ZeroTier Central API (v1)

Download OpenAPI specification:Download

URL: https://discuss.zerotier.com License: Apache 2.0

ZeroTier Central Network Management Portal API.

All API requests must have an API token header specified in the Authorization: token xxxxx format. You can generate your API key by logging into ZeroTier Central and creating a token on the Account page.

eg. curl -X GET -H "Authorization: token xxxxx" https://api.zerotier.com/api/v1/network

Rate Limiting

The ZeroTier Central API implements rate limiting. Paid users are limited to 100 requests per second. Free users are limited to 20 requests per second.

You can get the OpenAPI spec here as well: https://docs.zerotier.com/openapi/central/v1.json

network

Network operations

Returns a list of Networks you have access to.

Authorizations:

tokenAuth

Responses

Response samples

200

Content type

application/json

[{"id": "8056c2e21c000001",
"clock": 12345,
"config": {"id": "8056c2e21c000001",
"creationTime": 1442292672978,
"capabilities": [{ }
],
"dns": {"domain": "some.domain",
"servers": ["10.0.0.3"
]
},
"enableBroadcast": true,
"ipAssignmentPools": [{"ipRangeStart": "10.0.0.1",
"ipRangeEnd": "10.0.0.255"
}
],
"lastModified": 1588184318235,
"mtu": 2800,
"multicastLimit": 32,
"name": "My ZeroTier Network",
"private": true,
"routes": [{"target": "10.0.0.0/24",
"via": null
}
],
"rules": [{ }
],
"ssoConfig": {"enabled": true,
"mode": "default",
"clientId": "some-client-id",
"issuer": "https://example.com/oidc",
"provider": "keycloak",
"authorizationEndpoint": "string",
"allowList": ["string"
]
},
"tags": [{ }
],
"v4AssignMode": {"zt": true
},
"v6AssignMode": {"6plane": true,
"rfc4193": false,
"zt": false
}
},
"description": "Some descriptive text about my network.",
"rulesSource": "accept;",
"permissions": {"00000000-0000-0000-0000-000000000000": {"a": true,
"d": true,
"m": true,
"r": true
}
},
"ownerId": "00000000-0000-0000-0000-000000000000",
"onlineMemberCount": 123,
"authorizedMemberCount": 200,
"totalMemberCount": 250,
"capabilitiesByName": { },
"tagsByName": { }
}
]

Create a new network.

Authorizations:

tokenAuth

Request Body schema: application/json
required

empty JSON object

object

Responses

Request samples

Payload

Content type

application/json

{ }

Response samples

200

Content type

application/json

{"id": "8056c2e21c000001",
"clock": 12345,
"config": {"id": "8056c2e21c000001",
"creationTime": 1442292672978,
"capabilities": [{ }
],
"dns": {"domain": "some.domain",
"servers": ["10.0.0.3"
]
},
"enableBroadcast": true,
"ipAssignmentPools": [{"ipRangeStart": "10.0.0.1",
"ipRangeEnd": "10.0.0.255"
}
],
"lastModified": 1588184318235,
"mtu": 2800,
"multicastLimit": 32,
"name": "My ZeroTier Network",
"private": true,
"routes": [{"target": "10.0.0.0/24",
"via": null
}
],
"rules": [{ }
],
"ssoConfig": {"enabled": true,
"mode": "default",
"clientId": "some-client-id",
"issuer": "https://example.com/oidc",
"provider": "keycloak",
"authorizationEndpoint": "string",
"allowList": ["string"
]
},
"tags": [{ }
],
"v4AssignMode": {"zt": true
},
"v6AssignMode": {"6plane": true,
"rfc4193": false,
"zt": false
}
},
"description": "Some descriptive text about my network.",
"rulesSource": "accept;",
"permissions": {"00000000-0000-0000-0000-000000000000": {"a": true,
"d": true,
"m": true,
"r": true
}
},
"ownerId": "00000000-0000-0000-0000-000000000000",
"onlineMemberCount": 123,
"authorizedMemberCount": 200,
"totalMemberCount": 250,
"capabilitiesByName": { },
"tagsByName": { }
}

