The admin endpoints provide user lifecycle management, a tamper-evident audit log with SHA-256 hash-chain verification, full-text Elasticsearch search across a world’s index, and per-user AI settings management. AllDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/tudoumono/Sherpa/llms.txt
Use this file to discover all available pages before exploring further.
/admin/* endpoints require the admin role. The /settings endpoints are available to any authenticated user and apply per-user; changes to API keys and model selections are recorded in the audit log without storing the key values.
GET /admin/users
GET/admin/users
List all users in the system. Admin only.
Response
Array of user records.
POST /admin/users
POST/admin/users
Create a new user. The user is created with status: "active" immediately. A personal workspace directory is provisioned on creation. Admin only.
Request body
Unique identifier for the new user. Must match
^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$. Cannot be changed after creation.Human-readable name shown in the UI.
Initial role:
"user" or "admin".Initial plaintext password. Stored as a bcrypt hash; the plaintext is never persisted.
Email address. Optional.
Response
true on success.The created user record (same fields as
GET /admin/users items, without password_hash).PATCH /admin/users/
PATCH/admin/users/{uid}
Update a user’s status, role, password, or display name. All fields are optional; at least one must be provided. Admins cannot disable their own account. Admin only.
Path parameters
The
uid of the user to update.Request body
New account status:
"active" or "disabled". Setting "disabled" prevents login. An admin cannot disable their own account.New role:
"user" or "admin".New plaintext password. Stored as a bcrypt hash.
New display name.
Response
true on success.The
uid of the updated user.GET /admin/audit
GET/admin/audit
Query the audit log. All filter parameters are optional and combined with AND semantics. Viewing the audit log is itself recorded as an admin.audit_viewed event (fail-closed — the view is blocked if the audit write fails). Admin only.
Query parameters
Filter by the
uid of the user who performed the action.Filter by action name (e.g.
auth.login, user.created, document.downloaded, world.deleted).Filter by the type of resource affected (e.g.
user, world, document, workspace_file, audit_log, share, settings).Filter by a specific resource identifier (e.g.
world:payroll-2024, user:alice).Filter by outcome:
success, failure, deny, or error.Filter by severity level:
info, warning, critical.ISO 8601 start of the time range (inclusive).
ISO 8601 end of the time range (inclusive).
Filter by a specific request correlation ID.
Maximum number of rows to return. Range: 1–500.
Pagination offset.
Response
Matching audit log entries.
Number of rows in this response page.
The pagination offset that was applied.
The limit that was applied.
GET /admin/audit/verify
GET/admin/audit/verify
Verify the SHA-256 hash-chain integrity of the audit log. This detects tampering, row deletion, row insertion, reordering, and truncation of the chain-protected portion of the log. The verification itself is recorded as an admin.audit_verified event (fail-closed). Admin only.
Response
true if the hash chain is intact; false if any integrity violation was detected.Number of hash-chained rows that were verified.
Row
id where the first integrity violation was detected, or null when ok is true.Machine-readable reason for the failure. Values include
prev_hash_mismatch, entry_hash_mismatch, missing_head, count_mismatch. null when ok is true.GET /admin/es/search
GET/admin/es/search
Full-text BM25 search against a world’s Elasticsearch index. Returns document chunks with their doc_id, a text excerpt, and a relevance score. Admin only.
Query parameters
World identifier.
Search query string. Minimum length 1 character.
Repeated parameter. Restrict results to documents within these subfolder prefixes.
Maximum number of hits to return. Range: 1–50.
Response
World ID the search was executed against.
The query string that was executed.
The normalised scope prefix list used, or an empty array for an unscoped search.
Search result chunks, sorted by relevance score descending.
GET /settings
GET/settings
Retrieve the current AI settings for the authenticated user. API key values are never returned; instead, openai_key_set and gemini_key_set boolean flags indicate whether a key has been stored.
Response
Active agent backend:
"heuristic", "openai", "gemini", "ollama", or "codex".Codex reasoning effort level (
"low", "medium", "high").Codex model name.
OpenAI model name.
true if an OpenAI API key has been stored for this user.Ollama server URL.
Ollama model name.
true if a Gemini API key has been stored for this user.Gemini model name.
Provider used for knowledge extraction:
"auto", "openai", "gemini", or "ollama".Custom system prompt, or an empty string if not set.
PUT /settings
PUT/settings
Update AI settings for the authenticated user. All fields are optional; only provided (non-null) fields are updated. API key changes are audited as <set> or <cleared> (the key value itself is never written to the audit log). Returns the same shape as GET /settings.
Request body
Agent backend to activate:
"heuristic", "openai", "gemini", "ollama", or "codex".Codex reasoning effort:
"low", "medium", or "high".Codex model name (e.g.
"gpt-5.5").OpenAI API key. Stored encrypted; never returned in responses.
OpenAI model name (e.g.
"gpt-4o").Ollama server URL (e.g.
"http://localhost:11434").Ollama model name (e.g.
"qwen2.5").Google Gemini API key. Stored encrypted; never returned in responses.
Gemini model name (e.g.
"gemini-2.5-flash").Provider for knowledge graph extraction:
"auto", "openai", "gemini", or "ollama".Custom system prompt prepended to every chat request for this user.
POST /settings/test
POST/settings/test
Test connectivity to an AI provider without saving any settings. Sends a minimal probe request to the specified provider and returns the result. Useful for validating API keys and model names before committing them with PUT /settings.
Request body
Provider to test:
"openai", "gemini", "ollama", or "codex".API key to test. If omitted, falls back to the user’s stored key.
Model to test. Falls back to the user’s stored model.
Gemini API key to test.
Gemini model to test.
Ollama URL to test.
Ollama model to test.
Codex model to test.
Response
true if the provider responded successfully.Provider that was tested.
Model that was used in the probe.
Human-readable result message. On success:
"接続OK". On failure: the error description (e.g. "401 Unauthorized", "model not found", "codex CLI が見つかりません").