Admin

Challenge management, uploads, teams, verifications, submissions, settings, and admin bot service routes.

These admin API pages cover challenge data, uploads, teams, pending email verifications, submission audit rows, runtime settings, admin bot service work, and external-auth client registration. Most user facing admin routes need a user auth token with the listed permission bits. Admin bot service routes use the shared admin bot bearer token instead. The end-user side of the external-auth flow lives under External auth.

Permissions, captcha actions, and rate limit conventions are documented in the API overview.

Permissions#

Permission	Used by
`challsRead`	Reading admin challenge data, upload state, instancer schemas, admin bot status, and admin user solve history.
`challsWrite`	Updating challenges and uploading files.
`challsSolveWrite`	Removing solves.
`usersWrite`	Listing and editing teams, creating team tokens, managing pending verifications, and reading submission audit rows.
`settingsWrite`	Reading and updating runtime settings.

When a route lists more than one permission bit, the token needs every listed bit.

`GET` Admin challenge list

GET /api/[v2,v1]/admin/challs

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/challs" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminChallenges",
  "message": "The retrieval of challenges as admin was successful.",
  "data": [
    {
      "id": "<id>",
      "name": "<name>",
      "description": "<description>",
      "category": "<category>",
      "author": "<author>",
      "files": [
        {
          "name": "<name>",
          "url": "<url>",
          "size": 0
        }
      ],
      "points": {
        "min": 0,
        "max": 0
      },
      "flag": "<flag>",
      "tiebreakEligible": false,
      "sortWeight": 0,
      "instancerConfig": {
        "challengeIntegrationId": "<challenge-integration-id>",
        "config": null,
        "expose": [
          {
            "kind": "tcp",
            "hostPrefix": "<host-prefix>",
            "containerName": "<container-name>",
            "containerPort": 0,
            "shouldDisplay": false,
            "title": "<title>"
          }
        ],
        "timeoutMilliseconds": 0,
        "extendable": false
      },
      "adminBotConfig": {
        "code": "<code>",
        "inputs": null,
        "revision": "<revision>",
        "timeoutMilliseconds": 0,
        "requireInstancerInstancesRunning": false
      },
      "hidden": false,
      "releaseTime": 0,
      "scoring": {
        "kind": "decay"
      }
    }
  ]
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v1/admin/challs" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminChallenges",
  "message": "The retrieval of challenges as admin was successful.",
  "data": [
    {
      "id": "<id>",
      "name": "<name>",
      "description": "<description>",
      "category": "<category>",
      "author": "<author>",
      "files": [
        {
          "name": "<name>",
          "url": "<url>"
        }
      ],
      "points": {
        "min": 0,
        "max": 0
      },
      "flag": "<flag>",
      "tiebreakEligible": false,
      "sortWeight": 0
    }
  ]
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: challsRead
Captcha: No captcha
Rate limit: No rate limit

This route shows every challenge with admin fields. Hidden and unreleased challenges are included so the admin panel can display the full challenge set.

For new clients, V2 is usually the best fit. It includes hidden state, release time, instancer config, admin bot config, and file sizes. V1 remains available for older admin tooling.

Response fields

idstring

Unique identifier.

namestring

Display name.

descriptionstring

Returned description value.

categorystring

Returned category value.

authorstring

Returned author value.

files[].namestring

Display name.

files[].urlstring

Resource URL.

files[].sizenumber | null

Size in bytes.

points.minnumber

Returned points min value.

points.maxnumber

Returned points max value.

flagstring

Returned flag value.

tiebreakEligibleboolean

Returned tiebreak eligible value.

sortWeightnumber | null | undefined

Returned sort weight value.

instancerConfigobject | null | undefined

Returned instancer config value.

adminBotConfigobject | null | undefined

Returned admin bot config value.

hiddenboolean

Returned hidden value.

releaseTimenumber | null | undefined

Returned release time value.

scoringobject | object | null | undefined

Returned scoring value.

Response fields

idstring

Unique identifier.

namestring

Display name.

descriptionstring

Returned description value.

categorystring

Returned category value.

authorstring

Returned author value.

files[].namestring

Display name.

files[].urlstring

Resource URL.

points.minnumber

Returned points min value.

points.maxnumber

Returned points max value.

flagstring

Returned flag value.

tiebreakEligibleboolean

Returned tiebreak eligible value.

sortWeightnumber | null | undefined

Returned sort weight value.

V1 challenge entries do not include hidden, releaseTime, instancerConfig, adminBotConfig, or file size.

`GET` Admin challenge detail

GET /api/[v2,v1]/admin/challs/:id

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/challs/challenge-id" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminChallenge",
  "message": "The retrieval of the challenge as admin was successful.",
  "data": {
    "id": "<id>",
    "name": "<name>",
    "description": "<description>",
    "category": "<category>",
    "author": "<author>",
    "files": [
      {
        "name": "<name>",
        "url": "<url>",
        "size": 0
      }
    ],
    "points": {
      "min": 0,
      "max": 0
    },
    "flag": "<flag>",
    "tiebreakEligible": false,
    "sortWeight": 0,
    "instancerConfig": {
      "challengeIntegrationId": "<challenge-integration-id>",
      "config": null,
      "expose": [
        {
          "kind": "tcp",
          "hostPrefix": "<host-prefix>",
          "containerName": "<container-name>",
          "containerPort": 0,
          "shouldDisplay": false,
          "title": "<title>"
        }
      ],
      "timeoutMilliseconds": 0,
      "extendable": false
    },
    "adminBotConfig": {
      "code": "<code>",
      "inputs": null,
      "revision": "<revision>",
      "timeoutMilliseconds": 0,
      "requireInstancerInstancesRunning": false
    },
    "hidden": false,
    "releaseTime": 0,
    "scoring": {
      "kind": "decay"
    }
  }
}

{
  "kind": "badChallenge",
  "message": "The challenge could not be found."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v1/admin/challs/challenge-id" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminChallenge",
  "message": "The retrieval of the challenge as admin was successful.",
  "data": {
    "id": "<id>",
    "name": "<name>",
    "description": "<description>",
    "category": "<category>",
    "author": "<author>",
    "files": [
      {
        "name": "<name>",
        "url": "<url>"
      }
    ],
    "points": {
      "min": 0,
      "max": 0
    },
    "flag": "<flag>",
    "tiebreakEligible": false,
    "sortWeight": 0
  }
}

{
  "kind": "badChallenge",
  "message": "The challenge could not be found."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: challsRead
Captcha: No captcha
Rate limit: No rate limit

This route reads one challenge with admin fields. The admin panel uses it when someone opens the challenge editor.

