Fly.io Extensions API

openapi: 3.1.0
info:
  title: Fly.io Extensions API
  description: >-
    The Fly.io Extensions API is a provider-facing HTTP interface that enables
    third-party services to integrate with the Fly.io platform as extension
    providers. When a Fly.io user provisions an extension via the flyctl CLI,
    Fly.io forwards the provisioning request to the provider's API with details
    about the requesting organization and user, and the provider responds with
    environment variable configuration that is attached to the target
    application. Providers must also support single sign-on login flows using
    OAuth, daily billing detail endpoints, and webhook delivery for resource
    lifecycle events. Extensions currently available through this program
    include Sentry, Supabase, Tigris object storage, Upstash Redis and Vector,
    and others.
  version: '1.0'
  contact:
    name: Fly.io Extensions Program
    url: https://fly.io/docs/reference/extensions_api/
  termsOfService: https://fly.io/legal/terms-of-service/
externalDocs:
  description: Fly.io Extensions API Documentation
  url: https://fly.io/docs/reference/extensions_api/
servers:
  - url: https://{provider_base_url}
    description: >-
      Provider-hosted API server. Each extension provider hosts their own
      implementation of this API at a URL they register with Fly.io.
    variables:
      provider_base_url:
        default: api.example.com
        description: The base URL registered by the extension provider with Fly.io.
  - url: https://api.fly.io
    description: Fly.io platform server for OAuth and webhook endpoints.
tags:
  - name: Extensions
    description: >-
      Operations for provisioning, retrieving, and updating extension resource
      instances. Fly.io calls these endpoints on the provider's server when
      users interact with extensions via the flyctl CLI.
  - name: OAuth
    description: >-
      Fly.io platform OAuth endpoints used during the single sign-on flow to
      authorize users and exchange tokens.
  - name: SSO
    description: >-
      Single sign-on operations allowing Fly.io users to access provider
      dashboards using their Fly.io credentials via OAuth.
  - name: Webhooks
    description: >-
      Webhook endpoints for bidirectional event delivery between Fly.io and
      extension providers. Both sides sign their webhook payloads using
      HMAC-SHA256 for verification.
security:
  - flySharedSecret: []
paths:
  /extensions:
    post:
      operationId: provisionExtension
      summary: Provision an extension resource
      description: >-
        Called by Fly.io when a user provisions an extension via the flyctl CLI.
        The provider must create the requested resource and respond with its
        unique ID and a config object containing the environment variables to
        inject into the user's Fly App. Provisioning must complete within 5
        seconds; if the resource takes longer to create, the provider should
        respond immediately and use the webhook endpoint to notify Fly.io when
        the resource becomes available.
      tags:
        - Extensions
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ProvisionRequest'
      responses:
        '200':
          description: Extension provisioned successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProvisionResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /extensions/{extension_id}:
    get:
      operationId: getExtension
      summary: Get extension resource details
      description: >-
        Called by Fly.io to fetch the current status and usage information for
        a specific extension resource. This endpoint is used for polling when
        an extension is provisioned asynchronously and takes longer than 5
        seconds to become ready.
      tags:
        - Extensions
      parameters:
        - $ref: '#/components/parameters/extensionId'
      responses:
        '200':
          description: Extension resource details.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ExtensionResource'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    patch:
      operationId: updateExtension
      summary: Update an extension resource
      description: >-
        Called by Fly.io when a user updates the configuration of an extension
        resource, such as changing the region or plan. The provider applies the
        updated configuration and returns the updated resource details.
      tags:
        - Extensions
      parameters:
        - $ref: '#/components/parameters/extensionId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ProvisionRequest'
      responses:
        '200':
          description: Extension updated successfully.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ProvisionResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
    delete:
      operationId: deleteExtension
      summary: Delete an extension resource
      description: >-
        Called by Fly.io when a user removes an extension from their app.
        The provider should clean up all resources associated with this
        extension instance and remove the user's environment variables.
      tags:
        - Extensions
      parameters:
        - $ref: '#/components/parameters/extensionId'
      responses:
        '200':
          description: Extension deleted successfully.
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /extensions/{extension_id}/sso:
    get:
      operationId: initiateSso
      summary: Initiate SSO for an extension
      description: >-
        Called by Fly.io when a user runs a flyctl command to access the
        provider's dashboard (e.g., flyctl ext redis dashboard). The provider
        should verify the request signature and redirect the user to the
        appropriate dashboard page, using information from the Fly.io OAuth
        token to identify the user.
      tags:
        - SSO
      parameters:
        - $ref: '#/components/parameters/extensionId'
      responses:
        '302':
          description: Redirect to the provider's dashboard.
          headers:
            Location:
              description: URL of the provider dashboard for this extension resource.
              schema:
                type: string
                format: uri
        '401':
          $ref: '#/components/responses/Unauthorized'
        '404':
          $ref: '#/components/responses/NotFound'
  /oauth/authorize:
    get:
      operationId: oauthAuthorize
      summary: OAuth authorization endpoint
      description: >-
        Fly.io platform OAuth authorization endpoint. Redirects the user to
        approve the OAuth application and returns an authorization code to the
        specified redirect URI. Used by extension providers during the SSO
        flow to verify Fly.io user identity.
