Let's Encrypt ACME API
The ACME (Automatic Certificate Management Environment) protocol API, defined by RFC 8555, used by Let's Encrypt to automate the issuance, renewal, and revocation of free TLS/SSL certificates that secure websites with HTTPS.
The ACME (Automatic Certificate Management Environment) protocol API, defined by RFC 8555, used by Let's Encrypt to automate the issuance, renewal, and revocation of free TLS/SSL certificates that secure websites with HTTPS.
# OpenAPI 3.0 header for a description of the ACME (RFC 8555) interface.
openapi: 3.0.3
info:
  title: "Let's Encrypt ACME API"
  # Folded scalar: the wrapped lines below are joined into one line of text.
  description: >-
    The ACME (Automatic Certificate Management Environment) protocol API
    used by Let's Encrypt to automate the issuance, renewal, and revocation
    of TLS certificates. Implements RFC 8555.
  # Quoted so the value stays the string "1.0" and is not read as a float.
  version: "1.0"
  contact:
    name: "Let's Encrypt"
    url: https://letsencrypt.org/docs/
  license:
    name: Mozilla Public License 2.0
    url: https://www.mozilla.org/en-US/MPL/2.0/
# Base URLs that the path templates are resolved against.
servers:
  # Production: certificates issued here are publicly trusted, and the
  # production rate limits apply.
  - description: Production ACME endpoint
    url: https://acme-v02.api.letsencrypt.org
  # Staging: meant for client testing. Its certificates do not chain to a
  # publicly trusted root, so they are not suitable for real services.
  - description: Staging ACME endpoint
    url: https://acme-staging-v02.api.letsencrypt.org
# Tag groups used to organise the operations listed under `paths`.
tags:
  - name: Directory
    description: "Discovery document listing ACME resources"
  # Nonces are what make a captured JWS request unusable a second time.
  - name: Nonce
    description: "Anti-replay nonces for JWS-signed requests"
  - name: Account
    description: "ACME account creation and management"
  - name: Order
    description: "Certificate issuance orders"
  - name: Authorization
    description: "Domain control authorizations"
  - name: Challenge
    description: "Validation challenges (HTTP-01, DNS-01, TLS-ALPN-01)"
  - name: Certificate
    description: "Issued certificate retrieval and revocation"
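# ACME resource operations.
#
# Authentication: apart from GET /directory and HEAD /acme/new-nonce, every
# operation is a POST whose body is a JWS (application/jose+json) signed by
# the client. RFC 8555 requires the protected header to carry a fresh
# `nonce` and the exact request `url`; that is what binds a signature to a
# single request and stops a captured request from being replayed.
#
# Resource URLs: RFC 8555 clients learn URLs from the directory object, from
# `Location` headers and from order/authorization objects. The path
# templates below are kept as this document lists them; a client should not
# build request URLs from them.
#
# Not modelled per operation: each POST response also carries a
# `Replay-Nonce` header, and failures are returned as
# application/problem+json documents (for example a badNonce error, after
# which the client retries with the nonce from that error response).
paths:
  /directory:
    get:
      tags:
        - Directory
      summary: Get ACME directory
      description: Returns URLs for all ACME resources and server metadata.
      operationId: getDirectory
      responses:
        '200':
          description: Directory object
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Directory'
  /acme/new-nonce:
    head:
      tags:
        - Nonce
      summary: Get a new nonce
      description: Returns a fresh nonce in the Replay-Nonce header for use in JWS requests.
      operationId: newNonce
      responses:
        '200':
          description: Nonce returned in Replay-Nonce header
          headers:
            Replay-Nonce:
              description: >-
                Single-use, server-generated value to place in the `nonce`
                field of the next JWS protected header.
              schema:
                type: string
            Cache-Control:
              description: >-
                RFC 8555 requires the `no-store` directive on this resource
                so that intermediaries never serve a cached nonce.
              schema:
                type: string
  /acme/new-acct:
    post:
      tags:
        - Account
      summary: Create or look up an account
      description: Creates a new ACME account or returns the URL of an existing account for the given key.
      operationId: newAccount
      # This request is signed with the new account key and carries the
      # public key as `jwk`, because no account URL (`kid`) exists yet.
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '201':
          description: Account created
          headers:
            Location:
              description: >-
                Account URL; later requests name it as `kid` in the JWS
                protected header.
              schema:
                type: string
                format: uri
        '200':
          description: Existing account returned
          headers:
            Location:
              description: URL of the account already bound to this key.
              schema:
                type: string
                format: uri
  /acme/acct/{accountId}:
    post:
      tags:
        - Account
      summary: Update or deactivate account
      description: >-
        Updates account fields such as contacts, or deactivates the account
        when the payload sets `status` to `deactivated`. The JWS is signed
        with the account key and identifies the account by `kid`.
      operationId: updateAccount
      parameters:
        - name: accountId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '200':
          description: Account updated
  /acme/new-order:
    post:
      tags:
        - Order
      summary: Submit a new certificate order
      description: >-
        Requests a certificate for the identifiers listed in the JWS
        payload. The returned order object names the authorizations to
        complete and the URL used to finalize the order.
      operationId: newOrder
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '201':
          description: Order created
          headers:
            Location:
              description: URL of the newly created order.
              schema:
                type: string
                format: uri
  /acme/order/{orderId}:
    post:
      tags:
        - Order
      summary: Get order status
      description: >-
        POST-as-GET: the JWS payload is the empty string, so the fetch is
        authenticated by the account key but carries no request data.
      operationId: getOrder
      parameters:
        - name: orderId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '200':
          description: Order status
  /acme/finalize/{orderId}:
    post:
      tags:
        - Order
      summary: Finalize an order with a CSR
      description: >-
        Submits the certificate signing request (base64url-encoded DER in
        the `csr` payload field) once the order's authorizations are valid.
      operationId: finalizeOrder
      parameters:
        - name: orderId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '200':
          description: Order finalized
  /acme/authz/{authzId}:
    post:
      tags:
        - Authorization
      summary: Get authorization status
      description: >-
        POST-as-GET with an empty-string payload. The authorization object
        lists the challenges offered for the identifier and their state.
      operationId: getAuthorization
      parameters:
        - name: authzId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '200':
          description: Authorization status
  /acme/chall/{challengeId}:
    post:
      tags:
        - Challenge
      summary: Respond to a challenge
      description: >-
        Tells the server that the client is ready for this challenge to be
        validated. The payload is an empty JSON object (`{}`); the server
        then checks control of the identifier itself.
      operationId: respondChallenge
      parameters:
        - name: challengeId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '200':
          description: Challenge response accepted
  /acme/cert/{certId}:
    post:
      tags:
        - Certificate
      summary: Download issued certificate
      description: >-
        POST-as-GET with an empty-string payload; returns the issued
        certificate followed by its issuing chain.
      operationId: getCertificate
      parameters:
        - name: certId
          in: path
          required: true
          schema:
            type: string
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '200':
          description: PEM-encoded certificate chain
          content:
            application/pem-certificate-chain:
              schema:
                type: string
  /acme/revoke-cert:
    post:
      tags:
        - Certificate
      summary: Revoke a certificate
      description: >-
        Revokes the certificate given in the payload. RFC 8555 accepts a
        request signed either by an account key authorised for the
        certificate or by the certificate's own private key, so whoever
        holds that private key can revoke without access to the account.
      operationId: revokeCertificate
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '200':
          description: Certificate revoked
  /acme/key-change:
    post:
      tags:
        - Account
      summary: Rotate account key
      description: >-
        Replaces the account key. The outer JWS is signed with the current
        account key and its payload is an inner JWS signed with the new
        key, which proves possession of both keys.
      operationId: keyChange
      requestBody:
        required: true
        content:
          application/jose+json:
            schema:
              $ref: '#/components/schemas/JWS'
      responses:
        '200':
          description: Account key rotated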
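# Reusable schemas referenced from the operations under `paths`.
components:
  schemas:
    # Discovery document: the only URL a client needs to be configured with.
    # Every other resource URL is read from this object or from responses.
    Directory:
      type: object
      properties:
        newNonce:
          type: string
          format: uri
        newAccount:
          type: string
          format: uri
        newOrder:
          type: string
          format: uri
        newAuthz:
          description: >-
            Optional in RFC 8555 (pre-authorization); a server that does
            not offer pre-authorization omits this field.
          type: string
          format: uri
        revokeCert:
          type: string
          format: uri
        keyChange:
          type: string
          format: uri
        meta:
          type: object
          properties:
            termsOfService:
              type: string
            website:
              type: string
            caaIdentities:
              description: >-
                Hostnames the CA recognises as referring to itself when it
                checks CAA records for a requested name.
              type: array
              items:
                type: string
    # Request envelope for every POST. RFC 8555 constraints that this
    # schema cannot express: the protected header must contain `alg`,
    # `nonce`, `url` and exactly one of `jwk` or `kid`; `alg` must be a
    # signature algorithm (not `none`, not a MAC); the unprotected header
    # and multiple signatures are not allowed.
    JWS:
      type: object
      description: Flattened JSON Web Signature object per RFC 7515
      # ACME requests always carry all three members; `payload` is present
      # even for POST-as-GET, where it is the empty string.
      required:
        - protected
        - payload
        - signature
      properties:
        protected:
          description: >-
            Base64url-encoded JSON protected header (`alg`, `nonce`, `url`,
            and `jwk` or `kid`).
          type: string
        payload:
          description: >-
            Base64url-encoded request payload; the empty string for
            POST-as-GET requests.
          type: string
        signature:
          description: >-
            Base64url-encoded signature over the protected header and
            payload.
          type: string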