Skip to content

Wellesley Platform API (1.0)

Wellesley is a decentralized social platform built on top of ActivityPub. It operates as a federation of independent servers that exchange data using standard ActivityPub messages alongside custom extensions. The platform strives for Mastodon compatibility while introducing additional capabilities such as Groups, Forums, rich media, AI agents, and fine-grained access control.

This API provides full access to the platform's functionality including user and account management, posting and feeds, group creation and moderation, notifications, real-time streaming, search, federated content delivery, AI agent configuration, and platform administration. Most endpoints accept and return JSON. Pagination follows cursor-based patterns using Link headers.

Authentication: Endpoints that require authentication expect an Authorization header with a valid access token. Unauthenticated requests to protected endpoints will receive a 401 response.

RBAC (Role-Based Access Control): Some endpoints are protected by RBAC permissions. When an endpoint description mentions "RBAC: requires ...", the caller must hold the listed permission(s) in addition to being authenticated. Requests that lack the required permissions will receive a 403 response. RBAC permissions are scoped to resources (e.g., Group, Post, User) and actions (e.g., Read, Write, Moderate), and are assigned through roles.

Download OpenAPI description
openapi.json
openapi.yaml
Languages
Servers
Mock server
https://docs.wellesley.social/_mock/openapi
Simple setup, all in one. Digital Ocean
https://dust.allroads.social
Simple setup, db is separate. Digital Ocean
https://meteor.allroads.social

AI Agents

The AI Agents API manages bot creation and configuration. Each bot is a user profile of type Service with a configuration profile that includes tools, triggers, and scope. Global bots operate in the global scope; group bots operate within a group scope.

Operations

AI Models

Endpoints for searching AI models and managing per-scope enablement. Models are catalog entries synced from models.dev. Use scope parameter with enable/disable endpoints to manage models per-scope.

Operations

AI Providers

Endpoints for viewing AI providers and configuring per-scope API keys. Providers are catalog entries synced from models.dev. Use scope='global' for platform-wide configuration (requires AIProviders permissions) or a group TypeId for group-specific configuration (requires GroupAIProviders permissions).

Operations

Accounts

Account management and authentication endpoints. Handles user registration, login flows (email/phone), profile management, and account lifecycle operations. Supports multi-step signup with email/SMS verification, CAPTCHA, and optional admin approval.

Operations

Addresses

Endpoints for suggesting and validating physical addresses

Operations

Admin Accounts

Administrative endpoints for account and user management. Provides comprehensive tools for managing user accounts, including creation, deletion, role assignment, password management, state changes, and user impersonation for bot accounts. Requires Users.Manage permission unless otherwise noted on individual endpoints.

Operations

Admin ActivityPub

Administrative endpoints for managing ActivityPub federation delivery. Provides tools to clear delivery error counters and restart delivery for specific remote domains. Requires Federation.Manage permission.

Operations

Admin Audit

Administrative endpoints for viewing and searching audit logs. Provides comprehensive logging of all security-relevant actions performed in the system, including account management, user changes, settings modifications, and moderation actions. Requires Audit.Read permission.

Operations

Admin Domain Blocks

Administrative APIs for managing domain blocks. Provides endpoints to block specific domains with different severity levels (SUSPEND, LIMIT, NOOP), update existing blocks, unblock domains, and list currently blocked domains. Domain blocks prevent or limit federation with specified domains. Write operations require Federation.Manage permission; read operations require Federation.Read or Federation.Manage permission.

Operations

Admin Domains Allow List

Administrative endpoints for managing domain allowlists. When domain allowlisting is enabled, only domains in this list can federate with the instance. Write operations require Federation.Manage permission; read operations require Federation.Read or Federation.Manage permission.

Operations

Admin Email Allow List

Administrative endpoints for managing the email domain allowlist used during user registration. When enabled, only email addresses from allowed domains can sign up. Write operations require AdminSettings.Manage permission; read operations require AdminSettings.Read or AdminSettings.Manage permission.

Operations

Admin Email Blocks

Administrative APIs for managing email blocks to prevent unwanted signups. Supports blocking specific email addresses and entire domains. Email blocks are automatically normalized and checked during user registration. Requires Users.Moderate permission.

