Files
hermes-skills/skills/devops/disaster-recovery-audit/references/netcup-scp-api.md
T

3.5 KiB

Netcup SCP REST API Access

Authentication

The netcup SCP API at servercontrolpanel.de uses Keycloak OIDC — NOT API key headers. The CCP API key from customercontrolpanel.de Master Data does not work with the SCP REST API directly.

Get a token

TOKEN=$(curl -s "https://www.servercontrolpanel.de/realms/scp/protocol/openid-connect/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&client_id=scp&username=${NETCUP_CUSTOMER}&password=${NETCUP_PASSWORD}&scope=openid" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token')")
Parameter Value Source
Token endpoint https://www.servercontrolpanel.de/realms/scp/protocol/openid-connect/token From keycloak.js in SCP UI
Client ID scp From keycloak.js
Grant type password Resource owner password grant
Username CCP customer number (numeric, e.g. 389212) From CCP Master Data
Password CCP account password User-provided
Scope openid Required for ID token
Token lifetime 300 seconds (5 min) From token response expires_in
Refresh 1800 seconds (30 min) From token response refresh_expires_in

API base URL

The SCP has three API paths:

Path Purpose Status
https://www.servercontrolpanel.de/scp-core/api/v1/ Server management CRUD Works (returns JSON)
https://www.servercontrolpanel.de/scp-agent/api/v1/ Agent/service operations ⚠️ Returns 403 Forbidden
https://www.servercontrolpanel.de/scp-ui/api/v1/ UI data endpoints Returns HTML login page, not JSON

Always use scp-core for server operations.

Available endpoints

List servers

curl -s "https://www.servercontrolpanel.de/scp-core/api/v1/servers" \
  -H "Authorization: Bearer ${TOKEN}"

Returns: [{"id": 890903, "name": "v2202607377162478911", "template": {"name": "RS 2000 G12"}}]

Single server details

curl -s "https://www.servercontrolpanel.de/scp-core/api/v1/servers/890903" \
  -H "Authorization: Bearer ${TOKEN}"

Returns: IP addresses, hostname, architecture, template name, disk available space, RAM.

Templates / Images (provisioning)

curl -s "https://www.servercontrolpanel.de/scp-core/api/v1/templates" \
  -H "Authorization: Bearer ${TOKEN}"

Note: May return {"code": "error.notfound", "message": "Resource not found"} for non-reseller accounts. This is a known limitation — provisioning via API may require reseller status with netcup.

Credentials

Stored in /root/.hermes/.env:

NETCUP_CUSTOMER=389212
NETCUP_PASSWORD=<CCP password>
NETCUP_KEY=<API key from Master Data page>
NETCUP_API_KEY=<same as NETCUP_KEY>

The API key from the Master Data page is NOT used by the REST API. The password grant flows use the customer number + CCP password directly. The API key exists for legacy SOAP/JSON-RPC endpoints.

Known limitations

  • Token expires every 5 minutes — need to re-authenticate or implement refresh flow for long-running operations
  • Provisioning may be restricted/templates and /images return 404 for non-reseller accounts
  • This is the SCP (Server Control Panel), not CCP — the CCP (customercontrolpanel.de) has a separate API surface for billing/invoicing
  • Discovered Jul 8 2026 — after multiple failed attempts with API key auth that returned 404/401, the working auth flow was found by inspecting keycloak.js in the SCP UI JavaScript bundle