Get network by ID

Returns a single network

Authorizations:

tokenAuth

path Parameters

networkID

required

string

ID of the network to return

Responses

Response samples

200

Content type

application/json

{"id": "8056c2e21c000001",
"clock": 12345,
"config": {"id": "8056c2e21c000001",
"creationTime": 1442292672978,
"capabilities": [{ }
],
"dns": {"domain": "some.domain",
"servers": ["10.0.0.3"
]
},
"enableBroadcast": true,
"ipAssignmentPools": [{"ipRangeStart": "10.0.0.1",
"ipRangeEnd": "10.0.0.255"
}
],
"lastModified": 1588184318235,
"mtu": 2800,
"multicastLimit": 32,
"name": "My ZeroTier Network",
"private": true,
"routes": [{"target": "10.0.0.0/24",
"via": null
}
],
"rules": [{ }
],
"ssoConfig": {"enabled": true,
"mode": "default",
"clientId": "some-client-id",
"issuer": "https://example.com/oidc",
"provider": "keycloak",
"authorizationEndpoint": "string",
"allowList": ["string"
]
},
"tags": [{ }
],
"v4AssignMode": {"zt": true
},
"v6AssignMode": {"6plane": true,
"rfc4193": false,
"zt": false
}
},
"description": "Some descriptive text about my network.",
"rulesSource": "accept;",
"permissions": {"00000000-0000-0000-0000-000000000000": {"a": true,
"d": true,
"m": true,
"r": true
}
},
"ownerId": "00000000-0000-0000-0000-000000000000",
"onlineMemberCount": 123,
"authorizedMemberCount": 200,
"totalMemberCount": 250,
"capabilitiesByName": { },
"tagsByName": { }
}

update network configuration

Authorizations:

tokenAuth

path Parameters

networkID

required

string

ID of the network to change

Request Body schema: application/json
required

Network object JSON

	object (NetworkConfig)
description	string or null
rulesSource	string or null The flow rules source code in ZeroTier rule language. Set this field to update network rules.
	object (PermissionsMap)
ownerId	string or null
capabilitiesByName	object or null
tagsByName	object or null

Responses

Request samples

Payload

Content type

application/json

{"config": {"capabilities": [{ }
],
"dns": {"domain": "some.domain",
"servers": ["10.0.0.3"
]
},
"enableBroadcast": true,
"ipAssignmentPools": [{"ipRangeStart": "10.0.0.1",
"ipRangeEnd": "10.0.0.255"
}
],
"mtu": 2800,
"multicastLimit": 32,
"name": "My ZeroTier Network",
"private": true,
"routes": [{"target": "10.0.0.0/24",
"via": null
}
],
"rules": [{ }
],
"ssoConfig": {"enabled": true,
"mode": "default",
"clientId": "some-client-id",
"allowList": ["string"
]
},
"tags": [{ }
],
"v4AssignMode": {"zt": true
},
"v6AssignMode": {"6plane": true,
"rfc4193": false,
"zt": false
}
},
"description": "Some descriptive text about my network.",
"rulesSource": "accept;",
"permissions": {"00000000-0000-0000-0000-000000000000": {"a": true,
"d": true,
"m": true,
"r": true
}
},
"ownerId": "00000000-0000-0000-0000-000000000000",
"capabilitiesByName": { },
"tagsByName": { }
}