For new clients, V2 is usually the best fit. V1 returns the older admin challenge fields and remains available for existing integrations.

Path parameters

id
*
 required

string

Unique identifier.

Path parameters

id
*
 required

string

Unique identifier.

Response fields

idstring

Unique identifier.

namestring

Display name.

descriptionstring

Returned description value.

categorystring

Returned category value.

authorstring

Returned author value.

files[].namestring

Display name.

files[].urlstring

Resource URL.

files[].sizenumber | null

Size in bytes.

points.minnumber

Returned points min value.

points.maxnumber

Returned points max value.

flagstring

Returned flag value.

tiebreakEligibleboolean

Returned tiebreak eligible value.

sortWeightnumber | null | undefined

Returned sort weight value.

instancerConfigobject | null | undefined

Returned instancer config value.

adminBotConfigobject | null | undefined

Returned admin bot config value.

hiddenboolean

Returned hidden value.

releaseTimenumber | null | undefined

Returned release time value.

scoringobject | object | null | undefined

Returned scoring value.

Response fields

idstring

Unique identifier.

namestring

Display name.

descriptionstring

Returned description value.

categorystring

Returned category value.

authorstring

Returned author value.

files[].namestring

Display name.

files[].urlstring

Resource URL.

points.minnumber

Returned points min value.

points.maxnumber

Returned points max value.

flagstring

Returned flag value.

tiebreakEligibleboolean

Returned tiebreak eligible value.

sortWeightnumber | null | undefined

Returned sort weight value.

V1 challenge entries do not include hidden, releaseTime, instancerConfig, adminBotConfig, or file size.

`PUT` Create or update challenge

PUT /api/[v2,v1]/admin/challs/:id

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/challs/challenge-id" \
  -X PUT \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "data": {
      "name": "web demo",
      "category": "web",
      "author": "organizers",
      "description": "Solve it.",
      "flag": "flag{example}",
      "points": {
        "min": 100,
        "max": 500
      },
      "tiebreakEligible": true,
      "files": [
        {
          "name": "dist.zip",
          "url": "/uploads/dist.zip",
          "size": 12345
        }
      ],
      "sortWeight": 10,
      "hidden": false,
      "releaseTime": null
    }
  }'

{
  "kind": "goodChallengeUpdate",
  "message": "Challenge successfully updated.",
  "data": {
    "id": "<id>",
    "name": "<name>",
    "description": "<description>",
    "category": "<category>",
    "author": "<author>",
    "files": [
      {
        "name": "<name>",
        "url": "<url>",
        "size": 0
      }
    ],
    "points": {
      "min": 0,
      "max": 0
    },
    "flag": "<flag>",
    "tiebreakEligible": false,
    "sortWeight": 0,
    "instancerConfig": {
      "challengeIntegrationId": "<challenge-integration-id>",
      "config": null,
      "expose": [
        {
          "kind": "tcp",
          "hostPrefix": "<host-prefix>",
          "containerName": "<container-name>",
          "containerPort": 0,
          "shouldDisplay": false,
          "title": "<title>"
        }
      ],
      "timeoutMilliseconds": 0,
      "extendable": false
    },
    "adminBotConfig": {
      "code": "<code>",
      "inputs": null,
      "revision": "<revision>",
      "timeoutMilliseconds": 0,
      "requireInstancerInstancesRunning": false
    },
    "hidden": false,
    "releaseTime": 0,
    "scoring": {
      "kind": "decay"
    }
  }
}

{
  "kind": "badAdminBotConfig",
  "message": "Invalid admin bot configuration.",
  "data": {
    "error": "<error>"
  }
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badInstancerConfig",
  "message": "Invalid instancer configuration.",
  "data": {
    "error": "<error>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v1/admin/challs/challenge-id" \
  -X PUT \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "data": {
      "name": "web demo",
      "category": "web",
      "author": "organizers",
      "description": "Solve it.",
      "flag": "flag{example}",
      "points": {
        "min": 100,
        "max": 500
      },
      "tiebreakEligible": true,
      "files": [
        {
          "name": "dist.zip",
          "url": "/uploads/dist.zip"
        }
      ],
      "sortWeight": 10
    }
  }'

{
  "kind": "goodChallengeUpdate",
  "message": "Challenge successfully updated.",
  "data": {
    "id": "<id>",
    "name": "<name>",
    "description": "<description>",
    "category": "<category>",
    "author": "<author>",
    "files": [
      {
        "name": "<name>",
        "url": "<url>"
      }
    ],
    "points": {
      "min": 0,
      "max": 0
    },
    "flag": "<flag>",
    "tiebreakEligible": false,
    "sortWeight": 0
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

Auth: Required
Gate: None
Permissions: challsWrite
Captcha: No captcha
Rate limit: No rate limit

This route creates a new challenge or updates an existing one. Fields left out of data keep their current values. Setting instancerConfig or adminBotConfig to null clears that integration config.

After a challenge changes, the leaderboard is recalculated. The active instancer provider validates instancerConfig, and the active admin bot provider validates adminBotConfig before saving a new revision.

Path parameters

id
*
 required

string

Unique identifier.

Request body

data
*
 required

object

Request body field for data.

Path parameters

id
*
 required

string

Unique identifier.

Request body

data
*
 required

object

Request body field for data.

Response fields

idstring

Unique identifier.

namestring

Display name.

descriptionstring

Returned description value.

categorystring

Returned category value.

authorstring

Returned author value.

files[].namestring

Display name.

files[].urlstring

Resource URL.

files[].sizenumber | null

Size in bytes.

points.minnumber

Returned points min value.

points.maxnumber

Returned points max value.

flagstring

Returned flag value.

tiebreakEligibleboolean

Returned tiebreak eligible value.

sortWeightnumber | null | undefined

Returned sort weight value.

instancerConfigobject | null | undefined

Returned instancer config value.

adminBotConfigobject | null | undefined

Returned admin bot config value.

hiddenboolean

Returned hidden value.

releaseTimenumber | null | undefined

Returned release time value.

scoringobject | object | null | undefined

Returned scoring value.

