2020-08-05 14:09:49 -04:00
---
stage: Create
group: Source Code
2020-11-26 01:09:20 -05:00
info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments"
2020-08-05 14:09:49 -04:00
type: reference, api
---
2021-02-09 13:09:59 -05:00
# Internal API **(FREE)**
2019-10-08 11:06:04 -04:00
The internal API is used by different GitLab components, it can not be
used by other consumers. This documentation is intended for people
working on the GitLab codebase.
2019-11-27 01:06:40 -05:00
This documentation does not yet include the internal API used by
GitLab Pages.
2019-10-08 11:06:04 -04:00
## Authentication
These methods are all authenticated using a shared secret. This secret
is stored in a file at the path configured in `config/gitlab.yml` by
default this is in the root of the rails app named
`.gitlab_shell_secret`
To authenticate using that token, clients read the contents of that
2020-03-26 23:07:56 -04:00
file, and include the token Base64 encoded in a `secret_token` parameter
2019-10-08 11:06:04 -04:00
or in the `Gitlab-Shared-Secret` header.
2020-12-04 16:09:29 -05:00
NOTE:
2021-01-22 19:08:46 -05:00
The internal API used by GitLab Pages, and GitLab Kubernetes Agent Server (`kas`) uses JSON Web Token (JWT)
2020-08-21 08:10:22 -04:00
authentication, which is different from GitLab Shell.
2019-10-08 11:06:04 -04:00
## Git Authentication
2020-08-05 14:09:49 -04:00
This is called by [Gitaly ](https://gitlab.com/gitlab-org/gitaly ) and
[GitLab Shell ](https://gitlab.com/gitlab-org/gitlab-shell ) to check access to a
2019-10-08 11:06:04 -04:00
repository.
2020-08-05 14:09:49 -04:00
When called from GitLab Shell no changes are passed and the internal
2019-10-08 11:06:04 -04:00
API replies with the information needed to pass the request on to
Gitaly.
When called from Gitaly in a `pre-receive` hook the changes are passed
and those are validated to determine if the push is allowed.
2020-03-25 02:07:58 -04:00
```plaintext
2019-10-08 11:06:04 -04:00
POST /internal/allowed
```
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
2020-08-05 14:09:49 -04:00
| `key_id` | string | no | ID of the SSH-key used to connect to GitLab Shell |
| `username` | string | no | Username from the certificate used to connect to GitLab Shell |
2019-10-08 11:06:04 -04:00
| `project` | string | no (if `gl_repository` is passed) | Path to the project |
2021-01-26 22:08:58 -05:00
| `gl_repository` | string | no (if `project` is passed) | Repository identifier, such as `project-7` |
2020-10-15 23:08:29 -04:00
| `protocol` | string | yes | SSH when called from GitLab Shell, HTTP or SSH when called from Gitaly |
2019-10-08 11:06:04 -04:00
| `action` | string | yes | Git command being run (`git-upload-pack`, `git-receive-pack` , `git-upload-archive` ) |
2020-08-05 14:09:49 -04:00
| `changes` | string | yes | `<oldrev> <newrev> <refname>` when called from Gitaly, the magic string `_any` when called from GitLab Shell |
2020-06-03 02:08:34 -04:00
| `check_ip` | string | no | IP address from which call to GitLab Shell was made |
2019-10-08 11:06:04 -04:00
Example request:
2020-01-30 10:09:15 -05:00
```shell
2020-12-09 01:09:41 -05:00
curl --request POST --header "Gitlab-Shared-Secret: < Base64 encoded token > " --data "key_id=11& project=gnuwget/wget2& action=git-upload-pack& protocol=ssh" "http://localhost:3001/api/v4/internal/allowed"
2019-10-08 11:06:04 -04:00
```
Example response:
2020-03-25 02:07:58 -04:00
```json
2019-10-08 11:06:04 -04:00
{
"status": true,
"gl_repository": "project-3",
"gl_project_path": "gnuwget/wget2",
"gl_id": "user-1",
"gl_username": "root",
"git_config_options": [],
"gitaly": {
"repository": {
"storage_name": "default",
"relative_path": "@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce.git",
"git_object_directory": "",
"git_alternate_object_directories": [],
"gl_repository": "project-3",
"gl_project_path": "gnuwget/wget2"
},
"address": "unix:/Users/bvl/repos/gitlab/gitaly.socket",
"token": null
},
"gl_console_messages": []
}
```
### Known consumers
- Gitaly
2020-08-05 14:09:49 -04:00
- GitLab Shell
2019-10-08 11:06:04 -04:00
## LFS Authentication
2020-08-05 14:09:49 -04:00
This is the endpoint that gets called from GitLab Shell to provide
2019-10-08 11:06:04 -04:00
information for LFS clients when the repository is accessed over SSH.