Operations

Admin FASP

Administrative endpoints for managing FASP (Fediverse Auxiliary Service Provider) provider registrations and default capability assignments. Allows accepting, declining, and blocking providers, as well as configuring which provider is the default for each capability. Read operations require Federation.Read or Federation.Manage permission; write operations require Federation.Manage permission.

Operations

Admin FASP Remote

Administrative endpoints for managing a remote FASP server. Allows Wellesley admins to configure connection to a FASP server and manage Fediverse server registrations remotely.

Operations

Admin Federation Config

Administrative endpoints for managing federation mode and allowlist in a single operation.

Operations

Admin Federation Metrics

Administrative endpoints for monitoring and managing federation with other ActivityPub instances. Provides metrics on connected domains, user counts, post statistics, and federation health monitoring including sliding window performance metrics for inbox processing. Requires Federation.Read or Federation.Manage permission.

Operations

Admin Federation Mode

Manage the federation mode of the instance (OPEN, LIMITED, CLOSED)

Operations

Admin Feeds

Administrative endpoints for managing user feed caches. Provides tools for regenerating, clearing, and diagnosing cached home feeds stored in Redis. Feed regeneration recomputes the feed from the database and updates the cache. Requires Jobs.Manage permission.

Operations

Admin Groups

Administrative endpoints for managing groups, channels, categories, and events. Provides search and listing capabilities for all groups on the server regardless of privacy or visibility. Requires Users.Read or Users.Manage permission.

Operations

Admin Jobs

Administrative endpoints for monitoring and managing background job queues. Provides statistics, job listings, and queue monitoring for all asynchronous tasks such as federation delivery, media processing, and cleanup jobs. Requires Jobs.Read or Jobs.Manage permission.

Operations

Admin Posts

Administrative endpoints for managing posts. Provides moderation capabilities to delete posts that violate community guidelines or are part of reported content. Requires Reports.Manage permission.

Operations

Admin Signup Requests

Administrative endpoints for managing user signup requests. Provides tools for reviewing, approving, rejecting, and managing signup requests in the moderation queue. Supports workflow for manual account approval when enabled. Read operations require Signups.Read or Signups.Manage permission; write operations require Signups.Manage permission.

Operations

Admin Uploads

Administrative endpoints for managing file uploads and media storage. Provides tools for monitoring user storage usage, searching uploaded files, and managing upload processing jobs. Supports queue management for async upload processing workflows. Requires Uploads.Read permission.

Operations

Aliases

User alias management for account migration and identity linking. Aliases allow a user to declare previous identities on remote federated servers, which is required for ActivityPub account migration. All endpoints require authentication.

Operations

Application Data

Endpoints for managing application-specific data storage. Provides a flexible key-value storage system for applications to store custom data associated with users, groups, or the platform. Supports tagging, filtering, and ownership-based access control.

Operations

Applications

Endpoints for serving and routing platform applications to users

Operations

Async Refreshes

Endpoints for polling the status of asynchronous background operations such as home feed regeneration and federated search

Operations

Blocks

User blocking functionality for preventing interaction with specific users. Blocking a user prevents them from following you, seeing your posts, or interacting with your content. Block operations are federated to remote servers when blocking remote users.

Operations

Categories

Endpoints for managing forum categories within groups. Categories organize forum discussions into topics, allowing structured content browsing. Each forum must have at least one category. Most management operations require the GroupForum.Manage RBAC permission (group admin/moderator). Read operations are accessible according to group visibility settings.

Operations

Compatibility

Version-agnostic API compatibility endpoints

Operations

Domain Blocks

Public API for listing domains blocked by this instance. Visibility and reason details are controlled by platform settings.

Operations

Domain-blocks

Manage user-level domain blocks to filter content from specific federated servers. All endpoints require authentication. Domain blocks hide posts and notifications from the blocked domain and remove followers from it.

Operations

Drafts

Endpoints for personal auto-saved drafts

Operations

Email

Email address management for user accounts. Provides secure email change workflow with verification codes, password confirmation, and notification system. All email changes require authentication and are logged for security.

Operations

Embeddings Admin

Administrative endpoints for managing vector embeddings used in AI-powered features such as semantic search and content recommendations. Provides tools for enabling/disabling embeddings, configuring the embedding model, estimating costs, and managing batch recalculation jobs. Requires AdminSettings.Manage permission.

