The Opterius API has two distinct authentication layers depending on which component you are talking to.
Panel API — the REST API exposed by the Opterius Panel at https://SERVER_IP:8443/api/v1/. This is the API you use for external integrations: WHMCS, custom billing systems, scripts, or any tooling that manages hosting accounts from outside the server. It uses Bearer token authentication.
Agent API — the internal HTTP API exposed by the Opterius Agent on 127.0.0.1:7443. The Panel calls this automatically to carry out server operations. Direct access is for developers building custom tooling. It uses HMAC-SHA256 request signing. See HMAC Signing for details.
This article covers the Panel API.
Getting an API Token
API tokens are scoped per server in Server Mode.
- Log in to the Opterius Panel.
- Navigate to Server Mode → Settings → API.
- Click New Token.
- Give the token a name (e.g.
whmcs-integration) and set the permission scope. - Copy the token — it is shown only once.
[!WARNING] Store the token securely. It grants full API access to your server. If compromised, revoke it immediately from the same screen and generate a new one.
Making Authenticated Requests
Include the token in every request using the Authorization header:
Authorization: Bearer {token}
Base URL:
https://SERVER_IP:8443/api/v1/
Replace SERVER_IP with your server's IP address or hostname. The Panel listens on port 8443 with TLS.
Example — list all accounts:
curl -sk \
-H "Authorization: Bearer YOUR_TOKEN_HERE" \
https://SERVER_IP:8443/api/v1/accounts
Response Format
All Panel API responses are JSON. Successful responses return a data key (single object or array). Error responses return an error key and a human-readable message.
Success:
{
"data": [
{ "id": 1, "username": "alice", "domain": "alice.example.com", "status": "active" }
]
}
Error:
{
"error": "validation_failed",
"message": "The username field is required.",
"errors": {
"username": ["The username field is required."]
}
}
HTTP Status Codes
| Code | Meaning |
|---|---|
| 200 | OK — request succeeded |
| 201 | Created — resource created |
| 204 | No Content — successful delete |
| 401 | Unauthorized — missing or invalid token |
| 403 | Forbidden — valid token but insufficient scope, or license required |
| 404 | Not Found — resource does not exist |
| 409 | Conflict — duplicate resource |
| 422 | Unprocessable Entity — validation failed |
| 500 | Server Error — check Panel logs |
TLS Verification
The Panel uses a self-signed certificate by default. Add -k / --insecure to curl during testing, or import the Panel's certificate into your trust store for production integrations. If you have configured a valid certificate on the Panel's own domain, TLS verification will pass normally.