Conventions & catalog

Once you know the response envelope, the rest of the API is mostly knowing the names. Functions group into namespaces; common verbs repeat across namespaces with the same shape.

Naming#

Function names are <namespace>.<action>. Namespaces are singular and lowerCamelCase — deployment, serviceAccount, workloadIdentity. Actions are short verbs:

VerbShape
list(project[, location]){ items: […] }
get(project, …id fields) → the resource
create(project, …spec) → resource or empty
update(project, …id fields, …spec) → resource or empty
delete(project, …id fields) → empty

For some resources a list item is a reduced, non-sensitive projection of what get returns, not the full resource — list is an index, get is the detail. Most notably deployment.list omits the environment, mounted files, command/args, annotations and the signed log URLs (read them with deployment.get), and envgroup.list returns a variable count rather than the values (read them with envgroup.get). This is an authorization boundary: deployment.list/envgroup.list can be granted without exposing secrets. See Roles & permissions.

Resources scoped to a location (deployments, domains, routes, disks, pull secrets, workload identities) take both project and location on every call. Project-only resources (roles, service accounts, env groups, audit-log) take only project.

Partial updates#

Most update calls replace the whole resource — pass the full desired state. A few resources have a partial-update model because the full state would be unwieldy to re-state on every change. The biggest one is deployment.deploy:

  • env replaces all environment variables.
  • addEnv / removeEnv operate on top of the previous revision’s env.
  • envGroups replaces the list of group references.
  • addEnvGroups / removeEnvGroups operate on top of the previous list.

This same model could appear on other functions in the future; assume replace by default unless the schema explicitly has an add* / remove* pair.

Pagination#

List endpoints return all items in one response today. If your project grows beyond a thousand or so of any resource type, expect pagination tokens to appear in the response — they’ll be added compatibly.

Idempotency#

create calls are idempotent on their (project[, location], name): a second call with the same identifier and the same spec returns success without creating a duplicate. A second call with a different spec is treated as an update of the existing resource (so be careful — there’s no “create only if not exists” mode).

Function catalog#

The big picture. Each row is a fully-qualified API function.

Identity#

FunctionWhat it does
me.getCurrent user/service-account profile
me.authorizedCheck if a principal has a given permission

Workspace#

FunctionWhat it does
location.list / .getClusters available to you
project.list / .get / .create / .update / .deleteProject CRUD
project.usageMonth-to-date usage for one project

Deployments#

FunctionWhat it does
deployment.list / .getList or fetch deployments
deployment.deployCreate or update; rolls out a new revision
deployment.deleteDelete
deployment.pause / .resumeStop / restart without losing config
deployment.rollbackRe-apply an older revision as a new revision
deployment.revisionsHistory of revisions
deployment.metricsCPU / mem / requests / egress time-series
error.list / .get / .updateApplication error issues — list, fetch, and triage
error.createReport an application error directly from a running deployment

Routing#

FunctionWhat it does
domain.list / .get / .create / .deleteDomain CRUD
domain.purgeCacheCDN cache purge for a domain
route.list / .create / .createV2 / .deleteRoute CRUD
waf.list / .get / .set / .deleteFirewall zone CRUD (rules + rate limits)
waf.metrics / .limitMetricsFirewall match counts and rate-limit decisions over time
cache.list / .get / .set / .deleteCache-override zone CRUD
cache.metricsCache-override decision counts over time

Storage and registry#

FunctionWhat it does
disk.list / .get / .create / .update / .deleteDisk CRUD
disk.metricsDisk usage time-series
registry.list / .deleteRepositories in the project
registry.getTags / .untagTag inspection and deletion
registry.getManifests / .deleteManifestManifest inspection and deletion
registry.metrics / .getProjectStorageStorage usage
registry.gcGarbage-collect manifests no deployment uses (dry-run supported)
pullsecret.list / .get / .create / .deletePull-secret CRUD

Access#

FunctionWhat it does
role.list / .get / .create / .deleteRole CRUD
role.bindSet the role list for a principal
role.usersWho has access to this project
role.permissionsThe catalog of permission strings
serviceaccount.list / .get / .create / .update / .deleteAccount CRUD
serviceaccount.createKey / .deleteKeyKey lifecycle
workloadidentity.list / .get / .create / .deleteGCP federation CRUD
envgroup.list / .get / .create / .update / .deleteEnv group CRUD
auditlog.listAudit entries with filters

Billing#

FunctionWhat it does
billing.list / .get / .create / .update / .deleteBilling account CRUD. The account type (individual/company) drives the Head Office line on tax documents
billing.projectSet the billing account on a project
billing.reportUsage rolled up over a date range
billing.listInvoices / .getInvoice / .downloadInvoiceInvoices. An invoice carries taxEntityType (buyer entity, snapshotted) and, once paid, a receiptNumber (DPLY-RC-YYYYMM-NNNN) separate from number, plus withholdingTaxRate/withholdingTaxAmount when a company buyer withheld tax
billing.downloadReceiptDownload the receipt / tax-invoice PDF of a paid invoice; shows any withholding-tax deduction
billing.uploadTransferSlipSubmit a bank-transfer slip (multipart). A company buyer may set withholdingTax to declare a 3% deduction and attach the withholding-tax certificate (whtCert)
billing.uploadWHTCertificateAttach a withholding-tax certificate (whtCert, multipart) to an invoice later — company invoices only, allowed even after the invoice is paid

GitHub#

For build-and-deploy from GitHub. These manage the link between a repository and the service account it deploys as.

FunctionWhat it does
github.listRepositories linked in the project
github.link / .unlinkLink or unlink a repository to a service account
github.updateChange a link’s service account, deploy trigger, or production branch

The keyless token exchange and build/deploy status reporting (github.exchangeToken, github.notify) are authenticated by the workflow’s GitHub OIDC token and called by the build-and-deploy action, not directly.

Other#

FunctionWhat it does
email.list / .sendList project email domains; send a transactional email
dropbox.list / .metricsDropbox stored files and usage

Typed clients#

If you’re calling the API from Go, the github.com/deploys-app/api/client package wraps every function in a typed client — the same client the deploys CLI uses internally.

c := &client.Client{
    Auth: func(r *http.Request) {
        r.Header.Set("Authorization", "Bearer "+token)
    },
}
port := 8080
resp, err := c.Deployment().Deploy(ctx, &api.DeploymentDeploy{
    Project:  "acme",
    Location: "gke.cluster-rcf2",
    Name:     "web",
    Image:    "registry.deploys.app/acme/web:v2.4.1",
    Type:     api.DeploymentTypeWebService,
    Port:     &port,
})