Skip to main content
Version: v1.0+

Authentication

The Pterodactyl API uses Bearer Token authentication for all requests. There are two types of API keys depending on which API you're accessing.

API Key Types

Client API Keys

Client API keys are created by users for accessing the Client API. These keys have access only to resources that the user creating them has access to.

Where to generate:

  • Navigate to https://your-panel.com/account/api
  • Click "Create API Key"
  • Optionally restrict by IP addresses

Application API Keys

Application API keys are created by administrators for accessing the Application API. These keys have full administrative access to the panel.

Where to generate:

  • Navigate to https://your-panel.com/admin/api (admin only)
  • Click "Create API Key"
  • Optionally restrict by IP addresses

Making Authenticated Requests

Include your API key in the Authorization header using the Bearer token format:

curl "https://your-panel.com/api/client" \
-H "Authorization: Bearer YOUR_API_KEY_HERE" \
-H "Content-Type: application/json" \
-H "Accept: Application/vnd.pterodactyl.v1+json"

Required Headers

Authorization Header

Authorization: Bearer YOUR_API_KEY_HERE

Content-Type Header

Content-Type: application/json

Accept Header

Accept: Application/vnd.pterodactyl.v1+json

Example Requests

Client API Example

# Get list of servers for the authenticated user
curl "https://your-panel.com/api/client" \
-H "Authorization: Bearer ptlc_1234567890abcdef" \
-H "Content-Type: application/json" \
-H "Accept: Application/vnd.pterodactyl.v1+json"

Application API Example

# Get list of all users (admin only)
curl "https://your-panel.com/api/application/users" \
-H "Authorization: Bearer ptla_1234567890abcdef" \
-H "Content-Type: application/json" \
-H "Accept: Application/vnd.pterodactyl.v1+json"

API Key Security

Security Best Practices
  • Never expose your API keys in client-side code or public repositories
  • Use IP restrictions when possible to limit key usage
  • Rotate keys regularly for enhanced security
  • Use the principle of least privilege - only grant necessary permissions

Key Naming Convention

Pterodactyl API keys follow this naming pattern:

  • Client API keys: ptlc_ followed by the key
  • Application API keys: ptla_ followed by the key

Common Authentication Errors

401 Unauthorized

{
"errors": [
{
"code": "InvalidCredentialsException",
"status": "401",
"detail": "The credentials provided were invalid."
}
]
}

403 Forbidden

{
"errors": [
{
"code": "InsufficientPermissionsException",
"status": "403",
"detail": "This action requires additional permissions."
}
]
}

Next Steps