All Dokploy API requests require authentication. The recommended approach for programmatic and CI/CD access is an API key, passed via the x-api-key HTTP header on every request. Browser-based access to the dashboard uses session cookies managed automatically by Dokploy’s auth layer (powered by better-auth). This page covers everything you need to know about generating, using, and revoking API keys.
Generating an API Key
Log in to your Dokploy dashboard
Open your Dokploy instance in a browser and sign in with your account credentials.
Create a new key
Click Generate New API Key, give it a descriptive name (for example, CI/CD pipeline or Monitoring agent), and configure any optional expiry or rate-limit settings.
Creating an API Key via the API
You can also create API keys programmatically using an existing authenticated session or API key. This is useful for bootstrapping CI environments or creating scoped keys on the fly.
The metadata.organizationId field is required — the key is scoped to that organization. You must be a member of the organization you specify.
You may also pass optional fields to control expiry and rate limiting:
A human-readable label for the key. Used to identify the key in the dashboard and audit logs.
Optional short string prepended to the generated key value (e.g. ci_). Useful for quickly identifying the key source.
Time-to-live in seconds. Omit for a non-expiring key.
The organization the key should be scoped to. The authenticated user must be a member.
Enable per-key rate limiting.
Rate limit window duration in milliseconds.
Maximum number of requests allowed within the time window.
Total number of requests this key is allowed to make before it is exhausted. Leave unset for unlimited usage.
Using an API Key
Pass the key in the x-api-key header on every request:
API Key Response Fields
When you create an API key (via the dashboard or the user.createApiKey endpoint), the response includes:
The raw API key value. This is the only time the full key is returned. Store it immediately.
Unique identifier for the key record. Use this id when deleting the key.
The human-readable name you assigned when creating the key.
ISO 8601 timestamp of when the key was created (e.g. 2024-03-15T10:30:00.000Z).
ISO 8601 timestamp of when the key expires, or null if the key does not expire.
Number of requests remaining, or null if usage is unlimited.
Looking Up a User by Token
The user.getUserByToken endpoint lets you verify a token and retrieve the associated user record. This is a public procedure — it does not require an existing authenticated session:
Listing API Keys
Navigate to Settings → Profile → API Keys in the dashboard to see all keys associated with your account, including their names, creation dates, and expiry status. Listing keys via the API is not currently exposed as a dedicated endpoint — manage them through the dashboard UI.
Deleting an API Key
Delete a key by its id using the user.deleteApiKey mutation. You can only delete your own keys.
The id of the API key to delete. Must belong to the authenticated user.
Deleting a key takes effect immediately. Any in-flight request that arrives after deletion will receive a 401 UNAUTHORIZED response. There is no grace period.
Session Authentication
For browser-based interactions, Dokploy uses session cookies issued by better-auth. When you log in through the dashboard, a secure HTTP-only session cookie is set automatically and included in subsequent requests by the browser. Session authentication is handled transparently by the Dokploy UI — you do not need to manage cookies manually for normal dashboard use. For programmatic access (scripts, CI, external services), always use an API key instead.
Generating a Token (Legacy)
The user.generateToken procedure exists for internal use and returns a placeholder token string. It is not intended for external API consumers — use user.createApiKey instead for all programmatic authentication needs.
Security Best Practices
Follow these practices to keep your Dokploy instance secure:
- Use descriptive names — label each key with its purpose and owner (e.g. github-actions-deploy, monitoring-agent) so you can audit and revoke individual keys without disrupting others.
- Set expiry dates — short-lived keys reduce the blast radius of a compromise. Use expiresIn to enforce rotation.
- Apply rate limits — for keys used in automated pipelines, enable rateLimitEnabled and set appropriate rateLimitMax and rateLimitTimeWindow values to prevent runaway processes from overloading your instance.
- Rotate keys regularly — delete old keys and create fresh ones on a schedule (e.g. quarterly) or after any suspected exposure.
- Use the minimum required scope — Dokploy keys inherit the role of the creating user within the specified organization. Create dedicated service accounts with the member role for automation tasks that do not require admin privileges.
- Audit key usage — review the Dokploy audit log (available under Settings → Audit Logs on Enterprise plans) to detect unexpected API activity.
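One way to enforce the expiry and rate-limit practices above before a key is ever created, as an added example that is not Dokploy's own code: a pre-flight check on the user.createApiKey request body that also builds (without sending) the request carrying the x-api-key header. The name field, the /api/user.createApiKey path, the sample values, and the 90-day and 8-character thresholds are assumptions.

```python
import json
import urllib.request

MAX_TTL_SECONDS = 90 * 24 * 3600  # assumed policy: rotate at least quarterly


def lint_key_request(payload):
    """Return policy findings for a user.createApiKey request body."""
    findings = []
    if len(payload.get("name", "")) < 8:  # field name "name" is an assumption
        findings.append("name: too short to identify purpose and owner")
    if not payload.get("metadata", {}).get("organizationId"):
        findings.append("metadata.organizationId: required")
    ttl = payload.get("expiresIn")
    if ttl is None:
        findings.append("expiresIn: omitted, key would never expire")
    elif ttl > MAX_TTL_SECONDS:
        findings.append("expiresIn: longer than the rotation interval")
    if not payload.get("rateLimitEnabled"):
        findings.append("rateLimitEnabled: per-key rate limiting is off")
    elif not (payload.get("rateLimitMax") and payload.get("rateLimitTimeWindow")):
        findings.append("rateLimitMax/rateLimitTimeWindow: both must be set")
    return findings


def build_create_request(base_url, api_key, payload):
    """Build (not send) the POST; refuse payloads that fail the lint."""
    findings = lint_key_request(payload)
    if findings:
        raise ValueError("; ".join(findings))
    return urllib.request.Request(
        base_url.rstrip("/") + "/api/user.createApiKey",  # path is an assumption
        data=json.dumps(payload).encode(),
        headers={"x-api-key": api_key, "Content-Type": "application/json"},
        method="POST",
    )


# Constructed sample payloads (organization id and values are placeholders)
WEAK = {"name": "test", "metadata": {"organizationId": "org_example"}}
GOOD = {
    "name": "github-actions-deploy",
    "metadata": {"organizationId": "org_example"},
    "expiresIn": 30 * 24 * 3600,    # seconds
    "rateLimitEnabled": True,
    "rateLimitTimeWindow": 60_000,  # milliseconds
    "rateLimitMax": 30,
}
```

Running the lint in the pipeline step that bootstraps keys means a non-expiring or unthrottled key fails the job instead of reaching the instance.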