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
2020-08-05 14:09:49 -04:00
| `key_id` | string | no | ID of the SSH-key used to connect to GitLab Shell |
| `username` | string | no | Username from the certificate used to connect to GitLab Shell |
2019-10-08 11:06:04 -04:00
| `project` | string | no | Path to the project |
Example request:
2020-01-30 10:09:15 -05:00
```shell
2020-12-09 01:09:41 -05:00
curl --request POST --header "Gitlab-Shared-Secret: < Base64 encoded token > " --data "key_id=11& project=gnuwget/wget2" "http://localhost:3001/api/v4/internal/lfs_authenticate"
2019-10-08 11:06:04 -04:00
```
2020-03-25 02:07:58 -04:00
```json
2019-10-08 11:06:04 -04:00
{
"username": "root",
"lfs_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjp7ImFjdG9yIjoicm9vdCJ9LCJqdGkiOiIyYWJhZDcxZC0xNDFlLTQ2NGUtOTZlMi1mODllYWRiMGVmZTYiLCJpYXQiOjE1NzAxMTc2NzYsIm5iZiI6MTU3MDExNzY3MSwiZXhwIjoxNTcwMTE5NDc2fQ.g7atlBw1QMY7QEBVPE0LZ8ZlKtaRzaMRmNn41r2YITM",
"repository_http_path": "http://localhost:3001/gnuwget/wget2.git",
"expires_in": 1800
}
```
### Known consumers
2020-08-05 14:09:49 -04:00
- GitLab Shell
2019-10-08 11:06:04 -04:00
## Authorized Keys Check
2020-08-05 14:09:49 -04:00
This endpoint is called by the GitLab Shell authorized keys
2019-11-27 01:06:40 -05:00
check. Which is called by OpenSSH for [fast SSH key
2019-10-08 11:06:04 -04:00
lookup](../administration/operations/fast_ssh_key_lookup.md).
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
2020-08-05 14:09:49 -04:00
| `key` | string | yes | SSH key as passed by OpenSSH to GitLab Shell |
2019-10-08 11:06:04 -04:00
2020-03-25 02:07:58 -04:00
```plaintext
2019-10-08 11:06:04 -04:00
GET /internal/authorized_keys
```
Example request:
2020-01-30 10:09:15 -05:00
```shell
2020-12-09 01:09:41 -05:00
curl --request GET --header "Gitlab-Shared-Secret: < Base64 encoded secret > " "http://localhost:3001/api/v4/internal/authorized_keys?key=< key as passed by OpenSSH > "
2019-10-08 11:06:04 -04:00
```
Example response:
2020-03-25 02:07:58 -04:00
```json
2019-10-08 11:06:04 -04:00
{
"id": 11,
"title": "admin@example.com",
"key": "ssh-rsa ...",
"created_at": "2019-06-27T15:29:02.219Z"
}
```
### Known consumers
2020-08-05 14:09:49 -04:00
- GitLab Shell
2019-10-08 11:06:04 -04:00
2020-05-07 02:09:38 -04:00
## Get user for user ID or key
2019-10-08 11:06:04 -04:00
This endpoint is used when a user performs `ssh git@gitlab.com` . It
discovers the user associated with an SSH key.
