NordBastion polar-bear mascot एक tactical mission-control workstation पर बैठे, cyan code दिखाते floating holographic terminal monitors के साथ, cyan-lit keycaps वाला mechanical keyboard और पास में झुकी cyan-N shield, aurora-lit window वाले exposed Nordic stone console room के अंदर

API.v1 · REST · 70+ endpoints · 5 SDKs

कोड से NordBastion चलाएं.
KYC-free, crypto-paid, पूरी तरह scriptable.

Servers provision करें, snapshots लें, cryptocurrency में top up करें, किसी भी bastion से ping चलाएँ. हर panel action में एक REST endpoint और चार SDKs हैं. Panel के same identity floor: एक email और एक password, कुछ और नहीं.

त्वरित शुरुआत सभी endpoints

Version: v1
Endpoints: 70+
SDKs: 4 + CLI
किले: 4 Nordic
दर सीमा: 1000/min read
KYC: कोई नहीं

त्वरित शुरुआत

एक signed-up खाते से कोड में booted सर्वर तक तीन चरण.

01 Create an account

POST /v1/auth/register

Email + password, no KYC. Returns a 24-hour access token straight away — no email confirmation step.

curl -sS https://nordbastion.com/v1/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email":"[email protected]","password":"••••••••••••"}'

02 क्रिप्टो में टॉप-अप करें

POST /v1/billing/topups

Open a per-coin invoice. The response carries a deposit address, QR code and expiry timestamp.

amount_usd must be between $30 and $10,000 (server-enforced). Lower returns HTTP 422 amount_too_low, higher returns amount_too_high.

curl -sS https://nordbastion.com/v1/billing/topups \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"amount_usd":50,"coin":"xmr"}'

03 एक server provision करें

POST /v1/servers

Pick a tier (service_code), a bastion and an image. Server is booted with SSH in about ninety seconds.

curl -sS https://nordbastion.com/v1/servers \
  -H "Authorization: Bearer $TOKEN" \
  -d '{"service_code":"NB-V3","bastion":"STO","image":"debian-12"}'

SDKs & CLI

चार भाषाएँ, एक binary.

प्रत्येक SDK MIT-licensed, source-available, v1.0 से semver-stable है. सभी same authenticated client interface साझा करते हैं — किसी भी भाषा में servers list करें.

Planned for v1.1

These SDKs are planned for v1.1. The REST API at /v1/* is fully usable from any HTTP client today — see the agents page for cURL and MCP examples.

Python

pip

pip install nordbastion

from nordbastion import Client
nb = Client(api_key="nb_live_••••")

for s in nb.servers.list():
    print(s.id, s.name, s.status)

TypeScript

npm

npm i @nordbastion/api

import { NordBastion } from '@nordbastion/api';
const nb = new NordBastion({ apiKey: 'nb_live_••••' });

const servers = await nb.servers.list();
servers.forEach(s => console.log(s.id, s.name, s.status));

Go

go install

go get go.nordbastion.com/api

import nb "go.nordbastion.com/api"

c := nb.New(nb.WithAPIKey("nb_live_••••"))
servers, _ := c.Servers.List(ctx)
for _, s := range servers {
    fmt.Println(s.ID, s.Name, s.Status)
}

Rust

cargo

cargo add nordbastion

use nordbastion::Client;
let nb = Client::builder()
    .api_key("nb_live_••••").build()?;

for s in nb.servers().list().await? {
    println!("{} {} {}", s.id, s.name, s.status);
}

CLI · nb

Planned for v1.1

curl -sSL https://get.nordbastion.com | sh

nb auth login --api-key nb_live_••••
nb servers list
nb servers create --tier NB-V3 --bastion STO
nb servers snap NB-srv-1234 --name pre-upgrade

Curl-प्रथम

REST API किसी भी HTTP client के साथ काम करती है. JSON request और response bodies, JWT bearer या scoped API key, signed webhook payloads. कोई SDK lock-in नहीं.

curl -H "Authorization: Bearer nb_live_••••" https://nordbastion.com/v1/servers

Endpoint reference

70+ endpoints बारह resource groups में.