Response fields

idstring

Unique identifier.

namestring

Display name.

descriptionstring

Returned description value.

categorystring

Returned category value.

authorstring

Returned author value.

files[].namestring

Display name.

files[].urlstring

Resource URL.

points.minnumber

Returned points min value.

points.maxnumber

Returned points max value.

flagstring

Returned flag value.

tiebreakEligibleboolean

Returned tiebreak eligible value.

sortWeightnumber | null | undefined

Returned sort weight value.

V1 does not include hidden state, scheduled release time, instancer config, admin bot config, or file sizes.

`DELETE` Delete a solve

DELETE /api/v2/admin/challs/:challengeId/solves/:userId

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/challs/challenge-id/solves/team-id" \
  -X DELETE \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodChallengeSolveDelete",
  "message": "Challenge solve successfully deleted."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badUnknownSolve",
  "message": "The solve does not exist."
}

Auth: Required
Gate: None
Permissions: challsSolveWrite
Captcha: No captcha
Rate limit: No rate limit

This route removes one solve for a specific team and challenge. The challenge and team remain in place, and the leaderboard is recalculated after the solve is removed.

Path parameters

challengeId
*
 required

string

Challenge identifier.

userId
*
 required

string

Team identifier.

Response#

A successful request returns 200 goodChallengeSolveDelete with no data.

`DELETE` Delete a challenge

DELETE /api/v1/admin/challs/:id

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v1/admin/challs/challenge-id" \
  -X DELETE \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodChallengeDelete",
  "message": "Challenge successfully deleted."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: challsWrite
Captcha: No captcha
Rate limit: No rate limit

This legacy V1 route removes a challenge and its solves. There is no V2 delete route. V2 admin clients remove solves directly and update challenge data through create or update challenge.

The leaderboard is recalculated after the challenge is removed.

Path parameters

id
*
 required

string

Unique identifier.

Response#

A successful request returns 200 goodChallengeDelete with no data.

`POST` Upload files

POST /api/[v2,v1]/admin/upload

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/upload" \
  -H "Authorization: Bearer <auth-token>" \
  -F "files=@dist.zip"

{
  "kind": "goodFilesUpload",
  "message": "The files were successfully uploaded.",
  "data": [
    {
      "name": "<name>",
      "url": "<url>",
      "size": 0
    }
  ]
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v1/admin/upload" \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "files": [
      {
        "name": "dist.zip",
        "data": "data:application/zip;base64,..."
      }
    ]
  }'

{
  "kind": "goodFilesUpload",
  "message": "The files were successfully uploaded.",
  "data": [
    {
      "name": "<name>",
      "url": "<url>"
    }
  ]
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badDataUri",
  "message": "A data URI provided was malformed."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

Auth: Required
Gate: None
Permissions: challsWrite
Captcha: No captcha
Rate limit: No rate limit

This route uploads challenge files. Files are deduplicated by SHA 256, so uploading the same bytes again returns the existing URL.

V2 sends multipart/form-data with one or more files fields. V1 accepts JSON with base64 data URIs and remains available for older admin clients.

Request body

files
*
 required

transform

Request body field for files.

Request body

files
*
 required

object[]

Request body field for files.

Response fields

namestring

Display name.

urlstring

Resource URL.

sizenumber | null

Size in bytes.

Response fields

namestring

Display name.

urlstring

Resource URL.

V1 upload responses do not include file size.

`POST` Query uploads

POST /api/[v2,v1]/admin/upload/query

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/upload/query" \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "uploads": [
      {
        "sha256": "<hex-digest>",
        "name": "dist.zip"
      }
    ]
  }'

{
  "kind": "goodUploadsQuery",
  "message": "The status of uploads was successfully queried.",
  "data": [
    {
      "sha256": "<sha256>",
      "name": "<name>",
      "url": "<url>",
      "size": 0
    }
  ]
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v1/admin/upload/query" \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "uploads": [
      {
        "sha256": "<hex-digest>",
        "name": "dist.zip"
      }
    ]
  }'

{
  "kind": "goodUploadsQuery",
  "message": "The status of uploads was successfully queried.",
  "data": [
    {
      "sha256": "<sha256>",
      "name": "<name>",
      "url": "<url>"
    }
  ]
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

Auth: Required
Gate: None
Permissions: challsRead
Captcha: No captcha
Rate limit: No rate limit

This route lets the admin panel check whether files already exist by SHA 256 before uploading them. A null URL means the file has not been uploaded yet.

For new clients, V2 is usually the best fit because it also returns nullable file size. V1 only returns the nullable URL.

Request body

uploads
*
 required

object[]

Request body field for uploads.

Request body

uploads
*
 required

object[]

Request body field for uploads.

Response fields

sha256string

Returned sha256 value.

namestring

Display name.

urlstring | null

Resource URL.

sizenumber | null

Size in bytes.

Response fields

sha256string

Returned sha256 value.

namestring

Display name.

urlstring | null

Resource URL.

`GET` List teams

GET /api/v2/admin/users

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/users?limit=50&offset=0&search=<search>&sortBy=createdAt&sortOrder=asc" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminUsers",
  "message": "The users were retrieved.",
  "data": {
    "total": 0,
    "users": [
      {
        "id": "<id>",
        "name": "<name>",
        "email": "<email>",
        "division": "<division>",
        "perms": 0,
        "banned": false,
        "score": 0,
        "solveCount": 0,
        "avatarUrl": "<avatar-url>",
        "countryCode": "<country-code>",
        "statusText": "<status-text>",
        "createdAt": "<created-at>"
      }
    ]
  }
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route shows teams for the admin panel. Query parameters control pagination, sorting, and name or email search.

Filter teams is available when a UI also needs status or division filters.

Query parameters

limit
*
 required

number

Maximum number of records to return.

offset
*
 required

number

Number of records to skip before returning results.

searchstring

Search string.

Query parameter for sort by.

sortOrder"asc" | "desc"

Query parameter for sort order.

Response fields

totalnumber

Total number of matching records.

users[].idstring

Unique identifier.

users[].namestring

Display name.

users[].emailstring | null

Email address.

users[].divisionstring

Division name or filter.

users[].permsnumber

Returned users perms value.

users[].bannedboolean

Returned users banned value.

users[].scorenumber

Current score.

users[].solveCountnumber

Returned users solve count value.

users[].avatarUrlstring | null

Avatar image URL.

users[].countryCodestring | null

Country or region code.

users[].statusTextstring | null

Team status text.

users[].createdAtstring

Creation timestamp.

Each list item includes public profile fields, admin state, cached score data, and creation time.

