6.2 KiB
6.2 KiB
God Mode API - Documentation
🔐 Overview
The God Mode API provides unrestricted access to the Spark Platform's database and Directus system. It bypasses all authentication and permission checks.
Security: Access requires X-God-Token header with secret token.
🔑 Your Secure Token
GOD_MODE_TOKEN=jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA
⚠️ CRITICAL:
- This token is for YOU and your AI assistant ONLY
- NEVER commit to git (already in
.gitignore) - NEVER share publicly
- Store in Coolify environment variables
🚀 Setup in Coolify
- Go to Coolify → Your Spark Project
- Click "Directus" service
- Go to "Environment Variables"
- Click "Add Variable":
- Name:
GOD_MODE_TOKEN - Value:
jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA
- Name:
- Save and redeploy
📡 API Endpoints
Base URL
https://spark.jumpstartscaling.com/god
All endpoints require header:
X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA
1. Check God Mode Status
curl -X GET https://spark.jumpstartscaling.com/god/status \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA"
Response:
{
"success": true,
"god_mode": true,
"database": {
"tables": 39,
"collections": 39,
"permissions": 156
},
"timestamp": "2025-12-14T11:05:00.000Z"
}
2. Initialize Database
# Read SQL file
SQL_CONTENT=$(cat complete_schema.sql)
# Execute
curl -X POST https://spark.jumpstartscaling.com/god/setup/database \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA" \
-H "Content-Type: application/json" \
-d "{\"sql\": $(jq -Rs . < complete_schema.sql)}"
Response:
{
"success": true,
"tables_created": 39,
"tables": [
"sites",
"pages",
"posts",
"avatar_intelligence",
...
]
}
3. Grant All Permissions
curl -X POST https://spark.jumpstartscaling.com/god/permissions/grant-all \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA"
Response:
{
"success": true,
"permissions_granted": 156,
"collections": 39
}
4. Execute Raw SQL
curl -X POST https://spark.jumpstartscaling.com/god/sql/execute \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA" \
-H "Content-Type: application/json" \
-d '{
"sql": "SELECT * FROM sites ORDER BY date_created DESC LIMIT 5;"
}'
Response:
{
"success": true,
"rows": [
{
"id": "abc123",
"name": "My Site",
"domain": "example.com"
}
],
"rowCount": 1
}
5. Get All Collections (Including System)
curl -X GET https://spark.jumpstartscaling.com/god/collections/all \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA"
Response:
{
"success": true,
"count": 75,
"data": [
{
"collection": "directus_users",
"icon": "people",
...
},
{
"collection": "sites",
"icon": "dns",
...
}
]
}
6. Make User Admin
curl -X POST https://spark.jumpstartscaling.com/god/user/make-admin \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com"
}'
Response:
{
"success": true,
"user": {
"id": "user123",
"email": "user@example.com",
"role": "admin-role-id"
}
}
🛡️ Auto-Permissions Hook
The platform includes an auto-permissions hook that runs on Directus startup:
What it does:
- Automatically grants all permissions to Administrator policy
- Runs after Directus initialization
- Checks for existing permissions first
- Creates 4 permissions per collection (create, read, update, delete)
No manual action needed!
🎯 Use Cases
Fresh Deployment Setup
# 1. Check status
curl -X GET .../god/status -H "X-God-Token: ..."
# 2. Initialize database
curl -X POST .../god/setup/database -H "X-God-Token: ..." -d @schema.json
# 3. Grant permissions
curl -X POST .../god/permissions/grant-all -H "X-God-Token: ..."
# Done! ✅
Fix Permission Issues
curl -X POST .../god/permissions/grant-all -H "X-God-Token: ..."
Query Database Directly
curl -X POST .../god/sql/execute \
-H "X-God-Token: ..." \
-d '{"sql": "SELECT COUNT(*) FROM generated_articles WHERE status = '\''published'\'';"}''
⚠️ Security Notes
What God Mode Can Do:
- ✅ Execute any SQL query
- ✅ Modify any Directus collection
- ✅ Grant/revoke permissions
- ✅ Access system collections
- ✅ Bypass all authentication
- ✅ Create/delete tables
Security Measures:
- ✅ 128-character random token
- ✅ Token not in git repository
- ✅ Only in Coolify environment variables
- ✅ Logs all access attempts
- ✅ Requires exact token match
If Token is Compromised:
- Generate new token:
node -e "const crypto = require('crypto'); console.log(crypto.randomBytes(64).toString('base64url'));" - Update in Coolify environment variables
- Redeploy Directus service
📝 File Structure
directus-extensions/
├── endpoints/
│ └── god/
│ ├── index.js # God Mode API implementation
│ └── package.json # Extension metadata
└── hooks/
└── auto-permissions/
├── index.js # Auto-grant permissions on startup
└── package.json # Hook metadata
✅ Verification
After deployment:
# Test god mode access
curl -X GET https://spark.jumpstartscaling.com/god/status \
-H "X-God-Token: jmQXoeyxWoBsB7eHzG7FmnH90f22JtaYBxXHoorhfZ-v4tT3VNEr9vvmwHqYHCDoWXHSU4DeZXApCP-Gha-YdA"
# Should return success: true
God Mode is your backdoor into everything. Use responsibly! 🔥