Lific
REST API

Identity and instance

Instance settings, browser sessions, API keys, connected tools, and users.

Instance

GET /api/instance

Returns public instance metadata for an authentication screen. This endpoint has no path or query parameters. It has no request body.

Response: an object with allow_signup (boolean), has_users (boolean), instance_name (string), login_message (string), and web_auto_login (boolean).

curl https://your-server.example/api/instance
{
  "allow_signup": true,
  "has_users": true,
  "instance_name": "Lific",
  "login_message": "",
  "web_auto_login": false
}

GET /api/instance/settings

Returns the complete instance settings object. Requires an administrator. This endpoint has no path or query parameters. It has no request body.

Response: an object with allow_signup (boolean), instance_name (string), signup_email_domains (string array), session_lifetime_days (integer), login_message (string), web_auto_login (boolean), and authz_enforced (boolean).

PATCH /api/instance/settings

Updates supplied instance settings. Requires an administrator. It has no path or query parameters.

Request body fields are allow_signup (boolean), instance_name (string), signup_email_domains (string array), session_lifetime_days (integer), login_message (string), web_auto_login (boolean), and authz_enforced (boolean). Every field is optional.

Response: the complete instance settings object.

curl -X PATCH https://your-server.example/api/instance/settings \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"instance_name":"Lific"}'
{
  "allow_signup": true,
  "instance_name": "Lific",
  "signup_email_domains": [],
  "session_lifetime_days": 30,
  "login_message": "",
  "web_auto_login": false,
  "authz_enforced": false
}

Sessions and profiles

POST /api/auth/signup

Creates a non-admin user and a session. This endpoint has no path or query parameters.

Request body fields are username (string), email (string), password (string), and display_name (string, optional).

Response: an authentication result with user and token fields. user contains id (integer), username (string), email (string), display_name (string), and is_admin (boolean). token and expires_at are strings.

POST /api/auth/login

Authenticates a user by username or email and creates a session. This endpoint has no path or query parameters.

Request body fields are identity (string) and password (string).

Response: the same authentication result as signup.

curl -X POST https://your-server.example/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"identity":"alex","password":"example-password"}'
{
  "user": {
    "id": 1,
    "username": "alex",
    "email": "alex@example.com",
    "display_name": "alex",
    "is_admin": false
  },
  "token": "lific_sess_example",
  "expires_at": "2026-08-13T12:00:00Z"
}

POST /api/auth/auto-login

Creates a session for the first admin when single-user auto-login is enabled. This endpoint has no path or query parameters. It has no request body.

Response: an authentication result. The user object has id (integer), username (string), display_name (string), and is_admin (boolean).

POST /api/auth/logout

Deletes the session named by the Bearer header when the token is a session token. It clears the browser session cookie.

This endpoint has no path or query parameters. It has no request body. Response: { "logged_out": true }.

GET /api/auth/me

Returns the user associated with the Bearer credential. This endpoint has no path or query parameters. It has no request body.

Response: an object with id (integer), username (string), email (string), display_name (string), and is_admin (boolean).

PATCH /api/auth/me

Updates the authenticated user's profile. This endpoint has no path or query parameters.

Request body fields are display_name (string, optional) and email (string, optional). Response: the same user object as GET /api/auth/me.

POST /api/auth/me/password

Verifies the current password, changes it, invalidates the user's existing sessions, and creates a new session. This endpoint has no path or query parameters.

Request body fields are current_password (string) and new_password (string). Response: an object with ok (boolean), token (string), and expires_at (string).

DELETE /api/auth/me/sessions

Deletes every session for the authenticated user and clears the browser session cookie. This endpoint has no path or query parameters. It has no request body.

Response: { "revoked": true }.

API keys

GET /api/auth/keys

Lists API keys owned by the authenticated user. This endpoint has no path or query parameters. It has no request body.

Response: an array of objects with id (integer), name (string), created_at (string), expires_at (string or null), and revoked (boolean).

POST /api/auth/keys

Creates an API key and assigns it to the authenticated user. This endpoint has no path or query parameters.

Request body field: name (string). Response: an object with name (string) and key (string). The response is the only response that includes the plaintext key.

curl -X POST https://your-server.example/api/auth/keys \
  -H "Authorization: Bearer <API_KEY>" \
  -H "Content-Type: application/json" \
  -d '{"name":"documentation-client"}'
{
  "name": "documentation-client",
  "key": "lific_sk-live-example"
}

DELETE /api/auth/keys/{id}

Revokes an API key. Path parameter: id (integer key ID). It has no query parameters or request body.

Response: { "revoked": true }.

Connected tools

GET /api/auth/bots

Lists connected tool bots owned by the authenticated user. This endpoint has no path or query parameters. It has no request body.

Response: an array of objects with id (integer), username (string), display_name (string), owner_id (integer or null), created_at (string), and has_active_key (boolean).

POST /api/auth/bots

Creates or reconnects a bot for a supported tool. This endpoint has no path or query parameters.

Request body field: tool (string). Supported values are opencode, cursor, claude-code, claude, codex, pi, vscode, and zed.

Response: an object with bot and key. bot has id (integer), username (string), and display_name (string). key and tool are strings.

POST /api/auth/bots/{id}/disconnect

Revokes active keys for a connected bot. Path parameter: id (integer bot user ID). It has no query parameters or request body.

Response: { "disconnected": true }.

DELETE /api/auth/bots/{id}

Deletes a connected bot. Path parameter: id (integer bot user ID). It has no query parameters or request body.

Response: the standard delete response.

Users

GET /api/users

Lists non-bot users for selection controls. This endpoint has no path or query parameters. It has no request body.

Response: an array of objects with id (integer), username (string), display_name (string), is_admin (boolean), and created_at (string).

On this page