Admin API

    GET /api/admin/settings

    Only works with Basic Authentication (username and password). See for an explanation.

    Required permissions

    See note in the introduction for an explanation.

    Example Request:

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {
    5.   "DEFAULT": {
    6.     "app_mode":"production"
    7.   },
    8.   "analytics": {
    9.     "google_analytics_ua_id":"",
    10.     "reporting_enabled":"false"
    11.   },
    12.   "auth.anonymous":{
    13.     "enabled":"true",
    14.     "org_name":"Main Org.",
    15.     "org_role":"Viewer"
    16.   },
    17.   "auth.basic":{
    18.     "enabled":"false"
    19.   },
    20.   "auth.github":{
    21.     "allow_sign_up":"false",
    22.     "allowed_domains":"",
    23.     "allowed_organizations":"",
    24.     "api_url":"https://api.github.com/user",
    25.     "auth_url":"https://github.com/login/oauth/authorize",
    26.     "client_id":"some_id",
    27.     "client_secret":"************",
    28.     "enabled":"false",
    29.     "scopes":"user:email,read:org",
    30.     "team_ids":"",
    31.     "token_url":"https://github.com/login/oauth/access_token"
    32.   },
    33.   "auth.google":{
    34.     "allow_sign_up":"false","allowed_domains":"",
    35.     "api_url":"https://www.googleapis.com/oauth2/v1/userinfo",
    36.     "auth_url":"https://accounts.google.com/o/oauth2/auth",
    37.     "client_id":"some_client_id",
    38.     "client_secret":"************",
    39.     "enabled":"false",
    40.     "scopes":"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
    41.     "token_url":"https://accounts.google.com/o/oauth2/token"
    42.   },
    43.   "auth.ldap":{
    44.     "config_file":"/etc/grafana/ldap.toml",
    45.     "enabled":"false"
    46.   },
    47.   "auth.proxy":{
    48.     "auto_sign_up":"true",
    49.     "enabled":"false",
    50.     "header_name":"X-WEBAUTH-USER",
    51.     "header_property":"username"
    52.   },
    53.   "dashboards.json":{
    54.     "enabled":"false",
    55.     "path":"/var/lib/grafana/dashboards"
    56.   },
    57.   "database":{
    58.     "host":"127.0.0.1:0000",
    59.     "name":"grafana",
    60.     "password":"************",
    61.     "path":"grafana.db",
    62.     "ssl_mode":"disable",
    63.     "type":"sqlite3",
    64.     "user":"root"
    65.   },
    66.   "emails":{
    67.     "templates_pattern":"emails/*.html, emails/*.txt",
    68.     "welcome_email_on_sign_up":"false",
    69.     "content_types":"text/html"
    70.   },
    71.   "log":{
    72.     "buffer_len":"10000",
    73.     "level":"Info",
    74.     "mode":"file"
    75.   },
    76.   "log.console":{
    77.     "level":""
    78.   },
    79.   "log.file":{
    80.     "daily_rotate":"true",
    81.     "file_name":"",
    82.     "level":"",
    83.     "log_rotate":"true",
    84.     "max_days":"7",
    85.     "max_lines":"1000000",
    86.     "max_lines_shift":"28",
    87.     "max_size_shift":""
    88.   },
    89.   "paths":{
    90.     "data":"/tsdb/grafana",
    91.     "logs":"/logs/apps/grafana"},
    92.     "security":{
    93.     "admin_password":"************",
    94.     "admin_user":"admin",
    95.     "cookie_remember_name":"grafana_remember",
    96.     "cookie_username":"grafana_user",
    97.     "disable_gravatar":"false",
    98.     "login_remember_days":"7",
    99.     "secret_key":"************"
    100.   },
    101.   "server":{
    102.     "cert_file":"",
    103.     "cert_key":"",
    104.     "enable_gzip":"false",
    105.     "enforce_domain":"false",
    106.     "http_addr":"127.0.0.1",
    107.     "http_port":"0000",
    108.     "protocol":"http",
    109.     "root_url":"%(protocol)s://%(domain)s:%(http_port)s/",
    110.     "router_logging":"true",
    111.     "data_proxy_logging":"true",
    112.     "static_root_path":"public"
    113.   },
    114.   "session":{
    115.     "cookie_name":"grafana_sess",
    116.     "cookie_secure":"false",
    117.     "gc_interval_time":"",
    118.     "provider":"file",
    119.     "provider_config":"sessions",
    120.     "session_life_time":"86400"
    122.   "smtp":{
    123.     "cert_file":"",
    124.     "enabled":"false",
    125.     "from_address":"admin@grafana.localhost",
    126.     "from_name":"Grafana",
    127.     "ehlo_identity":"dashboard.example.com",
    128.     "host":"localhost:25",
    129.     "key_file":"",
    130.     "password":"************",
    131.     "skip_verify":"false",
    132.     "user":""
    133.   },
    134.   "users":{
    135.     "allow_org_create":"true",
    136.     "allow_sign_up":"false",
    137.     "auto_assign_org":"true",
    138.     "auto_assign_org_role":"Viewer"
    139.   }
    140. }

    Update settings

    PUT /api/admin/settings

    Updates / removes and reloads database settings. You must provide either updates, removals or both.

