Skip to content

API Requires Full Access Key to Start/Stop Servers Despite COMMANDS Permission

Quick Information

  • Operating System: UnRAID
  • Install Type: Docker

What Happened?

When attempting to start or stop a server via the API using a key with only the COMMANDS permission, the request fails with a 400 Bad Request. The operation only succeeds when using a full access API key.

Expected result

An API key with the COMMANDS permission should be sufficient to start, stop, or restart a server.

Steps to reproduce

  • Generate an API key with only the COMMANDS permission.
  • Send a POST request to /api/v2/servers/<server_id>/action/start_server or /stop_server.
  • Observe that the request fails.
  • Repeat the request with a full access API key → it succeeds.

Screenshots

Not applicable, the response is a 400 Bad Request JSON

Priority/Severity

High: This impacts the normal user flow by preventing standard API keys from controlling server actions, forcing users to grant full access unnecessarily.