Skip to main content
code<spar>
DocsServersReferenceCookbooksSandbox
API Reference

Projects API

HTTP API reference for creating, listing, updating, and deleting projects -- the second level of CodeSpar's org -> project tenancy model.

1 min read · updated

Projects API

The Projects API manages the second level of CodeSpar's tenancy model: Organization -> Project. See the Projects concept for the full model.

Base URL: https://api.codespar.dev

All endpoints require authentication via Bearer token. See Authentication.

Project object

FieldTypeDescription
idstringProject ID in the form prj_<16chars>
org_idstringParent organization ID
namestringDisplay name (free-form)
slugstringURL-safe identifier, unique per organization
is_defaultbooleantrue for the org's default project (exactly one per org)
created_atstringISO 8601 timestamp

Slug rules

  • Lowercase alphanumeric characters plus _ and -
  • Max length: 64 characters
  • default is reserved (only the auto-created default project uses it)
  • Must be unique within the organization

Violations return slug_invalid, slug_reserved, or slug_conflict (see Errors).

GET /v1/projects

Lists all projects in the authenticated organization.

Auth required: Yes

Query parameters

ParameterTypeDefaultDescription
is_defaultboolean--Filter to only the default project (true) or non-default projects (false)
limitnumber50Results per page (max 100)
offsetnumber0Pagination offset

curl example

curl https://api.codespar.dev/v1/projects \
  -H "Authorization: Bearer csk_live_abc123..."

Response -- 200 OK

{
  "data": [
    {
      "id": "prj_a1b2c3d4e5f6g7h8",
      "org_id": "org_xyz789",
      "name": "Default",
      "slug": "default",
      "is_default": true,
      "created_at": "2026-04-01T10:00:00Z"
    },
    {
      "id": "prj_i9j0k1l2m3n4o5p6",
      "org_id": "org_xyz789",
      "name": "Staging",
      "slug": "staging",
      "is_default": false,
      "created_at": "2026-04-15T09:12:00Z"
    }
  ],
  "total": 2,
  "limit": 50,
  "offset": 0
}

GET /v1/projects/:id

Retrieves a single project by ID.

Auth required: Yes

curl example

curl https://api.codespar.dev/v1/projects/prj_a1b2c3d4e5f6g7h8 \
  -H "Authorization: Bearer csk_live_abc123..."

Response -- 200 OK

{
  "id": "prj_a1b2c3d4e5f6g7h8",
  "org_id": "org_xyz789",
  "name": "Default",
  "slug": "default",
  "is_default": true,
  "created_at": "2026-04-01T10:00:00Z"
}

POST /v1/projects

Creates a new project in the authenticated organization.

Auth required: Yes

Request body

FieldTypeRequiredDescription
namestringYesDisplay name
slugstringYesURL-safe identifier (see slug rules)

New projects are always created with is_default: false. To promote a project to default, use PATCH /v1/projects/:id with {"is_default": true}.

curl example

curl -X POST https://api.codespar.dev/v1/projects \
  -H "Authorization: Bearer csk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production",
    "slug": "prod"
  }'

Response -- 201 Created

{
  "id": "prj_q7r8s9t0u1v2w3x4",
  "org_id": "org_xyz789",
  "name": "Production",
  "slug": "prod",
  "is_default": false,
  "created_at": "2026-04-20T14:22:00Z"
}

PATCH /v1/projects/:id

Updates a project's name, slug, or default status.

Auth required: Yes

Request body

FieldTypeRequiredDescription
namestringNoNew display name
slugstringNoNew slug (subject to slug rules)
is_defaultbooleanNoSet to true to promote this project to default. Atomic: the previous default is demoted in the same transaction.

is_default can only be set to true. You cannot un-set it directly -- to change the default, promote a different project instead. Sending {"is_default": false} on the current default project is a no-op or error (exact behavior: TODO -- confirm).

curl example -- promote to default

curl -X PATCH https://api.codespar.dev/v1/projects/prj_q7r8s9t0u1v2w3x4 \
  -H "Authorization: Bearer csk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"is_default": true}'

Response -- 200 OK

{
  "id": "prj_q7r8s9t0u1v2w3x4",
  "org_id": "org_xyz789",
  "name": "Production",
  "slug": "prod",
  "is_default": true,
  "created_at": "2026-04-20T14:22:00Z"
}

DELETE /v1/projects/:id

Deletes a project and all of its scoped resources (API keys, triggers, session history, connection records).

Auth required: Yes

Deletion cascades. There is no undo. Export audit logs first if you need to retain them.

curl example

curl -X DELETE https://api.codespar.dev/v1/projects/prj_q7r8s9t0u1v2w3x4 \
  -H "Authorization: Bearer csk_live_abc123..."

Response -- 200 OK

{
  "id": "prj_q7r8s9t0u1v2w3x4",
  "deleted": true
}

Deletion fails with cannot_delete_default or cannot_delete_last_project (see below).