Authentication · 14 endpoints

POST	/v1/auth/register LIVE	Create a NordBastion account from email + password (no KYC).
POST	/v1/auth/login LIVE	Exchange email + password for a bearer token. Returns 24-hour JWT.
POST	/v1/auth/login/totp LIVE	Second step when the account has TOTP 2FA enabled.
POST	/v1/auth/token/refresh LIVE	Rotate a bearer token without re-entering credentials.
POST	/v1/auth/recover LIVE	Initiate account recovery (PGP-based, stubbed in v1.0).
GET	/v1/auth/sessions LIVE	List active sessions for the current account.
DELETE	/v1/auth/sessions/{token_id} LIVE	Revoke a session by token ID (logout-everywhere).
POST	/v1/auth/totp/setup LIVE	Begin TOTP enrollment — returns the provisioning URI.
POST	/v1/auth/totp/enable LIVE	Confirm a TOTP code and enable 2FA.
POST	/v1/auth/totp/disable LIVE	Disable 2FA with a current TOTP code.
POST	/v1/auth/password LIVE	Change the account password.
POST	/v1/auth/api-keys LIVE	Create a scoped, long-lived API key (read · billing · servers · full).
GET	/v1/auth/api-keys LIVE	List API keys for the current account (last-used + scopes).
DELETE	/v1/auth/api-keys/{key_id} LIVE	Revoke an API key immediately.

Account · 5 endpoints

GET	/v1/account LIVE	Get the authenticated account (email, status, locale, 2FA state).
PATCH	/v1/account LIVE	Update email, password, locale, default bastion preference.
GET	/v1/account/balance LIVE	Current prepaid balance in USD.
GET	/v1/account/usage LIVE	Trailing-30-day API usage totals.
GET	/v1/account/audit-log LIVE	Recent authenticated requests for this account.

Billing & crypto top-ups · 8 endpoints

POST	/v1/billing/topups LIVE	Create a top-up intent. Returns a per-coin address + QR + expiry.
GET	/v1/billing/topups LIVE	List pending and confirmed crypto top-ups.
GET	/v1/billing/topups/{order_number} LIVE	Status of a single top-up (confirmations, settle status).
POST	/v1/billing/topups/{order_number}/cancel LIVE	Cancel a still-open top-up.
GET	/v1/billing/bonus-tiers LIVE	Public top-up bonus tier ladder.
GET	/v1/billing/coins LIVE	12 supported cryptocurrencies + current settle threshold per coin.
GET	/v1/billing/invoices PLANNED	List invoices (monthly statements).	roadmap
GET	/v1/billing/invoices/{id} PLANNED	Single invoice. Format: JSON · PDF · PGP-signed PDF.	roadmap

Catalogue · 7 endpoints

GET	/v1/catalog LIVE	Bundle of all catalog resources in one call.
GET	/v1/catalog/vps LIVE	Five VPS tiers — Sentinel · Garrison · Ravelin · Bulwark · Citadel.
GET	/v1/catalog/dedicated LIVE	Five dedicated tiers — Bastion-Lite to Bastion-Hyperion.
GET	/v1/catalog/bastions LIVE	Four Nordic bastions — STO · HEL · OSL · RKV with live status.
GET	/v1/catalog/images LIVE	Default OS images — Debian · Ubuntu · Alpine · Arch · FreeBSD · Win.
GET	/v1/catalog/{code} LIVE	Lookup a single tier by service_code.
GET	/v1/catalog/iso PLANNED	Library of bootable ISO images for custom installs.	roadmap

