REST API
All console functionality is exposed through the same REST API. JSON responses, JWT or API key authentication, public OpenAPI specification.
Base URL
https://tesserra.io/api
OpenAPI specification available at /api/docs (Swagger UI) and /api/redoc (Redoc).
Authentication
JWT (user session)
Use for calls on behalf of an authenticated user.
# 1. login
curl -X POST https://tesserra.io/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{ "email": "you@acme.com", "password": "..." }'
# response: { "access_token": "eyJ..." }
# 2. use
curl https://tesserra.io/api/projetos \
  -H "Authorization: Bearer eyJ..."
Access tokens expire in 15 minutes. For continuous automation, use API keys.
API key (non-human)
In App → API keys, create a key with minimal scope. The secret is shown only once at creation time.
curl https://tesserra.io/api/agentes \
  -H "X-Tesserra-Api-Key: tessera_<prefix>_<segredo>"
Rate limit
- /auth/login: 5 req per 15 min per IP, lockout after 5 failures.
- /auth/me: 60 req/min.
- /projetos/*, /dominios/*: 60 req/min per token.
- /admin/*: 120 req/min per token.
When exceeded, the API returns HTTP 429 with the Retry-After header.
Endpoint families
| Family | Path | Auth |
|---|---|---|
| Auth | /auth/login · /auth/me · /auth/logout · /auth/refresh | public / JWT |
| Tenants | /tenants/atual · /admin/tenants | JWT · admin |
| Plans | /planos · /assinatura/checkout · /admin/planos | public / JWT / admin |
| Projects | /projetos · /projetos/{id} · /projetos/{id}/recursos | JWT |
| Catalog | /projetos/catalogo | public |
| Resources | /projetos/{id}/recursos · /recursos/{id} | JWT |
| Domains | /dominios · /dominios/{id}/zonefile | JWT |
| E-mails | /emails · /emails/aliases | JWT |
| Files | /projetos/{id}/arquivos | JWT |
| Health | /projetos/{id}/saude · /tenants/atual/saude | JWT |
| Agents | /agentes · /verticais · /admin/agentes | public / JWT |
| Chat | /conversas · /conversas/{id}/mensagens | JWT |
| Finance | /admin/financeiro/* | admin |
| Stripe webhooks | /webhooks/stripe | Stripe HMAC |
Pagination
List endpoints accept ?limite=N (1–500) and ?offset=N. Specific filters are documented in the OpenAPI specification.
Error format
{ "detail": "plano sem preço sincronizado para EUR" }
Common codes: 400 validation, 401 unauthenticated, 402 missing subscription, 403 forbidden, 404 not found, 409 conflict, 429 rate limit, 503 external service unavailable.
Idempotency
POST calls that create resources accept the Idempotency-Key header. Reusing the same key within 24 hours returns the result of the previous call. Useful for CI/CD pipeline retries.
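The Rate limit and Idempotency sections combine into one retry pattern for automation: generate the Idempotency-Key once per logical operation, reuse it on every retry, and wait for the Retry-After value after an HTTP 429. The following is an added example, not code from the Tesserra project. It assumes the target POST endpoint accepts API key authentication, it also retries 503 as a client-side choice, and the send and sleep parameters are hypothetical hooks for testing.

```python
import json
import time
import uuid
import urllib.error
import urllib.request

BASE_URL = "https://tesserra.io/api"

def _json(raw):
    """Parse a body as JSON; non-JSON bodies (e.g. a proxy error page) become {}."""
    try:
        return json.loads(raw or b"{}")
    except ValueError:
        return {}

def http_send(url, headers, body):
    """Default transport: POST and return (status, response headers, JSON body)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), _json(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), _json(err.read())

def retry_delay(headers, attempt, cap=60):
    """Seconds to wait: numeric Retry-After if present, else exponential backoff."""
    value = {k.lower(): v for k, v in headers.items()}.get("retry-after", "")
    try:
        return min(max(int(value), 0), cap)
    except ValueError:
        return min(2 ** attempt, cap)

def create_resource(path, body, api_key, send=http_send, sleep=time.sleep, max_attempts=5):
    """POST once per attempt, reusing a single Idempotency-Key for every retry."""
    headers = {
        "Content-Type": "application/json",
        "X-Tesserra-Api-Key": api_key,
        "Idempotency-Key": str(uuid.uuid4()),  # one key per logical operation
    }
    for attempt in range(max_attempts):
        status, resp_headers, payload = send(BASE_URL + path, headers, body)
        if status in (429, 503) and attempt < max_attempts - 1:
            sleep(retry_delay(resp_headers, attempt))
            continue
        if status >= 400:
            raise RuntimeError(f"HTTP {status}: {payload.get('detail')}")
        return payload
```

Pass the API key from the pipeline's secret store rather than hard-coding it, since the secret is shown only once at creation time.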