v0.9.17
External programmatic API with scoped API keys
A new Settings → API access tab (admin only) exposes an optional, token-authenticated REST API for external tools.
Highlights
- Master toggle to enable/disable the whole API at runtime. While disabled, every key is rejected; keys keep their configuration.
- Named keys with granular scopes (system:read, containers:read, stats:read, containers:start, containers:stop, containers:restart, containers:update) and an optional expiration (in days).
- Reversible revocation: pause/resume a key without deleting it, or delete it to cut off access instantly.
- Tokens are shown once on creation and stored only as a SHA-256 hash — the plaintext is never persisted.
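The key lifecycle described in these highlights, as an added sketch that is not the project's own code: a token is returned once, only its SHA-256 digest is stored, and each request is checked against the master toggle, pause state, expiration and scope. The `KeyStore` class, its in-memory dict and the reason strings are assumptions for illustration; the scope names are the ones listed above.

```python
import hashlib
import secrets
import time

SCOPES = {"system:read", "containers:read", "stats:read", "containers:start",
          "containers:stop", "containers:restart", "containers:update"}

class KeyStore:
    """Hypothetical in-memory store; only SHA-256 digests of tokens are kept."""

    def __init__(self):
        self.api_enabled = True   # master toggle: disabling rejects every key
        self.keys = {}            # sha256 hex digest -> key record

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, name, scopes, expires_days=None, now=None):
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        now = time.time() if now is None else now
        # 32 random bytes: high entropy, so an unsalted fast hash is adequate
        token = secrets.token_urlsafe(32)
        self.keys[self._digest(token)] = {
            "name": name, "scopes": set(scopes), "paused": False,
            "expires_at": None if expires_days is None else now + expires_days * 86400,
        }
        return token              # shown once to the caller, never stored

    def authorize(self, auth_header, required_scope, now=None):
        """Return (allowed, key name or denial reason) for an Authorization header."""
        now = time.time() if now is None else now
        if not self.api_enabled:
            return False, "api_disabled"      # keys keep their configuration
        scheme, _, token = (auth_header or "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return False, "missing_token"
        rec = self.keys.get(self._digest(token))
        if rec is None:
            return False, "unknown_key"
        if rec["paused"]:
            return False, "paused"            # reversible: flip the flag to resume
        if rec["expires_at"] is not None and now >= rec["expires_at"]:
            return False, "expired"
        if required_scope not in rec["scopes"]:
            return False, "missing_scope"
        return True, rec["name"]
```

Because the store holds only digests, a leaked copy of it does not yield usable bearer tokens, and a lost token cannot be recovered, only replaced.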
Endpoints (under /api/v1): GET /ping, GET /me, GET /system (CPU cores, max RAM, Docker info, counts), GET /containers, GET /containers/<id>, GET /stats, GET /containers/<id>/stats, and POST /containers/<id>/{start,stop,restart,update}. Authenticate with Authorization: Bearer <token>; the base URL follows however you reach the dashboard (direct IP:port or a reverse-proxy domain).
Hardening: per-key rate limiting, per-IP auth-failure throttling, audit logging of key management and write actions, optional HTTPS-only writes, and isolation from the session-auth UI routes.
New tuning env vars: EXTERNAL_API_RATE_LIMIT_MAX, EXTERNAL_API_RATE_LIMIT_WINDOW_SECONDS, EXTERNAL_API_AUTH_FAIL_MAX, EXTERNAL_API_AUTH_FAIL_WINDOW_SECONDS, EXTERNAL_API_REQUIRE_HTTPS_FOR_WRITE.
Full reference: API.md.
Docker images
- drakonis96/statainer:v0.9.17 / :latest
- drakonis96/dockerstats:v0.9.17 / :latest
Both published for linux/amd64 and linux/arm64.