/api/v1. It uses first-party app sessions for console users. Cookie-authenticated mutating requests require CSRF protection.
The deployed app also exposes an OpenAPI document at:
The current OpenAPI document is intentionally small. Use it as the
machine-readable starting point, and treat this page as the human-readable
index of implemented resource areas.