Automation Hub

API for Automation Hub configuration and shareable link management

The Automation Hub API provides endpoints for managing hub settings, analytics, and shareable link authentication for public marketplace access.

Overview

The Automation Hub API includes three main areas:

  • Settings: Configure hub appearance, behavior, and access controls (admin only)

  • Analytics: Track template usage and performance metrics (see Analytics API)

  • Shareable Links: Enable public access via email-based authentication with OTP tokens

Hub Settings

Get Settings

GET http://[API-URL]/automation-hub/settings

Retrieve the current Automation Hub settings. All authenticated users can read settings, but sensitive fields (like email allow lists) are filtered for non-admin users.

curl -XGET "http://[API-URL]/automation-hub/settings" \
  -H "Authorization: Bearer [ACCESS_TOKEN]"

{
  "id": "default",
  "settings": {
    "sharing": {
      "allowedEmails": [  // Only visible to admin users
        "[email protected]",
        "[email protected]"
      ]
    },
    "theme": {
      "primaryColor": "#007bff",
      "logoUrl": "https://example.com/logo.png"
    },
    "customField": "any-value"  // Settings support flexible schema
  },
  "createdAt": "2026-01-15T10:30:00.000Z",
  "updatedAt": "2026-04-20T14:45:00.000Z"
}

Field Filtering:

  • Admin users: See all settings including sharing.allowedEmails

  • Regular users: Sensitive fields are automatically filtered from the response

Update Settings

POST http://[API-URL]/automation-hub/settings

Create or update Automation Hub settings. This endpoint performs an upsert operation. Admin token required.

Request Body

Name                             Type     Description
settings*                        object   Settings object with flexible schema
settings.sharing.allowedEmails   array    Email addresses allowed to access Hub via share link

Flexible Settings Schema

The settings object accepts any properties, so you can add custom fields without backend changes. Only settings.sharing.allowedEmails is validated (it must be an array of valid email addresses).

Delete Settings

DELETE http://[API-URL]/automation-hub/settings

Delete all Automation Hub settings and reset to defaults. Admin token required.

Settings successfully deleted.

Shareable Links

Shareable links allow you to provide public access to your Automation Hub marketplace using email-based authentication with one-time passwords (OTP). Users receive activation links via email to authenticate without traditional login credentials.

Architecture

  1. Email Allow List: Admin configures allowed emails in hub settings

  2. Request Login: User requests access with their email

  3. Activation Link: System sends time-limited activation code

  4. Token Generation: User activates link to receive JWT token with OTP flag

  5. Virtual User: System creates virtual user account automatically

Request Login

POST http://[API-URL]/automation-hub/share/request-login

Request an activation link for email-based login. No authentication required. Rate limited by email and IP address.

Request Body

Name     Type     Description
email*   string   Email address (max 255 characters)

An email with the activation link is sent automatically.

Rate Limits:

  • Per email: Configurable via AUTOMATION_HUB_RATE_LIMIT_REQUEST_LOGIN_EMAIL (default: 5 requests per minute)

  • Per IP: Configurable via AUTOMATION_HUB_RATE_LIMIT_REQUEST_LOGIN_IP (default: 20 requests per minute)

Email Delivery: The system automatically selects the email service:

  • If SMTP_HOST is configured, uses SMTP

  • Otherwise, uses Cloud Email API (requires APPMIXER_CLOUD_EMAIL_API and APPMIXER_CLOUD_EMAIL_API_KEY)

GET http://[API-URL]/automation-hub/share/activate?code=[CODE]

Activate the link, create or find the virtual user, and return a JWT token. No authentication required. Rate limited by IP address.

Query Parameters

Name    Type     Description
code*   string   Activation code from email link

The JWT token includes an otp: true flag and can be used for authentication.

Rate Limits:

  • Per IP: Configurable via AUTOMATION_HUB_RATE_LIMIT_ACTIVATE_IP (default: 10 requests per minute)

Virtual Users:

  • Automatically created on first activation

  • Username and email set to the activation email address

  • Flagged as virtual users in the system

  • Can access only the Automation Hub marketplace

POST http://[API-URL]/automation-hub/share/refresh

Request a new activation link for users with expired tokens. It works exactly like /request-login but is intended for users who already have an expired session. No authentication required. Rate limited by email and IP address.

Request Body

Name     Type     Description
email*   string   Email address (max 255 characters)

Refresh vs Request Login

Both endpoints function identically but serve different use cases:

  • /request-login: Initial access request

  • /refresh: Token renewal for existing users

Both share the same allow list validation and rate limiting.

Rate Limits:

  • Per email: Configurable via AUTOMATION_HUB_RATE_LIMIT_REFRESH_EMAIL (default: 5 requests per minute)

  • Per IP: Configurable via AUTOMATION_HUB_RATE_LIMIT_REFRESH_IP (default: 20 requests per minute)

Configuration

Environment Variables

Email Configuration

SMTP (Option 1):

Cloud Email API (Option 2):

The system automatically uses SMTP if SMTP_HOST is set, otherwise falls back to Cloud Email API.

Rate Limiting

Use Cases

Public Marketplace Access

Enable public users to access your Automation Hub marketplace:

Custom Hub Theming

Configure custom theme and branding:

Programmatic Allow List Management

Dynamically manage email access:

Security

Email Allow List

The email allow list provides the primary access control mechanism:

  • Only emails on the list can request activation links

  • Case-insensitive matching

  • Constant-time response prevents email enumeration attacks

  • Administrators manage the list via settings API

Rate Limiting

Multiple rate limits protect against abuse:

  • Per Email: Prevents spam to specific addresses

  • Per IP: Prevents brute-force attacks from single source

  • Separate Limits: Different limits for request, activate, and refresh operations
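The allow-list and rate-limit checks described above, combined into one gate for /request-login. This is an added sketch, not Appmixer's own code: the fixed-window algorithm, the function names and the outcome strings are assumptions, while the 5 and 20 per-minute defaults and the 255-character cap come from this page.

```javascript
const LIMITS = { email: 5, ip: 20 }; // page defaults for /request-login, per minute
const WINDOW_MS = 60000;
const normalizeEmail = (e) => e.trim().toLowerCase();

// Fixed one-minute windows are an assumption; the page only gives the rates.
class FixedWindowLimiter {
  constructor(limit) {
    this.limit = limit;
    this.slots = new Map(); // key -> { windowStart, count }
  }
  // Counts the request and returns true while the key is within its limit.
  take(key, now) {
    const windowStart = Math.floor(now / WINDOW_MS) * WINDOW_MS;
    const slot = this.slots.get(key);
    if (!slot || slot.windowStart !== windowStart) {
      this.slots.set(key, { windowStart, count: 1 });
      return true;
    }
    if (slot.count >= this.limit) return false;
    slot.count += 1;
    return true;
  }
}

function createRequestLoginGate(allowedEmails) {
  const allow = new Set(allowedEmails.map(normalizeEmail));
  const perEmail = new FixedWindowLimiter(LIMITS.email);
  const perIp = new FixedWindowLimiter(LIMITS.ip);
  return function gate({ email, ip }, now = Date.now()) {
    if (typeof email !== 'string' || email.length === 0 || email.length > 255) return 'bad_request';
    const key = normalizeEmail(email);
    // Evaluate both limiters every time (no short-circuit) so each counter
    // sees every request, and key the email limiter on the normalized form
    // so "A@x" and "a@x" share one budget.
    const ipOk = perIp.take(ip, now);
    const emailOk = perEmail.take(key, now);
    if (!ipOk || !emailOk) return 'rate_limited';          // page: 429
    return allow.has(key) ? 'accepted' : 'not_authorized'; // page: 403 when not listed
  };
}
```

Limits are charged before the allow-list lookup, so requests for addresses that are not on the list still consume the per-IP budget.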

Activation links include several security features:

  • Time-Limited: Configurable TTL (default: 1 hour)

  • Single-Use: Each code can only be activated once

  • Atomic Marking: Race condition protection prevents double-use

  • Random Codes: Cryptographically secure token generation
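The four activation-link properties listed above, as an added sketch that is not Appmixer's own code. The class, its method names, the in-memory Map and the choice to store only a hash of the code are assumptions; the 1-hour TTL and the 404/400 outcomes are the ones this page documents.

```javascript
const crypto = require('node:crypto');

const TTL_MS = 60 * 60 * 1000; // page default TTL: 1 hour
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

class ActivationStore {
  constructor() {
    this.rows = new Map(); // codeHash -> { email, expiresAt, usedAt }
  }

  // Random code: 32 bytes from the OS CSPRNG. Storing only the hash is a
  // choice of this sketch, so a leaked table holds no usable links.
  issue(email, now = Date.now()) {
    const code = crypto.randomBytes(32).toString('base64url');
    const row = { email: email.trim().toLowerCase(), expiresAt: now + TTL_MS, usedAt: null };
    this.rows.set(sha256(code), row);
    return code;
  }

  // Atomic marking: stands in for ONE conditional database update
  // ("set usedAt = now where hash = ? and usedAt is null and expiresAt > now").
  // Check and mark are a single step, so two racing requests cannot both win.
  claim(hash, now) {
    const row = this.rows.get(hash);
    if (!row || row.usedAt !== null || row.expiresAt <= now) return null;
    row.usedAt = now;
    return row;
  }

  activate(code, now = Date.now()) {
    const hash = sha256(String(code));
    const row = this.claim(hash, now);
    if (row) return { status: 'ok', email: row.email };
    // The claim failed; only now look up why, to choose the error response.
    const seen = this.rows.get(hash);
    if (!seen) return { status: 'invalid' };              // page: 404
    if (seen.usedAt !== null) return { status: 'used' };  // page: 400
    return { status: 'expired' }; // status code for this case is not given on the page
  }
}

// Constructed walk-through: one code activated twice, one left to expire.
function demo(t0 = 1700000000000) {
  const store = new ActivationStore();
  const code = store.issue('User@Example.com', t0);
  const stale = store.issue('user@example.com', t0);
  return [store.activate(code, t0 + 1000), store.activate(code, t0 + 2000),
    store.activate(stale, t0 + TTL_MS), store.activate('not-a-code', t0)].map((r) => r.status);
}
```

A read-then-write sequence (look up the row, then mark it used in a second step) is the pattern to avoid; with a real database the claim must be a single conditional update.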

Virtual Users

Virtual users have restricted capabilities:

  • Created automatically on activation

  • Limited to Automation Hub marketplace access

  • Separated from regular user accounts

  • JWT tokens include otp: true flag for identification

Audit Logging

All hub settings operations are automatically logged:

Settings Update:

Settings Delete:

Each audit log entry includes:

  • Operation type (upsert/delete)

  • Before and after state

  • Timestamp and admin user who performed the action

  • Full settings object (including sensitive fields)

See Audit Logs for more information.

Error Handling

Common Errors

Email Not Authorized (403)

Solution: Add email to allow list via settings API

Rate Limit Exceeded (429)

Solution: Wait 60 seconds before retrying

Invalid Activation Code (404)

Solution: Request new activation link via /request-login or /refresh

Link Already Used (400)

Solution: Request new activation link - each code can only be used once

Email Sending Failures

If email sending fails:

  1. Check SMTP configuration (host, port, credentials)

  2. Verify Cloud Email API configuration (URL, API key)

  3. Review server logs for detailed error messages

  4. Ensure firewall allows outbound email connections