Operations

Emoji

Custom emoji management system for the platform. Supports creating, uploading, importing/exporting, searching, and deleting custom emojis. Emojis are automatically resized and optimized. Admin-only operations require Emojis.Manage permission.

Operations

Events

Endpoints for creating, retrieving, and managing events and attendees

Operations

FASP

Administration endpoints for managing FASP (Fediverse Auxiliary Service Provider) registrations and capabilities. Handles the FASP registration workflow: providers register via POST, admins confirm registration, and capabilities are activated or deactivated. Also provides debug and backfill request tools. The registration endpoint is publicly accessible; all other endpoints require the Federation.Manage RBAC permission.

Operations

FASP Data Sharing

FASP (Fediverse Auxiliary Service Provider) data sharing endpoints implementing the FASP data sharing protocol v0. Allows FASP providers to subscribe to content lifecycle events and trends, request backfills of historical data, and manage their subscriptions. All requests are authenticated using FASP Ed25519 HTTP signature verification, not user authentication. Not intended to be called directly by client applications.

FASP Debug

Debug endpoints for FASP (Fediverse Auxiliary Service Provider) integration testing. Allows FASP providers to submit debug callback responses and administrators to view and manage callback logs. The POST endpoint uses FASP Ed25519 HTTP signature authentication; the GET and DELETE endpoints are currently unauthenticated and intended for admin use only.

Federation

Server-to-server endpoints for federated group access. Remote servers request tokens on behalf of their users by signing requests with the user's private key via HTTP Signatures. No standard authentication is required; requests are validated through cryptographic signatures.

Operations

Follow

User follow relationship management. Handles following/unfollowing users, managing follow requests, and querying follower/followee relationships. Supports both local and remote (federated) users with ActivityPub protocol integration.

Operations

Forums

Endpoints for managing discussion forums within groups. Each group can have one forum that organizes discussions into categories and tags. Forums are auto-created on first access if the group does not already have one. Management operations (update, delete) require the GroupForum.Manage RBAC permission (group admin/moderator). Read operations follow group visibility settings.

Operations

Geo

Endpoints for geographic location lookup and timezone services

Operations

Group Applications

Endpoints for managing applications available to groups. Applications are installable modules that extend group functionality. Group admins can add or remove applications from their groups. The global apps list shows all available applications at the GROUP entry point, while per-group lists show only applications installed for that specific group. Management operations require the GroupApps.Manage RBAC permission.

Operations

Group Blocks

Manage group-level user blocks

Operations

Group Channels

API endpoints for managing channels within groups. Channels are specialized accounts that enable organized content distribution within groups. They support hierarchical organization with primary and auto-subscribe channels, privacy controls inherited from parent groups, and both scoped (group-specific) and global usernames for discovery. Group admins manage channels while members follow.

Operations

Group Invitations

API endpoints for managing group invitations. Group owners and admins can invite users to join their groups. Invitees can accept or reject invitations. Creating invitations requires the GroupMembers.Invite RBAC permission. Accepting, rejecting, and viewing personal invitations require standard authentication.

Operations

Group Join

API endpoints for group join workflows. Users can request to join a group, and group admins can approve or reject join requests. Join behavior depends on the group's join mode: OPEN (instant), APPROVAL (requires admin approval), or INVITE_ONLY (requires invitation). Groups may also have entry questions that must be answered before joining. Admin operations (listing, approving, rejecting requests) require the GroupMembers.Manage RBAC permission. All endpoints require authentication.

Operations

Group Member Settings

Endpoints for managing member-specific settings within groups. These settings are personal to each group member and affect their individual experience within the group. Members can only access and modify their own settings within groups they belong to.

Operations

Group Members

API endpoints for managing group membership. Provides functionality to add, update, and remove members from groups, as well as retrieve membership information. Supports both local and federated groups through ActivityPub protocol. Access control is enforced based on group privacy settings and user permissions.

Operations

Group Pins

API endpoints for managing pinned groups. Users can pin groups they are a member of to keep them easily accessible. Pinned groups support custom ordering via pin numbers and appear first in the user's group list. All endpoints require authentication.

Operations

Group Questions

API endpoints for managing group entry questions. Groups can require prospective members to answer questions before joining. Questions support multiple types (text, single choice, multiple choice) and are used to screen members when the group's join mode is set to QUESTIONS. Answers are validated and generate a token that can be used during the join process.