Servers · 14 endpoints

POST	/v1/servers LIVE	Provision a new VPS or dedicated server. Returns 202 + order_number.
GET	/v1/servers LIVE	List servers — supports filter, sort, paginate, field selection.
GET	/v1/servers/{order_number} LIVE	Single server with full configuration + current status.
PATCH	/v1/servers/{order_number} LIVE	Mutate a server (hostname only in v1.0).
DELETE	/v1/servers/{order_number} LIVE	Cancel / decommission a server. Pro-rated credit returned.
POST	/v1/servers/{id}/power PLANNED	Start · stop · restart · poweroff · acpi-shutdown.	roadmap
POST	/v1/servers/{id}/reinstall PLANNED	Reinstall OS from any catalogue image or custom template.	roadmap
POST	/v1/servers/{id}/rescue PLANNED	Reboot into rescue mode (Alpine ramdisk · 1 hour timeout).	roadmap
POST	/v1/servers/{id}/resize PLANNED	Move a VPS up or down between tiers. Applies on next reboot.	roadmap
POST	/v1/servers/{id}/migrate PLANNED	Redeploy a snapshot to another bastion. Pin to STO · HEL · OSL · RKV.	roadmap
POST	/v1/servers/{id}/password-reset PLANNED	Reset root password. Returned once, never stored.	roadmap
GET	/v1/servers/{id}/metrics PLANNED	Per-minute CPU · RAM · disk · network for the last 90 days.	roadmap
GET	/v1/servers/{id}/console PLANNED	One-time URL to the web VNC/SPICE console (expires 5 min).	roadmap
GET	/v1/servers/{id}/serial PLANNED	One-time URL to the web serial console (expires 5 min).	roadmap

Snapshots · 5 endpoints

POST	/v1/servers/{id}/snapshots PLANNED	Create a live or quiesced snapshot (off-host, encrypted).	roadmap
GET	/v1/servers/{id}/snapshots PLANNED	List snapshots for a server (size, age, source).	roadmap
POST	/v1/servers/{id}/snapshots/{snapId}/restore PLANNED	Restore in place — server reboots into the snapshot.	roadmap
DELETE	/v1/servers/{id}/snapshots/{snapId} PLANNED	Delete a snapshot.	roadmap
POST	/v1/servers/{id}/snapshots/{snapId}/export PLANNED	Export a snapshot as a .qcow2 download. PGP-signed manifest.	roadmap

SSH keys · 4 endpoints

POST	/v1/ssh-keys LIVE	Register a new SSH public key. SHA-256 fingerprint indexed.
GET	/v1/ssh-keys LIVE	List SSH keys on the account.
GET	/v1/ssh-keys/{id} LIVE	A single SSH public key.
DELETE	/v1/ssh-keys/{id} LIVE	Remove a key (does not change any existing server's installed keys).

Networking · 8 endpoints

GET	/v1/networking/ips PLANNED	List IPv4 + IPv6 addresses assigned to your servers.	roadmap
POST	/v1/networking/ips/floating PLANNED	Request additional IPv4 or a /64 IPv6 block. Bastion-scoped.	roadmap
POST	/v1/networking/rdns PLANNED	Set reverse-DNS PTR. IPv4 + IPv6 supported.	roadmap
POST	/v1/networking/firewall PLANNED	Create or replace a firewall ruleset for one or more servers.	roadmap
GET	/v1/networking/firewall PLANNED	List firewall rulesets and their bindings.	roadmap
POST	/v1/networking/private-network PLANNED	Create a VPC-style private network between your own servers.	roadmap
POST	/v1/networking/byoip PLANNED	Announce your own /24 (IPv4) or /48 (IPv6). RPKI-verified.	roadmap
POST	/v1/networking/lookingglass PLANNED	Run ping · traceroute · MTR from any of the four bastions.	roadmap

Storage · 5 endpoints

POST	/v1/storage/volumes PLANNED	Provision an additional NVMe volume — 10 GB to 16 TB, bastion-scoped.	roadmap
GET	/v1/storage/volumes PLANNED	List volumes on the account.	roadmap
POST	/v1/storage/volumes/{id}/attach PLANNED	Attach a volume to a running or stopped server.	roadmap
POST	/v1/storage/volumes/{id}/detach PLANNED	Detach a volume (requires the server to be stopped).	roadmap
POST	/v1/storage/volumes/{id}/resize PLANNED	Grow a volume. Shrink not supported.	roadmap

Images & templates · 3 endpoints

POST	/v1/images/iso/upload PLANNED	Upload a custom .iso (≤ 4 GB) bootable from any server's rescue path.	roadmap
POST	/v1/images/templates PLANNED	Register a custom OS template from an existing snapshot.	roadmap
GET	/v1/images/templates PLANNED	List your custom templates.	roadmap

Webhooks · 4 endpoints

POST	/v1/webhooks LIVE	Subscribe a URL to one or more event types. HMAC-signed payloads.
GET	/v1/webhooks LIVE	List webhook subscriptions on the account.
DELETE	/v1/webhooks/{id} LIVE	Remove a webhook subscription.
POST	/v1/webhooks/{id}/test LIVE	Send a synthetic test event to a webhook URL.

