We believe automation should be a right, not a premium feature. Every action in the HostUp control panel — VPS, domains, DNS, web hosting, and billing — is an API call, powered by the same 325 endpoints we build and run HostUp on.
If you can click it, you can script it. Our own team has no private endpoints. What we use, you use.
Everything in the dashboard is in the API. Do a task once, script it, and never do it by hand again.
No private endpoints, no enterprise tier. The API our team runs HostUp on is the one you build on — all of it.
We treat every support ticket as a product flaw. Predictable shapes, stable error codes, and typed IDs mean fewer surprises.
AI-agent-first
It’s 3am and Pushover just woke you — a server is down. Instead of fumbling through a dashboard half-asleep, you message a Telegram bot: “restore last night’s backup.” It does, confirms, and you go back to sleep.
That’s the idea. Clicking through a dashboard is the old way — every v2 response is shaped so an AI agent can act on it directly. Wire HostUp into a Telegram bot, Claude, or your own assistant, and just say what you want.
It only works if the model can trust the data. So v2 bakes units into field names, gives every resource a typed, prefixed ID, returns RFC 7807 errors with a stable code vocabulary, and states the result outright — nothing to infer. The lowest hallucination surface we could design.
On it — finding the latest backup for db-01.
/api/v2/vps/{id}/backups → bkp_01H… · 02:00 /api/v2/vps/{id}/backups/{backupId}/actions/restore → 202 job_… Restored from the 02:00 snapshot. db-01 is back online — go back to sleep.
Every resource is dom_…, vps_…, inv_… — a model can’t mistake a domain for a server.
memoryGb, taxRateDecimal — no guessing what a raw number means.
Every non-2xx response is RFC 7807 Problem Details with a stable code — a closed vocabulary, not free-text.
llms.txt hands an agent the whole API in one file, and every endpoint page has a Copy for LLM button.
Include API keys in the Authorization: Bearer <token> header. Dashboard sessions may also authenticate with the hostup_session cookie.
Create and manage API keys at cloud.hostup.se/api-management. You can define scopes for each key to limit permissions — for example, restrict a DNS key to only manage specific record types or zones.
For detailed setup instructions, see the API Authentication Guide.
250 requests per minute per API key. When you exceed the limit, you'll receive a 429 Too Many Requests response.
| Header | Description |
|---|---|
| X-RateLimit-Limit | Max requests allowed |
| X-RateLimit-Remaining | Requests remaining in current window |
| X-RateLimit-Reset | ISO timestamp when limit resets |
| Retry-After | Seconds until retry (on 429 only) |
Every non-2xx v2 response is an RFC 7807 Problem Details document with a stable code field for client branching:
{
"type": "https://developer.hostup.se/errors/invalid_request",
"title": "Invalid request",
"status": 400,
"detail": "The request body failed validation.",
"code": "invalid_request"
} Our customer portal at cloud.hostup.se uses the exact same API that you have access to as a developer. Open your browser's DevTools (F12), go to the Network tab, and perform any action in the portal to see the API calls being made. This is a great way to discover endpoints and understand request/response formats.
Each endpoint page has a "Copy for LLM" button that copies a structured prompt with all the endpoint details. Paste it into ChatGPT, Claude, or your preferred AI assistant to quickly generate integration code, understand the endpoint, or troubleshoot issues.
Domain registration, transfers, nameservers, DNS, redirects, CDN, and forwarding
/api/v2/dns-zones GET /api/v2/dns-zones/{id} GET /api/v2/dns-zones/{id}/records POST /api/v2/dns-zones/{id}/records PUT /api/v2/dns-zones/{id}/records/{recordId} PATCH /api/v2/dns-zones/{id}/records/{recordId} DELETE /api/v2/dns-zones/{id}/records/{recordId} GET /api/v2/domains CDN zones, edge proxy rules, security settings, and cache behavior
Hosting accounts, cPanel, files, databases, email, and WordPress operations
/api/v2/shared-hosting GET /api/v2/shared-hosting/{accountId} PATCH /api/v2/shared-hosting/{accountId} GET /api/v2/shared-hosting/{accountId}/account-details GET /api/v2/shared-hosting/{accountId}/account-stats GET /api/v2/shared-hosting/{accountId}/actions/billing-cycle POST /api/v2/shared-hosting/{accountId}/actions/billing-cycle POST /api/v2/shared-hosting/{accountId}/actions/cancel Fixed-cycle VPS instances, actions, backups, snapshots, console, networking, and maintenance
Pay-as-you-go Cloud VPS deployment, quotas, private networks, and block volumes
/api/v2/placement-groups POST /api/v2/placement-groups GET /api/v2/placement-groups/{id} PATCH /api/v2/placement-groups/{id} DELETE /api/v2/placement-groups/{id} POST /api/v2/placement-groups/{id}/actions/resolve POST /api/v2/placement-groups/{id}/members DELETE /api/v2/placement-groups/{id}/members/{vpsId} Invoices, payments, credits, pricing, and order creation
/api/v2/billing/activity GET /api/v2/billing/cards POST /api/v2/billing/cards DELETE /api/v2/billing/cards/{id} POST /api/v2/billing/credit/actions/add-funds GET /api/v2/billing/invoices GET /api/v2/billing/invoices/{id} POST /api/v2/billing/invoices/{id}/actions/apply-credit Profiles, delegated access, contacts, sessions, and account preferences
Support tickets, availability, feedback, and attachments
/api/v2/feedback POST /api/v2/support/attachments GET /api/v2/support/attachments/{id} GET /api/v2/support/departments POST /api/v2/support/port25-requests GET /api/v2/support/tickets POST /api/v2/support/tickets GET /api/v2/support/tickets/{id} We build infrastructure that gives you control. The same API we use internally is available to you. Our goal is that you should never need to contact support — and when you do, we see it as a sign that we can improve the product.