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
2020-05-07 02:09:38 -04:00
| `key_id` | integer | no | The ID of the SSH key used as found in the authorized-keys file or through the `/authorized_keys` check |
2020-08-05 14:09:49 -04:00
| `username` | string | no | Username of the user being looked up, used by GitLab Shell when authenticating using a certificate |
2019-10-08 11:06:04 -04:00
2020-03-25 02:07:58 -04:00
```plaintext
2019-10-08 11:06:04 -04:00
GET /internal/discover
```
Example request:
2020-01-30 10:09:15 -05:00
```shell
2019-10-08 11:06:04 -04:00
curl --request GET --header "Gitlab-Shared-Secret: < Base64 encoded secret > " "http://localhost:3001/api/v4/internal/discover?key_id=7"
```
Example response:
2020-03-25 02:07:58 -04:00
```json
2019-10-08 11:06:04 -04:00
{
"id": 7,
"name": "Dede Eichmann",
"username": "rubi"
}
```
### Known consumers
2020-08-05 14:09:49 -04:00
- GitLab Shell
2019-10-08 11:06:04 -04:00
## Instance information
2020-03-25 23:07:43 -04:00
This gets some generic information about the instance. This is used
2020-08-05 14:09:49 -04:00
by Geo nodes to get information about each other.
2019-10-08 11:06:04 -04:00
2020-03-25 02:07:58 -04:00
```plaintext
2019-10-08 11:06:04 -04:00
GET /internal/check
```
Example request:
2020-01-30 10:09:15 -05:00
```shell
2019-10-08 11:06:04 -04:00
curl --request GET --header "Gitlab-Shared-Secret: < Base64 encoded secret > " "http://localhost:3001/api/v4/internal/check"
```
Example response:
2020-03-25 02:07:58 -04:00
```json
2019-10-08 11:06:04 -04:00
{
"api_version": "v4",
"gitlab_version": "12.3.0-pre",
"gitlab_rev": "d69c988e6a6",
"redis": true
}
```
### Known consumers
- GitLab Geo
2020-08-05 14:09:49 -04:00
- GitLab Shell's `bin/check`
2020-10-05 08:08:47 -04:00
- Gitaly
2019-10-08 11:06:04 -04:00
## Get new 2FA recovery codes using an SSH key
2020-08-05 14:09:49 -04:00
This is called from GitLab Shell and allows users to get new 2FA
recovery codes based on their SSH key.
2019-10-08 11:06:04 -04:00
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
2020-05-07 02:09:38 -04:00
| `key_id` | integer | no | The ID of the SSH key used as found in the authorized-keys file or through the `/authorized_keys` check |
2019-10-08 11:06:04 -04:00
| `user_id` | integer | no | **Deprecated** User_id for which to generate new recovery codes |
2020-03-25 02:07:58 -04:00
```plaintext
2019-10-08 11:06:04 -04:00
GET /internal/two_factor_recovery_codes
```
Example request:
2020-01-30 10:09:15 -05:00
```shell
2020-12-09 01:09:41 -05:00
curl --request POST --header "Gitlab-Shared-Secret: < Base64 encoded secret > " --data "key_id=7" "http://localhost:3001/api/v4/internal/two_factor_recovery_codes"
2019-10-08 11:06:04 -04:00
```
Example response:
2020-03-25 02:07:58 -04:00
```json
2019-10-08 11:06:04 -04:00
{
"success": true,
"recovery_codes": [
"d93ee7037944afd5",
"19d7b84862de93dd",
"1e8c52169195bf71",
"be50444dddb7ca84",
"26048c77d161d5b7",
"482d5c03d1628c47",
"d2c695e309ce7679",
"dfb4748afc4f12a7",
"0e5f53d1399d7979",
"af04d5622153b020"
]
}
```
### Known consumers
2020-08-05 14:09:49 -04:00
- GitLab Shell
## Get new personal access-token
This is called from GitLab Shell and allows users to generate a new
personal access token.