Transparency · 4 endpoints

GET	/v1/transparency/canary LIVE	Current warrant canary, PGP-signed payload. Same content as /warrant-canary/.
GET	/v1/transparency/peering LIVE	AS213232 peering announcements + current prefix list.
GET	/v1/transparency/status LIVE	Live operational status of every bastion + shared services.
GET	/v1/transparency/incidents PLANNED	Operational incidents (last 12 months, rolling).	roadmap

Agents directory · 2 endpoints

GET	/v1/agents/directory LIVE	Public listing of agents using NordBastion.
POST	/v1/agents/directory LIVE	Submit this account's agent for the public directory.

OAuth 2.1 / DCR · 4 endpoints

POST	/v1/oauth/register LIVE	RFC 7591 Dynamic Client Registration.
POST	/v1/oauth/token LIVE	Token endpoint — client_credentials, password, refresh_token.
POST	/v1/oauth/revoke LIVE	Revoke an access or refresh token.
GET	/v1/oauth/introspect LIVE	Introspect a token (RFC 7662, basic info only).

सभी endpoints JSON in / JSON out follow करते हैं, ?page= & ?per_page= द्वारा pagination, ?filter[field]= द्वारा filtering और ?fields= द्वारा field selection. प्रत्येक request एक Idempotency-Key header carry कर सकती है.

प्रमाणीकरण

तीन credential प्रकार, दो गोपनीयता modes.

Bearer token LIVE

Email + password · JWT · 24 घंटे की expiry

POST /v1/auth/login द्वारा जारी short-lived JWT. scope claims और session-revocation ID वहन करता है. /v1/auth/token/refresh के माध्यम से 30 दिनों के लिए refreshable.

Authorization: Bearer eyJhbGciOi••••

Scoped API key LIVE

Long-lived · scoped · revocable

Scopes: read-only, billing-read, billing-write, servers-read, servers-write, full. वैकल्पिक IP allowlist (CIDR), वैकल्पिक expiry. CI और infrastructure scripts के लिए अनुशंसित.

Authorization: Bearer nb_live_3f9c2a••••

Mutual TLS Planned v1.1

क्लाइंट प्रमाणपत्र · एंटरप्राइज़ / अनुपालन

एक API key पर एक mTLS client certificate pin करें. जो requests गलत client certificate present करते हैं उन्हें TLS layer पर reject किया जाता है इससे पहले कि कोई application logic चले. Panel के माध्यम से request पर उपलब्ध.

curl --cert client.pem --key client.key https://nordbastion.com/v1/servers

PGP-signed responses Planned v1.1

Opt-in detached signature · offline verifiable

किसी भी request पर X-NB-Sign: 1 सेट करें. response body NordBastion key का उपयोग करके एक detached PGP cleartext signature में लपेटी जाती है (fingerprint /pgp/ पर). compliance pipelines द्वारा उपयोग किया जाता है जो केवल TLS chain पर भरोसा नहीं करते.

curl -H "X-NB-Sign: 1" -H "Authorization: Bearer ..." https://nordbastion.com/v1/transparency/canary

NordBastion signup पर identity collect नहीं करता, और API उस floor को नहीं बदलता. कोई SMS verification webhook नहीं है, कोई email-confirmation flow नहीं, कोई identity-document upload endpoint नहीं. API money, machines और metadata expose करता है — यही पूरा surface area है.

दर सीमाएं

Per-key, per-minute publish

Read endpoints: 1000 / min
Write endpoints: 100 / min
Auth-sensitive: 10 / min
429 पुनः प्रयास: Retry-After

हर response X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset carry करता है. Higher tiers panel से request पर उपलब्ध हैं.

