Modern Minecraft dedicated servers ship a JSON-RPC 2.0 management API. When you enable it, an external program can read and change the allowlist, bans, operators, players and server settings, update game rules, save the world and stop the server, and it receives live notifications when players join or leave. This explorer lists every method and notification with its parameters, result schema and a ready-to-send payload.
The API is grouped by area. allowlist, bans and ip_bans manage who can connect. operators manages op status, players lists and kicks online players, serversettings reads and writes difficulty, view distance, max players, the MOTD, spawn protection and more, and gamerules reads and updates game rules. The server group covers status, save, stop and system messages.
Most groups follow a pattern: a getter with no parameters returns the current value, and matching set, add, remove and clear methods change it. Open any method above to see its exact parameters, the shape of the result it returns, and a JSON-RPC request you can copy and adapt.
The management server is off by default. You turn it on with a handful of keys in server.properties, then restart the server. These are the keys it reads:
| server.properties key | What it does |
|---|---|
| management-server-enabled | Turns the management API on. Default false. |
| management-server-host | Address the API binds to. Default localhost. |
| management-server-port | Port the API listens on. Default 0, which disables it, so set a real free port. |
| management-server-secret | Bearer token clients must send to authenticate. Use a long random value. |
| management-server-tls-enabled | Serve over wss with TLS instead of plain ws. Default false. |
| management-server-tls-keystore | Path to the keystore file used when TLS is enabled. |
| management-server-tls-keystore-password | Password for that keystore. |
| management-server-allowed-origins | Origins allowed to connect, for browser-based clients. |
| status-heartbeat-interval | Seconds between automatic server status notifications. 0 turns the heartbeat off. |
Anyone who can reach the port and has the secret can control the server, so keep it bound to localhost or behind a firewall, and turn on TLS if it crosses an untrusted network. Without TLS the bearer token travels in plain text.
The API speaks JSON-RPC 2.0 over a WebSocket. Connect to the management port with the subprotocol minecraft-v1 and your secret as a bearer token, then send each call as one JSON text frame.
1. Pick a method above, for example minecraft:server/status to read who is online and the server version.
2. Copy the example request. It is a full envelope with jsonrpc, an id, the method name and any params filled in from the schema.
3. Open the WebSocket using the copyable connect command, swap in your host, port and secret, then paste the frame.
4. The server replies with a result that matches the result schema shown for that method, using the same id you sent. Notifications arrive on their own with no id, so your client should handle both.
The management API is a JSON-RPC 2.0 interface built into the vanilla dedicated server that lets an external program manage the server while it runs. You can read and edit the allowlist, bans and IP bans, op and de-op players, kick players, change difficulty, view distance, max players, the MOTD and other settings, update game rules, save the world, send system messages and stop the server. The server also pushes notifications such as players joining or leaving. It is off by default and you turn it on in server.properties.
Open server.properties and set management-server-enabled=true, then set management-server-port to a free port (the default of 0 disables it) and optionally management-server-host (defaults to localhost). Set management-server-secret to a strong token: clients must send it as a bearer token to connect. Restart the server. Keep the port bound to localhost or behind a firewall, because anyone who can reach it and has the secret can control the server.
The API is served over a WebSocket on the management port. Open a WebSocket to ws://host:port/ with the subprotocol minecraft-v1, send your secret as an Authorization: Bearer header (or in the Sec-WebSocket-Protocol header), then send each call as a JSON-RPC 2.0 text frame. The explorer above gives you a ready wscat connect command and the exact frame to send for any method.
A callable method is a request you send to the server, like minecraft:players/kick or minecraft:allowlist/add. The server runs it and replies with a result using the same request id. A notification is the opposite direction: the server pushes it to you when something happens, like minecraft:notification/players/joined. Notifications have no id and you do not reply to them. The explorer splits the two into separate tabs.
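The request, reply and notification handling described in the steps and in the paragraph above, as an added example that is not part of the original page. It works on JSON text frames only and does not open the WebSocket; the `RpcSession` class and the sample frames are constructed for illustration, and the `result` and `params` bodies are placeholders, not the real schemas.

```python
import json
from itertools import count


class RpcSession:
    """Tracks outstanding request ids and separates replies from notifications."""

    def __init__(self):
        self._ids = count(1)
        self.pending = {}        # request id -> method still awaiting a reply
        self.notifications = []  # (method, params) pushed by the server

    def request(self, method, params=None):
        """Build one JSON-RPC 2.0 request envelope as a text frame."""
        rid = next(self._ids)
        frame = {"jsonrpc": "2.0", "id": rid, "method": method}
        if params is not None:
            frame["params"] = params
        self.pending[rid] = method
        return json.dumps(frame)

    def handle(self, text):
        """Classify one incoming text frame as notification, result or error."""
        msg = json.loads(text)
        if msg.get("jsonrpc") != "2.0":
            raise ValueError("not a JSON-RPC 2.0 frame")
        if "method" in msg and "id" not in msg:
            # Server-initiated: no id, and no reply is sent back.
            self.notifications.append((msg["method"], msg.get("params")))
            return ("notification", msg["method"], msg.get("params"))
        method = self.pending.pop(msg.get("id"), None)
        if method is None:
            # Never act on a reply we did not ask for.
            raise ValueError(f"reply with unknown id {msg.get('id')!r}")
        if "error" in msg:
            return ("error", method, msg["error"])
        return ("result", method, msg.get("result"))


# Constructed frames; the payload bodies are placeholders.
SAMPLE_NOTIFICATION = ('{"jsonrpc": "2.0", "method": '
                       '"minecraft:notification/players/joined", '
                       '"params": [{"constructed": "placeholder"}]}')
SAMPLE_REPLY = '{"jsonrpc": "2.0", "id": 1, "result": {"constructed": "placeholder"}}'
```
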
RCON and the management API solve different problems. RCON runs raw console commands over a simple TCP protocol and returns plain text. The management API is structured: it returns typed JSON objects and pushes live notifications, so it is better suited to dashboards, bots and panels that need real data rather than parsing console output. Many setups run both, but for programmatic management the JSON-RPC API is the cleaner choice.
The connection is encrypted only if you turn on TLS. Set management-server-tls-enabled=true and point management-server-tls-keystore and management-server-tls-keystore-password at a keystore to serve the WebSocket over wss instead of ws. Without TLS the bearer token and all traffic travel in plain text, so enable TLS or keep the connection on localhost or a trusted private network.
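One way to check a server.properties file against the key table and the exposure advice on this page, as an added example that is not the server's own code. The loopback names, the 32-character secret threshold and both sample files are assumptions made for the example, and the parser handles plain key=value lines only.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
MIN_SECRET_LEN = 32  # assumed threshold for "long"; the page gives no number

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return findings for the management-server keys, empty if none."""
    p = parse_properties(text)
    if p.get("management-server-enabled", "false").lower() != "true":
        return []  # API is off (the default), nothing to audit
    findings = []
    host = p.get("management-server-host", "localhost").lower()
    tls = p.get("management-server-tls-enabled", "false").lower() == "true"
    secret = p.get("management-server-secret", "")
    if p.get("management-server-port", "0") == "0":
        findings.append("enabled but port is 0, so the API is not listening")
    if host not in LOOPBACK:
        findings.append(f"bound to {host}: reachable beyond localhost")
        if not tls:
            findings.append("no TLS off-host: bearer token sent in plain text")
    if len(secret) < MIN_SECRET_LEN:
        findings.append(f"secret shorter than {MIN_SECRET_LEN} characters")
    if tls and not p.get("management-server-tls-keystore"):
        findings.append("TLS enabled but no keystore path set")
    return findings

# Constructed sample files, not taken from a real server.
EXPOSED = """\
management-server-enabled=true
management-server-host=0.0.0.0
management-server-port=25585
management-server-secret=changeme
management-server-tls-enabled=false
"""
HARDENED = """\
management-server-enabled=true
management-server-port=25585
management-server-secret=CONSTRUCTED-EXAMPLE-SECRET-REPLACE-WITH-RANDOM
"""
```
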