API reference

This reference covers the upload and automation API — the developer-facing part of the management API you use to publish from CI. The base URL is:

https://api.autoappstore.com/portal/api

Note

This is the only API surface documented for developers. The in-vehicle distribution layer that serves apps to cars is internal to the platform and is not part of this API.

Authentication

Automation endpoints authenticate with a CI token (a long-lived bearer token you create in the portal and store as a CI secret):

Authorization: Bearer <CI_UPLOAD_TOKEN>

Interactive portal endpoints use a session cookie instead; the endpoints below are the ones intended for automation.

Upload a new revision

POST /uploads/ci
Content-Type: multipart/form-data
Authorization: Bearer <CI_UPLOAD_TOKEN>

Part	Type	Description
apk	file	The production-signed release APK

Response 201:

{
  "version": {
    "id": "b1c2…",
    "app_id": "a0f1…",
    "version_code": 2,
    "version_name": "1.1.0",
    "status": "draft"
  },
  "validation_run": { "id": "v9d8…", "status": "running" }
}

Common errors: 401 (missing/invalid token), 409 (versionCode not incremented), 422 (unsigned or malformed APK).

Read validation results

GET /versions/{id}/validation
Authorization: Bearer <CI_UPLOAD_TOKEN>

Response 200:

{
  "runs": [
    {
      "id": "v9d8…",
      "status": "failed",
      "findings": [
        { "code": "unsigned_apk", "severity": "blocking", "message": "APK is not signed with a production certificate." }
      ]
    }
  ]
}

Read a version (status + live state)

GET /versions/{id}
Authorization: Bearer <CI_UPLOAD_TOKEN>

Response 200:

{
  "id": "b1c2…",
  "version_code": 2,
  "version_name": "1.1.0",
  "status": "live",
  "open_issue_count": 1
}

status is one of draft, in_review, approved, live, rejected. When a version is live with open_issue_count > 0, it is live with open issues (see Release model).

Read release status (where a version is live)

GET /versions/{id}/release
Authorization: Bearer <CI_UPLOAD_TOKEN>

Response 200:

{
  "live": true,
  "targets": {
    "countries": ["DE", "AT"],
    "vehicle_contexts": ["…"]
  }
}

This is read-only for developers: you can see where a version is live, but the store team controls the release itself (see Release model).

List your CI tokens

GET /ci-tokens          # list (no secret values)
POST /ci-tokens         # create → returns the raw token once
DELETE /ci-tokens/{id}  # revoke

Create tokens in the portal UI for convenience; the API endpoints exist for teams that manage tokens programmatically. A created token’s raw value is returned only once — store it immediately.