Authorization
The Sitequest API uses Bearer token authentication with API keys.
API Keys
Create API keys in your Dashboard under API / MCP (open the profile menu at the bottom of the sidebar). Each key can be configured with a name, expiry date, and specific permission scopes.
Include your key in every request via the Authorization header:
Authorization: Bearer sq_live_xxxxx...
API keys use the prefix sq_live_ followed by a 64-character hex string.
Scopes
Each API key is assigned one or more scopes that control what it can access. Use the principle of least privilege — only grant the scopes your integration needs.
| Scope | Description |
|---|---|
| vps:read | List servers, view status and metrics |
| vps:write | Start, stop, reboot, reinstall, mount ISO, SSH execution |
| vps:manage | Create, upgrade, and delete servers |
| domains:read | List domains and view DNS records |
| domains:write | Edit DNS records and domain settings |
| domains:manage | Register, transfer, and delete domains |
| webspace:read | List webspaces, view config, list SSH keys, list SFTP, list linked domains |
| webspace:write | SFTP write/delete/rename/chmod/mkdir, exec SSH command, link/unlink domains, install CMS, manage SSH keys, reset DB password |
| webspace:manage | Create, upgrade, suspend, unsuspend, and delete webspaces (provisioning) |
When creating a key you can choose Full access (all scopes), Read only (vps:read + domains:read + webspace:read), or Custom (pick individual scopes).
Resource Restrictions
In addition to scopes, an API key can be restricted to specific VPS instances, domains, and/or webspaces. When Resource restrictions are enabled, only the explicitly allowed resource IDs can be accessed by the key — even if the scope would otherwise permit them. Newly provisioned resources are not auto-added; grant access by editing the key.
Rate Limiting
API requests are rate-limited to 60 requests per minute per API key.
Every response includes rate limit headers:
| Header | Description |
|---|---|
| X-RateLimit-Limit | Maximum requests allowed per window |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |
When the rate limit is exceeded the API returns 429 Too Many Requests.
Error Responses
Authentication errors return a JSON body:
{
  "error": "Invalid or missing API key",
  "code": "UNAUTHORIZED",
  "status": 401
}
| Status | Code | Meaning |
|---|---|---|
| 401 | UNAUTHORIZED | Missing, invalid, revoked, or expired API key |
| 403 | INSUFFICIENT_SCOPE | API key lacks the required scope(s) |
| 429 | RATE_LIMITED | Too many requests |
Security Tips
- Never commit API keys to version control.
- Rotate keys regularly and revoke unused ones.
- Use the narrowest scopes possible.
- Set an expiry date for keys used in CI/CD pipelines.
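The key format described under API Keys (sq_live_ plus 64 hex characters) makes leaked keys easy to detect before they reach version control. The scanner below is an added example, not Sitequest code; it assumes hex digits may be upper or lower case, and the variable name SITEQUEST_TOKEN and both sample keys are constructed.

```python
import re
import sys

# Key format from the docs above: prefix "sq_live_" + 64 hex characters.
# Assumption: the page does not state hex case, so both cases are matched.
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])sq_live_[0-9a-fA-F]{64}(?![0-9a-fA-F])")

# Constructed sample input; these are not real keys.
FAKE_KEY_A = "sq_live_" + "0123456789abcdef" * 4
FAKE_KEY_B = "sq_live_" + "ABCDEF0123456789" * 4
SAMPLE = "\n".join([
    "# deploy.env (constructed sample)",
    "SITEQUEST_TOKEN=" + FAKE_KEY_A,           # hypothetical variable name
    "Authorization: Bearer sq_live_xxxxx...",  # docs placeholder, must not match
    'auth_header = "Bearer ' + FAKE_KEY_B + '"',
])


def redact(key):
    """Keep the prefix and last 4 characters so the key can be found and revoked."""
    return "sq_live_" + "*" * 60 + key[-4:]


def scan_text(text, source="<input>"):
    """Return (source, line_number, redacted_key) for every key-shaped string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def scan_files(paths):
    findings = []
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), source=path))
        except OSError as exc:
            print(f"skip {path}: {exc}", file=sys.stderr)
    return findings


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = scan_files(paths) if paths else scan_text(SAMPLE, "<sample>")
    for source, lineno, key in results:
        print(f"{source}:{lineno}: possible Sitequest API key {key}")
    sys.exit(1 if results else 0)
```

Pass the staged file paths as arguments from a pre-commit hook or CI step; a non-zero exit status means a key-shaped string was found, and the redacted output avoids copying the secret into build logs.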