Operations

Group Rules

API endpoints for managing community rules within groups. Rules define the expected conduct and content policies that members must follow. Each rule consists of text (the rule itself), a hint (explanation or context), and an ordering value for display sequence. Rules are scoped to specific groups and can be managed by users with appropriate permissions.

Operations

Group Settings

Endpoints for managing group-specific settings and configuration options. These endpoints allow authorized group members to view, update, and delete settings that control group behavior, features, and customization options.

Operations

Groups

API endpoints for managing groups within the Wellesley platform. Groups are community spaces that can be public or private, support forums, and have their own membership and permission systems. Groups can be federated via ActivityPub for cross-instance communication.

Operations

Import

Endpoints for importing data from other platforms including followers, blocks, and mutes

Operations

Instance

Server instance information and configuration. Provides metadata about the server, compatible domains, supported languages, timezones, and countries. All endpoints are publicly accessible without authentication.

Operations

Lists

User list management for organizing and grouping followed accounts. Lists allow users to curate collections of accounts for easier content consumption. Lists can be public or private. Only the list owner can modify their lists. All endpoints require authentication.

Operations

Logins

Login method management for authenticated accounts. Allows adding or removing email/password and phone number as authentication methods. Adding a login method requires email or SMS verification. Removing a method is blocked if it is the last remaining login identifier. All changes are audited. All endpoints require authentication.

Operations

Markdown

Markdown-to-HTML rendering service for post and article previews. Supports autolinking of hashtags, @mentions, and custom emoji. Requires authentication.

Operations

Metrics

Endpoints for retrieving metrics and analytics data from the events stream

Operations

Mutes

User muting functionality for hiding content from specific users without blocking them. Muting a user hides their posts from your timelines and notifications, but does not prevent them from following you or interacting with your content. Mutes can be temporary (with an expiration duration) or permanent. All endpoints require authentication.

Operations

Names

Unified API for validating name availability. Supports checking user/channel usernames, group names, and category names. Returns whether a name is reserved or already in use.

Operations

Notes

Manage personal notes about other users. Notes are private and only visible to the user who created them. All endpoints require authentication. Users cannot create notes about themselves.

Operations

Notifications

User notification management for retrieving, counting, and updating notification status. Notifications are generated by user interactions such as follows, mentions, reposts, and likes. Supports filtering by notification type and status (read/unread). All endpoints require authentication.

Operations

Passkeys

Passkey (WebAuthn) registration and authentication

Operations

Password

Password management endpoints for changing and recovering account passwords. Supports two flows: authenticated password change (requires current password and email confirmation) and unauthenticated password recovery (sends reset code to account email). All password changes invalidate other active sessions for security.

Operations

Phone

Phone number change management for authenticated users. Implements a secure 4-step phone change flow: (1) request change and receive SMS code on current phone, (2) verify current phone ownership, (3) submit new phone number and receive SMS code, (4) verify new phone number. All endpoints require authentication.

Operations

Pins

Endpoints for managing Pins (top-level posts) and Highlights (pinned replies). Top-level pins are shown first in the profile scope and are limited by admin setting Maximum number of pinned posts. Replies can be pinned as highlights under their root post. Pin and unpin actions are federated via ActivityPub.

Operations

Platform Data

Endpoints for managing platform-wide and group-specific data storage. Unlike application data, this provides direct data management not tied to specific applications. Supports flexible ownership models including platform-level, group-level, and user-level data with appropriate access controls.

Operations

Platform Settings

Endpoints for managing platform-wide settings and configuration options. These endpoints control server-level settings that affect the entire platform, including features, limits, security policies, and default behaviors for all users and groups.

Operations

Polls

Endpoints for interacting with polls attached to posts, including voting and refreshing results from federated instances. Requires authentication. Polls are created as part of a post via the Posts API.

Operations

Posts

Endpoints for creating, reading, updating, and deleting posts, as well as managing comments, likes, bookmarks, reposts, subscriptions, and votes. Most endpoints require authentication; read-only feed and post endpoints are accessible to guests via @PermitAll. Post mutations are federated via ActivityPub.

