API Overview
Getting started with the OrbitKit REST API for programmatic access to your apps and sites.
OrbitKit provides a REST API for programmatic access to all features. You can use the API to create apps, configure sites, manage subscriptions, and deploy β all without the Dashboard.
Base URL
https://api.orbitkit.io/api
Quick example
Hereβs how to check your account status:
# Use your API key (see Authentication guide)
API_KEY="your-api-key"
curl -H "Authorization: Bearer $API_KEY" \
https://api.orbitkit.io/api/status
let url = URL(string: "https://api.orbitkit.io/api/status")!
var request = URLRequest(url: url)
request.setValue("Bearer \(apiKey)", forHTTPHeaderField: "Authorization")
let (data, _) = try await URLSession.shared.data(for: request)
let status = try JSONDecoder().decode(AccountStatus.self, from: data)
const res = await fetch("https://api.orbitkit.io/api/status", {
headers: { Authorization: `Bearer ${apiKey}` },
});
const status = await res.json();
Response:
{
"subscription": "active",
"planType": "monthly",
"appCount": 2,
"hasPaymentMethod": true,
"hasApps": true
}
Authentication
All endpoints require an API key in the Authorization header. See the Authentication guide for details.
Rate limits
| Scope | Limit |
|---|---|
| General API | 300 requests/minute per user |
| App creation | 5/hour per user |
| Icon upload | 10/hour per user |
| Domain operations | 5/hour per user |
| Deploy | 10/hour per user |
| Export | 3/hour per user |
| Well-known file upload | 5/hour per user |
| API key creation | 5/hour per user |
When you hit a rate limit, the API returns 429 Too Many Requests.
Response format
All successful responses return JSON. Error responses use a consistent format β see the Error Handling guide.
Resources
| Resource | Endpoints | Description |
|---|---|---|
| App Sites | 6 | Create, list, get, delete app sites; get/update site configuration |
| Privacy Policy | 4 | Save/retrieve policy wizard data and version history |
| Sites & Deploy | 4 | Deploy to production, deploy history, Smart App Banner |
| Custom Domains | 3 | Set/remove custom domains, check SSL status |
| Subscriptions & Billing | 9 | Subscribe, cancel, reactivate, change plan, payment methods |
| Account | 4 | Account status, details, data export, account deletion |
| Support & Deletion Pages | 4 | Configure support and data deletion pages |
| Images & Files | 2 | Upload app icons and Apple verification files |
| AASA | 2 | Configure Universal Links, App Clips, Passkeys, Handoff |
| TestFlight Page | 2 | Configure TestFlight beta testing page |
| Workflows | β | End-to-end workflow guides |
Common patterns
Auth header
Every request must include an API key:
Authorization: Bearer <api-key>
See the Authentication guide for details.
Error handling
All errors return a consistent JSON body with a machine-readable code field. See the Error Handling guide for the complete list of error codes and how to handle them.
Request bodies
All POST and PUT endpoints accept JSON. Include Content-Type: application/json with every request that has a body.
Request IDs
Every response includes an X-Request-Id header. Include this when contacting support about a specific request.
Interactive reference
For complete endpoint documentation with request/response schemas, see the interactive API reference.