Administration API

This article and the rest of the API documentation in this section are written for a technical audience — integrators and developers connecting external systems to Tickiti. Familiarity with HTTP, REST, JSON and bearer-token authentication is assumed.

The Administration API exposes the Administration screens — system settings, branding, custom domain, AI assistant, users & queue permissions, licence status, storage management and diagnostics. Every endpoint runs as the token’s owner and is gated by the administration ability plus the owner’s admin role; a few are additionally restricted to sysadmin and keep their in-app password re-check.

Abilities and conventions

  1. administration:read — read endpoints.
  2. administration:write — create / update / action endpoints. Write implies read.

All endpoints are POST and JSON. Custom-domain and AI-assistant updates require the owner to be a sysadmin and to supply the operator’s current_password in the body, exactly as the screens do. Reads never return secrets (the AI key, mailbox passwords, remote tokens). Seat limits and the sysadmin-only role flags on user changes are enforced as in the UI.

Endpoints

| Method & path | Ability | Purpose |
|---|---|---|
| POST /api/v1/administration/system | administration:read | System settings |
| POST /api/v1/administration/system/update | administration:write | Update system options |
| POST /api/v1/administration/branding | administration:read | Branding settings |
| POST /api/v1/administration/branding/update | administration:write | Update branding (names, colours, logo sizes) |
| POST /api/v1/administration/branding/app-logo | administration:write | Upload the app logo (multipart) |
| POST /api/v1/administration/branding/email-logo | administration:write | Upload the email logo (multipart) |
| POST /api/v1/administration/branding/reset-app-logo | administration:write | Reset the app logo |
| POST /api/v1/administration/branding/reset-email-logo | administration:write | Reset the email logo |
| POST /api/v1/administration/custom-domain | administration:read (sysadmin) | Custom-domain state |
| POST /api/v1/administration/custom-domain/update | administration:write (sysadmin + password) | Set the custom domain |
| POST /api/v1/administration/ai-assistant | administration:read (sysadmin) | AI-assistant settings/stats |
| POST /api/v1/administration/ai-assistant/update | administration:write (sysadmin + password) | Update AI-assistant settings |
| POST /api/v1/administration/users | administration:read | List users + queues |
| POST /api/v1/administration/users/create | administration:write | Create a user (seat-limited) |
| POST /api/v1/administration/users/{user}/update | administration:write | Update a user’s roles |
| POST /api/v1/administration/users/{user}/queues/{queue} | administration:write | Upsert a queue permission |
| POST /api/v1/administration/users/{user}/queues/{queue}/detach | administration:write | Remove a queue permission |
| POST /api/v1/administration/licence | administration:read | Licence status + disk utilisation |
| POST /api/v1/administration/storage/retention | administration:write | Update sent-mail retention |
| POST /api/v1/administration/storage/delete-orphaned | administration:write | Delete orphaned attachment files |
| POST /api/v1/administration/storage/delete-closed | administration:write | Delete attachments on old closed tickets |
| POST /api/v1/administration/diagnostics | administration:read | List/fetch diagnostics (if enabled) |
| POST /api/v1/administration/diagnostics/fetch | administration:read | Fetch a file from a diagnostic bundle |
| POST /api/v1/administration/diagnostics/upload | administration:write | Upload a diagnostic bundle (multipart) |
| POST /api/v1/administration/diagnostics/update | administration:write | Update diagnostic metadata |
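
The conventions and endpoint table above, applied on the integrator's side. This is an added example, not Tickiti's own code: it builds (without sending) a bearer-authenticated JSON POST, rejects calls that break the documented ability and current_password rules before they leave the client, and produces a log-safe view of the request. The host name, the helper names and the idea that the integration knows its token's abilities are assumptions; request body fields other than current_password are left to the caller because the page does not document them.

```python
import json
import urllib.request

BASE_URL = "https://tickiti.example.invalid"   # placeholder host (assumption)
PREFIX = "/api/v1/administration/"

# Paths the endpoint table marks administration:read; all others need write.
READ_PATHS = {"system", "branding", "custom-domain", "ai-assistant", "users",
              "licence", "diagnostics", "diagnostics/fetch"}
# Paths the table marks "sysadmin + password".
PASSWORD_GATED = {"custom-domain/update", "ai-assistant/update"}


def required_ability(path):
    return "administration:read" if path in READ_PATHS else "administration:write"


def build_request(path, token, token_abilities, body=None):
    """Build (not send) a POST; fail fast on calls that break the documented rules."""
    body = dict(body or {})
    need = required_ability(path)
    # Write implies read, so a write token satisfies either requirement.
    if need not in token_abilities and "administration:write" not in token_abilities:
        raise PermissionError(f"{path} needs {need}")
    if path in PASSWORD_GATED and not body.get("current_password"):
        raise ValueError(f"{path} requires current_password in the body")
    return urllib.request.Request(
        BASE_URL + PREFIX + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
    )


def redacted(req):
    """Loggable view of a request: bearer token and current_password masked."""
    body = json.loads(req.data)
    if "current_password" in body:
        body["current_password"] = "***"
    return {"method": req.get_method(), "url": req.full_url,
            "authorization": "Bearer ***", "body": body}
```

The server still applies the owner's admin or sysadmin role check, which a client cannot evaluate from the token alone.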

Not exposed

Some actions are intentionally unavailable over the API, even role-gated, because the blast radius of a leaked token is too high:

  1. Licence register / unregister — can deactivate the whole instance. Read-only status is available above.
  2. Deleting a user — create and role changes are available; deletion is UI-only.
  3. API-key management — minting tokens via a token is an escalation path; manage keys from Administration → API keys.