
Base URL

All endpoints are relative to your Openinary server URL.
http://localhost:3000   # default local setup
https://your-domain.com # self-hosted production

Authentication

Protected endpoints require an API key passed as a Bearer token.
Authorization: Bearer <your_api_key>
Generate API keys from the dashboard (/api-keys) or via the API Keys API. In API-only mode, the first key is printed to the server logs on startup.
Some endpoints (API key management) also accept a session cookie, used internally by the dashboard.

Rate limiting

Public endpoints are rate-limited by IP address.

| Default | Configurable via |
| --- | --- |
| 100 requests / 60 seconds | PUBLIC_RATE_LIMIT_MAX, PUBLIC_RATE_LIMIT_WINDOW_MS |

Rate limit headers are included in every response:

| Header | Description |
| --- | --- |
| X-RateLimit-Limit | Maximum requests allowed in the current window |
| X-RateLimit-Remaining | Requests remaining in the current window |
| X-RateLimit-Reset | Unix timestamp when the window resets |

Protected endpoints (API key required) are not subject to public rate limiting.
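
A client for the public endpoints can use these headers to pace itself instead of retrying blindly on 429. The following is an added example, not code from the Openinary project; the function names are hypothetical, and it assumes X-RateLimit-Reset is given in Unix seconds (values of 1e12 or more are treated as milliseconds).

```javascript
// Added example: client-side handling of the X-RateLimit-* headers.
// Assumption: X-RateLimit-Reset is Unix seconds; values >= 1e12 are read as milliseconds.

function parseRateLimit(headers) {
  // Header names are case-insensitive: normalise a plain object to lower-case keys.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  // Accept only plain non-negative integers; anything else counts as missing.
  const num = (name) => (/^\d+$/.test(h[name] || "") ? Number(h[name]) : null);
  const reset = num("x-ratelimit-reset");
  return {
    limit: num("x-ratelimit-limit"),
    remaining: num("x-ratelimit-remaining"),
    resetMs: reset === null ? null : reset >= 1e12 ? reset : reset * 1000,
  };
}

// How long to wait (ms) before the next request to a public endpoint.
// Returns 0 when the request may go out immediately.
function waitBeforeNextRequest(status, headers, nowMs, maxWaitMs = 120000) {
  const rl = parseRateLimit(headers);
  const exhausted = status === 429 || rl.remaining === 0;
  if (!exhausted) return 0;
  // Missing or malformed reset header: fall back to the documented default window (60 s).
  if (rl.resetMs === null) return 60000;
  // Clamp: never negative (clock skew), never longer than maxWaitMs (implausible header).
  return Math.min(Math.max(rl.resetMs - nowMs, 0), maxWaitMs);
}

// Constructed sample responses (not captured from a real server).
const NOW = 1700000000000; // fixed clock in ms so the results are reproducible
const samples = [
  { status: 200, headers: { "X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "42", "X-RateLimit-Reset": "1700000030" } },
  { status: 429, headers: { "X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "1700000030" } },
  { status: 429, headers: { "x-ratelimit-reset": "not-a-number" } },
];
for (const s of samples) {
  console.log(s.status, "wait ms:", waitBeforeNextRequest(s.status, s.headers, NOW));
}
```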

Endpoints overview

| Group | Endpoint | Auth |
| --- | --- | --- |
| Media | GET /t/{transformations}/{path} | Public |
| | GET /authenticated/s--{sig}/{transformations}/{path} | Signed URL |
| Files | POST /upload | API Key |
| | POST /upload/createfolder | API Key |
| | GET /download/{path} | Public |
| Storage | GET /storage | API Key |
| | GET /storage/{path}/metadata | API Key |
| | DELETE /storage/{path} | API Key |
| Cache | DELETE /invalidate/{path} | API Key |
| Queue | GET /queue/stats | API Key |
| | GET /queue/jobs | API Key |
| | POST /queue/jobs/{jobId}/retry | API Key |
| | POST /queue/jobs/{jobId}/cancel | API Key |
| | DELETE /queue/jobs/{jobId} | API Key |
| | GET /queue/events | Public |
| API Keys | POST /api-keys/create | API Key / Session |
| | GET /api-keys/list | API Key / Session |
| | PATCH /api-keys/{keyId} | API Key / Session |
| | DELETE /api-keys/{keyId} | API Key / Session |
| Health | GET /health | Public |
| | GET /health/database | API Key |

Error responses

All errors follow a consistent shape:
{
  "error": "Human-readable error message",
  "details": "Optional additional context"
}

| Status | Meaning |
| --- | --- |
| 400 | Bad request — invalid parameters or missing required fields |
| 401 | Unauthorized — missing or invalid API key |
| 403 | Forbidden — valid key but insufficient permissions |
| 404 | Not found |
| 409 | Conflict — resource already exists |
| 429 | Rate limit exceeded |
| 500 | Internal server error |