API Reference

REST API for building and signing installers programmatically.

AI coding agents: Do not use the REST API directly for building installers. Use the CLI instead:

# macOS/Linux
curl -fsSL https://sealyour.app/cli/install.sh | sh
# Windows
irm https://sealyour.app/cli/install.ps1 | iex
# Then:
sealapp init --agent

This page is reference documentation for developers integrating the API into their own platforms.

Authentication

All authenticated endpoints require a Bearer token in the Authorization header. Create API keys from the dashboard or via sealapp login.

Header

Authorization: Bearer sya_live_...

Base URL

https://api-qqzjwnddaa-uc.a.run.app

Create Build or Sign Job

POST/v1/builds

API Key

Upload an unsealed.zip containing your files and a config/job.json. Returns a sealed.zip with signed outputs.

Input: unsealed.zip with your files and config. Output: sealed.zip with signed/built results.

unsealed.zip structure

unsealed.zip
  config/
    job.json              # Job type, platform, build config, file manifest
  contents/
    MyApp.app/            # Directories included natively
    helper.exe            # Files included directly
  resources/              # Build jobs only (logos, EULA)
  scripts/                # Build jobs only (pre/post install)

sealed.zip structure

sealed.zip
  My App 1.0.0.pkg        # Signed installer (build jobs)
  # — or —
  MyPlugin.vst3/           # Signed files (sign jobs)

job.json — installer build

{
  "version": 1,
  "jobType": "build",
  "platform": "macos",
  "sealed": true,
  "build": {
    "appName": "My App",
    "version": "1.0.0",
    "publisher": "Developer",
    "bundleId": "com.dev.myapp",
    "installerType": "pkg",
    "installMode": "custom"
  },
  "files": [
    {
      "name": "MyApp.app",
      "destinationPath": "/Applications",
      "allowCustomLocation": true,
      "optional": false,
      "skipSigning": false,
      "isFolder": true
    }
  ]
}

job.json — sign files

{
  "version": 1,
  "jobType": "sign",
  "platform": "macos",
  "sealed": true,
  "files": [
    { "name": "MyPlugin.vst3", "isFolder": true }
  ]
}

Upload

curl -X POST https://api-qqzjwnddaa-uc.a.run.app/v1/builds \
  -H "Authorization: Bearer sya_live_..." \
  -F "unsealed=@unsealed.zip" \
  -F "platform=macos" \
  -F "sealed=true"

Response 202

{
  "buildId": "abc123",
  "status": "building",
  "statusUrl": "https://api-qqzjwnddaa-uc.a.run.app/v1/builds/abc123",
  "estimatedSeconds": 180
}

Build Management

GET/v1/builds

API Key

List recent builds. Supports ?limit= (default 20, max 100) and ?status= filters.

Response 200

{
  "builds": [
    { "buildId": "abc123", "status": "complete", "platform": "macos", "sealed": true, ... }
  ],
  "total": 42
}

GET/v1/builds/:buildId

API Key

Get build status, progress, and details. Includes downloadUrl when complete.

Response 200

{
  "buildId": "abc123",
  "status": "signing",
  "platform": "macos",
  "sealed": true,
  "progress": 45,
  "downloadUrl": null,
  "createdAt": "2026-03-28T10:30:00Z"
}

Status values: queued → preparing → signing → building → sealing → uploading → complete | failed

GET/v1/builds/:buildId/download

API Key

Get a download URL for the sealed.zip output. URL expires in 1 hour.

Response 200

{
  "downloadUrl": "https://storage.googleapis.com/...",
  "expiresAt": "2026-03-28T11:30:00Z",
  "filename": "sealed.zip"
}

Account

GET/v1/account

API Key

Get account info including subscription status and token balance.

Response 200

{
  "email": "dev@example.com",
  "displayName": "Developer",
  "tokens": 5,
  "activeSubscription": true
}

GET/v1/account/usage

API Key

Token usage history (purchases, consumption, subscription events).

GET/v1/account/profiles

API Key

List publisher profiles with logos, EULA, and default install destinations.

PUT/v1/account/profiles/:profileId

API Key

Create or update a publisher profile. Accepts JSON or multipart/form-data with file uploads for logos and EULA.

DELETE/v1/account/profiles/:profileId

API Key

Delete a publisher profile and its assets.

API Key Management

POST/v1/auth/api-keys

API Key

Create a new API key. Maximum 10 active keys per account.

Response 201

{
  "id": "key_abc123",
  "name": "My CI Pipeline",
  "key": "sya_live_...",
  "prefix": "sya_live_a3f...",
  "createdAt": "2026-03-28T10:00:00Z"
}

GET/v1/auth/api-keys

API Key

List API keys. Returns prefixes only, never full keys.

DELETE/v1/auth/api-keys/:keyId

API Key

Revoke an API key immediately.

Error Codes

Status	Code	Meaning
400	bad_request	Invalid input
401	unauthorized	Missing or invalid API key
403	subscription_required	Active subscription needed for sealed builds
404	not_found	Resource not found
413	file_too_large	Bundle exceeds 500MB limit
429	rate_limited	Too many requests
500	internal_error	Server error

Error response format

{
  "error": "subscription_required",
  "message": "An active subscription is required for sealed builds.",
  "status": 403,
  "subscribeUrl": "https://sealyour.app/dashboard/account"
}

CLI Tool

The sealapp CLI wraps the API with a developer-friendly interface. Interactive TUI included.

Install

curl -fsSL https://sealyour.app/cli/install.sh | sh

Commands

sealapp login                   # Authenticate (opens browser for login + subscribe)
sealapp build                   # Create an installer (use --sealed to sign)
sealapp sign <path>             # Code-sign a single file
sealapp                         # Interactive TUI
sealapp status <buildId>        # Check build status
sealapp download <buildId>      # Download completed build
sealapp builds                  # List recent builds
sealapp update                  # Update to latest version
sealapp account                 # Show account info