    This endpoint only supports changes to auth.saml configuration.

    Required permissions

    See note in the introduction for an explanation.

    ActionScope
    settings:writesettings:*
    settings:auth.saml:
    settings:auth.saml:enabled (property level)

    Example request:

    1. PUT /api/admin/settings
    2. Accept: application/json
    3. Content-Type: application/json
    4. Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
    6. {
    7.   "updates": {
    8.     "auth.saml": {
    9.       "enabled": "true"
    10.     }
    11.   },
    12.   "removals": {
    13.     "auth.saml": ["single_logout"]
    14.   },
    15. }

    Example response:

    1. HTTP/1.1 200 OK
    2. Content-Type: application/json
    3. Content-Length: 32
    5. {
    6.   "message":"Settings updated"
    7. }

    Status codes:

    • 200 - OK
    • 400 - Bad Request
    • 401 - Unauthorized
    • 403 - Forbidden
    • 500 - Internal Server Error

    Grafana Stats

    GET /api/admin/stats

    Only works with Basic Authentication (username and password). See introduction for an explanation.

    Required permissions

    See note in the for an explanation.

    ActionScope
    server.stats:readn/a

    Example Request:

    1. GET /api/admin/stats
    2. Accept: application/json
    3. Content-Type: application/json

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {
    5.   "users":2,
    6.   "orgs":1,
    7.   "dashboards":4,
    8.   "snapshots":2,
    9.   "tags":6,
    10.   "datasources":1,
    11.   "playlists":1,
    12.   "stars":2,
    13.   "alerts":2,
    14.   "activeUsers":1
    15. }

    Grafana Usage Report preview

    GET /api/admin/usage-report-preview

    Preview usage report to be sent to vendor.

    Only works with Basic Authentication (username and password). See for an explanation.

    Example Request:

    1. GET /api/admin/usage-report-preview
    2. Accept: application/json
    3. Content-Type: application/json

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {
    5.     "version": "8_4_0",
    6.     "metrics": {
    7.         "stats.active_admins.count": 1,
    8.         "stats.active_editors.count": 1,
    9.         "stats.active_sessions.count": 0,
    10.         "stats.active_users.count": 2,
    11.         "stats.active_viewers.count": 0,
    12.         "stats.admins.count": 1,
    13.         "stats.alert_rules.count": 0,
    14.         "stats.alerting.ds.other.count": 0,
    15.         "stats.alerts.count": 5,
    16.         "stats.annotations.count": 6,
    17.         "stats.api_keys.count": 1
    18.   }
    19. }

    Global Users

    POST /api/admin/users

    Create new user. Only works with Basic Authentication (username and password). See for an explanation.

    Required permissions

    See note in the introduction for an explanation.

    Example Request:

    1. POST /api/admin/users HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json
    5. {
    6.   "name":"User",
    7.   "email":"user@graf.com",
    8.   "login":"user",
    9.   "password":"userpassword",
    10.   "OrgId": 1
    11. }

    Note that OrgId is an optional parameter that can be used to assign a new user to a different organization when is set to true.

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {"id":5,"message":"User created"}

    Password for User

    PUT /api/admin/users/:id/password

    Only works with Basic Authentication (username and password). See for an explanation. Change password for a specific user.

    See note in the introduction for an explanation.

    ActionScope
    users.password:writeglobal.users:*

    Example Request:

    1. PUT /api/admin/users/2/password HTTP/1.1
    2. Accept: application/json
    4. {"password":"userpassword"}

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {"message": "User password updated"}

    PUT /api/admin/users/:id/permissions

    Only works with Basic Authentication (username and password). See introduction for an explanation.

    Required permissions

    See note in the for an explanation.

    ActionScope
    users.permissions:writeglobal.users:*

    Example Request:

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {"message": "User permissions updated"}

    Delete global User

    DELETE /api/admin/users/:id

    Only works with Basic Authentication (username and password). See for an explanation.

    Required permissions

    See note in the introduction for an explanation.

    Example Request:

    1. DELETE /api/admin/users/2 HTTP/1.1
    3. Content-Type: application/json

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {"message": "User deleted"}

    Pause all alerts

    POST /api/admin/pause-all-alerts

    Only works with Basic Authentication (username and password). See introduction for an explanation.

    Example Request:

    1. POST /api/admin/pause-all-alerts HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json
    5. {
    6.   "paused": true
    7. }

    JSON Body schema:

    • paused – If true then all alerts are to be paused, false unpauses all alerts.

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {
    5.   "state":   "Paused",
    6.   "message": "alert paused",
    7.   "alertsAffected": 1
    8. }

    Auth tokens for User

    GET /api/admin/users/:id/auth-tokens

    Return a list of all auth tokens (devices) that the user currently have logged in from.