Operations

RBAC

Endpoints for retrieving Role-Based Access Control (RBAC) configurations and managing roles, resources, permissions and role-to-user assignments. Scoped Role Definition (RBACRole):

  • Represents roles within the RBAC system.
  • Each role has a unique roleId, a name, an optional description, and a scope.
  • The scope defines the domain or area in which the role is valid.
  • The scope can be Global (hardcoded), currently the only one is "global"
  • The scope also can be dynamic, currently we use Group Ids, like "gr_05hxcvk1hjexere4pvtrj0hggt"
  • Roles come with assigned permissions (RBACPermissions) that define what actions the role can perform on system resources.
  • Metadata such as createdAt and updatedAt timestamps track the role's lifecycle events.

Permissions (RBACPermissions):

  • Encapsulates resource-specific access controls.
  • Each permission object specifies the resource (e.g., "user", "document") and an associated list of allowed RBACAccess types.
  • RBACAccess enumerates the supported actions: Read, Add, Modify, Delete.

Role Assignments to Actors (RBACActorRole):

  • Maps actors (e.g., users, services) to specific roles.
  • Tracks the association through actorId (representing the unique entity being assigned) and roleId (specific role ID).
  • Includes timestamps to record when the assignment was created or updated.
Operations

Remote collections

API to retrieve followers and following collections for remote (federated) users. Fetches collection data from remote ActivityPub servers, resolves actor URIs to user profiles, and returns them in the local user format. Supports pagination via offset/limit parameters. All endpoints are publicly accessible (@PermitAll) and operate on remote users only -- local users are rejected.

Operations

Reports

Unified moderation endpoints for server and group reports. Pass scope= for group scope; omit scope for server scope.

Operations

Rules

Manage platform rules that govern user conduct and content policies. Retrieving rules is publicly accessible. Creating, updating, deleting, and reordering rules require authentication and the Rules.Manage RBAC permission. All write operations are logged in the audit trail.

Operations

Sessions

Authentication session management endpoints. Allows users to view active sessions across devices, revoke individual sessions or all other sessions, and permanently delete session records. Sessions are tracked in both the database and Redis for real-time state synchronization. All endpoints require authentication. The current session cannot be revoked or deleted.

Operations

List invite links for current user

Request

Returns a paginated list of invite links created by the authenticated user. Optionally filter by active/inactive status. Each link includes usage count, maximum uses, expiration date, and creation timestamp.

Security
header
Query
activeboolean or null

Filter by active state

lastIdstring or null

Get older records (records with IDs less than this value) Alias maxId/max_id

Example: lastId=?lastId=${data.last().id}
limitinteger or null(int32)
offsetinteger or null(int32)
sortBystring or null
sortOrderstring or null

Sort order. Supported values: ASC or DESC

untilIdstring or null

Get newer records (records with IDs greater than this value) Alias minId/min_id

Example: untilId=?untilId=${data.first().id}
curl -i -X GET \
  'https://docs.wellesley.social/_mock/openapi/api/v1/users/invite-links?active=true&lastId=%3FlastId%3D%24{data.last%28%29.id}&limit=0&offset=0&sortBy=string&sortOrder=string&untilId=%3FuntilId%3D%24{data.first%28%29.id}' \
  -H 'Authorization: YOUR_API_KEY_HERE'

Responses

OK

Bodyapplication/json
linksArray of objects(SignupInviteLink)required
links[].​codestringrequired

Unique invite code

links[].​ownerUserIdstringrequired

Owner user id who created the link

Example: "us_01hxcvk1hjexere4pvtrj0ymqq"
links[].​expiresAtstring or null(date-time)

Expiration timestamp (UTC)

Example: "2022-03-10T16:15:50Z"
links[].​maxUsesinteger or null(int32)

Maximum number of uses. Null means unlimited.

links[].​usedCountinteger(int32)required

Number of uses so far

links[].​activebooleanrequired

Whether link is active (not deactivated)

links[].​createdAtstring(date-time)required

Creation timestamp (UTC)

Example: "2022-03-10T16:15:50Z"
links[].​deactivatedAtstring or null(date-time)

Deactivation timestamp (UTC)

Example: "2022-03-10T16:15:50Z"
links[].​accountsArray of strings(TypeId)required

List of account IDs created using this link

Example: ["us_01hxcvk1hjexere4pvtrj0ymqq"]
totalinteger(int32)required
Response
application/json
{
  "links": [
    { … }
  ],
  "total": 0
}

Create a new signup invite link

Request

Creates a new invite link with an auto-generated unique code. The invite can optionally have a maximum use count and expiration date. Requires authentication. Fails if invites are not enabled on the platform or if the user has exceeded the maximum number of invite links.

