API

Table of Contents

• CSRF Protection
• GET /api/csrf-token
• GET /api/apps
• POST /api/apps
• POST /api/apps/close
• DELETE /api/apps/{index}
• GET /api/browse
• GET /api/clients/list
• POST /api/clients/unpair
• POST /api/clients/unpair-all
• POST /api/clients/update
• GET /api/config
• GET /api/configLocale
• POST /api/config
• GET /api/covers/{index}
• POST /api/covers/upload
• GET /api/logs
• POST /api/password
• POST /api/pin
• POST /api/reset-display-device-persistence
• POST /api/restart
• GET /api/vigembus/status
• POST /api/vigembus/install

Sunshine has a RESTful API which can be used to interact with the service.

Unless otherwise specified, authentication is required for all API calls. You can authenticate using basic authentication with the admin username and password.

CSRF Protection

State-changing API endpoints (POST, DELETE) are protected against Cross-Site Request Forgery (CSRF) attacks.

For Web Browsers:

• Requests from same-origin (configured via csrf_allowed_origins) are automatically allowed
• Cross-origin requests require a CSRF token

For Non-Browser Applications:

• Non-browser clients (e.g. curl, scripts, custom apps) are exempt from CSRF protection
• CSRF attacks require a browser to silently attach credentials to a cross-origin request — this threat does not apply to non-browser clients that explicitly provide credentials with every request
• Requests with no Origin or Referer header (as is typical for non-browser clients) are automatically allowed without a CSRF token

Example (browser-equivalent cross-origin request):

# Get CSRF token
curl -u user:pass https://localhost:47990/api/csrf-token
 
# Use token in request
curl -u user:pass -H "X-CSRF-Token: your_token_here" \
  -X POST https://localhost:47990/api/restart

GET /api/csrf-token

Get a CSRF token for the authenticated user.

Parameters

response	The HTTP response object.
request	The HTTP request object.

GET /api/apps

Get the list of available applications.

Parameters

response	The HTTP response object.
request	The HTTP request object.

POST /api/apps

Save an application. To save a new application, the index must be -1. To update an existing application, you must provide the current index of the application.

Parameters

response

The HTTP response object.

request

The HTTP request object. The body for the post request should be JSON serialized in the following format: { "name": "Application Name", "output": "Log Output Path", "cmd": "Command to run the application", "index": -1, "exclude-global-prep-cmd": false, "elevated": false, "auto-detach": true, "wait-all": true, "exit-timeout": 5, "prep-cmd": [ { "do": "Command to prepare", "undo": "Command to undo preparation", "elevated": false } ], "detached": [ "Detached command" ], "image-path": "Full path to the application image. Must be a png file." }

POST /api/apps/close

Close the currently running application.

Parameters

response	The HTTP response object.
request	The HTTP request object.

DELETE /api/apps/{index}

Delete an application.

Parameters

response	The HTTP response object.
request	The HTTP request object.

GET /api/browse

Browse the server filesystem.

Parameters

response	The HTTP response object.
request	The HTTP request object.

Note

On Windows, an empty or root path returns the list of available drive letters.

On non-Windows, an empty path defaults to the filesystem root ("/").

GET /api/clients/list

Get the list of paired clients.

Parameters

response	The HTTP response object.
request	The HTTP request object.

POST /api/clients/unpair

Unpair a client.

Parameters

response	The HTTP response object.
request	The HTTP request object. The body for the POST request should be JSON serialized in the following format: { "uuid": "<uuid>" }

POST /api/clients/unpair-all

Unpair all clients.

Parameters

response	The HTTP response object.
request	The HTTP request object.

POST /api/clients/update

Enable or disable a client.

Parameters

response	The HTTP response object.
request	The HTTP request object. The body for the POST request should be JSON serialized in the following format: { "uuid": "<uuid>", "enabled": true }

GET /api/config

Get the configuration settings.

Parameters

response	The HTTP response object.
request	The HTTP request object.

GET /api/configLocale

Get the locale setting. This endpoint does not require authentication.

Parameters

response	The HTTP response object.
request	The HTTP request object.

POST /api/config

Save the configuration settings.

Parameters

response	The HTTP response object.
request	The HTTP request object. The body for the POST request should be JSON serialized in the following format: { "key": "value" }

Attention

It is recommended to ONLY save the config settings that differ from the default behavior.

GET /api/covers/{index}

Get an application's image.

Parameters

response	The HTTP response object.
request	The HTTP request object.

Note

The index in the url path is the application index.

POST /api/covers/upload

Upload a cover image.

Parameters

response	The HTTP response object.
request	The HTTP request object. The body for the post request should be JSON serialized in the following format: { "key": "igdb_<game_id>", "url": "https://images.igdb.com/igdb/image/upload/t_cover_big_2x/<slug>.png" }

GET /api/logs

Get the logs from the log file.

Parameters

response	The HTTP response object.
request	The HTTP request object.

POST /api/password

Update existing credentials.

Parameters

response	The HTTP response object.
request	The HTTP request object. The body for the post request should be JSON serialized in the following format: { "currentUsername": "Current Username", "currentPassword": "Current Password", "newUsername": "New Username", "newPassword": "New Password", "confirmNewPassword": "Confirm New Password" }

POST /api/pin

Send a pin code to the host. The pin is generated from the Moonlight client during the pairing process.

Parameters

response	The HTTP response object.
request	The HTTP request object. The body for the post request should be JSON serialized in the following format: { "pin": "<pin>", "name": "Friendly Client Name" }

POST /api/reset-display-device-persistence

Reset the display device persistence.

Parameters

response	The HTTP response object.
request	The HTTP request object.

POST /api/restart

Restart Sunshine.

Parameters

response	The HTTP response object.
request	The HTTP request object.

GET /api/vigembus/status

Get ViGEmBus driver version and installation status.

Parameters

response	The HTTP response object.
request	The HTTP request object.

POST /api/vigembus/install

Install ViGEmBus driver with elevated permissions.

Parameters

response	The HTTP response object.
request	The HTTP request object.

Previous	Next
Performance Tuning	Troubleshooting