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
| `name` | string | yes | The name of the new token |
| `scopes` | string array | yes | The authorization scopes for the new token, these must be valid token scopes |
| `expires_at` | string | no | The expiry date for the new token |
| `key_id` | integer | no | The ID of the SSH key used as found in the authorized-keys file or through the `/authorized_keys` check |
| `user_id` | integer | no | User\_id for which to generate the new token |
```plaintext
POST /internal/personal_access_token
```
Example request:
```shell
2020-12-09 01:09:41 -05:00
curl --request POST --header "Gitlab-Shared-Secret: < Base64 encoded secret > " --data "user_id=29& name=mytokenname& scopes[]=read_user& scopes[]=read_repository& expires_at=2020-07-24" "http://localhost:3001/api/v4/internal/personal_access_token"
2020-08-05 14:09:49 -04:00
```
Example response:
```json
{
"success": true,
"token": "Hf_79B288hRv_3-TSD1R",
"scopes": ["read_user","read_repository"],
"expires_at": "2020-07-24"
}
```
### Known consumers
- GitLab Shell
2019-10-08 11:06:04 -04:00
## Incrementing counter on pre-receive
This is called from the Gitaly hooks increasing the reference counter
for a push that might be accepted.
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
| `gl_repository` | string | yes | repository identifier for the repository receiving the push |
2020-03-25 02:07:58 -04:00
```plaintext
2019-10-08 11:06:04 -04:00
POST /internal/pre_receive
```
Example request:
2020-01-30 10:09:15 -05:00
```shell
2020-12-09 01:09:41 -05:00
curl --request POST --header "Gitlab-Shared-Secret: < Base64 encoded secret > " --data "gl_repository=project-7" "http://localhost:3001/api/v4/internal/pre_receive"
2019-10-08 11:06:04 -04:00
```
Example response:
2020-03-25 02:07:58 -04:00
```json
2019-10-08 11:06:04 -04:00
{
"reference_counter_increased": true
}
```
## PostReceive
Called from Gitaly after a receiving a push. This triggers the
2019-11-27 01:06:40 -05:00
`PostReceive` -worker in Sidekiq, processes the passed push options and
2019-10-08 11:06:04 -04:00
builds the response including messages that need to be displayed to
the user.
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
| `identifier` | string | yes | `user-[id]` or `key-[id]` Identifying the user performing the push |
| `gl_repository` | string | yes | identifier of the repository being pushed to |
2019-12-10 22:07:31 -05:00
| `push_options` | string array | no | array of push options |
2019-10-08 11:06:04 -04:00
| `changes` | string | no | refs to be updated in the push in the format `oldrev newrev refname\n` . |
2020-03-25 02:07:58 -04:00
```plaintext
2019-10-08 11:06:04 -04:00
POST /internal/post_receive
```
Example Request:
2020-01-30 10:09:15 -05:00
```shell
2020-12-09 01:09:41 -05:00
curl --request POST --header "Gitlab-Shared-Secret: < Base64 encoded secret > " --data "gl_repository=project-7" --data "identifier=user-1" --data "changes=0000000000000000000000000000000000000000 fd9e76b9136bdd9fe217061b497745792fe5a5ee gh-pages\n" "http://localhost:3001/api/v4/internal/post_receive"
2019-10-08 11:06:04 -04:00
```
Example response:
2020-03-25 02:07:58 -04:00
```json
2019-10-08 11:06:04 -04:00
{
"messages": [
{
"message": "Hello from post-receive",
"type": "alert"
}
],
"reference_counter_decreased": true
}
```
2020-09-08 17:08:53 -04:00
2020-09-14 14:09:48 -04:00
## Kubernetes agent endpoints
> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/41045) in GitLab 13.4.
> - This feature is not deployed on GitLab.com
> - It's not recommended for production use.
2021-01-22 19:08:46 -05:00
The following endpoints are used by the GitLab Kubernetes Agent Server (`kas`)
2020-09-14 14:09:48 -04:00
for various purposes.
These endpoints are all authenticated using JWT. The JWT secret is stored in a file
specified in `config/gitlab.yml` . By default, the location is in the root of the
GitLab Rails app in a file called `.gitlab_kas_secret` .
