API documentation for the EngineScript admin control panel. All endpoints are served from /api/ on the control panel host.

• Authentication & Security
• Rate Limiting
• Caching
• Endpoints
  • CSRF Token
  • System Info
  • Service Status
  • Sites
  • Sites Count
  • File Manager Status
  • Uptime Status
  • Uptime Monitors
  • Cache Clear
  • Cache Status
  • External Plugin Info
  • Cloudflare Status
  • Batch Requests
  • External Services Config
  • External Services Feed
• Error Responses

All API requests require an active PHP session (session-based authentication). Requests without a valid session receive a 403 Forbidden response.

CSRF Protection: State-changing methods (POST, PUT, DELETE, PATCH) require a valid CSRF token sent via:

• X-CSRF-Token request header, or
• _csrf_token parameter in the request body

Obtain a token from the GET /csrf-token endpoint. Token validation uses timing-safe comparison (hash_equals).

CORS: Same-origin only. Requests are restricted to the server's HTTP_HOST, localhost, and 127.0.0.1.

Security Headers: All responses include X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and a restrictive Content Security Policy.

• Limit: 100 requests per minute per IP address
• Tracking: Session-based with SHA-256 hashed IP
• Exceeded: Returns 429 Too Many Requests

Responses are cached using a file-based cache at /var/cache/enginescript/api/. Cache TTLs vary per endpoint (noted below). Cached responses include a X-Cache: HIT header.

Retrieve a CSRF token for use with state-changing requests.

Response

{
  "csrf_token": "a1b2c3d4e5f6...64-char-hex-string",
  "token_name": "_csrf_token"
}

Get server operating system, kernel, and network information.

Response

{
  "os": "Ubuntu 24.04 LTS",
  "kernel": "6.8.0-40-generic",
  "network": "hostname (192.168.1.1)"
}

Get status of core LEMP stack services (Nginx, PHP-FPM, MariaDB, Redis).

Response

{
  "nginx": { "status": "online", "version": "1.27.4", "online": true },
  "php":   { "status": "online", "version": "8.4.1", "online": true },
  "mysql": { "status": "online", "version": "11.8.1", "online": true },
  "redis": { "status": "online", "version": "7.4.2", "online": true }
}

Note: The mysql key reports MariaDB status. The php key dynamically discovers the active php*-fpm service.

List all WordPress sites managed by EngineScript.

Response

[
  {
    "domain": "example.com",
    "status": "online",
    "wp_version": "6.7.1",
    "ssl_status": "Enabled"
  }
]

Get the total number of managed WordPress sites.

Response

{
  "count": 3
}

Note: /sites/ (with trailing slash) is an alias for /sites.

Check availability and configuration of the Tiny File Manager integration.

Response

{
  "available": true,
  "config_exists": true,
  "writable_dirs": {
    "/var/www": true,
    "/tmp": true
  },
  "url": "/tinyfilemanager/tinyfilemanager.php",
  "version": "2.5.3"
}

Get an aggregate overview of UptimeRobot monitor status.

Response (configured)

{
  "enabled": true,
  "overall_status": "healthy",
  "total_monitors": 5,
  "up": 4,
  "down": 1,
  "paused": 0
}

overall_status values: healthy, critical, partial, unknown

Response (not configured)

{
  "enabled": false,
  "reason": "UptimeRobot API not configured"
}

Get detailed information for each individual UptimeRobot monitor.

Response

{
  "enabled": true,
  "total": 5,
  "monitors": [
    {
      "id": 12345,
      "name": "example.com",
      "url": "https://example.com",
      "status": 2,
      "status_text": "Up",
      "uptime_day": 99.99,
      "uptime_week": 99.95,
      "uptime_month": 99.90,
      "last_check": 1709300000
    }
  ]
}

Monitor status codes: 0 Paused, 1 Not checked yet, 2 Up, 8 Seems down, 9 Down

Clear one or more server-side caches. Requires CSRF token.

Query Parameters

Response

{
  "success": true,
  "cleared": ["redis", "fastcgi"],
  "results": {
    "redis": { "success": true, "message": "Redis cache cleared successfully" },
    "fastcgi": { "success": true, "message": "FastCGI cache cleared successfully" }
  }
}

If invalid types are included, a warnings field is added:

{
  "warnings": {
    "invalid_types": ["foo"],
    "message": "Some requested cache types were invalid and ignored"
  }
}

Errors: 400 if type is empty or all types invalid. 405 if not POST.

Get the current status of all cache systems (Redis, FastCGI, OPcache).

Response

{
  "redis": { ... },
  "fastcgi": { ... },
  "opcache": { ... }
}

Look up a WordPress plugin from the WordPress.org Plugin API.

Query Parameters

Response

{
  "name": "WooCommerce",
  "slug": "woocommerce",
  "version": "9.5.1",
  "author": "Automattic",
  "requires": "6.4",
  "tested": "6.7",
  "requires_php": "7.4",
  "rating": 88,
  "active_installs": 5000000,
  "last_updated": "2025-01-15",
  "download_link": "https://downloads.wordpress.org/plugin/woocommerce.9.5.1.zip"
}

Errors: 400 if slug missing or invalid format. 502 if WordPress.org API is unreachable.

Get the current Cloudflare infrastructure status from their status page.

Response

{
  "indicator": "none",
  "description": "All Systems Operational",
  "updated_at": "2025-01-15T12:00:00Z"
}

indicator values: none (operational), minor, major, critical

Errors: 502 if Cloudflare status page is unreachable.

Execute multiple API calls in a single request. Requires CSRF token.

Request Body (JSON)

{
  "requests": ["/system/info", "/services/status", "/sites"]
}

• Maximum 10 requests per batch
• Allowed endpoints: /system/info, /services/status, /sites, /sites/count, /tools/filemanager/status, /monitoring/uptime, /monitoring/uptime/monitors

Response

{
  "results": {
    "/system/info": { "os": "Ubuntu 24.04 LTS", "kernel": "...", "network": "..." },
    "/services/status": { "nginx": { ... }, "php": { ... } }
  },
  "errors": {
    "/bad/endpoint": "Endpoint not allowed in batch requests"
  },
  "cached_count": 1
}

Errors: 400 if body invalid, missing requests array, or batch size exceeds 10. 405 if not POST.

Get the list of available external services and their enabled state.

Response

{
  "aws": true,
  "cloudflare": true,
  "github": true,
  "stripe": true,
  "anthropic": true,
  "openai": true
}

Returns all supported service keys (60+) mapped to true.

Fetch the status of an external service via its Atom/RSS status feed.

Query Parameters

Allowed feed values: vultr, googleworkspace, wistia, postmark, automattic, stripe, letsencrypt, flare, slack, gitlab, square, recurly, googleads, googlesearch, microsoftads, paypal, googlecloud, oracle, ovh, brevo, sendgrid, anthropic, spotify, metafb, metamarketingapi, metafbs, metalogin, trello, pipedream, codacy, openai, sparkpost, zoho, mailjet, mailersend, resend, smtp2go, sendlayer

Response

{
  "status": {
    "indicator": "none",
    "description": "All Systems Operational"
  }
}

indicator values: none (operational), minor, major

Errors: 400 if feed is missing or not in the allowed list.

All errors follow a consistent JSON structure:

{
  "error": "Error message description"
}