REST Quickstart
ProA five-minute walkthrough: create a token, read data, perform a reversible write, and complete a destructive write through the re-auth window.
What is this?
A copy-paste curl walkthrough that takes you from no token to a successful destructive write in six steps. Create the token, list strikes, claim a ticket, try a strike call without re-auth (watch it fail), open the 15-minute re-auth window, retry the strike call (watch it succeed).
Why you might want it
The fastest way to confirm REST works end-to-end for your guild before you wire it into a real script. If something is going to break, it breaks here, on a terminal you control, with one curl command to point at.
What this is for
Confirming the Arkanis REST API works end to end for your guild before you wire it into a real script: mint a token, read data, do a reversible write, watch the destructive guard fire, open a re-auth window, retry.
Before you start
- ·Your guild is on the Pro tier.
- ·You are the Discord guild owner (the API mint surface is owner-gated).
- ·Developer Mode is enabled in Settings Panel so the API & MCP sidebar entry is visible.
- ·Local terminal with
curl. The base URL ishttps://api.arkanis.gg; every public endpoint lives under/api/public/v1/.
5-minute setup
- 1Mint a REST token from Settings → API & MCP → REST Tokens, copy the plaintext into your shell as
$ARK_TOKEN. - 2Run a read:
GET /api/public/v1/guilds/$GUILD_ID/strikes?limit=10with the Bearer header. Expect a paginated envelope, even ifdatais empty. - 3Run a reversible write:
POST /tickets/<TICKET_ID>/claim. Reads and reversible writes skip the re-auth window. - 4Run a destructive write (a strike) without opening a window. Expect
403 RE_AUTH_REQUIREDwith areauth_urlindetails. - 5Open the window:
POST /api/api-tokens/$TOKEN_ID/reauth-window. Response saysopen: truefor 15 minutes. - 6Retry the destructive call with the same body. Expect 201 Created and a strike row in the audit log tagged with your token name.
Common failure modes
- 401 TOKEN_INVALID on every callToken shape wrong or leading/trailing whitespace from a copy. Confirm the value starts with
arkpat_, has no quotes inside the header, andecho "$ARK_TOKEN" | wc -creports 56 (55 chars + newline). - 403 CAPABILITY_DENIED on a destructive callToken snapshot doesn't include the capability that endpoint needs. Grant yourself the capability in the dashboard, then mint a fresh token. The snapshot is the ceiling; existing tokens cannot upgrade.
- 423 LOCKED or 403 RE_AUTH_REQUIRED on retry inside the windowThe window is bound to one token, not all tokens on your account. Confirm
$TOKEN_IDin the reauth-window URL matches the token whose Bearer you're sending. Also check the window hasn't already expired (15 min from open).
Before You Start
Total time is about five minutes if your token is ready, or ten minutes if you need to issue one first. You will need a Pro guild, owner access on that guild, and a terminal with curl installed.
Throughout the page, placeholders are written as <GUILD_ID>, <TOKEN_ID>, <TICKET_ID>, and so on. Replace them with real values from your dashboard before running each command. The token prefix is always arkpat_ followed by a base64url secret.
https://api.arkanis.gg. Every public endpoint lives under /api/public/v1/. Token endpoints for re-auth window management live at /api/api-tokens/<TOKEN_ID>/... and require the same Bearer authentication.Step 1 — Create a Token
Tokens are minted from the dashboard. Open the Settings Panel from your sidebar, find the Developer Mode card (owner-only — the panel is gated to the Discord guild owner), and enable it. API & MCP then appears in your sidebar's Dashboard section. Open it, switch to the REST Tokens tab, and click Create token.
Developer Mode is a per-browser preference — enabling it on your laptop doesn't affect your staff or other devices. You only need to enable it once per browser.
Name the Token
Give the token a descriptive name (for example, CI deploy bot). The name is shown next to every audit row the token produces, so future-you will thank present-you for being specific.
Confirm Capability Inheritance
The token inherits your capabilities at the moment it is created. If you later lose a capability, the token loses it too. If you later gain a capability, the token does not gain it — you would mint a new token to pick up the new scope.
Copy the Plaintext
The plaintext is shown once. Copy it into your secret store immediately. If you lose it, revoke the token and mint a new one; there is no recovery flow.
