Manage the researcher allowlist for a site

HackGATE supports two access modes for each site. In open mode any authenticated researcher can connect. In restricted mode only email addresses on the allowlist can connect. Use the endpoints below to read and update the allowlist, and to toggle between the two modes. All four endpoints require a Bearer token in the Authorization header.

List researchers
Add researcher
Remove researcher
Toggle access mode

GET /api/sites/getHackers/

Returns all researchers currently on the allowlist for a site.

Request

GET https://api-admin.hackgate.io/api/sites/getHackers/{id}

Headers

Authorization

string

required

Bearer token. Example: Bearer <token>

Path parameters

string

required

The UUID of the site.

Response

Returns an array of allowlist entries.

[]

object[]

Hide Allowlist entry fields

string

required

Unique identifier for this allowlist entry. Use this value when removing the researcher.

string

required

Email address of the researcher.

siteId

string

required

UUID of the site this entry belongs to.

Example

curl https://api-admin.hackgate.io/api/sites/getHackers/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H "Authorization: Bearer <token>"

[
  {
    "id": "entry-uuid-1",
    "email": "alice@example.com",
    "siteId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  },
  {
    "id": "entry-uuid-2",
    "email": "bob@example.com",
    "siteId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  }
]

POST /api/sites/addHacker

Adds a researcher’s email to the allowlist. Returns the full updated allowlist.

Request

POST https://api-admin.hackgate.io/api/sites/addHacker

Headers

Authorization

string

required

Bearer token. Example: Bearer <token>

Content-Type

string

required

Must be application/json.

Body

siteId

string

required

The UUID of the site to add the researcher to.

string

required

The researcher’s email address. Returns 400 if this email is already on the allowlist.

Response

Returns the complete updated allowlist after the addition.

[]

object[]

Hide Allowlist entry fields

string

required

Unique identifier for this allowlist entry.

string

required

Email address of the researcher.

siteId

string

required

UUID of the site.

Example

curl -X POST https://api-admin.hackgate.io/api/sites/addHacker \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"siteId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "email": "alice@example.com"}'

[
  {
    "id": "entry-uuid-1",
    "email": "alice@example.com",
    "siteId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  }
]

POST /api/sites/removeHacker

Removes a researcher from the allowlist. Use the id returned by getHackers to identify the entry.

Request

POST https://api-admin.hackgate.io/api/sites/removeHacker

Headers

Authorization

string

required

Bearer token. Example: Bearer <token>

Content-Type

string

required

Must be application/json.

Body

string

required

The UUID of the allowlist entry to remove. Returned as id in the getHackers response.

siteId

string

required

The UUID of the site.

string

required

The email address of the researcher being removed.

Response

Returns 200 on success. No body is returned.

Example

curl -X POST https://api-admin.hackgate.io/api/sites/removeHacker \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "entry-uuid-1",
    "siteId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "email": "alice@example.com"
  }'

{}

POST /api/sites/allowedHackerType

Switches a site between open access and restricted (allowlist-only) access.Set allowedHackerType to true to enforce the allowlist. Set it to false to allow any authenticated researcher to connect.

Request

POST https://api-admin.hackgate.io/api/sites/allowedHackerType

Headers

Authorization

string

required

Bearer token. Example: Bearer <token>

Content-Type

string

required

Must be application/json.

Body

string

required

The UUID of the site to update.

allowedHackerType

boolean

required

true to restrict access to the allowlist only. false to allow any authenticated researcher.

Response

Returns 200 on success. No body is returned.

Example

# Enable allowlist-only access
curl -X POST https://api-admin.hackgate.io/api/sites/allowedHackerType \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890", "allowedHackerType": true}'

{}

Switching to allowlist-only mode takes effect immediately. Researchers not on the list are blocked at the proxy from that point forward.

GET /api/sites/disable/{id} — deactivate a site

GET and POST /api/sites/blocklist — block rules

curl https://api-admin.hackgate.io/api/sites/getHackers/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H "Authorization: Bearer <token>"

​GET /api/sites/getHackers/

​Request

​Headers

​Path parameters

​Response

​Example

​POST /api/sites/addHacker

​Request

​Headers

​Body

​Response

​Example

​POST /api/sites/removeHacker

​Request

​Headers

​Body

​Response

​Example

​POST /api/sites/allowedHackerType

​Request

​Headers

​Body

​Response

​Example

GET /api/sites/getHackers/

Request

Headers

Path parameters

Response

Example

POST /api/sites/addHacker

Request

Headers

Body

Response

Example

POST /api/sites/removeHacker

Request

Headers

Body

Response

Example

POST /api/sites/allowedHackerType

Request

Headers

Body

Response

Example