Response samples

200

Content type

application/json

{"id": "8056c2e21c000001",
"clock": 12345,
"config": {"id": "8056c2e21c000001",
"creationTime": 1442292672978,
"capabilities": [{ }
],
"dns": {"domain": "some.domain",
"servers": ["10.0.0.3"
]
},
"enableBroadcast": true,
"ipAssignmentPools": [{"ipRangeStart": "10.0.0.1",
"ipRangeEnd": "10.0.0.255"
}
],
"lastModified": 1588184318235,
"mtu": 2800,
"multicastLimit": 32,
"name": "My ZeroTier Network",
"private": true,
"routes": [{"target": "10.0.0.0/24",
"via": null
}
],
"rules": [{ }
],
"ssoConfig": {"enabled": true,
"mode": "default",
"clientId": "some-client-id",
"issuer": "https://example.com/oidc",
"provider": "keycloak",
"authorizationEndpoint": "string",
"allowList": ["string"
]
},
"tags": [{ }
],
"v4AssignMode": {"zt": true
},
"v6AssignMode": {"6plane": true,
"rfc4193": false,
"zt": false
}
},
"description": "Some descriptive text about my network.",
"rulesSource": "accept;",
"permissions": {"00000000-0000-0000-0000-000000000000": {"a": true,
"d": true,
"m": true,
"r": true
}
},
"ownerId": "00000000-0000-0000-0000-000000000000",
"onlineMemberCount": 123,
"authorizedMemberCount": 200,
"totalMemberCount": 250,
"capabilitiesByName": { },
"tagsByName": { }
}

delete network

Authorizations:

tokenAuth

path Parameters

networkID

required

string

ID of the network

Responses

Set user permissions on a network

Assign or update permissions for a specific user on a network. Use this endpoint to grant read, authorize, modify, or delete permissions.

Authorizations:

tokenAuth

path Parameters

networkID

required

string

ID of the network

Request Body schema: application/json
required

User permissions object

id required	string The user ID to set permissions for
r	boolean Default: false Read permission - allows viewing network settings
a	boolean Default: false Authorize permission - allows authorizing new members
m	boolean Default: false Modify permission - allows changing network settings
d	boolean Default: false Delete permission - allows removing members

Responses

Request samples

Payload

Content type

application/json

{"id": "00000000-0000-0000-0000-000000000000",
"r": true,
"a": true,
"m": false,
"d": false
}

Response samples

200

Content type

application/json

{"id": "00000000-0000-0000-0000-000000000000",
"r": true,
"a": true,
"m": false,
"d": false
}

network-member

Network member operations

Returns a list of Members on the network.

Authorizations:

tokenAuth

path Parameters

networkID

required

string

ID of the network to return

Responses

Response samples

200

Content type

application/json

[{"id": "8056c2e21c000001-abcdef0123",
"clock": 1612993759070,
"networkId": "8056c2e21c000001",
"nodeId": "abcdef01234",
"controllerId": "8056c2e21c",
"hidden": false,
"name": "my-cray-supercomputer",
"description": "My super awesome cray that I got ZeroTier to run on",
"config": {"activeBridge": false,
"authorized": true,
"capabilities": [0
],
"creationTime": 1599853509872,
"id": "abcdef01234",
"identity": "abcdef0123:0:abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123",
"ipAssignments": ["10.0.0.3"
],
"lastAuthorizedTime": 1599853637989,
"lastDeauthorizedTime": 0,
"noAutoAssignIps": false,
"revision": 123,
"ssoExempt": false,
"tags": [[123,
456
]
],
"vMajor": 1,
"vMinor": 6,
"vRev": 3,
"vProto": 12
},
"lastOnline": 1612993673254,
"lastSeen": 1612993673254,
"physicalAddress": "8.8.8.8",
"clientVersion": "1.6.3",
"protocolVersion": 12,
"supportsRulesEngine": true
}
]

Return an individual member on a network

Authorizations:

tokenAuth

path Parameters

networkID required	string ID of the network
memberID required	string ID of the member