`POST` Filter teams

POST /api/v2/admin/users

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/users?limit=50&offset=0&search=<search>&sortBy=createdAt&sortOrder=asc" \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "status": {
      "include": [
        "active"
      ]
    },
    "division": {
      "include": [
        "open"
      ]
    }
  }'

{
  "kind": "goodAdminUsers",
  "message": "The users were retrieved.",
  "data": {
    "total": 0,
    "users": [
      {
        "id": "<id>",
        "name": "<name>",
        "email": "<email>",
        "division": "<division>",
        "perms": 0,
        "banned": false,
        "score": 0,
        "solveCount": 0,
        "avatarUrl": "<avatar-url>",
        "countryCode": "<country-code>",
        "statusText": "<status-text>",
        "createdAt": "<created-at>"
      }
    ]
  }
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route lists teams with richer filters than the GET route can carry comfortably. The query string still controls pagination, sorting, and text search.

Filter objects can include nullable include and exclude arrays. A field can be omitted when that filter does not apply.

Query parameters

limit
*
 required

number

Maximum number of records to return.

offset
*
 required

number

Number of records to skip before returning results.

searchstring

Search string.

Query parameter for sort by.

sortOrder"asc" | "desc"

Query parameter for sort order.

Request body

statusobject

Request body field for status.

divisionobject

Division name or filter.

Response fields

totalnumber

Total number of matching records.

users[].idstring

Unique identifier.

users[].namestring

Display name.

users[].emailstring | null

Email address.

users[].divisionstring

Division name or filter.

users[].permsnumber

Returned users perms value.

users[].bannedboolean

Returned users banned value.

users[].scorenumber

Current score.

users[].solveCountnumber

Returned users solve count value.

users[].avatarUrlstring | null

Avatar image URL.

users[].countryCodestring | null

Country or region code.

users[].statusTextstring | null

Team status text.

users[].createdAtstring

Creation timestamp.

`GET` Team detail

GET /api/v2/admin/users/:id

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/users/team-id" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminUser",
  "message": "The user was retrieved.",
  "data": {
    "id": "<id>",
    "name": "<name>",
    "email": "<email>",
    "division": "<division>",
    "perms": 0,
    "banned": false,
    "score": 0,
    "solveCount": 0,
    "avatarUrl": "<avatar-url>",
    "countryCode": "<country-code>",
    "statusText": "<status-text>",
    "createdAt": "<created-at>",
    "solves": [
      {
        "challengeId": "<challenge-id>",
        "challengeName": "<challenge-name>",
        "challengeCategory": "<challenge-category>",
        "createdAt": "<created-at>"
      }
    ]
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badUnknownUser",
  "message": "The user does not exist."
}

Auth: Required
Gate: None
Permissions: challsRead, usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route shows full team details for the admin panel, including solve history. The token needs both usersWrite and challsRead because the response includes challenge solve data.

Path parameters

id
*
 required

string

Unique identifier.

Response fields

idstring

Unique identifier.

namestring

Display name.

emailstring | null

Email address.

divisionstring

Division name or filter.

permsnumber

Returned perms value.

bannedboolean

Returned banned value.

scorenumber

Current score.

solveCountnumber

Returned solve count value.

avatarUrlstring | null

Avatar image URL.

countryCodestring | null

Country or region code.

statusTextstring | null

Team status text.

createdAtstring

Creation timestamp.

solves[].challengeIdstring

Challenge identifier.

solves[].challengeNamestring

Returned solves challenge name value.

solves[].challengeCategorystring

Returned solves challenge category value.

solves[].createdAtstring

Creation timestamp.

Private account fields appear here, so this route belongs in trusted admin views.

`PUT` Update team

PUT /api/v2/admin/users/:id

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/users/team-id" \
  -X PUT \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "data": {
      "banned": true
    }
  }'

{
  "kind": "goodAdminUserUpdate",
  "message": "The user was updated."
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badKnownName",
  "message": "An account with this name already exists."
}

{
  "kind": "badName",
  "message": "The name should only use english letters, numbers, and symbols."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badUnknownUser",
  "message": "The user does not exist."
}

{
  "kind": "badUserPrivileged",
  "message": "The user is privileged and cannot be modified."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route changes admin controlled team state. The current route supports banning and unbanning teams.

Banning removes the team from leaderboard output after recalculation without deleting solves. Unbanning restores its rank after the leaderboard is recalculated. Admin users are protected from changes through this route.

Path parameters

id
*
 required

string

Unique identifier.

Request body

data
*
 required

object

Request body field for data.

Response#

A successful request returns 200 goodAdminUserUpdate with no data.

`DELETE` Delete team

DELETE /api/v2/admin/users/:id

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/users/team-id" \
  -X DELETE \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminUserDelete",
  "message": "The user was deleted."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badUnknownUser",
  "message": "The user does not exist."
}

{
  "kind": "badUserPrivileged",
  "message": "The user is privileged and cannot be modified."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route deletes a team account. Admin users are protected from deletion here.

This operation removes the team rather than hiding it from standings. Update team is the better fit when the intent is to ban a team while keeping its record.

Path parameters

id
*
 required

string

Unique identifier.

Response#

A successful request returns 200 goodAdminUserDelete with no data.

`POST` Create team token

POST /api/v2/admin/users/:id/token

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/users/team-id/token" \
  -X POST \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodCreateUserToken",
  "message": "The creation of user token was successful.",
  "data": {
    "token": "<token>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badUnknownUser",
  "message": "The user does not exist."
}

{
  "kind": "badUserPrivileged",
  "message": "The user is privileged and cannot be modified."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route creates a fresh team token. It helps organizers recover access for a team that has lost its original credential.

The returned token is a credential. This route does not issue tokens for admin users.

Path parameters

id
*
 required

string

Unique identifier.

Response fields

tokenstring

Returned token value.

`GET` Pending verifications

GET /api/v2/admin/user-verifications

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/user-verifications" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminUserVerifications",
  "message": "The pending user verifications were retrieved.",
  "data": {
    "verifications": [
      {
        "id": "<id>",
        "name": "<name>",
        "email": "<email>",
        "division": "<division>",
        "createdAt": 0,
        "expiresAt": 0
      }
    ]
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route shows teams that registered with email verification but have not completed the verification step yet.

Pending verification rows include the team name, email, division, creation time, and expiration time. Admins can complete or resend these rows through the related endpoints.

Response fields

verifications[].idstring

Unique identifier.

verifications[].namestring

Display name.

verifications[].emailstring

Email address.

verifications[].divisionstring

Division name or filter.

verifications[].createdAtnumber

Creation timestamp.

verifications[].expiresAtnumber

Expiration timestamp.

