Admin API

GET /api/admin/settings

Only works with Basic Authentication (username and password). See for an explanation.

Required permissions

See note in the for an explanation.

Example Request:

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.   "DEFAULT": {
  6.     "app_mode":"production"
  7.   },
  8.   "analytics": {
  9.     "google_analytics_ua_id":"",
  10.     "reporting_enabled":"false"
  11.   },
  12.   "auth.anonymous":{
  13.     "enabled":"true",
  14.     "org_name":"Main Org.",
  15.     "org_role":"Viewer"
  16.   },
  17.   "auth.basic":{
  18.     "enabled":"false"
  19.   },
  20.   "auth.github":{
  21.     "allow_sign_up":"false",
  22.     "allowed_domains":"",
  23.     "allowed_organizations":"",
  24.     "api_url":"https://api.github.com/user",
  25.     "auth_url":"https://github.com/login/oauth/authorize",
  26.     "client_id":"some_id",
  27.     "client_secret":"************",
  28.     "enabled":"false",
  29.     "scopes":"user:email,read:org",
  30.     "team_ids":"",
  31.     "token_url":"https://github.com/login/oauth/access_token"
  32.   },
  33.   "auth.google":{
  34.     "allow_sign_up":"false","allowed_domains":"",
  35.     "api_url":"https://www.googleapis.com/oauth2/v1/userinfo",
  36.     "auth_url":"https://accounts.google.com/o/oauth2/auth",
  37.     "client_id":"some_client_id",
  38.     "client_secret":"************",
  39.     "enabled":"false",
  40.     "scopes":"https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email",
  41.     "token_url":"https://accounts.google.com/o/oauth2/token"
  42.   },
  43.   "auth.ldap":{
  44.     "config_file":"/etc/grafana/ldap.toml",
  45.     "enabled":"false"
  46.   },
  47.   "auth.proxy":{
  48.     "auto_sign_up":"true",
  49.     "enabled":"false",
  50.     "header_name":"X-WEBAUTH-USER",
  51.     "header_property":"username"
  52.   },
  53.   "dashboards.json":{
  54.     "enabled":"false",
  55.     "path":"/var/lib/grafana/dashboards"
  56.   },
  57.   "database":{
  58.     "host":"127.0.0.1:0000",
  59.     "name":"grafana",
  60.     "password":"************",
  61.     "path":"grafana.db",
  62.     "ssl_mode":"disable",
  63.     "type":"sqlite3",
  64.     "user":"root"
  65.   },
  66.   "emails":{
  67.     "templates_pattern":"emails/*.html, emails/*.txt",
  68.     "welcome_email_on_sign_up":"false",
  69.     "content_types":"text/html"
  70.   },
  71.   "log":{
  72.     "buffer_len":"10000",
  73.     "level":"Info",
  74.     "mode":"file"
  75.   },
  76.   "log.console":{
  77.     "level":""
  78.   },
  79.   "log.file":{
  80.     "daily_rotate":"true",
  81.     "file_name":"",
  82.     "level":"",
  83.     "log_rotate":"true",
  84.     "max_days":"7",
  85.     "max_lines_shift":"28",
  86.     "max_size_shift":""
  87.   },
  88.   "paths":{
  89.     "data":"/tsdb/grafana",
  90.     "logs":"/logs/apps/grafana"},
  91.     "security":{
  92.     "admin_password":"************",
  93.     "admin_user":"admin",
  94.     "cookie_remember_name":"grafana_remember",
  95.     "cookie_username":"grafana_user",
  96.     "disable_gravatar":"false",
  97.     "login_remember_days":"7",
  98.     "secret_key":"************"
  99.   },
  100.   "server":{
  101.     "cert_file":"",
  102.     "cert_key":"",
  103.     "domain":"mygraf.com",
  105.     "enforce_domain":"false",
  106.     "http_addr":"127.0.0.1",
  107.     "http_port":"0000",
  108.     "protocol":"http",
  109.     "root_url":"%(protocol)s://%(domain)s:%(http_port)s/",
  110.     "router_logging":"true",
  111.     "data_proxy_logging":"true",
  112.     "static_root_path":"public"
  113.   },
  114.   "session":{
  115.     "cookie_name":"grafana_sess",
  116.     "cookie_secure":"false",
  117.     "gc_interval_time":"",
  118.     "provider":"file",
  119.     "provider_config":"sessions",
  120.     "session_life_time":"86400"
  121.   },
  122.   "smtp":{
  123.     "cert_file":"",
  124.     "enabled":"false",
  125.     "from_address":"admin@grafana.localhost",
  126.     "from_name":"Grafana",
  127.     "ehlo_identity":"dashboard.example.com",
  128.     "host":"localhost:25",
  129.     "key_file":"",
  130.     "password":"************",
  131.     "skip_verify":"false",
  132.     "user":""
  133.   },
  134.   "users":{
  135.     "allow_org_create":"true",
  136.     "allow_sign_up":"false",
  137.     "auto_assign_org":"true",
  138.     "auto_assign_org_role":"Viewer"
  139.   }
  140. }