2020-12-04 16:09:29 -05:00
WARNING:
2020-09-14 14:09:48 -04:00
The Kubernetes agent is under development and is not recommended for production use.
### Kubernetes agent information
2020-09-08 17:08:53 -04:00
2021-01-22 19:08:46 -05:00
Called from GitLab Kubernetes Agent Server (`kas`) to retrieve agent
2020-09-08 17:08:53 -04:00
information for the given agent token. This returns the Gitaly connection
2021-01-22 19:08:46 -05:00
information for the agent's project in order for `kas` to fetch and update
2020-09-08 17:08:53 -04:00
the agent's configuration.
```plaintext
GET /internal/kubernetes/agent_info
```
Example Request:
```shell
curl --request GET --header "Gitlab-Kas-Api-Request: < JWT token > " --header "Authorization: Bearer < agent token > " "http://localhost:3000/api/v4/internal/kubernetes/agent_info"
```
2020-09-14 14:09:48 -04:00
### Kubernetes agent project information
2020-09-08 17:08:53 -04:00
2021-01-22 19:08:46 -05:00
Called from GitLab Kubernetes Agent Server (`kas`) to retrieve project
2020-09-08 17:08:53 -04:00
information for the given agent token. This returns the Gitaly
2021-01-22 19:08:46 -05:00
connection for the requested project. GitLab `kas` uses this to configure
2020-09-08 17:08:53 -04:00
the agent to fetch Kubernetes resources from the project repository to
sync.
2021-01-26 22:08:58 -05:00
Only public projects are supported. For private projects, the ability for the
2020-09-08 17:08:53 -04:00
agent to be authorized is [not yet implemented ](https://gitlab.com/gitlab-org/gitlab/-/issues/220912 ).
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
| `id` | integer/string | yes | The ID or [URL-encoded path of the project ](../api/README.md#namespaced-path-encoding ) |
```plaintext
GET /internal/kubernetes/project_info
```
Example Request:
```shell
curl --request GET --header "Gitlab-Kas-Api-Request: < JWT token > " --header "Authorization: Bearer < agent token > " "http://localhost:3000/api/v4/internal/kubernetes/project_info?id=7"
```
2020-09-14 14:09:48 -04:00
### Kubernetes agent usage metrics
2020-09-08 17:08:53 -04:00
2021-01-22 19:08:46 -05:00
Called from GitLab Kubernetes Agent Server (`kas`) to increase the usage
2020-09-08 17:08:53 -04:00
metric counters.
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
| `gitops_sync_count` | integer| yes | The number to increase the `gitops_sync_count` counter by |
```plaintext
POST /internal/kubernetes/usage_metrics
```
Example Request:
```shell
curl --request POST --header "Gitlab-Kas-Api-Request: < JWT token > " --header "Content-Type: application/json" --data '{"gitops_sync_count":1}' "http://localhost:3000/api/v4/internal/kubernetes/usage_metrics"
```
2020-12-17 16:09:57 -05:00
### Kubernetes agent alert metrics
Called from GitLab Kubernetes Agent Server (KAS) to save alerts derived from Cilium on Kubernetes
Cluster.
| Attribute | Type | Required | Description |
|:----------|:-------|:---------|:------------|
2021-02-03 19:09:18 -05:00
| `alert` | Hash | yes | Alerts detail. Same format as [3rd party alert ](../operations/incident_management/integrations.md#customize-the-alert-payload-outside-of-gitlab ). |
2020-12-17 16:09:57 -05:00
```plaintext
2021-01-04 19:10:20 -05:00
POST internal/kubernetes/modules/cilium_alert
2020-12-17 16:09:57 -05:00
```
Example Request:
```shell
2021-01-04 19:10:20 -05:00
curl --request POST --header "Gitlab-Kas-Api-Request: < JWT token > " --header "Authorization: Bearer < agent token > " --header "Content-Type: application/json" --data '"{\"alert\":{\"title\":\"minimal\",\"message\":\"network problem\",\"evalMatches\":[{\"value\":1,\"metric\":\"Count\",\"tags\":{}}]}}"' "http://localhost:3000/api/v4/internal/kubernetes/modules/cilium_alert"
2020-12-17 16:09:57 -05:00
```
2021-02-07 22:09:27 -05:00
## Subscriptions
The subscriptions endpoint is used by `[customers.gitlab.com](https://gitlab.com/gitlab-org/customers-gitlab-com)` (CustomersDot)
in order to apply subscriptions including trials, and add-on purchases, for personal namespaces or top-level groups within GitLab.com.
