API

Everything the UI does goes through a small HTTP API, built for shell scripts and AI agents. No accounts, no OAuth, no API keys to provision — a site's URL and its edit password are the whole credential.

Authentication

Every authenticated request identifies the site by its edit id (in the URL path) and proves ownership with the edit password — sent as an X-Edit-Password header, or via HTTP Basic auth. That's it: no accounts, no OAuth.

The examples below use https://app.sitebin.io as the host (swap in your own base domain if you self-host) and assume $EDIT_ID and $PW hold a site's edit id and edit password.

Create a site

POST multipart form data. Repeat the files field freely; create folders by putting a path in the part's filename.

curl -F "files=@index.html" -F "files=@app.js;filename=js/app.js" \
     https://app.sitebin.io/api/sites

Create a viewer site with settings

Settings can be supplied at creation time as ordinary form fields — here the mode, a view password, an expiry, WebDAV, and a custom domain.

curl -F "mode=viewer" -F "view_password=sesame" \
     -F "expires_at=2026-12-31T23:59:59Z" -F "webdav=true" \
     -F "domain=docs.client.com" \
     -F "files=@report.pdf" \
     https://app.sitebin.io/api/sites

Upload a zip

A zip field is unpacked server-side into the new site.

curl -F "zip=@site.zip" https://app.sitebin.io/api/sites

Read site settings

A GET on the site returns its settings, file list, and usage.

curl -H "X-Edit-Password: $PW" https://app.sitebin.io/api/sites/$EDIT_ID

Update settings

PUT a JSON object with any subset of settings; "expires_at": null clears the expiry.

curl -X PUT -H "X-Edit-Password: $PW" -H "Content-Type: application/json" \
     -d '{"mode":"viewer","entry_file":"report.pdf","webdav_enabled":true}' \
     https://app.sitebin.io/api/sites/$EDIT_ID

Manage files

Add files

curl -X POST -H "X-Edit-Password: $PW" -F "files=@new.html;filename=new.html" \
     https://app.sitebin.io/api/sites/$EDIT_ID/files

Replace all files

?replace=true swaps out the site's entire content — here with a zip, in one request.

curl -X POST -H "X-Edit-Password: $PW" -F "zip=@all.zip" \
     "https://app.sitebin.io/api/sites/$EDIT_ID/files?replace=true"

Delete a file

curl -X DELETE -H "X-Edit-Password: $PW" \
     https://app.sitebin.io/api/sites/$EDIT_ID/files/js/app.js

Custom domains

Custom domains are an Enterprise feature — in the community edition these endpoints return 403.

Add a domain

curl -X POST -H "X-Edit-Password: $PW" -H "Content-Type: application/json" \
     -d '{"domain":"docs.client.com"}' \
     https://app.sitebin.io/api/sites/$EDIT_ID/domains

Remove a domain

curl -X DELETE -H "X-Edit-Password: $PW" \
     https://app.sitebin.io/api/sites/$EDIT_ID/domains/docs.client.com

Read one file's content

Returns the raw content of a single file — this is what the in-browser editor uses.

curl -H "X-Edit-Password: $PW" https://app.sitebin.io/api/sites/$EDIT_ID/content/index.html

Download the site as a zip

curl -H "X-Edit-Password: $PW" -o site.zip https://app.sitebin.io/api/sites/$EDIT_ID/download

Delete the site

curl -X DELETE -H "X-Edit-Password: $PW" https://app.sitebin.io/api/sites/$EDIT_ID

Report abuse

Public endpoint, no auth required.

curl -X POST -H "Content-Type: application/json" \
     -d '{"target":"https://abc.app.sitebin.io","reason":"phishing"}' \
     https://app.sitebin.io/api/report

Rate limits

Anonymous site creation is rate limited per IP, and password attempts (edit, view, and WebDAV auth) are rate limited per IP and per site. Self-hosted instances can tune both limits at startup.