    Only works with Basic Authentication (username and password). See introduction for an explanation.

    Required permissions

    See note in the for an explanation.

    ActionScope
    users.authtoken:readglobal.users:*

    Example Request:

    1. GET /api/admin/users/1/auth-tokens HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. [
    5.   {
    6.     "id": 361,
    7.     "isActive": false,
    8.     "clientIp": "127.0.0.1",
    9.     "browser": "Chrome",
    10.     "browserVersion": "72.0",
    11.     "os": "Linux",
    12.     "osVersion": "",
    13.     "device": "Other",
    14.     "createdAt": "2019-03-05T21:22:54+01:00",
    15.     "seenAt": "2019-03-06T19:41:06+01:00"
    16.   },
    17.   {
    18.     "id": 364,
    19.     "isActive": false,
    20.     "clientIp": "127.0.0.1",
    21.     "browser": "Mobile Safari",
    22.     "browserVersion": "11.0",
    23.     "os": "iOS",
    24.     "osVersion": "11.0",
    25.     "device": "iPhone",
    26.     "createdAt": "2019-03-06T19:41:19+01:00",
    27.     "seenAt": "2019-03-06T19:41:21+01:00"
    28.   }
    29. ]

    Revoke auth token for User

    POST /api/admin/users/:id/revoke-auth-token

    Revokes the given auth token (device) for the user. User of issued auth token (device) will no longer be logged in and will be required to authenticate again upon next activity.

    Only works with Basic Authentication (username and password). See for an explanation.

    Required permissions

    See note in the introduction for an explanation.

    ActionScope
    users.authtoken:writeglobal.users:*

    Example Request:

    1. POST /api/admin/users/1/revoke-auth-token HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json
    5. {
    6.   "authTokenId": 364
    7. }

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {
    5.   "message": "User auth token revoked"
    6. }

    Logout User

    POST /api/admin/users/:id/logout

    Only works with Basic Authentication (username and password). See introduction for an explanation.

    Required permissions

    See note in the for an explanation.

    Example Request:

    1. POST /api/admin/users/1/logout HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {
    5.   "message": "User auth token revoked"
    6. }

    POST /api/admin/provisioning/dashboards/reload

    POST /api/admin/provisioning/datasources/reload

    POST /api/admin/provisioning/plugins/reload

    POST /api/admin/provisioning/notifications/reload

    POST /api/admin/provisioning/access-control/reload

    POST /api/admin/provisioning/alerting/reload

    Reloads the provisioning config files for specified type and provision entities again. It won’t return until the new provisioned entities are already stored in the database. In case of dashboards, it will stop polling for changes in dashboard files and then restart it with new configurations after returning.

    Only works with Basic Authentication (username and password). See for an explanation.

    Required permissions

    See note in the introduction for an explanation.

    ActionScopeProvision entity
    provisioning:reloadprovisioners:accesscontrolaccesscontrol
    provisioning:reloadprovisioners:dashboardsdashboards
    provisioning:reloadprovisioners:datasourcesdatasources
    provisioning:reloadprovisioners:pluginsplugins
    provisioning:reloadprovisioners:notificationsnotifications
    provisioning:reloadprovisioners:alertingalerting

    Example Request:

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {
    5.   "message": "Dashboards config reloaded"
    6. }

    Reload LDAP configuration

    POST /api/admin/ldap/reload

    Reloads the LDAP configuration.

    Only works with Basic Authentication (username and password). See introduction for an explanation.

    Example Request:

    1. POST /api/admin/ldap/reload HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json

    Example Response:

    1. HTTP/1.1 200
    2. Content-Type: application/json
    4. {
    5.   "message": "LDAP config reloaded"
    6. }

    Rotate data encryption keys

    POST /api/admin/encryption/rotate-data-keys

    Rotates data encryption keys.

    Example Request:

    1. POST /api/admin/encryption/rotate-data-keys HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json

    Example Response:

    1. HTTP/1.1 204
    2. Content-Type: application/json

    Re-encrypt data encryption keys

    POST /api/admin/encryption/reencrypt-data-keys

    Re-encrypts data encryption keys.

    Example Request:

    1. POST /api/admin/encryption/reencrypt-data-keys HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json

    Example Response:

    1. HTTP/1.1 204
    2. Content-Type: application/json

    Re-encrypt secrets

    POST /api/admin/encryption/reencrypt-secrets

    Re-encrypts secrets.

    Example Request:

    1. POST /api/admin/encryption/reencrypt-secrets HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json

    Example Response:

    1. HTTP/1.1 204
    2. Content-Type: application/json

    Roll back secrets

    POST /api/admin/encryption/rollback-secrets

    Rolls back secrets.

    1. POST /api/admin/encryption/rollback-secrets HTTP/1.1
    2. Accept: application/json
    3. Content-Type: application/json

    Example Response: