ShipOS docs
REST API Two surfaces Audited

API Overview

ShipOS exposes two API surfaces: a control plane for managing flags and projects, and an edge for evaluating flags globally in under 50ms. This page covers base URLs, authentication, the execution model, audit, and the shared error shape.

Base URLs

The two surfaces live on different hosts and use different keys. Pick the one that matches what you're doing.

SurfaceBase URLWhat it does
Control planehttps://app.shipos.app/api/v1Manage flags and projects. See the Flags API.
Edgehttps://edge.shipos.appEvaluate flags from your app. See the Edge Evaluation API.

Authentication

The control plane accepts two authentication modes. Dashboard users authenticate with a Supabase session cookie; programmatic clients and agents authenticate with a bearer key.

Dashboard users are authenticated by their Supabase session cookie. Session users may pass ?orgId=<uuid> on any endpoint to act inside another org they belong to; without it, requests default to their first membership.

Bearer key

Programmatic clients send Authorization: Bearer <key>. Which key works where depends on its kind:

Session cookieAgent keyAdmin keySDK key
CredentialPrefixWorks onExecutes mutations
Session cookie-Control planeDirectly
Agent keysos_agt_*Control plane + MCPDirectly
Admin keysos_adm_*Control planeDirectly
SDK keysos_sdk_*Edge onlyEvaluation only

SDK keys are edge-only

SDK keys (sos_sdk_*) are rejected on the control plane. They only evaluate flags at the edge. To manage flags programmatically, create an agent or admin key in the ShipOS dashboard under Keys.

Here's a request to list your org's projects using a bearer agent key:

bash
curl https://app.shipos.app/api/v1/projects \
  -H "Authorization: Bearer sos_agt_xxxxxxxxxxxxxxxxxxxx"

Direct execution

A valid credential executes mutations directly, there is no approval or sign-off step. Agent keys (sos_agt_*), admin keys (sos_adm_*), and dashboard sessions all apply changes immediately. Safety comes from two properties that hold for every change: it is audited and it is instantly reversible with the flag's kill switch.

Keep autonomy safe by scoping keys

Scope agent keys to a single project, keep prod keys separate from dev, and revoke a key the moment it is no longer needed. Create and revoke keys in the dashboard under Keys, they are never readable over the API after creation.

Audit trail

Every mutation writes an audit row atomically with the change, if the write fails, the audit row is never orphaned. Session users are recorded as actor_type: user. Both agent and admin keys are recorded as actor_type: agent, tagged with their key prefix.

Errors

Every error, across both surfaces, uses the same envelope: an error object with a machine-readable code and a human-readable message.

json
{
  "error": {
    "code": "version_conflict",
    "message": "The config was updated by someone else. Refetch and retry."
  }
}
StatusMeaning
400Malformed request or invalid body.
401Missing or invalid credentials.
403Not permitted. Plan-limit violations use code plan_limit.
404Resource not found (or not visible to your org).
409Conflict. Optimistic-concurrency failures (expectedVersion mismatch) use code version_conflict.
422Well-formed request that fails validation.

Where to next

Manage flags on the Flags API, or evaluate flags on the Edge Evaluation API. Create SDK, agent, and admin keys in the dashboard, the full secret is shown once at creation and cannot be read back over the API.