Responses

Response samples

200

Content type

application/json

{"id": "8056c2e21c000001-abcdef0123",
"clock": 1612993759070,
"networkId": "8056c2e21c000001",
"nodeId": "abcdef01234",
"controllerId": "8056c2e21c",
"hidden": false,
"name": "my-cray-supercomputer",
"description": "My super awesome cray that I got ZeroTier to run on",
"config": {"activeBridge": false,
"authorized": true,
"capabilities": [0
],
"creationTime": 1599853509872,
"id": "abcdef01234",
"identity": "abcdef0123:0:abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123",
"ipAssignments": ["10.0.0.3"
],
"lastAuthorizedTime": 1599853637989,
"lastDeauthorizedTime": 0,
"noAutoAssignIps": false,
"revision": 123,
"ssoExempt": false,
"tags": [[123,
456
]
],
"vMajor": 1,
"vMinor": 6,
"vRev": 3,
"vProto": 12
},
"lastOnline": 1612993673254,
"lastSeen": 1612993673254,
"physicalAddress": "8.8.8.8",
"clientVersion": "1.6.3",
"protocolVersion": 12,
"supportsRulesEngine": true
}

Modify a network member

Authorizations:

tokenAuth

path Parameters

networkID required	string ID of the network
memberID required	string ID of the member

Request Body schema: application/json
required

Member object JSON

hidden	boolean or null Whether or not the member is hidden in the UI
name	string or null User defined name of the member
description	string or null User defined description of the member
	object (MemberConfig)

Responses

Request samples

Payload

Content type

application/json

{"hidden": false,
"name": "my-cray-supercomputer",
"description": "My super awesome cray that I got ZeroTier to run on",
"config": {"activeBridge": false,
"authorized": true,
"capabilities": [0
],
"ipAssignments": ["10.0.0.3"
],
"noAutoAssignIps": false,
"ssoExempt": false,
"tags": [[123,
456
]
]
}
}

Response samples

200

Content type

application/json

{"id": "8056c2e21c000001-abcdef0123",
"clock": 1612993759070,
"networkId": "8056c2e21c000001",
"nodeId": "abcdef01234",
"controllerId": "8056c2e21c",
"hidden": false,
"name": "my-cray-supercomputer",
"description": "My super awesome cray that I got ZeroTier to run on",
"config": {"activeBridge": false,
"authorized": true,
"capabilities": [0
],
"creationTime": 1599853509872,
"id": "abcdef01234",
"identity": "abcdef0123:0:abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123abcdef0123",
"ipAssignments": ["10.0.0.3"
],
"lastAuthorizedTime": 1599853637989,
"lastDeauthorizedTime": 0,
"noAutoAssignIps": false,
"revision": 123,
"ssoExempt": false,
"tags": [[123,
456
]
],
"vMajor": 1,
"vMinor": 6,
"vRev": 3,
"vProto": 12
},
"lastOnline": 1612993673254,
"lastSeen": 1612993673254,
"physicalAddress": "8.8.8.8",
"clientVersion": "1.6.3",
"protocolVersion": 12,
"supportsRulesEngine": true
}

Delete a network member

Authorizations:

tokenAuth

path Parameters

networkID required	string ID of the network
memberID required	string ID of the member

Responses

user

User management operations

Get user record

Authorizations:

tokenAuth

path Parameters

userID

required

string

User ID

Responses

Response samples

200

Content type

application/json

{"id": "00000000-0000-0000-0000-000000000000",
"orgId": "00000000-0000-0000-0000-000000000000",
"globalPermissions": {"a": true,
"d": true,
"m": true,
"r": true
},
"displayName": "Joe User",
"email": "[email protected]",
"auth": {"local": "[email protected]",
"google": "156162346876134683",
"oidc": "00000000-0000-0000-0000-000000000000"
},
"smsNumber": "+1-800-555-1212",
"tokens": ["my-token-id"
]
}

Update user record (SMS number or Display Name only)