### Creating a subscription
Use a POST to create a subscription.
```plaintext
POST /namespaces/:id/gitlab_subscription
```
| Attribute | Type | Required | Description |
|:------------|:--------|:---------|:------------|
| `start_date` | date | yes | Start date of subscription |
| `end_date` | date | no | End date of subscription |
| `plan_code` | string | no | Subscription tier code |
| `seats` | integer | no | Number of seats in subscription |
| `max_seats_used` | integer | no | Highest number of active users in the last month |
| `auto_renew` | boolean | no | Whether subscription will auto renew on end date |
| `trial` | boolean | no | Whether subscription is a trial |
| `trial_starts_on` | date | no | Start date of trial |
| `trial_ends_on` | date | no | End date of trial |
Example request:
```shell
curl --request POST --header "TOKEN: < admin_access_token > " "https://gitlab.com/api/v4/namespaces/1234/gitlab_subscription?start_date="2020-07-15"& plan="silver"& seats=10"
```
Example response:
```json
{
"plan": {
"code":"silver",
"name":"Silver",
"trial":false,
"auto_renew":null,
"upgradable":false
},
"usage": {
"seats_in_subscription":10,
"seats_in_use":1,
"max_seats_used":0,
"seats_owed":0
},
"billing": {
"subscription_start_date":"2020-07-15",
"subscription_end_date":null,
"trial_ends_on":null
}
}
```
### Updating a subscription
Use a PUT command to update an existing subscription.
```plaintext
PUT /namespaces/:id/gitlab_subscription
```
| Attribute | Type | Required | Description |
|:------------|:--------|:---------|:------------|
| `start_date` | date | no | Start date of subscription |
| `end_date` | date | no | End date of subscription |
| `plan_code` | string | no | Subscription tier code |
| `seats` | integer | no | Number of seats in subscription |
| `max_seats_used` | integer | no | Highest number of active users in the last month |
| `auto_renew` | boolean | no | Whether subscription will auto renew on end date |
| `trial` | boolean | no | Whether subscription is a trial |
| `trial_starts_on` | date | no | Start date of trial. Required if trial is true. |
| `trial_ends_on` | date | no | End date of trial |
Example request:
```shell
curl --request PUT --header "TOKEN: < admin_access_token > " "https://gitlab.com/api/v4/namespaces/1234/gitlab_subscription?max_seats_used=0"
```
Example response:
```json
{
"plan": {
"code":"silver",
"name":"Silver",
"trial":false,
"auto_renew":null,
"upgradable":false
},
"usage": {
"seats_in_subscription":80,
"seats_in_use":82,
"max_seats_used":0,
"seats_owed":2
},
"billing": {
"subscription_start_date":"2020-07-15",
"subscription_end_date":"2021-07-15",
"trial_ends_on":null
}
}
```
### Retrieving a subscription
Use a GET command to view an existing subscription.
```plaintext
GET /namespaces/:id/gitlab_subscription
```
Example request:
```shell
curl --header "TOKEN: < admin_access_token > " "https://gitlab.com/api/v4/namespaces/1234/gitlab_subscription"
```
Example response:
```json
{
"plan": {
"code":"silver",
"name":"Silver",
"trial":false,
"auto_renew":null,
"upgradable":false
},
"usage": {
"seats_in_subscription":80,
"seats_in_use":82,
"max_seats_used":82,
"seats_owed":2
},
"billing": {
"subscription_start_date":"2020-07-15",
"subscription_end_date":"2021-07-15",
"trial_ends_on":null
}
}
```
### Known consumers
- CustomersDot