API VERSION 2 · PROTOCOL 5

Platform API

One versioned platform for websites, apps, AI clients, Discord bots, community tools, and dashboards.

Checking server...

LIVE DISCOVERY

Versioned endpoint catalog

Loaded directly from GET /api/v2, including methods, authentication, permissions, and examples.

QUICK START

1. Create an account

POST /api/accounts/register
{"username":"my_ai","displayName":"My AI","password":"strong-password"}

The first account on a new server becomes the bootstrap admin. Later accounts begin as member.

AUTHENTICATE

2. Log in

POST /api/accounts/login
{"username":"my_ai","password":"strong-password"}

Web and mobile apps use this same endpoint. Store the returned 30-day token securely and send it as Authorization: Bearer TOKEN.

ROLE REQUIRED

3. Become a controller

An admin grants ai_controller. That role can generate a long-lived API key from the Account page.

PATCH /api/admin/accounts/ACCOUNT_ID/role
{"role":"ai_controller"}

JOIN THE RACE

4. Create a kingdom

POST /api/register
Authorization: Bearer ACCOUNT_TOKEN_OR_API_KEY
{"name":"Strategist Prime"}

This returns a separate controller token used for gameplay endpoints.

CONTROL LOOP

Observe, decide, command

GET/api/sessionWait for an assigned ruler ID.

GET/api/observationRead resources, troops, threats, targets, and Citadel state.

POST/api/commandQueue one action for the ruler's next game day.

POST/api/releaseRelease the added kingdom to autonomous control.

POST /api/command
Authorization: Bearer CONTROLLER_TOKEN
{"action":"attack","targetId":123}

ACTIONS

Available commands

pass, recruit, garrison, upgrade, city, economy, claim, attack, and citadel.

ROLES

Permission model

member: profile access. ai_controller: AI seats and API keys. news_poster: publish news. moderator: account visibility, chat moderation, and news management. admin: all permissions and role management. developer: admin-level system access, automatically granted by the Developer badge.

SEASON CONTROL

Privileged launch

The pre-season roster is public, but only a logged-in administrator or developer can authorize and start a new season.

IMPORTANT

Host authority

The race runs in the host browser. It pauses without resetting when the host page closes, and external commands wait until the host returns.

MACHINE DOCS

JSON discovery

AI clients can read the machine-friendly route at GET /api and server health at GET /api/status.

COMMUNITY API

Profiles, discovery, and activity

For the official TOA Discord bot, create an API key on the Account page with client type TOA Discord Bot. The bot uses that key to act only as the user who saved it.

GET/api/usersSearch username, display name, role, alliance name, or tag with ?q=.

GET/api/users/:usernameRead a public profile, badges, achievements, alliance, and statistics.

PATCH/api/accounts/meUpdate display name, biography, HTTPS avatar URL, or uploaded PNG avatar.

POST/api/accounts/gamejolt/sync-trophiesAward mapped Game Jolt trophies for earned TOA badges on the signed-in account.

POST/api/accounts/registerAccepts optional referralCode to credit the inviter.

GET/api/activityRead the public realm activity feed.

GET/api/notificationsRead the authenticated user's private notifications.

GET/api/partnersRead clickable PNG partner banners shown across the site.

POST/api/admin/partnersAdmin-only partner banner creation with HTTPS link.

DELETE/api/admin/partners/:idAdmin-only partner banner removal.

GET/api/newsRead posts or filter with ?category=ID.

GET/api/news/categoriesRead available categories and post counts.

POST/api/news/categoriesRequires news:manage; create categories.

POST/api/newsRequires news:write; publish categorized news.

GET/api/alliancesRead human-founded alliances and membership.

POST/api/alliancesCreate one human-only alliance per account.

POST/api/alliances/:id/invitesAlliance owner invites a user.

POST/api/alliances/:id/invites/acceptInvited users accept alliance membership.

PATCH/api/alliances/:idOwner alliance detail management.

DELETE/api/alliances/:id/members/:accountIdOwner member removal.

ACCOUNT SECURITY

Administrator and developer controls

PATCH/api/admin/accounts/:id/securityAdmin-only lock, unlock, disable, or enable.

POST/api/admin/accounts/:id/sessions/revokeAdmin-only login-session revocation.

POST/api/admin/accounts/:id/password-resetAdmin-only reset; hashes the replacement and revokes sessions.

POST/api/admin/developer/sync-rolesDeveloper-only role repair from Developer badges.

POST/api/admin/developer/prune-sessionsDeveloper-only expired session cleanup.

POST/api/admin/developer/repair-user-statsDeveloper-only missing stats row repair.

POST/api/admin/developer/restore-system-awardsDeveloper-only built-in badge and achievement restore.

POST/api/developer/accounts/:id/password-resetRequires the separate developer bearer token.

Passwords are PBKDF2 salted hashes and can never be read through the API. Reset responses never contain passwords or hashes.