`POST` Complete verification

POST /api/v2/admin/user-verifications/:id/complete

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/user-verifications/verification-id/complete" \
  -X POST \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminUserVerificationComplete",
  "message": "The pending user verification was completed.",
  "data": {
    "userId": "<user-id>"
  }
}

{
  "kind": "badKnownEmail",
  "message": "An account with this email already exists."
}

{
  "kind": "badKnownName",
  "message": "An account with this name already exists."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badUnknownVerification",
  "message": "The verification request does not exist."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route lets an organizer complete a pending email verification manually and create the team. It is useful when the registration has already been verified outside the normal email flow.

Duplicate email and duplicate name checks still apply.

Path parameters

id
*
 required

string

Unique identifier.

Response fields

userIdstring

Team identifier.

`POST` Resend verification

POST /api/v2/admin/user-verifications/:id/resend

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/user-verifications/verification-id/resend" \
  -X POST \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminUserVerificationResend",
  "message": "The pending user verification email was resent.",
  "data": {
    "id": "<id>"
  }
}

{
  "kind": "badEndpoint",
  "message": "The request endpoint could not be found."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badUnknownVerification",
  "message": "The verification request does not exist."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route sends another verification email for an outstanding pending verification row.

If email delivery is not configured, the route returns 404 badEndpoint because there is no provider available to send the message.

Path parameters

id
*
 required

string

Unique identifier.

Response fields

idstring

Unique identifier.

`GET` List submissions

GET /api/v2/admin/submissions

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/submissions?limit=50&offset=0&sortBy=createdAt&sortOrder=asc&challengeSearch=<challenge-search>&teamSearch=<team-search>" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminSubmissions",
  "message": "The submissions were retrieved successfully.",
  "data": {
    "total": 0,
    "submissions": [
      {
        "id": "<id>",
        "kind": "flag",
        "challengeId": "<challenge-id>",
        "challengeName": "<challenge-name>",
        "challengeCategory": "<challenge-category>",
        "userId": "<user-id>",
        "userName": "<user-name>",
        "userDivision": "<user-division>",
        "userAvatarUrl": "<user-avatar-url>",
        "userCountryCode": "<user-country-code>",
        "userStatusText": "<user-status-text>",
        "userBanned": false,
        "ip": "<ip>",
        "result": "correct",
        "details": null,
        "relatedId": "<related-id>",
        "createdAt": "<created-at>"
      }
    ]
  }
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: challsRead, usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route shows submission audit rows. The table records flag submissions and admin bot job submissions for review and abuse investigation.

Query parameters control pagination, sorting, and lightweight challenge or team search. Filter submissions adds category, division, kind, result, team status, and time filters.

Query parameters

limit
*
 required

number

Maximum number of records to return.

offset
*
 required

number

Number of records to skip before returning results.

Query parameter for sort by.

sortOrder"asc" | "desc"

Query parameter for sort order.

challengeSearchstring

Query parameter for challenge search.

teamSearchstring

Query parameter for team search.

Response fields

totalnumber

Total number of matching records.

submissions[].idstring

Unique identifier.

submissions[].kind"flag" | "admin_bot"

Response or object kind.

submissions[].challengeIdstring

Challenge identifier.

submissions[].challengeNamestring

Returned submissions challenge name value.

submissions[].challengeCategorystring

Returned submissions challenge category value.

submissions[].userIdstring

Team identifier.

submissions[].userNamestring

Returned submissions user name value.

submissions[].userDivisionstring

Returned submissions user division value.

submissions[].userAvatarUrlstring | null

Returned submissions user avatar url value.

submissions[].userCountryCodestring | null

Returned submissions user country code value.

submissions[].userStatusTextstring | null

Returned submissions user status text value.

submissions[].userBannedboolean

Returned submissions user banned value.

submissions[].ipstring

Returned submissions ip value.

Returned submissions result value.

submissions[].detailsRecord<string, any>

Returned submissions details value.

submissions[].relatedIdstring | null

Returned submissions related id value.

submissions[].createdAtstring

Creation timestamp.

Each row includes challenge metadata, team metadata, the source IP address, result details, and creation time.

`POST` Filter submissions

POST /api/v2/admin/submissions

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/submissions?limit=50&offset=0&sortBy=createdAt&sortOrder=asc&challengeSearch=<challenge-search>&teamSearch=<team-search>" \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "challenge": {
      "include": [
        "challenge-id"
      ]
    },
    "team": {
      "include": [
        "team-id"
      ]
    },
    "kind": {
      "include": [
        "flag"
      ]
    },
    "result": {
      "exclude": [
        "incorrect"
      ]
    },
    "teamStatus": {
      "include": [
        "not_banned"
      ]
    },
    "category": {
      "include": [
        "web"
      ]
    },
    "division": {
      "include": [
        "open"
      ]
    },
    "createdAfter": "2026-05-05T09:30:00.000Z",
    "createdBefore": "2026-05-05T10:30:00.000Z"
  }'

{
  "kind": "goodAdminSubmissions",
  "message": "The submissions were retrieved successfully.",
  "data": {
    "total": 0,
    "submissions": [
      {
        "id": "<id>",
        "kind": "flag",
        "challengeId": "<challenge-id>",
        "challengeName": "<challenge-name>",
        "challengeCategory": "<challenge-category>",
        "userId": "<user-id>",
        "userName": "<user-name>",
        "userDivision": "<user-division>",
        "userAvatarUrl": "<user-avatar-url>",
        "userCountryCode": "<user-country-code>",
        "userStatusText": "<user-status-text>",
        "userBanned": false,
        "ip": "<ip>",
        "result": "correct",
        "details": null,
        "relatedId": "<related-id>",
        "createdAt": "<created-at>"
      }
    ]
  }
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

Auth: Required
Gate: None
Permissions: challsRead, usersWrite
Captcha: No captcha
Rate limit: No rate limit

This route lists submission audit rows with richer filters. The query string still controls pagination, sorting, and lightweight text search.

Filter objects can include nullable include and exclude arrays. Date filters are parsed as ISO timestamps, and createdAfter needs to be earlier than createdBefore when both are provided.

Query parameters

limit
*
 required

number

Maximum number of records to return.

offset
*
 required

number

Number of records to skip before returning results.

Query parameter for sort by.

sortOrder"asc" | "desc"

Query parameter for sort order.

challengeSearchstring

Query parameter for challenge search.

teamSearchstring

Query parameter for team search.

