REST API v1

API Documentation

Programmatically manage DayZ server configuration data with authenticated JSON endpoints.

Resources

Endpoints

Writable

Quick start

Send JSON requests with a bearer token from a plan that includes API access.

Bearer token

1 Generate an API key from your profile page.
2 Pass it as an Authorization: Bearer header.
3 Use resource sid values in route parameters.

curl -X GET 'https://beta.dzconfig.com/api/v1/instances?per_page=10' \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer YOUR_API_TOKEN'

Response format

Data wrapper: Resources are returned as JSON under a data key.
Pagination: List endpoints include links and meta objects.
Scoping: Instance resources are scoped to instances owned by the authenticated user.

Authentication

All endpoints except the public health probe require a personal API token.

Bearer token

Get a token: Visit your profile page, scroll to the API token section, and click Generate token. Save it somewhere safe — it's shown only once.
Rotate or revoke: Generating a new token immediately invalidates the previous one. There is one active token per user.
Plan requirement: API access is a Platinum-plan feature. Free-plan tokens authenticate but every request returns 403 Forbidden.
Statelessness: Token requests don't write a session cookie or row. Every call is independent.

Header format

Authorization: Bearer YOUR_API_TOKEN
Accept: application/json

401 response

{
  "message": "Unauthenticated."
}

Rate limits

Throttles are enforced per route group. Hitting the limit returns a 429 with a Retry-After header.

Endpoint group	Limit	Keyed by
`GET /api/v1/health`	60 requests/minute	Client IP
`All other /api/v1/*`	60 requests/minute	Authenticated user ID (falls back to IP)

Response headers (429)

HTTP/2 429 Too Many Requests
Retry-After: 42
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0

Response body (429)

{
  "message": "Too Many Attempts."
}

The per_page query parameter on list endpoints is silently clamped to a maximum of 100. Non-numeric values are stripped and the default of 15 is used. Body-parameter per_page values are clamped the same way.

Errors

Every error is returned as JSON regardless of the Accept header thanks to the ForceJsonResponse middleware.

404 — Not found

{
  "message": "Not Found."
}

403 — Forbidden

{
  "message": "This action is unauthorized."
}

422 — Validation

{
  "message": "The name field is required.",
  "errors": {
    "name": ["The name field is required."],
    "value": ["The value must be at least 0."]
  }
}

413 — Storage limit

{
  "message": "You have reached your plan limit of 10 stored uploads...",
  "limit_type": "stored_uploads",
  "current": 10,
  "limit": 10
}

429 — Rate limited

{
  "message": "Too Many Attempts."
}

500 — Server error

{
  "message": "Server Error"
}

The limit_type on a 413 is one of stored_uploads, stored_generates, or total_storage. The numeric current and limit values are bytes for total_storage and a count otherwise.

Versioning

The current API is v1. Every endpoint lives under /api/v1/.

Additive changes: New fields, new optional query parameters, and new endpoints can ship at any time within v1. Clients should ignore unknown fields.
Breaking changes: Removing or renaming a field, changing a status code, or tightening validation will only happen in a future /api/v2/ namespace. v1 will keep running alongside v2 for a deprecation window.
Deprecations: Endpoints scheduled for removal will surface a Deprecation response header with the cutoff date and a Link header pointing to the replacement.
No version negotiation: The version is in the URL, not the Accept header. Don't send application/vnd.dzc.v1+json.