      tags:
        - OAuth
      servers:
        - url: https://api.fly.io
          description: Fly.io platform OAuth server.
      security: []
      parameters:
        - name: client_id
          in: query
          description: OAuth client ID issued to the extension provider by Fly.io.
          required: true
          schema:
            type: string
        - name: response_type
          in: query
          description: OAuth response type. Must be code for the authorization code flow.
          required: true
          schema:
            type: string
            enum: [code]
        - name: redirect_uri
          in: query
          description: Provider callback URL to redirect the user to after authorization.
          required: true
          schema:
            type: string
            format: uri
        - name: scope
          in: query
          description: Space-separated list of requested OAuth scopes.
          required: false
          schema:
            type: string
      responses:
        '302':
          description: Redirect to provider redirect_uri with authorization code.
  /oauth/token:
    post:
      operationId: oauthToken
      summary: Exchange authorization code for access token
      description: >-
        Fly.io platform OAuth token endpoint. Exchanges an authorization code
        obtained from the authorize endpoint for an access token that can be
        used to retrieve user and organization information via the token info
        endpoint.
      tags:
        - OAuth
      servers:
        - url: https://api.fly.io
          description: Fly.io platform OAuth server.
      security: []
      requestBody:
        required: true
        content:
          application/x-www-form-urlencoded:
            schema:
              type: object
              required:
                - grant_type
                - code
                - redirect_uri
                - client_id
                - client_secret
              properties:
                grant_type:
                  type: string
                  enum: [authorization_code]
                  description: OAuth grant type. Must be authorization_code.
                code:
                  type: string
                  description: The authorization code received from the authorize endpoint.
                redirect_uri:
                  type: string
                  description: The same redirect URI used in the authorization request.
                client_id:
                  type: string
                  description: OAuth client ID issued to the provider.
                client_secret:
                  type: string
                  description: OAuth client secret issued to the provider.
      responses:
        '200':
          description: Access token response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/OAuthTokenResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
  /oauth/token/info:
    get:
      operationId: getTokenInfo
      summary: Get OAuth token information
      description: >-
        Fly.io platform token introspection endpoint. Returns the user and
        organization details associated with a valid Fly.io OAuth access token.
        Providers use this endpoint to identify which Fly.io user and
        organization initiated an SSO session.
      tags:
        - OAuth
      servers:
        - url: https://api.fly.io
          description: Fly.io platform OAuth server.
      security:
        - oauthBearerAuth: []
      responses:
        '200':
          description: Token information including user and organization details.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TokenInfo'
        '401':
          $ref: '#/components/responses/Unauthorized'
  /api/hooks/extensions/{provider_name}:
    post:
      operationId: sendExtensionWebhook
      summary: Send a webhook to Fly.io
      description: >-
        Called by extension providers to notify Fly.io of resource lifecycle
        changes. Use this endpoint to report when asynchronously provisioned
        resources become ready, when resources are updated, or when they are
        deleted. Requests must be signed with the HMAC-SHA256 webhook signing
        secret provided by Fly.io.
      tags:
        - Webhooks
      servers:
        - url: https://api.fly.io
          description: Fly.io platform webhook receiver.
      security:
        - webhookHmac: []
      parameters:
        - name: provider_name
          in: path
          description: The slug identifier of the extension provider registered with Fly.io.
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ExtensionWebhookPayload'
      responses:
        '200':
          description: Webhook received and processed.
        '401':
          $ref: '#/components/responses/Unauthorized'
  /extensions/events:
    post:
      operationId: receiveExtensionEvent
      summary: Receive a machine event webhook from Fly.io
      description: >-
        Fly.io sends CloudEvents-format webhook payloads to this provider
        endpoint when Machine or account events occur that are relevant to
        an extension. Providers should verify the HMAC-SHA256 signature using
        the webhook signing secret provided by Fly.io and process the event
        accordingly.
      tags:
        - Webhooks
      security:
        - webhookHmac: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CloudEventPayload'
      responses:
        '200':
          description: Event received and processed.
        '401':
          $ref: '#/components/responses/Unauthorized'
components:
  securitySchemes:
    flySharedSecret:
      type: http
      scheme: bearer
      description: >-
        Shared secret provided by Fly.io to the extension provider. Fly.io
        includes this secret in an Authorization Bearer header on all requests
        to the provider's API for verification.
    oauthBearerAuth:
      type: http
      scheme: bearer
      description: Fly.io OAuth access token obtained from the token exchange endpoint.
    webhookHmac:
      type: apiKey
      in: header
      name: X-Fly-Signature
      description: >-
        HMAC-SHA256 signature of the raw request body, computed using the
        webhook signing secret. Recipients must verify this signature before
        processing the payload.
  parameters:
    extensionId:
      name: extension_id
      in: path
      description: The unique identifier of the extension resource, as returned by the provider.
      required: true
      schema:
        type: string
  responses:
    BadRequest:
      description: Invalid request parameters or body.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    Unauthorized:
      description: Missing or invalid authentication credentials.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
    NotFound:
      description: The requested extension resource was not found.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorResponse'
  schemas:
    ErrorResponse:
      type: object
      description: A standard error response.
      properties:
        error:
          type: string
          description: Human-readable error message.
        status:
          type: integer
          description: HTTP status code.
