3x-ui3x-ui
参考API 参考

身份验证

支持两种身份验证模式。UI 会话使用登录端点设置的 Cookie。程序化客户端(机器人、脚本、远程面板)则使用从“设置 → 安全 → API Token”获取的 Bearer token 进行身份验证。两者都适用于 /panel/api/* 下的所有端点。

Authenticate with username + password and receive a session cookie. Required before any cookie-based API call.

POST
/login

Authorization

AuthorizationBearer <token>

API token from Settings → Security → API Token. Send as Authorization: Bearer <token>.

In: header

Request Body

application/json

TypeScript Definitions

Use the request body type in TypeScript.

Response Body

application/json

application/json

curl -X POST "https://example.com/login" \  -H "Content-Type: application/json" \  -d '{    "username": "admin",    "password": "admin",    "twoFactorCode": "123456"  }'
{  "success": true,  "msg": "Logged in successfully"}
{  "success": false,  "msg": "Wrong username or password"}
POST
/logout

Authorization

AuthorizationBearer <token>

API token from Settings → Security → API Token. Send as Authorization: Bearer <token>.

In: header

Response Body

application/json

curl -X POST "https://example.com/logout"
{  "success": true}

Mint a CSRF token for the current session. The SPA replays it in the X-CSRF-Token header on unsafe requests. Bearer-token callers can skip this — the middleware short-circuits CSRF for authenticated API requests.

GET
/csrf-token

Authorization

AuthorizationBearer <token>

API token from Settings → Security → API Token. Send as Authorization: Bearer <token>.

In: header

Response Body

application/json

curl -X GET "https://example.com/csrf-token"
{  "success": true,  "obj": "csrf-token-string"}

Returns whether 2FA is enabled on the panel — used by the login page to decide whether to show the OTP field.

POST
/getTwoFactorEnable

Authorization

AuthorizationBearer <token>

API token from Settings → Security → API Token. Send as Authorization: Bearer <token>.

In: header

Response Body

application/json

curl -X POST "https://example.com/getTwoFactorEnable"
{  "success": true,  "obj": false}

API 参考

3x-ui 面板的 REST API —— 涵盖认证、入站、客户端、服务器状态等,依据 OpenAPI 规范自动生成。

API 令牌

管理用于程序化认证的 Bearer 令牌(机器人、代表本节点操作的中心面板、CI)。每个令牌都有唯一的名称和一个启用标志——禁用即可在不删除的情况下吊销,删除则为永久吊销。令牌以 SHA-256 哈希形式存储,明文仅在创建响应中返回一次——此后无法再次获取,因此请当场复制保存。在任意 /panel/api/* 请求中以 <code>Authorization: Bearer &lt;token&gt;</code> 的形式发送令牌——该令牌是一份完全管理员凭据。