization. Requires Google SSO to be configured in settings.

OAuth2 callback. Redirects to FRONTEND_URL/login with accessToken, refreshToken, and user (base64 JSON) as query params. Auto-creates account with VIEWER role on first login.

Redirects to Microsoft Entra ID authorization.

OAuth2 callback. Same redirect pattern as Google callback.

Creates a new user. First registration is always public and creates an ADMIN. Subsequent registrations require an authenticated ADMIN.

{
  "email": "[email protected]",
  "password": "minimum12chars",
  "name": "Jane Smith",
  "role": "TECHNICIAN"
}

{ "user": { "id": "...", "email": "...", "name": "...", "role": "TECHNICIAN" } }

Rate limited to 10/min. Supports local auth, LDAP auth, and TOTP MFA. If MFA is enabled and mfaCode is omitted, returns 403 with { "requireMfa": true }.

{
  "email": "[email protected]",
  "password": "yourpassword",
  "mfaCode": "123456"
}

{
  "accessToken": "eyJ...",
  "refreshToken": "uuid",
  "user": { "id": "...", "email": "...", "name": "...", "role": "ADMIN", "mfaEnabled": true }
}

Exchange a refresh token for a new access token.

{ "refreshToken": "uuid" }

{ "accessToken": "eyJ..." }

Requires auth. Blacklists the current access token in Redis and deletes all refresh tokens for the user.

Returns the current authenticated user.

Returns a TOTP secret and QR code data URL for the authenticated user to scan with their authenticator app.

{ "secret": "BASE32SECRET", "qrCodeUrl": "data:image/png;base64,..." }

Verifies the TOTP token against the secret and enables MFA for the user.

{ "token": "123456", "secret": "BASE32SECRET" }

Requires the user’s current password (verified against LDAP for LDAP users). Clears MFA secret.

{ "password": "currentpassword" }

Returns paginated list of organizations.

{
  "items": [{ "id": "...", "shortId": 482039471, "name": "Acme Corp", "logoUrl": "data:image/png;base64,..." }],
  "total": 1, "page": 1, "limit": 20, "pages": 1
}

Returns full organization with contacts and asset/vault counts.

Returns item counts for every sidebar section for a given org. Used to show badge counts in the sidebar without loading full data.

Creates a new organization. shortId is auto-generated (9-digit random integer, guaranteed unique).

Updates an organization. Saves a revision snapshot before updating. Fires push to ConnectWise or NinjaRMM if externalSource is set.

Hard deletes the org and all cascading records.

Contact CRUD scoped to an organization. PATCH saves a revision snapshot.

Upload a logo image (JPEG, PNG, GIF, WebP, SVG). Max 2MB. Stored as BYTEA.

Removes the org logo.

Creates an asset. createdById is set from the JWT.

organizationId is immutable. Saves revision snapshot. Fires fire-and-forget push to ConnectWise or NinjaRMM if asset has externalSource set. Push failures are non-fatal and logged as warnings.

Fields: name (required), address, city, state, zip, country, phone, notes

Bulk reveal is audited with the count of entries revealed.

Both read and reveal are individually audited.

TOTP secrets have spaces stripped before encryption. Passwords encrypted with AES-256-GCM.

organizationId is immutable. Saves revision snapshot (encrypted state). Pass empty string for totpSecret to clear it.

Returns all folders for an org (flat list, build tree client-side using parentId).

Cascades to child folders and files.

Returns metadata only — never includes data bytes.

Returns file metadata including content (for MARKDOWN) and blocks (for block-based editor). Never returns binary data.

Creates a new Markdown document.

Multipart upload for binary files (PDF, DOCX, XLSX). Max 100MB. Stores binary data in data column.

Converts a DOCX/TXT/MD file to a Markdown block document. DOCX is converted via mammoth → HTML → Markdown.

Streams the binary file with appropriate Content-Disposition header. Only works for non-MARKDOWN types.

Updates name, folderId, or content (MARKDOWN only).

Saves the full block array for a block-based Markdown document.

Upload an image for a gallery block. HEIC/HEIF auto-converted to JPEG. Max 100MB.

