API Reference
Everything you can do in the console is backed by Subnetly's REST API. The same API powers the web app, so any resource you manage in the UI can be automated.
This is a conventions-and-orientation reference. Endpoint paths below reflect the API the console uses; treat them as a guide and confirm request/response shapes against your environment.
Base URL
| Environment | API base |
|---|---|
| Production | https://api.subnetly.com |
| Development | https://api.subnetly.dev |
All endpoints are versioned under /v1.
Authentication
The API uses bearer tokens issued by the hosted identity provider (Auth0). Send your token in the Authorization header:
Authorization: Bearer <access-token>
Obtain a token via the standard OAuth/OIDC flow against your tenant's auth domain (auth.subnetly.com for production). Requests without a valid token return 401 Unauthorized.
Tenant scoping
Most resources belong to a tenant. Specify which tenant a request applies to with the X-Tenant-ID header:
X-Tenant-ID: <tenant-id>
The token's user must be a member of that tenant; access is enforced by the user's role and permissions. Platform-level endpoints under /v1/superadmin/... don't take a tenant header and require superuser privileges.
Request and response format
- Requests and responses are JSON (
Content-Type: application/json), except bulk imports which accepttext/csv. - List endpoints support pagination via
limitandoffsetquery parameters and return atotalcount. - Standard HTTP status codes:
2xxsuccess,400validation error,401unauthenticated,403forbidden,404not found,409conflict.
Example
curl https://api.subnetly.com/v1/dns/zones \
-H "Authorization: Bearer $TOKEN" \
-H "X-Tenant-ID: $TENANT_ID"
Resource map
The API mirrors the product areas in this documentation:
| Area | Representative endpoints | Docs |
|---|---|---|
| DNS zones & records | /v1/dns/zones, .../zones/{id}/records | DNS |
| Public DNS | /v1/public-dns, .../{id}/records, .../{id}/sync, .../{id}/validate-delegation | Public DNS |
| DNS firewall (RPZ) | /v1/dns/rpz zones and rules | DNS firewall |
| DHCP scopes | /v1/dhcp/scopes, scope options, reservations, leases | DHCP |
| DHCP HA groups | /v1/dhcp/ha-groups, .../{id}/members | HA groups |
| IPAM | /v1/ipam/subnets, split/merge/allocate, options, export | IPAM |
| Agents | /v1/agents, events, role, cert-rotate, reissue | Agents |
| Zone/scope deployments | /v1/agents/{id}/zone-deployments, .../scope-deployments, .../dns-config, .../dhcp-config, .../dns-views | Configuration & roles |
| Windows migration | /v1/agents/{id}/migration-preview, .../migrate, .../sync-windows-inventory | Windows migration |
| Sites | /v1/sites, .../{id} | Sites |
| Intelligence | /v1/advisor, /v1/risk-score, .../scan-delta-summary | Network Intelligence |
| Import / export | /v1/ipam/subnets/import, /v1/import/ip-subnets, /v1/import/ip-records, /v1/admin/export | Import & Export |
| Administration | /v1/admin/audit, /v1/admin/members, member permissions | Settings |
| MSP | /api/msp/dashboard and per-client resources | MSP Guide |
| Platform (superuser) | /v1/superadmin/tenants, plans, add-ons, quotas | — |
Common patterns
- Create —
POSTto the collection (e.g.POST /v1/dns/zones). - List —
GETthe collection withlimit/offset. - Update —
PUT(or a dedicated action sub-path) on the resource. - Delete —
DELETEthe resource, or a.../deleteaction endpoint where used. - Actions — operations like
sync,validate-delegation,cert-rotate,migrate, andreissuearePOSTsub-paths on a resource.
Webhooks
Subnetly can call your endpoints when events occur. Outbound webhooks are signed with an X-Subnetly-Signature header so you can verify authenticity. Configure them in Settings → Webhooks.