Versioning

बारह-महीने deprecation न्यूनतम

Endpoints /v1/ के अंतर्गत URL-versioned हैं. Breaking changes केवल एक new major version में ship होती हैं. पिछला major कम से कम बारह महीनों तक supported रहता है. Deprecated endpoints Sunset और Deprecation response headers carry करते हैं.

Sunset: Wed, 01 Jul 2027 00:00:00 GMT
Deprecation: true

Error format

स्थिर envelope, machine-readable code

{
  "error": {
    "type":    "invalid_request",
    "code":    "invalid_bastion",
    "message": "Unknown bastion 'mxp'.",
    "request_id": "req_2VqK8e...",
    "doc_url": "https://nordbastion.com/api/#errors"
  }
}

Webhooks

हस्ताक्षरित events, backoff के साथ पुनः प्रयास.

प्रत्येक event payload आपके webhook secret से HMAC-signed है. एक घंटे में exponential backoff के साथ तीन retry attempts, फिर dropped. POST /v1/webhooks/{id}/test से test deliveries उपलब्ध हैं.

account.balance.low

Balance dropped below the configured threshold.

topup.created

Crypto top-up address generated, waiting for first confirmation.

topup.confirmed

Top-up settled on-chain. Balance credited.

topup.failed

Top-up address expired without confirmation.

invoice.issued

Monthly invoice issued. PDF + PGP-signed PDF available.

server.provisioning

Provisioning started — image being written.

server.provisioned

Server is booted and reachable on SSH.

server.power.on

Server powered on (manual or scheduled).

server.power.off

Server powered off (manual or scheduled).

server.reinstalled

OS reinstalled. Root password rotated.

server.resized

VPS tier changed. Applied on the next reboot.

server.migrated

Server moved to another bastion via snapshot redeploy.

server.deleted

Server terminated. Pro-rated credit returned.

snapshot.created

Snapshot completed and is downloadable.

snapshot.restored

Snapshot restored in place.

snapshot.deleted

Snapshot removed.

volume.attached

Block volume attached to a server.

volume.detached

Block volume detached.

firewall.changed

Firewall ruleset applied to one or more servers.

canary.updated

Warrant canary reaffirmed (first of every month).

incident.opened

Operational incident opened on a bastion or shared service.

incident.resolved

Operational incident closed.

peering.changed

AS213232 peering or prefix announcement updated.

Transparency endpoints

Canary तक Programmatic access, incident log, peering record.

अधिकतर cloud APIs products और billing expose करती हैं. NordBastion अपनी transparency surface भी expose करता है — programmatically. Same warrant canary जो /warrant-canary/ पर published है /v1/transparency/canary पर एक signed JSON payload के रूप में उपलब्ध है. Same incident history जो /status/ drive करती है /v1/transparency/incidents पर है. Same peering record जो /peering/ पर रहता है /v1/transparency/peering पर है. Same AS213232 prefix announcements real time में queryable हैं.

canary.updated webhook की सदस्यता लें और आपको हर महीने के पहले दिन एक push notification मिलती है — यदि यह firing बंद कर दे, तो canary टूट गया है, और आप बिना polling के जान जाते हैं. स्वयं alert बनाएं, अपने infrastructure में, उस cryptographic signature के साथ जिसे आप प्रकाशित PGP key के विरुद्ध offline verify कर सकते हैं.

यह API का वह हिस्सा है जो किसी भी commercial cloud के पास नहीं है, क्योंकि किसी भी commercial cloud के पास इसे समर्थन देने का सिद्धांत नहीं है.

नमूना · GET /v1/transparency/canary

{
  "as_of": "2026-05-01T00:00:00Z",
  "statement": "NordBastion has received no...",
  "signature": "-----BEGIN PGP SIGNATURE-----...",
  "key_fingerprint": "B9BB 3413 6FDC C3DA 8356 50C8 1A32 1442 3855 B282",
  "next_reaffirmation": "2026-06-01T00:00:00Z"
}

canary page पढ़ें पारदर्शिता रिपोर्ट पढ़ें PGP key

FAQ · API

Developer प्रश्न, उत्तरित.