Project members (RBAC overrides)

Every user with org membership inherits a base role (owner, admin, member) that applies across every project in that org. The four endpoints below let an org admin narrow or widen that role for a specific project — useful when a contractor should see exactly one project, or a member needs admin rights on staging without becoming a full org admin.

A user absent from project_members inherits their org-level role unchanged. Explicit rows are overrides, not the source of truth.

GET /v1/projects/:id/members

Lists every user with effective access to the project, including org-level inherited members. The source field tells you whether the role came from a project override or from the org membership.

curl https://api.codespar.dev/v1/projects/prj_a1b2c3d4e5f6g7h8/members \
  -H "Authorization: Bearer csk_live_..."

Response — 200 OK

{
  "members": [
    {
      "user_id": "user_owner123",
      "role": "owner",
      "source": "org",
      "email": "founder@codespar.dev",
      "display_name": "Founder",
      "avatar_url": null,
      "added_at": "2026-04-15T10:00:00Z"
    },
    {
      "user_id": "user_contractor456",
      "role": "admin",
      "source": "project",
      "email": "ana@contractor.com",
      "display_name": "Ana",
      "avatar_url": null,
      "added_at": "2026-04-22T18:30:00Z"
    }
  ]
}

Sorted: owner first, then admin, then member — oldest first within each tier.

POST /v1/projects/:id/members

Adds or upserts a project-level override. Requires org-level admin or owner.

Request body

FieldTypeRequiredNotes
user_idstringYesMust already be a member of the org.
roleadmin | memberYesCannot override an org owner — they always retain full access.
curl -X POST https://api.codespar.dev/v1/projects/prj_.../members \
  -H "Authorization: Bearer csk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"user_id": "user_contractor456", "role": "admin"}'

PATCH /v1/projects/:id/members/:user_id

Updates an existing override's role. Same gate (admin+ at org level).

curl -X PATCH https://api.codespar.dev/v1/projects/prj_.../members/user_contractor456 \
  -H "Authorization: Bearer csk_live_..." \
  -H "Content-Type: application/json" \
  -d '{"role": "member"}'

DELETE /v1/projects/:id/members/:user_id

Removes the override. The user falls back to their org-level role for this project.

curl -X DELETE https://api.codespar.dev/v1/projects/prj_.../members/user_contractor456 \
  -H "Authorization: Bearer csk_live_..."
StatusError codeWhen
403requires_org_adminPOST/PATCH/DELETE called by a non-admin org member
404member_not_in_orguser_id is not a member of this organization
404override_not_foundPATCH/DELETE on a user that has no override row (they only inherit)
409cannot_override_ownerTried to override an org owner's role

Errors

All endpoints follow the standard error format:

{
  "error": "error_code",
  "message": "Human-readable error description.",
  "status": 400
}

Project-specific error codes

StatusError codeWhen
400slug_invalidSlug contains disallowed characters, exceeds 64 chars, or is empty
400slug_reservedSlug is default (reserved for the auto-created default project)
409slug_conflictAnother project in the organization already uses this slug
409cannot_delete_defaultDELETE on the default project. Promote another project first.
409cannot_delete_last_projectDELETE on the only remaining project. Every org must have at least one project.

Standard error codes

StatusError codeWhen
401unauthorizedInvalid or missing API key
403forbiddenAPI key lacks permission (e.g. a project-scoped key trying to manage a different project)
404not_foundProject ID does not exist or does not belong to the authenticated organization
429rate_limitedToo many requests
500internal_errorServer error. Retry with exponential backoff.

Next steps

CONCEPT
Projects
Org → Project tenancy model, default project, and scoping rules.
REFERENCE
Sessions API
How the x-codespar-project header scopes session creation.
CONCEPT
Authentication
API key types, project-pinned keys, and scope control.
COOKBOOK
Multi-Tenant Agent
One userId per tenant + metadata for per-tenant billing.
Edit on GitHub

Last updated on

Servers API

HTTP API reference for browsing and filtering CodeSpar's catalog of MCP servers across payments, fiscal, logistics, messaging, banking, ERP, and crypto.

Wallets API

HTTP API reference for Programmable Wallets — create wallets, post ledger entries, bind funding sources, execute mandate-gated payments, triage reconciliation anomalies.

On this page

Projects APIProject objectSlug rulesGET /v1/projectsQuery parameterscurl exampleResponse -- 200 OKGET /v1/projects/:idcurl exampleResponse -- 200 OKPOST /v1/projectsRequest bodycurl exampleResponse -- 201 CreatedPATCH /v1/projects/:idRequest bodycurl example -- promote to defaultResponse -- 200 OKDELETE /v1/projects/:idcurl exampleResponse -- 200 OKProject members (RBAC overrides)GET /v1/projects/:id/membersResponse — 200 OKPOST /v1/projects/:id/membersRequest bodyPATCH /v1/projects/:id/members/:user_idDELETE /v1/projects/:id/members/:user_idMember-related error codesErrorsProject-specific error codesStandard error codesNext steps