Update settings

PUT /api/admin/settings

Note: Available in Grafana Enterprise v8.0+.

Updates / removes and reloads database settings. You must provide either updates, removals or both.

This endpoint only supports changes to auth.saml configuration.

Required permissions

See note in the introduction for an explanation.

ActionScope
settings:writesettings:*
settings:auth.saml:
settings:auth.saml:enabled (property level)

Example request:

  1. PUT /api/admin/settings
  2. Accept: application/json
  3. Content-Type: application/json
  4. Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
  6. {
  7.   "updates": {
  8.     "auth.saml": {
  9.       "enabled": "true"
  10.     }
  11.   },
  12.   "removals": {
  13.     "auth.saml": ["single_logout"]
  14.   },
  15. }

Example response:

  1. HTTP/1.1 200 OK
  2. Content-Type: application/json
  3. Content-Length: 32
  5. {
  6.   "message":"Settings updated"
  7. }

Status codes:

  • 200 - OK
  • 400 - Bad Request
  • 401 - Unauthorized
  • 403 - Forbidden
  • 500 - Internal Server Error

Grafana Stats

GET /api/admin/stats

Only works with Basic Authentication (username and password). See introduction for an explanation.

Required permissions

See note in the introduction for an explanation.

ActionScope
server.stats:readn/a

Example Request:

  1. GET /api/admin/stats
  2. Accept: application/json
  3. Content-Type: application/json

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.   "users":2,
  6.   "orgs":1,
  7.   "dashboards":4,
  8.   "snapshots":2,
  9.   "tags":6,
  10.   "datasources":1,
  11.   "playlists":1,
  12.   "stars":2,
  13.   "alerts":2,
  14.   "activeUsers":1
  15. }

Global Users

POST /api/admin/users

Create new user. Only works with Basic Authentication (username and password). See introduction for an explanation.

Required permissions

See note in the introduction for an explanation.

Example Request:

  1. POST /api/admin/users HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  5. {
  6.   "name":"User",
  7.   "email":"user@graf.com",
  8.   "password":"userpassword",
  9.   "OrgId": 1
  10. }

Note that OrgId is an optional parameter that can be used to assign a new user to a different organization when is set to true.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {"id":5,"message":"User created"}

Only works with Basic Authentication (username and password). See for an explanation. Change password for a specific user.

Required permissions

See note in the for an explanation.

ActionScope
users.password:updateglobal:users:*

Example Request:

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {"message": "User password updated"}

Permissions

PUT /api/admin/users/:id/permissions

Only works with Basic Authentication (username and password). See for an explanation.

Required permissions

See note in the for an explanation.

ActionScope
users.permissions:updateglobal:users:*

Example Request:

  2. Accept: application/json
  3. Content-Type: application/json
  5. {"isGrafanaAdmin": true}

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {"message": "User permissions updated"}

Delete global User

DELETE /api/admin/users/:id

Only works with Basic Authentication (username and password). See for an explanation.

Required permissions

See note in the for an explanation.