Request body

challengeobject

Request body field for challenge.

teamobject

Request body field for team.

kindobject

Response or object kind.

resultobject

Request body field for result.

teamStatusobject

Request body field for team status.

categoryobject

Request body field for category.

divisionobject

Division name or filter.

createdAfterstring

Request body field for created after.

createdBeforestring

Request body field for created before.

Response fields

totalnumber

Total number of matching records.

submissions[].idstring

Unique identifier.

submissions[].kind"flag" | "admin_bot"

Response or object kind.

submissions[].challengeIdstring

Challenge identifier.

submissions[].challengeNamestring

Returned submissions challenge name value.

submissions[].challengeCategorystring

Returned submissions challenge category value.

submissions[].userIdstring

Team identifier.

submissions[].userNamestring

Returned submissions user name value.

submissions[].userDivisionstring

Returned submissions user division value.

submissions[].userAvatarUrlstring | null

Returned submissions user avatar url value.

submissions[].userCountryCodestring | null

Returned submissions user country code value.

submissions[].userStatusTextstring | null

Returned submissions user status text value.

submissions[].userBannedboolean

Returned submissions user banned value.

submissions[].ipstring

Returned submissions ip value.

Returned submissions result value.

submissions[].detailsRecord<string, any>

Returned submissions details value.

submissions[].relatedIdstring | null

Returned submissions related id value.

submissions[].createdAtstring

Creation timestamp.

`GET` Read settings

GET /api/v2/admin/settings

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/settings" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminSettings",
  "message": "The retrieval of settings was successful.",
  "data": {
    "overrides": {
      "ctfName": "<ctf-name>",
      "homeContent": "<home-content>",
      "startTime": 0,
      "endTime": 0,
      "sponsors": [
        {
          "name": "<name>",
          "icon": "<icon>",
          "description": "<description>",
          "url": "<url>"
        }
      ],
      "meta": {
        "description": "<description>",
        "imageUrl": "<image-url>"
      },
      "faviconUrl": "<favicon-url>",
      "logoLightUrl": "<logo-light-url>",
      "logoDarkUrl": "<logo-dark-url>"
    },
    "defaults": {
      "ctfName": "<ctf-name>",
      "homeContent": "<home-content>",
      "startTime": 0,
      "endTime": 0,
      "sponsors": [
        {
          "name": "<name>",
          "icon": "<icon>",
          "description": "<description>",
          "url": "<url>"
        }
      ],
      "meta": {
        "description": "<description>",
        "imageUrl": "<image-url>"
      },
      "faviconUrl": "<favicon-url>",
      "logoLightUrl": "<logo-light-url>",
      "logoDarkUrl": "<logo-dark-url>"
    }
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: settingsWrite
Captcha: No captcha
Rate limit: No rate limit

This route shows runtime setting overrides and config defaults side by side. Runtime overrides come from the database. Defaults come from config files and environment variables.

Update settings can change or clear runtime overrides without restarting the server.

Response fields

overrides.ctfNamestring | undefined

Returned overrides ctf name value.

overrides.homeContentstring | undefined

Returned overrides home content value.

overrides.startTimenumber | undefined

Returned overrides start time value.

overrides.endTimenumber | undefined

Returned overrides end time value.

overrides.sponsors[].namestring

Display name.

overrides.sponsors[].iconstring

Returned overrides sponsors icon value.

overrides.sponsors[].descriptionstring

Returned overrides sponsors description value.

overrides.sponsors[].urlstring | undefined

Resource URL.

overrides.meta.descriptionstring | undefined

Returned overrides meta description value.

overrides.meta.imageUrlstring | undefined

Returned overrides meta image url value.

overrides.faviconUrlstring | undefined

Returned overrides favicon url value.

overrides.logoLightUrlstring | undefined

Returned overrides logo light url value.

overrides.logoDarkUrlstring | undefined

Returned overrides logo dark url value.

defaults.ctfNamestring | undefined

Returned defaults ctf name value.

defaults.homeContentstring | undefined

Returned defaults home content value.

defaults.startTimenumber | undefined

Returned defaults start time value.

defaults.endTimenumber | undefined

Returned defaults end time value.

defaults.sponsors[].namestring

Display name.

defaults.sponsors[].iconstring

Returned defaults sponsors icon value.

defaults.sponsors[].descriptionstring

Returned defaults sponsors description value.

defaults.sponsors[].urlstring | undefined

Resource URL.

defaults.meta.descriptionstring | undefined

Returned defaults meta description value.

defaults.meta.imageUrlstring | undefined

Returned defaults meta image url value.

defaults.faviconUrlstring | undefined

Returned defaults favicon url value.

defaults.logoLightUrlstring | undefined

Returned defaults logo light url value.

defaults.logoDarkUrlstring | undefined

Returned defaults logo dark url value.

`PUT` Update settings

PUT /api/v2/admin/settings

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/settings" \
  -X PUT \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "data": {
      "ctfName": "Example CTF",
      "homeContent": "# Welcome",
      "startTime": 1770000000000,
      "endTime": 1770100000000,
      "sponsors": [
        {
          "name": "Example",
          "icon": "https://example.com/icon.png",
          "description": "Sponsor",
          "url": "https://example.com"
        }
      ],
      "meta": {
        "description": "Example CTF",
        "imageUrl": "https://example.com/card.png"
      },
      "faviconUrl": null,
      "logoLightUrl": null,
      "logoDarkUrl": null
    }
  }'

{
  "kind": "goodAdminSettingsUpdate",
  "message": "Settings successfully updated.",
  "data": {
    "overrides": {
      "ctfName": "<ctf-name>",
      "homeContent": "<home-content>",
      "startTime": 0,
      "endTime": 0,
      "sponsors": [
        {
          "name": "<name>",
          "icon": "<icon>",
          "description": "<description>",
          "url": "<url>"
        }
      ],
      "meta": {
        "description": "<description>",
        "imageUrl": "<image-url>"
      },
      "faviconUrl": "<favicon-url>",
      "logoLightUrl": "<logo-light-url>",
      "logoDarkUrl": "<logo-dark-url>"
    },
    "defaults": {
      "ctfName": "<ctf-name>",
      "homeContent": "<home-content>",
      "startTime": 0,
      "endTime": 0,
      "sponsors": [
        {
          "name": "<name>",
          "icon": "<icon>",
          "description": "<description>",
          "url": "<url>"
        }
      ],
      "meta": {
        "description": "<description>",
        "imageUrl": "<image-url>"
      },
      "faviconUrl": "<favicon-url>",
      "logoLightUrl": "<logo-light-url>",
      "logoDarkUrl": "<logo-dark-url>"
    }
  }
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

Auth: Required
Gate: None
Permissions: settingsWrite
Captcha: No captcha
Rate limit: No rate limit

This route updates runtime setting overrides. A nullable field set to null clears that override and lets the configured default take effect again.