    ProvisionRequest:
      type: object
      description: >-
        Request body sent by Fly.io to the provider when provisioning or
        updating an extension resource.
      required:
        - name
        - id
        - organization_id
        - organization_name
        - user_email
        - user_id
        - user_role
      properties:
        name:
          type: string
          description: The name the user specified for this extension resource.
        id:
          type: string
          description: Fly.io-generated unique identifier for this extension instance.
        organization_id:
          type: string
          description: The Fly.io organization ID of the user provisioning the extension.
        organization_name:
          type: string
          description: The display name of the Fly.io organization.
        user_email:
          type: string
          format: email
          description: >-
            An obfuscated email alias for the provisioning user. This is a
            routing address that Fly.io manages, not the user's real email.
        user_id:
          type: string
          description: The Fly.io user ID of the provisioning user.
        user_role:
          type: string
          description: The user's role within the organization (e.g., admin, member).
        primary_region:
          type: string
          description: The preferred deployment region for latency-sensitive resources.
          example: iad
        read_regions:
          type: array
          description: Additional regions where read replicas should be provisioned.
          items:
            type: string
        ip_address:
          type: string
          description: >-
            A Fly.io private IP address allocated for Flycast routing, enabling
            the extension to receive traffic over the Fly.io private network.
    ProvisionResponse:
      type: object
      description: >-
        Response body returned by the provider after successfully provisioning
        or updating an extension resource.
      required:
        - id
        - config
      properties:
        id:
          type: string
          description: The provider's unique identifier for this extension resource.
        name:
          type: string
          description: Human-readable name for the provisioned resource.
        config:
          type: object
          description: >-
            Environment variables to inject into the user's Fly App. Keys are
            variable names and values are the corresponding secrets or
            connection strings.
          additionalProperties:
            type: string
        fly_app_name:
          type: string
          description: >-
            If the provider runs a Fly App to serve this extension, specify its
            name here to enable Flycast routing from the customer's private
            network.
    ExtensionResource:
      type: object
      description: Full details about a provisioned extension resource.
      properties:
        id:
          type: string
          description: Unique identifier for this extension resource.
        name:
          type: string
          description: Human-readable name for the resource.
        status:
          type: string
          description: Current status of the resource (e.g., pending, ready, error).
          enum: [pending, ready, error]
        config:
          type: object
          description: Current environment variable configuration for the resource.
          additionalProperties:
            type: string
    OAuthTokenResponse:
      type: object
      description: OAuth access token response from the Fly.io token endpoint.
      properties:
        access_token:
          type: string
          description: The OAuth access token to use for authenticated API calls.
        token_type:
          type: string
          description: Token type, always Bearer.
        expires_in:
          type: integer
          description: Token validity duration in seconds.
        scope:
          type: string
          description: Space-separated list of granted OAuth scopes.
    TokenInfo:
      type: object
      description: User and organization information for a Fly.io OAuth token.
      properties:
        user_id:
          type: string
          description: The Fly.io user ID associated with this token.
        email:
          type: string
          description: The obfuscated email alias of the authenticated user.
        organization_id:
          type: string
          description: The Fly.io organization ID the user is acting within.
        organization_name:
          type: string
          description: The display name of the organization.
        role:
          type: string
          description: The user's role within the organization.
    ExtensionWebhookPayload:
      type: object
      description: >-
        Payload sent by extension providers to notify Fly.io of resource
        lifecycle changes.
      required:
        - action
        - resource_id
      properties:
        action:
          type: string
          description: The lifecycle action that occurred.
          enum: [resource.created, resource.updated, resource.deleted]
        resource_id:
          type: string
          description: The provider's ID of the resource this event relates to.
        config:
          type: object
          description: >-
            Updated environment variable configuration, if applicable. Include
            when responding to async provisioning completion.
          additionalProperties:
            type: string
    CloudEventPayload:
      type: object
      description: >-
        A CloudEvents-format payload sent by Fly.io to the extension provider
        for machine and account lifecycle events.
      required:
        - specversion
        - type
        - source
        - id
      properties:
        specversion:
          type: string
          description: CloudEvents specification version.
          example: '1.0'
        type:
          type: string
          description: Event type identifier (e.g., io.fly.machine.started).
        source:
          type: string
          description: URI identifying the Fly.io system that generated the event.
        id:
          type: string
          description: Unique identifier for this event instance.
        time:
          type: string
          format: date-time
          description: Timestamp when the event occurred.
        datacontenttype:
          type: string
          description: Content type of the event data.
          example: application/json
        data:
          type: object
          description: Event-specific payload data.
          additionalProperties: true