एक developer host की API को infrastructure सौंपने से पहले जो प्रश्न पूछता है.

क्या वास्तव में एक API है और क्या यह KYC-free है?

हां — control panel में आप जो भी action ले सकते हैं उसका API equivalent आज या published roadmap पर है, और API खुद उसी authenticated panel account द्वारा gated है: एक email और password. API credentials प्राप्त करने या उपयोग करने के लिए कोई identity verification आवश्यक नहीं है.

किन programming languages के official SDKs हैं?

चार official SDKs और एक CLI. Python (pip install nordbastion), TypeScript / Node (npm install @nordbastion/api), Go (go install go.nordbastion.com/cli/nb@latest), Rust (cargo add nordbastion) और एक single-binary cross-platform CLI (nb) curl के माध्यम से installable. सभी SDKs MIT-licensed और source-available हैं.

क्या मैं code से, cryptocurrency में अपना balance top up कर सकता हूँ?

हां. POST /v1/billing/topups एक top-up intent बनाता है और per-coin destination address, QR code और expiry timestamp लौटाता है. जब network payment confirm करता है, आपका prepaid balance स्वचालित रूप से credit होता है और topup.confirmed webhook fire होती है. बारह cryptocurrencies supported हैं, /v1/billing/coins पर listed.

क्या API endpoints Tor के माध्यम से reachable हैं?

clearnet endpoint api.nordbastion.com आज Tor-friendly है, बिना special-case rate limits या anti-Tor blocking के. API surface का एक v3 onion mirror panel roadmap पर है और जब यह जारी होगा तो Onion-Location response headers के माध्यम से वही TLS-certified material share करेगा.

"PGP-signed responses" का क्या अर्थ है?

आप अपनी API key को PGP-signed response bodies में opt कर सकते हैं. प्रत्येक JSON response NordBastion key का उपयोग करके एक detached cleartext PGP signature में लपेटा जाता है (fingerprint /pgp/ पर). wrapping offline verifiable है और TLS chain पर अकेले भरोसा न करने वाले environments में compliance और source-attestation के लिए उपयोगी है.

Rate limits कैसे enforce किए जाते हैं?

Per API key. Published baseline 1000 read requests प्रति मिनट और 100 write requests प्रति मिनट है, plus auth-sensitive endpoints (login, password reset, key creation) पर 10 requests प्रति मिनट. हर response X-RateLimit-Limit, X-RateLimit-Remaining और X-RateLimit-Reset headers carry करता है; 429 responses में Retry-After header शामिल है. Verified developer accounts panel से higher tiers request कर सकते हैं.

Versioning कैसे काम करता है?

Endpoints /v1/ के अंतर्गत URL-versioned हैं. Breaking changes केवल एक new major version (/v2/, /v3/) में ship होती हैं और अगला release होने के बाद पिछला major कम से कम बारह महीनों तक supported रहता है. Deprecated endpoints हर response पर cut-off date के साथ एक Sunset header और एक Deprecation: true header carry करते हैं.

audit-log opt-in क्यों है?

क्योंकि NordBastion doctrine कहता है कि हम केवल वही log करते हैं जो हमें करना होगा. Operational request metrics उस rolling window के लिए रहती हैं जो rate-limiter को चाहिए और फिर expire होती हैं; API actions का per-customer audit log platform चलाने के लिए हमें जितनी ज़रूरत है उससे अधिक data है, इसलिए यह default रूप से off है. जो customers इसे चाहते हैं वे /v1/account/audit-log enable कर सकते हैं; एक बार enable होने पर यह panel + API दोनों को समान रूप से cover करता है और export किया जा सकता है.

इसे script करने के लिए तैयार

Panel से एक API key प्राप्त करें.

panel जैसा ही email-और-password आधार. कोई पहचान जांच नहीं. crypto में भुगतान करें. Stockholm, Helsinki, Oslo या Reykjavík सर्वर लगभग नब्बे सेकंड में बूट करें.

API key प्राप्त करें VPS catalogue देखें सिद्धांत पढ़ें

Base URL · https://nordbastion.com/v1/ · स्थिति · live operational status · लुकिंग ग्लास · live ping/MTR चलाएं