Example Request:

  1. DELETE /api/admin/users/2 HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {"message": "User deleted"}

Pause all alerts

POST /api/admin/pause-all-alerts

Only works with Basic Authentication (username and password). See for an explanation.

Example Request:

  1. POST /api/admin/pause-all-alerts HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  5. {
  6.   "paused": true
  7. }

JSON Body schema:

  • paused – If true then all alerts are to be paused, false unpauses all alerts.

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.   "state":   "Paused",
  6.   "message": "alert paused",
  7.   "alertsAffected": 1
  8. }

GET /api/admin/users/:id/auth-tokens

Return a list of all auth tokens (devices) that the user currently have logged in from.

Only works with Basic Authentication (username and password). See for an explanation.

Required permissions

See note in the for an explanation.

ActionScope
users.authtoken:listglobal:users:*

Example Request:

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. [
  5.   {
  6.     "id": 361,
  7.     "isActive": false,
  8.     "clientIp": "127.0.0.1",
  9.     "browser": "Chrome",
  10.     "browserVersion": "72.0",
  11.     "os": "Linux",
  12.     "osVersion": "",
  13.     "device": "Other",
  14.     "createdAt": "2019-03-05T21:22:54+01:00",
  15.     "seenAt": "2019-03-06T19:41:06+01:00"
  16.   },
  17.   {
  18.     "id": 364,
  19.     "isActive": false,
  20.     "clientIp": "127.0.0.1",
  21.     "browser": "Mobile Safari",
  22.     "browserVersion": "11.0",
  23.     "os": "iOS",
  24.     "osVersion": "11.0",
  25.     "device": "iPhone",
  26.     "createdAt": "2019-03-06T19:41:19+01:00",
  27.     "seenAt": "2019-03-06T19:41:21+01:00"
  28.   }
  29. ]

Revoke auth token for User

Revokes the given auth token (device) for the user. User of issued auth token (device) will no longer be logged in and will be required to authenticate again upon next activity.

Only works with Basic Authentication (username and password). See for an explanation.

Required permissions

See note in the for an explanation.

ActionScope
users.authtoken:updateglobal:users:*

Example Request:

  1. POST /api/admin/users/1/revoke-auth-token HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json
  5. {
  6.   "authTokenId": 364
  7. }

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.   "message": "User auth token revoked"
  6. }

Logout User

POST /api/admin/users/:id/logout

Logout user revokes all auth tokens (devices) for the user. User of issued auth tokens (devices) will no longer be logged in and will be required to authenticate again upon next activity.

Only works with Basic Authentication (username and password). See for an explanation.

Required permissions

See note in the for an explanation.

Example Request:

  1. POST /api/admin/users/1/logout HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.   "message": "User auth token revoked"
  6. }

Reload provisioning configurations

POST /api/admin/provisioning/dashboards/reload

POST /api/admin/provisioning/datasources/reload

POST /api/admin/provisioning/plugins/reload

POST /api/admin/provisioning/notifications/reload

POST /api/admin/provisioning/accesscontrol/reload

Reloads the provisioning config files for specified type and provision entities again. It won’t return until the new provisioned entities are already stored in the database. In case of dashboards, it will stop polling for changes in dashboard files and then restart it with new configurations after returning.

Only works with Basic Authentication (username and password). See for an explanation.

Required permissions

See note in the for an explanation.

ActionScopeProvision entity
provisioning:reloadprovisioners:accesscontrolaccesscontrol
provisioning:reloadprovisioners:dashboardsdashboards
provisioning:reloadprovisioners:datasourcesdatasources
provisioning:reloadprovisioners:pluginsplugins
provisioning:reloadprovisioners:notificationsnotifications

Example Request:

  1. POST /api/admin/provisioning/dashboards/reload HTTP/1.1
  2. Accept: application/json
  3. Content-Type: application/json

Example Response:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {
  5.   "message": "Dashboards config reloaded"
  6. }

POST /api/admin/ldap/reload

Reloads the LDAP configuration.

Only works with Basic Authentication (username and password). See for an explanation.

Example Request:

  1. HTTP/1.1 200
  2. Content-Type: application/json
  4. {