API Reference
The hstPanel REST API lets you automate server management, account creation, and monitoring from your own scripts or integrations.
The API server runs on port 8090 internally. All requests go through the nginx reverse proxy at https://YOUR-SERVER-IP:8443/api/.
Authentication
All API requests require a Bearer token in the Authorization header. Generate your token in WHM â Settings â API Keys.
curl -H "Authorization: Bearer YOUR_API_TOKEN" \
https://YOUR-SERVER-IP:8443/api/server/statsBase URL
https://YOUR-SERVER-IP:8443/apiServer Endpoints
GET /server/stats
Returns live server metrics.
GET /api/server/stats
Response 200:
{
"os": "Ubuntu 24.04 LTS",
"php": "8.3.4",
"uptime": "3d 7h 19m",
"load": "0.12",
"disk": { "used": "5.7 GB", "total": "20 GB", "percent": 28 },
"memory": { "used": "422 MB", "total": "2048 MB", "percent": 20 }
}GET /server/services
Returns the running status of all managed services.
GET /api/server/services
Response 200:
{
"apache": { "status": "running", "uptime": "3d 7h" },
"mariadb": { "status": "running", "uptime": "3d 7h" },
"postfix": { "status": "running", "uptime": "3d 7h" },
"dovecot": { "status": "running", "uptime": "3d 7h" },
"clamav": { "status": "running", "uptime": "3d 6h" },
"fail2ban":{ "status": "running", "uptime": "3d 7h" },
"nginx": { "status": "running", "uptime": "3d 7h" }
}POST /server/services/:name/:action
Start, stop, or restart a service. :name is one of apache, nginx, mariadb, postfix, dovecot, clamav, fail2ban. :action is start, stop, or restart.
POST /api/server/services/apache/restart
Response 200:
{ "service": "apache", "action": "restart", "result": "ok" }Account Endpoints
GET /accounts
List all hosting accounts.
GET /api/accounts
Response 200:
[
{
"username": "john",
"domain": "johndoe.com",
"disk_used": "1.2 GB",
"disk_limit": "5 GB",
"status": "active",
"created": "2026-01-15"
}
]POST /accounts
Create a new hosting account.
POST /api/accounts
Content-Type: application/json
{
"username": "jane",
"domain": "janesdomain.com",
"password": "SecurePass123!",
"package": "business",
"disk_mb": 20480,
"email_limit": 0,
"db_limit": 0
}
Response 201:
{ "username": "jane", "created": true, "cpanel_url": "https://IP:8443/login" }DELETE /accounts/:username
Delete a hosting account and all its data. This is irreversible.
DELETE /api/accounts/jane
Response 200:
{ "username": "jane", "deleted": true }POST /accounts/:username/suspend
Suspend a hosting account.
POST /api/accounts/jane/suspend
Response 200:
{ "username": "jane", "suspended": true }POST /accounts/:username/unsuspend
Restore a suspended account.
POST /api/accounts/jane/unsuspend
Response 200:
{ "username": "jane", "suspended": false }Domain Endpoints
GET /accounts/:username/domains
List all domains for an account.
GET /api/accounts/jane/domains
Response 200:
[
{ "domain": "janesdomain.com", "type": "main", "ssl": true },
{ "domain": "shop.janesdomain.com", "type": "subdomain", "ssl": false }
]Email Endpoints
POST /accounts/:username/email
Create an email account for a domain.
POST /api/accounts/jane/email
Content-Type: application/json
{
"address": "hello@janesdomain.com",
"password": "MailPass456!",
"quota_mb": 1024
}
Response 201:
{ "address": "hello@janesdomain.com", "created": true }Error Responses
| Status | Meaning |
|---|---|
400 | Bad request â missing or invalid parameters |
401 | Unauthorized â missing or invalid API token |
404 | Not found â account or resource doesn't exist |
409 | Conflict â account or domain already exists |
500 | Server error â check /var/log/hstpanel-api.log |
Rate Limits
The API enforces a limit of 120 requests per minute per token. Exceeding this returns a 429 Too Many Requests response with a Retry-After header.