Developer overview
SuperSpace is fully programmable. There are two ways to build on it:
- The REST API — full programmatic control over sites, domains & DNS, orders & billing, backups, CDN, Shield, metrics, and accounts. Start with the API overview for authentication, conventions, and error handling.
- The MCP server — let an AI assistant (Claude and other MCP clients) manage your account over the Model Context Protocol. See the MCP server guide to connect a client.
Building a third-party app that acts on other users' behalf? Use OAuth 2.1 instead of a personal API key.
Get an API key
REST API requests authenticate with a personal API key tied to your user. Create one in the dashboard:
- Open the avatar menu and choose My Settings.
- In the Developer section, open API Keys.
- Enter a Name to identify the key, then click Create API Key.
- Copy the token immediately. It's shown only once, with the notice "Copy this token now. It will only be shown once." Use the Copy button and store it somewhere safe — if you lose it, delete the key and create a new one.
Send the key in the Authorization header on every /api/* request; both the Bearer
and Token schemes work:
curl -H "Authorization: Bearer $SUPERSPACE_TOKEN" \
https://control.superspace.nl/api/about
GET /api/about is a good first call — it reports who you're authenticated as and which
resources are available.
Trial accounts can't use the API
The API rejects any credential that resolves to a trial account. Finish onboarding first.
Your Account ID and the X-Auth-Account header
Many endpoints need to know which workspace you're acting in. You tell them with the
X-Auth-Account header, set to your Account ID.
You'll find it on the same API Keys page: the Account ID (Workspace) field shows the ID for the workspace you're currently in, with a Copy button. The dashboard spells out what it's for — "This is the X-Auth-Account header value required for API calls in this workspace."
curl -H "Authorization: Bearer $SUPERSPACE_TOKEN" \
-H "X-Auth-Account: $ACCOUNT_ID" \
https://control.superspace.nl/api/sites
A few things to know:
- It's per workspace. Each workspace has its own Account ID. If you manage several,
switch to the workspace you want and copy its ID (or read it from
account_scopedin theGET /api/aboutresponse). - When it's required. With a personal API key the header scopes a request to one
workspace; without it, list endpoints return resources across all workspaces your
key can access. Some endpoints require it — Orders, Carts, Subscriptions, Users,
Webhooks, DNS-zone creation, and all Domain Registration endpoints — and return
400when it's missing.
See Setting Account Scope for the full behavior.
Review your API requests
The dashboard logs every call made with your personal API keys, so you can confirm what an integration is doing or debug a failing request. Open My Settings → Developer → API Request Logs. Each entry lists:
| Column | Shows |
|---|---|
| Timestamp | When the request was made |
| API Key | Which of your keys was used |
| Method | The HTTP method (GET, POST, …) |
| URL | The endpoint that was called |
| IP Address | The client IP the request came from |
Click any entry to open its detail view, which also shows the request's Headers and Data (the body that was sent) — handy for seeing exactly what reached the API. Entries are listed newest first.
Where to go next
- API overview — authentication, conventions, pagination, rate limits, and errors
- MCP server — connect an AI assistant
- OAuth 2.1 — authorize third-party apps
- Billing webhooks — receive site and domain lifecycle events