Security
header
Bodyapplication/jsonrequired
expiresAtstring or null(date-time)

Expiration timestamp (UTC). Must be in the future if provided.

Example: "2022-03-10T16:15:50Z"
maxUsesinteger or null(int32)>= 0

Maximum number of uses. Use null or 0 for unlimited

Example: 3
curl -i -X POST \
  https://docs.wellesley.social/_mock/openapi/api/v1/users/invite-links \
  -H 'Authorization: YOUR_API_KEY_HERE' \
  -H 'Content-Type: application/json' \
  -d '{
    "expiresAt": "2022-03-10T16:15:50Z",
    "maxUses": 3
  }'

Responses

OK

Bodyapplication/json
codestringrequired

Unique invite code

ownerUserIdstringrequired

Owner user id who created the link

Example: "us_01hxcvk1hjexere4pvtrj0ymqq"
expiresAtstring or null(date-time)

Expiration timestamp (UTC)

Example: "2022-03-10T16:15:50Z"
maxUsesinteger or null(int32)

Maximum number of uses. Null means unlimited.

usedCountinteger(int32)required

Number of uses so far

activebooleanrequired

Whether link is active (not deactivated)

createdAtstring(date-time)required

Creation timestamp (UTC)

Example: "2022-03-10T16:15:50Z"
deactivatedAtstring or null(date-time)

Deactivation timestamp (UTC)

Example: "2022-03-10T16:15:50Z"
accountsArray of strings(TypeId)required

List of account IDs created using this link

Example: ["us_01hxcvk1hjexere4pvtrj0ymqq"]
Response
application/json
{
  "code": "string",
  "ownerUserId": "us_01hxcvk1hjexere4pvtrj0ymqq",
  "expiresAt": "2022-03-10T16:15:50Z",
  "maxUses": 0,
  "usedCount": 0,
  "active": true,
  "createdAt": "2022-03-10T16:15:50Z",
  "deactivatedAt": "2022-03-10T16:15:50Z",
  "accounts": [
    "us_01hxcvk1hjexere4pvtrj0ymqq"
  ]
}

Deactivate an invite link

Request

Deactivates an existing invite link by its code, preventing further use. Only the owner of the invite link can deactivate it. Returns 404 if the invite link is not found or does not belong to the authenticated user.

Security
header
Path
codestringrequired

Invite code

curl -i -X PUT \
  'https://docs.wellesley.social/_mock/openapi/api/v1/users/invite-links/deactivate/{code}' \
  -H 'Authorization: YOUR_API_KEY_HERE'

Responses

OK

Bodyapplication/json
any
Response
application/json
null

Suggestions

Personalized follow suggestions for the authenticated user based on FASP recommendations. Excludes users already followed or pending follow requests, and users blocked by either side.

Operations

Tags

Endpoints for managing hashtags, including following, featuring, and retrieving tag information

Operations

Translation

Endpoints for translating text between languages

Operations

Uploads

Endpoints for uploading, retrieving, and managing media files. The upload flow is two-step: first create an upload via POST to get an upload URL, then PUT the actual file content to that URL. Most endpoints require authentication. Class-level @RBACAuthorize requires authentication by default; public endpoints use @PermitAll.

Operations

User Devices

Manage user device registrations for Web Push notifications. Allows registering, listing, and removing push notification subscriptions. All endpoints except VAPID public key retrieval require authentication.

Operations

User Settings

Endpoints for managing user-specific settings and preferences. These endpoints allow authenticated users to view, update, and delete their personal settings that control their account behavior, interface preferences, privacy options, and feature customizations.

Operations

Users

User profile management endpoints. Handles user creation, retrieval by ID or username, profile updates, deletion, and social graph queries (followers/following). Supports both authenticated and guest access with varying levels of detail. Guest users receive basic profile data; authenticated users can access relationship statuses and full profiles.

Operations

Authorize Interaction Resource

Operations

Platform routes

Operations