Authorizations:

tokenAuth

path Parameters

userID

required

string

User ID

Request Body schema: application/json
required

User object JSON

displayName	string Display Name
smsNumber	string Deprecated SMS number

Responses

Request samples

Payload

Content type

application/json

{"displayName": "Joe User",
"smsNumber": "+1-800-555-1212"
}

Response samples

200

Content type

application/json

{"id": "00000000-0000-0000-0000-000000000000",
"orgId": "00000000-0000-0000-0000-000000000000",
"globalPermissions": {"a": true,
"d": true,
"m": true,
"r": true
},
"displayName": "Joe User",
"email": "[email protected]",
"auth": {"local": "[email protected]",
"google": "156162346876134683",
"oidc": "00000000-0000-0000-0000-000000000000"
},
"smsNumber": "+1-800-555-1212",
"tokens": ["my-token-id"
]
}

Delete user

Deletes the user and all associated networks. This is not reversible. Delete at your own risk.

Authorizations:

tokenAuth

path Parameters

userID

required

string

User ID

Responses

Add an API token

Authorizations:

tokenAuth

path Parameters

userID

required

string

User ID

Request Body schema: application/json
required

APIToken JSON object

tokenName	string user specified token name
token	string API Token. Minimum 32 characters. This token is encrypted in the database and can not be retrieved once set

Responses

Request samples

Payload

Content type

application/json

{"tokenName": "my-super-secret-token",
"token": "adsf98ashdkjh3689adsfnj3$ADn"
}

Response samples

200

Content type

application/json

{"tokenName": "my-super-secret-token"
}

Delete API Token

Authorizations:

tokenAuth

path Parameters

userID required	string User ID
tokenName required	string Token Name

Responses

organizations

Organization management. Note: Organizations require a paid account and cannot be created via the API

Get the current user's organization

Authorizations:

tokenAuth

Responses

Response samples

200

Content type

application/json

{"id": "00000000-0000-0000-0000-000000000000",
"ownerId": "00000000-0000-0000-0000-000000000000",
"ownerEmail": "[email protected]",
"members": [{"orgId": "00000000-0000-0000-0000-000000000000",
"userId": "00000000-0000-0000-0000-000000000000",
"name": "Joe User",
"email": "string"
}
],
"ssoConfig": {"enabled": true,
"issuers": [{"provider": "keycloak",
"clientId": "oidc-client-id",
"issuer": "https://example.com/oidc/auth",
"authorization_endpoint": "https://example.com/oidc/auth/endpoint"
}
]
}
}

Get organization by ID

Authorizations:

tokenAuth

path Parameters

orgID

required

string

Organization ID

Responses

Response samples

200

Content type

application/json

{"id": "00000000-0000-0000-0000-000000000000",
"ownerId": "00000000-0000-0000-0000-000000000000",
"ownerEmail": "[email protected]",
"members": [{"orgId": "00000000-0000-0000-0000-000000000000",
"userId": "00000000-0000-0000-0000-000000000000",
"name": "Joe User",
"email": "string"
}
],
"ssoConfig": {"enabled": true,
"issuers": [{"provider": "keycloak",
"clientId": "oidc-client-id",
"issuer": "https://example.com/oidc/auth",
"authorization_endpoint": "https://example.com/oidc/auth/endpoint"
}
]
}
}

Get list of organization members

Authorizations:

tokenAuth

path Parameters

orgID

required

string

Organization ID

Responses

Response samples

200

Content type

application/json

{"orgId": "00000000-0000-0000-0000-000000000000",
"userId": "00000000-0000-0000-0000-000000000000",
"name": "Joe User",
"email": "string"
}

Get list of organization invitations

Authorizations:

tokenAuth

Responses

Response samples

200

Content type

application/json

[{"orgId": "00000000-0000-0000-0000-000000000000",
"email": "[email protected]",
"id": "00000000-0000-0000-0000-000000000000",
"creation_time": 1613067920454,
"status": "pending",
"update_time": 1613067920454,
"ownerEmail": "[email protected]"
}
]