Changing startTime or endTime also queues a leaderboard recalculation so standings match the updated event window.

Request body

data
*
 required

object

Request body field for data.

Response fields

overrides.ctfNamestring | undefined

Returned overrides ctf name value.

overrides.homeContentstring | undefined

Returned overrides home content value.

overrides.startTimenumber | undefined

Returned overrides start time value.

overrides.endTimenumber | undefined

Returned overrides end time value.

overrides.sponsors[].namestring

Display name.

overrides.sponsors[].iconstring

Returned overrides sponsors icon value.

overrides.sponsors[].descriptionstring

Returned overrides sponsors description value.

overrides.sponsors[].urlstring | undefined

Resource URL.

overrides.meta.descriptionstring | undefined

Returned overrides meta description value.

overrides.meta.imageUrlstring | undefined

Returned overrides meta image url value.

overrides.faviconUrlstring | undefined

Returned overrides favicon url value.

overrides.logoLightUrlstring | undefined

Returned overrides logo light url value.

overrides.logoDarkUrlstring | undefined

Returned overrides logo dark url value.

defaults.ctfNamestring | undefined

Returned defaults ctf name value.

defaults.homeContentstring | undefined

Returned defaults home content value.

defaults.startTimenumber | undefined

Returned defaults start time value.

defaults.endTimenumber | undefined

Returned defaults end time value.

defaults.sponsors[].namestring

Display name.

defaults.sponsors[].iconstring

Returned defaults sponsors icon value.

defaults.sponsors[].descriptionstring

Returned defaults sponsors description value.

defaults.sponsors[].urlstring | undefined

Resource URL.

defaults.meta.descriptionstring | undefined

Returned defaults meta description value.

defaults.meta.imageUrlstring | undefined

Returned defaults meta image url value.

defaults.faviconUrlstring | undefined

Returned defaults favicon url value.

defaults.logoLightUrlstring | undefined

Returned defaults logo light url value.

defaults.logoDarkUrlstring | undefined

Returned defaults logo dark url value.

`GET` Instancer schema

GET /api/v2/admin/instancer/schema

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/instancer/schema" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodInstancerSchema",
  "message": "The instancer configuration schema was retrieved successfully.",
  "data": {
    "schema": null,
    "defaults": null
  }
}

{
  "kind": "badEndpoint",
  "message": "The request endpoint could not be found."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: challsRead
Captcha: No captcha
Rate limit: No rate limit

This route provides the active instancer provider JSON schema and defaults. The challenge editor uses this response to validate instancerConfig before saving a challenge.

When no instancer provider is configured, the route returns 404 badEndpoint.

Response fields

schemaRecord<string, unknown>

Returned schema value.

defaultsRecord<string, unknown>

Returned defaults value.

`GET` Admin bot status

GET /api/v2/admin/admin-bot/status

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/admin-bot/status" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminBotStatus",
  "message": "The admin bot status was retrieved successfully.",
  "data": {
    "enabled": false,
    "configLanguage": "<config-language>"
  }
}

{
  "kind": "badEndpoint",
  "message": "The request endpoint could not be found."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: challsRead
Captcha: No captcha
Rate limit: No rate limit

This route shows whether the admin bot provider is enabled and which source language the configured provider expects.

When no admin bot provider is configured, the route returns 404 badEndpoint.

Response fields

enabledboolean

Returned enabled value.

configLanguagestring

Returned config language value.

`POST` Pull admin bot job

POST /api/v2/admin/admin-bot/jobs/pull

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/admin-bot/jobs/pull" \
  -X POST \
  -H "Authorization: Bearer <admin-bot-token>"

{
  "kind": "goodAdminBotJobPull",
  "message": "The admin bot job was pulled successfully.",
  "data": {
    "job": {
      "id": "<id>",
      "challengeId": "<challenge-id>",
      "configRevision": "<config-revision>",
      "userId": "<user-id>",
      "submittedAt": "<submitted-at>",
      "flag": "<flag>",
      "inputs": null,
      "instancerInstances": [
        {
          "type": "<type>",
          "host": "<host>",
          "port": 0,
          "title": "<title>"
        }
      ]
    }
  }
}

Auth: Service
Gate: None
Permissions: No extra permissions
Captcha: No captcha
Rate limit: No rate limit

The admin bot worker calls this service route when it is ready for more work. It receives the oldest queued job. When nothing is waiting, the response has job set to null.

The request is authenticated with the shared admin bot bearer token from adminBot.provider.options.secretKey in rctf.d/.

Response fields

job.idstring

Unique identifier.

job.challengeIdstring

Challenge identifier.

job.configRevisionstring

Returned job config revision value.

job.userIdstring

Team identifier.

job.submittedAtstring

Returned job submitted at value.

job.flagstring

Returned job flag value.

job.inputsRecord<string, string>

Returned job inputs value.

job.instancerInstances[].typestring

Object type.

job.instancerInstances[].hoststring

Returned job instancer instances host value.

job.instancerInstances[].portnumber

Returned job instancer instances port value.

job.instancerInstances[].titlestring | undefined

Returned job instancer instances title value.

`GET` Admin bot source

GET /api/v2/admin/admin-bot/challenges/:id/source

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/admin-bot/challenges/challenge-id/source" \
  -H "Authorization: Bearer <admin-bot-token>"

{
  "kind": "goodAdminBotChallengeSource",
  "message": "The admin bot challenge source was retrieved successfully.",
  "data": {
    "sourceCode": "<source-code>",
    "configRevision": "<config-revision>"
  }
}

{
  "kind": "badEndpoint",
  "message": "The request endpoint could not be found."
}

Auth: Service
Gate: None
Permissions: No extra permissions
Captcha: No captcha
Rate limit: No rate limit

The admin bot worker calls this service route to read the source code saved for a challenge config revision.

The request is authenticated with the shared admin bot bearer token from adminBot.provider.options.secretKey in rctf.d/.

Path parameters

id
*
 required

string

Unique identifier.