Streams raw image bytes with 1-hour cache header.

Returns metadata only — no binary data in list response (use /download for file bytes).

Streams the file with Content-Disposition: attachment header.

Multipart upload. Max 300MB. HEIC auto-converted to JPEG. Backward compatible: also accepts assetId field (translated to sourceType: asset).

Update the display label.

When infraType is omitted, results sort by updatedAt desc (for dashboard widgets). When specified, sorts by name asc.

organizationId and infraType are immutable. Saves revision snapshot.

Saves revision snapshot.

Returns lightweight list (no raw WHOIS/DNS data).

Returns full record including all DNS and WHOIS fields.

Creates the record and immediately kicks off background DNS + WHOIS enrichment.

Only notes is updatable. Saves revision snapshot.

Saves revision snapshot.

Saves revision snapshot.

If either side is an asset, _infraType from customFields is auto-detected and used as the subtitle.

{
  "sourceType": "asset",
  "sourceId": "uuid",
  "sourceName": "Main Server",
  "targetType": "contact",
  "targetId": "uuid",
  "targetName": "John Smith",
  "targetSubtitle": "IT Manager",
  "organizationId": "uuid"
}

Deletes both directions.

Returns up to 3 most recent revisions for a record, newest first.

Returns a specific revision’s full JSON snapshot.

Technician/ Decrypts and returns password and totpSecret from a vault revision snapshot.

Restores a record to the state captured in the revision. Before restoring, saves the current state as a new revision. Strips id, createdAt, and updatedAt from the restored data to avoid overwriting primary keys.

Runs 10 parallel queries across all record types. Returns up to 10 results per type (5 for organizations). Organization results only appear in global search (no orgId).

{
  "results": {
    "assets": [{ "id": "...", "name": "...", "type": "SERVER", "infraType": "firewall", "orgId": 482039471, "orgName": "Acme", "recordType": "asset" }],
    "contacts": [...],
    "passwords": [...],
    "organizations": [...],
    "locations": [...],
    "applications": [...],
    "domains": [...],
    "certificates": [...],
    "licenses": [...],
    "infra": [...]
  },
  "total": 42
}

Returns the current sidebar config, or the default config if none has been saved.

Replaces the full sidebar config. Each item has: id, label, icon (Lucide icon name), linkType (filtered|markdown|builtin|custom), linkTarget, builtinPath, fields (for custom sections).

Resets to the default config.

Returns the global logo image with 1-hour cache header. 404 if no logo set.

Returns SSO and MFA config needed by the login page.

{ "ssoEnabled": true, "googleSsoEnabled": false, "localMfaEnabled": true }

Multipart upload. Replaces the global logo.

Returns all settings. Sensitive fields (client secrets, private keys, LDAP bind password, enrollment token) are never returned — only presence is indicated via has* boolean flags.

Secrets are only updated if a new non-masked value is provided. Passing an empty string explicitly clears a secret.

Triggers a full LDAP user sync. Returns count of synced users. Role mapping is applied only if ldapAdminGroup or ldapTechGroup is configured.

Paginated list. Query params: search, page, limit (max 100)

Updatable fields: name, role, isActive, resetMfa. Self-protection rules: – Cannot change your own role – Cannot deactivate your own account

Min 12 characters. Invalidates all existing refresh tokens for the user.

Any authenticated user. Requires current password. Min 12 characters.

Soft delete — sets isActive: false, never hard-deletes. Invalidates all refresh tokens.

Returns the current user’s preferences JSON blob.

Replaces the preferences blob. Body is any JSON object.

Paginated, newest first. Query params: search (action/resource/user name/email), page, limit (max implied 200 via take)

{
  "items": [{
    "id": "...", "action": "vault.reveal", "resource": "VaultEntry:uuid",
    "ipAddress": "1.2.3.4", "userAgent": "...", "meta": {},
    "createdAt": "...", "user": { "name": "Admin", "email": "admin@..." }
  }],
  "total": 500, "page": 1, "limit": 50, "pages": 10
}

Returns enabled/configured status and last sync info for ConnectWise and NinjaRMM.

Tests ConnectWise credentials without saving. Hits /system/info.

