ContextQMD
Back to Sunshine

API

docs/api.md

2025.628.45102.9 KB
Original Source

API

Sunshine has a RESTful API which can be used to interact with the service.

Unless otherwise specified, authentication is required for all API calls. You can authenticate using basic authentication with the admin username and password.

CSRF Protection

State-changing API endpoints (POST, DELETE) are protected against Cross-Site Request Forgery (CSRF) attacks.

For Web Browsers:

  • Requests from same-origin (configured via csrf_allowed_origins) are automatically allowed
  • Cross-origin requests require a CSRF token

For Non-Browser Applications:

  • Non-browser clients (e.g. curl, scripts, custom apps) are exempt from CSRF protection
  • CSRF attacks require a browser to silently attach credentials to a cross-origin request — this threat does not apply to non-browser clients that explicitly provide credentials with every request
  • Requests with no Origin or Referer header (as is typical for non-browser clients) are automatically allowed without a CSRF token

Example (browser-equivalent cross-origin request):

bash
# Get CSRF token
curl -u user:pass https://localhost:47990/api/csrf-token

# Use token in request
curl -u user:pass -H "X-CSRF-Token: your_token_here" \
  -X POST https://localhost:47990/api/restart

@htmlonly

<script src="api.js"></script>

@endhtmlonly

GET /api/csrf-token

@copydoc confighttp::getCSRFToken()

GET /api/apps

@copydoc confighttp::getApps()

POST /api/apps

@copydoc confighttp::saveApp()

POST /api/apps/close

@copydoc confighttp::closeApp()

DELETE /api/apps/{index}

@copydoc confighttp::deleteApp()

GET /api/browse

@copydoc confighttp::browseDirectory()

GET /api/clients/list

@copydoc confighttp::getClients()

POST /api/clients/unpair

@copydoc confighttp::unpair()

POST /api/clients/unpair-all

@copydoc confighttp::unpairAll()

GET /api/config

@copydoc confighttp::getConfig()

GET /api/configLocale

@copydoc confighttp::getLocale()

POST /api/config

@copydoc confighttp::saveConfig()

GET /api/covers/{index}

@copydoc confighttp::getCover()

POST /api/covers/upload

@copydoc confighttp::uploadCover()

GET /api/logs

@copydoc confighttp::getLogs()

POST /api/password

@copydoc confighttp::savePassword()

POST /api/pin

@copydoc confighttp::savePin()

POST /api/reset-display-device-persistence

@copydoc confighttp::resetDisplayDevicePersistence()

POST /api/restart

@copydoc confighttp::restart()

GET /api/vigembus/status

@copydoc confighttp::getViGEmBusStatus()

POST /api/vigembus/install

@copydoc confighttp::installViGEmBus()

<div class="section_buttons">
PreviousNext
Performance TuningTroubleshooting
</div> <details style="display: none;"> <summary></summary> [TOC] </details>