Response fields

sourceCodestring

Returned source code value.

configRevisionstring

Returned config revision value.

`POST` Complete admin bot job

POST /api/v2/admin/admin-bot/jobs/:id/complete

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/admin-bot/jobs/job-id/complete" \
  -H "Authorization: Bearer <admin-bot-token>" \
  --json '{
    "logs": "newline-delimited log data"
  }'

{
  "kind": "goodAdminBotJobUpdate",
  "message": "The admin bot job was updated successfully.",
  "data": {
    "ok": false
  }
}

{
  "kind": "badEndpoint",
  "message": "The request endpoint could not be found."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

Auth: Service
Gate: None
Permissions: No extra permissions
Captcha: No captcha
Rate limit: No rate limit

The admin bot worker calls this service route after a job finishes successfully. The request can include logs so organizers can review what happened later.

Logs are optional. When included, the server accepts up to 1048576 characters.

Path parameters

id
*
 required

string

Unique identifier.

Request body

logsstring

Request body field for logs.

Response fields

okboolean

Returned ok value.

`POST` Fail admin bot job

POST /api/v2/admin/admin-bot/jobs/:id/fail

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/admin-bot/jobs/job-id/fail" \
  -H "Authorization: Bearer <admin-bot-token>" \
  --json '{
    "logs": "newline-delimited log data"
  }'

{
  "kind": "goodAdminBotJobUpdate",
  "message": "The admin bot job was updated successfully.",
  "data": {
    "ok": false
  }
}

{
  "kind": "badEndpoint",
  "message": "The request endpoint could not be found."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

Auth: Service
Gate: None
Permissions: No extra permissions
Captcha: No captcha
Rate limit: No rate limit

The admin bot worker calls this service route when a job cannot complete successfully. The request can include logs so organizers can inspect the failure.

Logs are optional. When included, the server accepts up to 1048576 characters.

Path parameters

id
*
 required

string

Unique identifier.

Request body

logsstring

Request body field for logs.

Response fields

okboolean

Returned ok value.

`GET` Admin bot queue depth

GET /api/v2/admin/admin-bot/queue-depth

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/admin-bot/queue-depth" \
  -H "Authorization: Bearer <admin-bot-token>"

{
  "kind": "goodAdminBotQueueDepth",
  "message": "The admin bot queue depth was retrieved successfully.",
  "data": {
    "depth": 0
  }
}

Auth: Service
Gate: None
Permissions: No extra permissions
Captcha: No captcha
Rate limit: No rate limit

The admin bot worker can call this service route to check how many jobs are waiting in the queue.

The request is authenticated with the shared admin bot bearer token from adminBot.provider.options.secretKey in rctf.d/.

Response fields

depthnumber

Returned depth value.

`GET` List external-auth clients

GET /api/v2/admin/external-auth/clients

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/external-auth/clients" \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminExternalAuthClients",
  "message": "External-auth clients listed.",
  "data": [
    {
      "id": "<id>",
      "name": "<name>",
      "redirectUri": "<redirect-uri>",
      "createdAt": "<created-at>",
      "createdBy": "<created-by>"
    }
  ]
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

Returns every registered external-auth client. Client secrets are never returned by this route - they are shown exactly once at creation time by Create external-auth client and cannot be retrieved afterward.

The end-user side of the external-auth flow lives at External auth, and the operator walkthrough lives at External apps.

Response fields

idstring

Unique identifier.

namestring

Display name.

redirectUristring

Returned redirect uri value.

createdAtstring

Creation timestamp.

createdBystring | null

Returned created by value.

`POST` Create external-auth client

POST /api/v2/admin/external-auth/clients

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/external-auth/clients" \
  -H "Authorization: Bearer <auth-token>" \
  --json '{
    "name": "Dynamic scoring backend",
    "redirectUri": "https://my-service.example.com/auth/rctf/callback"
  }'

{
  "kind": "goodAdminExternalAuthClientCreate",
  "message": "External-auth client created. Store the secret now - it cannot be retrieved later.",
  "data": {
    "id": "<id>",
    "name": "<name>",
    "redirectUri": "<redirect-uri>",
    "createdAt": "<created-at>",
    "createdBy": "<created-by>",
    "secret": "<secret>"
  }
}

{
  "kind": "badBody",
  "message": "The request body does not meet requirements.",
  "data": {
    "reason": "<reason>"
  }
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

{
  "kind": "badJson",
  "message": "The request JSON body is malformed."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

Registers a new external-auth client. rCTF generates a UUID id and a 32-byte base64url secret. The redirect URI is stored exactly as supplied and is matched byte-for-byte at authorize time - no wildcards, no path normalization.

Warning (The secret is shown exactly once)

The response is the only place where the client secret is ever returned. Store it immediately somewhere the integrator can retrieve it. If it gets lost the client must be deleted and re-created.

Request body

name
*
 required

string

Display name.

redirectUri
*
 required

string

Request body field for redirect uri.

Response fields

idstring

Unique identifier.

namestring

Display name.

redirectUristring

Returned redirect uri value.

createdAtstring

Creation timestamp.

createdBystring | null

Returned created by value.

secretstring

Returned secret value.

`DELETE` Delete external-auth client

DELETE /api/v2/admin/external-auth/clients/:id

$curl -sS "https://rctf-new-dev.es3n1n.io/api/v2/admin/external-auth/clients/11111111-2222-3333-4444-555555555555" \
  -X DELETE \
  -H "Authorization: Bearer <auth-token>"

{
  "kind": "goodAdminExternalAuthClientDelete",
  "message": "External-auth client deleted."
}

{
  "kind": "badExternalAuthRequest",
  "message": "External-auth request rejected."
}

{
  "kind": "badPerms",
  "message": "The user does not have the required permissions."
}

{
  "kind": "badToken",
  "message": "The token provided is invalid."
}

Auth: Required
Gate: None
Permissions: usersWrite
Captcha: No captcha
Rate limit: No rate limit

Removes an external-auth client. After this returns, POST /api/v2/external-auth/token exchanges with that clientId always fail with 400 badExternalAuthRequest.

Access tokens that were already minted through this client stay valid. There is no per-app token registry, so per-client revocation is not possible. If you need to invalidate outstanding tokens, rotate the global tokenKey (this invalidates every token in the system).

Unknown client IDs return 400 badExternalAuthRequest.

Path parameters

id
*
 required

string

Unique identifier.

Response#

A successful request returns 200 goodAdminExternalAuthClientDelete with no data.