Invite a user to your organization by email

Authorizations:

tokenAuth

Request Body schema: application/json
required

Organization Invitation JSON object

email

string

Email address of invitee

Responses

Request samples

Payload

Content type

application/json

{"email": "[email protected]"
}

Response samples

200

Content type

application/json

{"orgId": "00000000-0000-0000-0000-000000000000",
"email": "[email protected]",
"id": "00000000-0000-0000-0000-000000000000",
"creation_time": 1613067920454,
"status": "pending",
"update_time": 1613067920454,
"ownerEmail": "[email protected]"
}

Get organization invitation

Authorizations:

tokenAuth

path Parameters

inviteID

required

string

Invitation ID

Responses

Response samples

200

Content type

application/json

{"orgId": "00000000-0000-0000-0000-000000000000",
"email": "[email protected]",
"id": "00000000-0000-0000-0000-000000000000",
"creation_time": 1613067920454,
"status": "pending",
"update_time": 1613067920454,
"ownerEmail": "[email protected]"
}

Accept organization invitation

Authorizations:

tokenAuth

path Parameters

inviteID

required

string

Invitation ID

Responses

Response samples

200

Content type

application/json

{"orgId": "00000000-0000-0000-0000-000000000000",
"email": "[email protected]",
"id": "00000000-0000-0000-0000-000000000000",
"creation_time": 1613067920454,
"status": "pending",
"update_time": 1613067920454,
"ownerEmail": "[email protected]"
}

Decline organization invitation

Authorizations:

tokenAuth

path Parameters

inviteID

required

string

Invitation ID

Responses

util

Utility endpoints

Obtain the overall status of the account tied to the API token in use.

Authorizations:

tokenAuth

Responses

Response samples

200

Content type

application/json

{"id": "central_status",
"type": "CentralStatus",
"clock": 1613067920454,
"version": "1.6.5",
"apiVersion": "4",
"uptime": 1613067920454,
"user": {"id": "00000000-0000-0000-0000-000000000000",
"orgId": "00000000-0000-0000-0000-000000000000",
"globalPermissions": {"a": true,
"d": true,
"m": true,
"r": true
},
"displayName": "Joe User",
"email": "[email protected]",
"auth": {"local": "[email protected]",
"google": "156162346876134683",
"oidc": "00000000-0000-0000-0000-000000000000"
},
"smsNumber": "+1-800-555-1212",
"tokens": ["my-token-id"
]
},
"readOnlyMode": true,
"loginMethods": {"local": true,
"google": true,
"twitter": true,
"facebook": true,
"github": true,
"saml": true,
"oidc": true
}
}

Get a random 32 character token

Get a random 32 character. Used by the web UI to generate API keys

Authorizations:

tokenAuth

Responses

Response samples

200

Content type

application/json

{"clock": 1613067920454,
"hex": "16924f3ff478526cffb1b89b1040b33c8dbd3c09e07f39691f615769121c0d76",
"token": "wwrb66uUh18Fqc38rd8jMd5RFJzRsCn4"
}

ZeroTier Central API (v1)

Rate Limiting

network

Returns a list of Networks you have access to.

Authorizations:

Responses

Response samples

Create a new network.

Authorizations:

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

Get network by ID

Authorizations:

path Parameters

Responses

Response samples

update network configuration

Authorizations:

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

delete network

Authorizations:

path Parameters

Responses

Set user permissions on a network

Authorizations:

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

network-member

Returns a list of Members on the network.

Authorizations:

path Parameters

Responses

Response samples

Return an individual member on a network

Authorizations:

path Parameters

Responses

Response samples

Modify a network member

Authorizations:

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

Delete a network member

Authorizations:

path Parameters

Responses

user

Get user record

Authorizations:

path Parameters

Responses

Response samples

Update user record (SMS number or Display Name only)

Authorizations:

path Parameters

Request Body schema: application/jsonrequired

Responses

Request samples

Response samples

Delete user

Authorizations:

path Parameters

Responses

Add an API token

Authorizations:

path Parameters

Request Body schema: application/jsonrequired

Responses

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required

Request Body schema: application/json
required