For the rest of this quickstart, export the plaintext into your shell so the snippets stay copy-pasteable:
export ARK_TOKEN="arkpat_YOURPLAINTEXTHERE" export GUILD_ID="100000000000000000" export TOKEN_ID="01HXXXXXXXXXXXXXXXXXXXXXXX"
Step 2 — Read Data (list_strikes)
Read endpoints are the safest place to start. List the ten most recent strikes for the guild:
curl -s -H "Authorization: Bearer $ARK_TOKEN" \ "https://api.arkanis.gg/api/public/v1/guilds/$GUILD_ID/strikes?limit=10"
The response is a paginated envelope: { data: [...strikes], next_cursor: "..." | null }. Each item carries the strike id, the target user, the severity, the issuing actor, and the timestamp. If the guild has no strikes yet, data is an empty array — not an error.
Step 3 — Reversible Write (claim_ticket)
Reversible writes also skip the re-auth window. Claiming a ticket is the canonical example — it can be unclaimed with one more call, so the guard is not needed.
curl -s -X POST -H "Authorization: Bearer $ARK_TOKEN" \ "https://api.arkanis.gg/api/public/v1/guilds/$GUILD_ID/tickets/<TICKET_ID>/claim"
A successful claim returns the updated ticket with claimed_by set to your Discord id (the token's issuer) and claimed_at set to the current time. If the ticket was already claimed by someone else, the response is 409 with code: "ALREADY_CLAIMED".
Step 4 — Destructive Write Without Re-Auth
Destructive writes (strikes, bans, long mutes, mass purges, RCON commands) require two extra things: a deterministic sentinel value in the _confirmation field, and an open re-auth window for the token. Try the call first without the window to see the gate fire.
curl -s -X POST -H "Authorization: Bearer $ARK_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"user_id": "583912000000000000",
"player_name": "PlayerName",
"in_game_id": "76561198000000001",
"reason": "spam",
"category": "rule-violation",
"severity": "minor",
"_confirmation": "ADD STRIKE TO USER 583912000000000000 IN GUILD 100000000000000000 SEVERITY MINOR"
}' \
"https://api.arkanis.gg/api/public/v1/guilds/$GUILD_ID/strikes"The response is a 403 with the error envelope:
{
"code": "RE_AUTH_REQUIRED",
"message": "An approved re-auth window is required for destructive actions.",
"details": {
"reauth_url": "https://arkanis.gg/dashboard/<GUILD_ID>/settings/api-mcp#approve"
}
}_confirmation value is a deterministic uppercase phrase built from the request fields. For a strike, the template is exactly ADD STRIKE TO USER {user_id} IN GUILD {guildId} SEVERITY {MINOR|MAJOR}. Build the string from your data — do not paste a literal — and match the canonical case exactly. See Destructive Actions for the full sentinel template table.Step 5 — Open a Re-Auth Window
The re-auth window unlocks destructive writes for a token for a bounded period of fifteen minutes. Opening one from the API is meant for fully scripted workflows; interactive users can also click Approve window on the dashboard.
curl -s -X POST -H "Authorization: Bearer $ARK_TOKEN" \ "https://api.arkanis.gg/api/api-tokens/$TOKEN_ID/reauth-window"
A successful open returns the window descriptor:
{
"open": true,
"window": {
"window_id": "01HYYYYYYYYYYYYYYYYYYYYYY",
"expires_at": "2026-05-12T20:15:00.000Z"
}
}You can poll the same path with GET to check whether a window is currently open without creating a new one. The response is { "open": false } if nothing is active.
DELETE /api/api-tokens/$TOKEN_ID/reauth-window if you finish before the timer expires.Step 6 — Retry the Destructive Write
Re-run the same strike request from Step 4. With an open window, the call now succeeds:
curl -s -X POST -H "Authorization: Bearer $ARK_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"user_id": "583912000000000000",
"player_name": "PlayerName",
"in_game_id": "76561198000000001",
"reason": "spam",
"category": "rule-violation",
"severity": "minor",
"_confirmation": "ADD STRIKE TO USER 583912000000000000 IN GUILD 100000000000000000 SEVERITY MINOR"
}' \
"https://api.arkanis.gg/api/public/v1/guilds/$GUILD_ID/strikes"The response is 201 Created with the new strike summary: strike_id, user_id, severity, issued_by, and issued_at. The audit log records the action with actor_source=token and the token name from Step 1, so the row is traceable to this exact integration.
What's Next
You have walked the full token lifecycle. A few useful follow-ups:
- Destructive Actions lists every destructive endpoint and the exact sentinel template each one expects.
- Rate Limits and Errors covers the per-token and per-IP limits, plus every error code your client should handle.
- Authentication explains capability inheritance, rotation, and revocation in depth.
- MCP Quickstart is the equivalent walkthrough for Claude Desktop and Claude Code through the MCP server.