Management API - Overview
The Management API gives trusted integrations programmatic access to AppTego Portal operations. Use it to read configuration, manage builds, query logs, administer users, and integrate tenant data into internal systems.
Use this API for administrative and reporting workflows. For the narrower CI/CD upload-status-download workflow, use the Automation API.
Base URL: https://app.apptego.com/frontend
Authentication
Most Management API endpoints require an authenticated user or API token. The API supports two authenticated request styles.
API Token
Create API tokens in the AppTego Portal under User Management -> API Tokens. API tokens require a Team or Enterprise tenant.
When you create a token, AppTego returns a token_key and token_secret. The secret is shown only once. Combine them with a colon separator, Base64-encode the result, and send it as a Bearer token.
token_key:token_secret -> Base64 encode -> Authorization: Bearer <encoded-value>Example:
TOKEN=$(printf '%s' "$TOKEN_KEY:$TOKEN_SECRET" | base64)
curl -sS -X POST https://app.apptego.com/frontend/get_applications \
-H "Authorization: Bearer $TOKEN" \
-H "tenant: $TENANT_ID" \
-H "Content-Type: application/json" \
--data-binary '{}'API token permissions are stored on the token as tenant-user permissions. New API tokens are created with no permissions; assign only the permissions the integration needs.
Browser Session JWT
The AppTego Portal uses Cognito browser session tokens automatically. Browser session authentication supports email/password login with MFA, Google or social login, and SAML SSO for Enterprise tenants.
Server-side integrations should use API tokens instead of browser session credentials.
Public And Special-Purpose Routes
Some routes do not use the Management API token model:
| Route family | Authentication |
|---|---|
/frontend/get_tenants and /frontend/create_tenant | Authenticated user, no tenant header. |
/frontend/saml/* browser-flow routes | Public SAML browser flow endpoints. |
/automate/* | Automation API keys, not Management API tokens. |
/frontend/payment/webhook-stripe-445692 | Stripe webhook signature verification. |
Required Headers
| Header | Required | Description |
|---|---|---|
Authorization | Yes | Bearer <base64(token_key:token_secret)> for API tokens, or a Cognito JWT for browser sessions. |
tenant | Usually | Tenant ID for tenant-scoped /frontend/* calls. Not used by pre-tenant routes such as /frontend/get_tenants and /frontend/create_tenant. |
Content-Type | For JSON requests | application/json. |
The tenant ID is returned by /frontend/get_tenants and is also visible in the portal tenant context.
Response Format
The API returns standard HTTP status codes. The Lambda transport body is JSON, and the JSON body is the endpoint response directly. Successful responses are not wrapped in a data object.
Success example:
{
"applications": [
{
"application_id": "app-uuid-1234",
"platform": "android"
}
]
}Permission denied:
{
"error": "You don't have permission to do this. The 'Configuration' permission is required.",
"permission_denied": true,
"required_permission": "modify_configuration"
}Plan required:
{
"error": "API tokens require a Team or Enterprise plan"
}Authentication failed:
{
"error": "Authentication failed"
}Validation error:
{
"error": "Version is missing"
}Server error:
{
"error": "An internal error occurred"
}Permissions
Tenant membership stores comma-separated internal permission keys. Public docs use the corresponding AppTego Portal labels.
| Portal Permission | Internal Key | Controls Access To |
|---|---|---|
Configuration | modify_configuration | Modify security controls, promote configuration, push live configuration, and manage App Integrity settings. |
Builds | build_applications | Upload and delete builds, manage signing keys, run legacy signing flows, delete applications, and delete custom library builds. |
Certificates | update_certificates | Manage Certificate Pinning certificate entries. |
Custom Messages | manage_custom_messages | Edit custom message content and active state. |
Users & API Management | user_and_api_management | Add/remove users, update permissions, manage API tokens, manage automation keys, and manage SAML group mappings. |
Tenant Settings | modify_tenant_settings | Rename tenant, update deployment-environment support, manage billing helpers, and configure SAML SSO or custom library identifiers. |
Read-only endpoints that do not require a specific permission are accessible to authenticated tenant users and API tokens that belong to the tenant, subject to plan gates.
Subscription Tiers
Some endpoints are restricted by tenant plan.
| Feature | Free | Team | Enterprise |
|---|---|---|---|
| API tokens | No | Yes | Yes |
| Automation API keys | No | Yes | Yes |
| User management beyond the owner | No | Yes | Yes |
| Config promotion | No | Yes | Yes |
| Code signing and signing keys | No | Yes | Yes |
| Custom messages | No | Yes | Yes |
| Support tickets | No | Yes | Yes |
AI Search (/frontend/nl_search_query) | No | Yes | Yes |
Tego Assistant (/frontend/helpbot/*) | Yes, limited | Yes | Yes |
| Live config push | No | No | Yes |
| Audit and device logs | No | No | Yes |
| App Integrity | No | No | Yes |
| SAML SSO | No | No | Yes |
| Custom Library / BYOA | No | No | Yes |
Feature availability for individual controls is also governed by the tenant's current configuration options. Read the relevant options endpoint before enabling controls by API.
Operational Limits
| Area | Implemented Limit |
|---|---|
| API tokens | Maximum 20 per tenant. |
| Automation keys | Maximum 10 per tenant. |
| Portal users | Team defaults to 20 users; Enterprise defaults to 100 users. |
| Signing keys | Maximum 10 signing keys per platform. |
| Custom certificates | Maximum 50 custom Certificate Pinning entries per version. |
| Support tickets | Maximum 10 open tickets per tenant. |
| Support comments | Maximum 20 comments per ticket. |
| Tego Assistant | Default weekly limits are 10 Free, 100 Team, and 1000 Enterprise messages per tenant. |
| AI Search | Monthly limits are 100 Team and 200 Enterprise queries per tenant. |
Build upload concurrency and build quotas are plan-dependent and may be overridden by tenant-specific limits.
Quick Reference
See the detailed docs for full request and response examples:
- Configuration: read and modify security control settings.
- Applications And Builds: upload, download, and manage protected apps.
- Code Signing: manage signing keys and signing workflows.
- Users And Access: tenant membership, API tokens, automation keys, SAML SSO, and tenant settings.
- Monitoring And Logs: dashboard data, WebSocket notifications, audit logs, device logs, and App Integrity.
- Tenant And Features: certificates, custom messages, custom libraries, support, billing helpers, documents, sales contact, Tego Assistant, and AI Search.
Production Integration Checklist
| Check | Recommended practice |
|---|---|
| Token ownership | Use a named token for each integration. |
| Permissions | Grant only the required permission categories. |
| Secret storage | Store key material in a vault or secret manager. |
| Tenant context | Send the intended tenant header for tenant-scoped calls. |
| Request shape | Use the exact field names documented for each endpoint. |
| Error handling | Handle authentication, permission, subscription, validation, not-found, rate-limit, and server errors separately. |
| Auditability | Record the integration name, request purpose, and relevant AppTego IDs in your internal logs. |