Saves ConnectWise settings. Private key is AES-256-GCM encrypted at rest. Masked values (starting with •) are not re-encrypted.

Triggers a full pull sync (Companies → Orgs, Contacts, Configurations → Assets). Returns sync result counts. Creates a SyncLog entry.

Pushes a single record to ConnectWise. :type must be organization, contact, or asset.

Tests NinjaRMM OAuth2 client credentials.

Full pull sync (Organizations, Devices → Assets, Contacts). Name-based deduplication against existing orgs.

endpoint — pre-shared token auth, no JWT required. Called by the PowerShell enrollment script. Resolves org by shortId. Matches existing asset by hostname (case-insensitive) or auto-creates one. Asset type inferred from OS name (SERVER if contains “server”, otherwise WORKSTATION). Password stored AES-256-GCM encrypted in vault.

{
  "enrollmentToken": "plain-token",
  "orgShortId": 482039471,
  "rustdeskId": "1571237679",
  "password": "generated-password",
  "hostname": "DESKTOP-ABC123",
  "ipAddress": "192.168.1.10",
  "osName": "Windows 10 Pro",
  "osVersion": "10.0.19045",
  "macAddress": "AA:BB:CC:DD:EE:FF"
}

JWT auth. Returns RustDesk ID, decrypted password, and a ready-to-use rustdesk:// connect URI.

{
  "rustdeskId": "1571237679",
  "password": "decryptedpassword",
  "connectUri": "rustdesk://1571237679?password=decryptedpassword"
}

Returns current RustDesk settings. Enrollment token presence indicated by hasEnrollmentToken boolean — the token itself is never returned.

Pass rotateToken: true to generate a new enrollment token. The new plain token is returned once in the response and never again.

Downloads a pre-filled enroll-rustdesk.ps1 PowerShell script. All four variables (%%ITDOCS_URL%%, %%ENROLLMENT_TOKEN%%, %%ORG_SHORT_ID%%, %%RUSTDESK_CONFIG%%) are replaced server-side before delivery.

Clears rustdeskId from the asset and deletes the associated vault entry.

Exports an encrypted backup archive. Uses AES-256-GCM with PBKDF2-SHA512 key derivation (200,000 iterations, random 16-byte salt per backup). File format: [16B salt][12B IV][16B auth tag][ciphertext]. – db — Full database export as JSON (includes all records, vault entries decrypted then re-encrypted for portability) – files — Binary attachments, uploaded documents, and block images as raw files

Multipart. Auto-detects backup type from ZIP contents. – wipe — Deletes all current data and replaces with backup – merge — Upserts records, preserves existing data not in backup For file backups:

{ "success": true, "mode": "wipe" }

{ "success": true, "mode": "files", "restored": 12, "skipped": 2 }

Returns the scheduled backup configuration plus env var status.

Updates DB backup schedule settings. Cron expression is validated before saving.

Updates file backup schedule settings.

Triggers a scheduled DB backup immediately. Requires BACKUP_PATH and BACKUP_PASSWORD env vars.

Triggers an incremental file backup immediately. Requires BACKUP_FILES_PATH env var.

Lists .enc backup files in BACKUP_PATH, newest first.

{
  "files": [{ "filename": "itdocs_db_backup_2026-03-25_020000.enc", "sizeBytes": 1048576, "createdAt": "..." }]
}

Restores from a named .enc file on the server. Always wipe mode. Path traversal protected. Decrypts using BACKUP_PASSWORD env var.

Walks BACKUP_FILES_PATH and returns the directory tree grouped by org. Resolves shortId folder names to human-readable org names.

{
  "orgs": [{
    "org": "482039471 - Acme Corp",
    "orgLabel": "Acme Corp",
    "files": [{ "path": "482039471 - Acme Corp/attachments/photo.jpg", "name": "photo.jpg", "type": "attachments", "sizeBytes": 45000, "modifiedAt": "..." }]
  }]
}

Restores selected files from BACKUP_FILES_PATH back into the database. Uses .meta.json sidecars to upsert records — works even if the original DB record was deleted. Falls back to name/ID matching for legacy backups without sidecars.