refactor(params): ♻️ Simplify ForgeURL logic by removing redundant switch case

Streamlines the ForgeURL method by removing an unnecessary nested switch case on ForgeType, consolidating the logic to rely solely on EntityType. This change reduces complexity and improves code readability without altering functionality.
Merge pull request #499 from gabriel-samfira/better-cli-log-formatting
2025-08-27 16:04:56 +02:00 · 2025-08-27 16:27:33 +03:00 · 2025-08-27 13:21:56 +00:00 · 2025-08-27 12:27:04 +03:00 · 2025-08-27 09:14:45 +00:00 · 2025-08-25 19:35:17 +03:00
3288 changed files with 512069 additions and 226593 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"
--- a/.github/workflows/build-and-push.yml
+++ b/.github/workflows/build-and-push.yml
@ -0,0 +1,61 @@
+name: "Build and push GARM images"
+on:
+  workflow_call:
+    inputs:
+      push_to_project:
+        description: "Project to build images for"
+        required: false
+        type: string
+        default: "ghcr.io/cloudbase"
+      ref:
+        description: "Ref to build"
+        required: false
+        type: string
+        default: "main"
+
+permissions:
+  contents: read
+
+jobs:
+    images:
+      permissions:
+        packages: write
+      name: "Build GARM images"
+      runs-on: ubuntu-latest
+      steps:
+        - name: "Checkout"
+          uses: actions/checkout@v4
+          with:
+            path: src/github.com/cloudbase/garm
+            fetch-depth: 0
+
+        - name: Set up Docker Buildx
+          uses: docker/setup-buildx-action@v2
+
+        - name: Login to GitHub Container Registry
+          uses: docker/login-action@v2
+          with:
+            registry: ghcr.io
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+        - name: Build and push image
+          env:
+            IMAGE_REGISTRY: ${{ inputs.push_to_project }}
+            GH_REF: ${{ inputs.ref }}
+          working-directory: src/github.com/cloudbase/garm
+          run: |
+            if [ "$GH_REF" == "main" ]; then
+              IMAGE_TAG="nightly"
+            else
+              IMAGE_TAG=$(git describe --tags --match='v[0-9]*' --always ${GH_REF})
+            fi
+            docker buildx build \
+              --provenance=false \
+              --platform linux/amd64,linux/arm64 \
+              --label "org.opencontainers.image.source=https://github.com/cloudbase/garm/tree/${GH_REF}" \
+              --label "org.opencontainers.image.description=GARM ${GH_REF}" \
+              --label "org.opencontainers.image.licenses=Apache 2.0" \
+              --build-arg="GARM_REF=${GH_REF}" \
+              -t ${IMAGE_REGISTRY}/garm:"${IMAGE_TAG}" \
+              --push .
--- a/.github/workflows/go-tests.yml
+++ b/.github/workflows/go-tests.yml
@ -4,9 +4,11 @@ on:
  push:
    branches:
      - main
+      - 'release/**'
  pull_request:
    branches:
      - main
+      - 'release/**'

 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }}
@ -17,23 +19,22 @@ permissions: {}
 jobs:
  linters:
    name: Linters
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    timeout-minutes: 10

    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update
-          sudo apt-get install -y libbtrfs-dev build-essential
+          sudo apt-get install -y libbtrfs-dev build-essential apg jq

-      - uses: actions/setup-go@v3
-        with:
-          go-version: 'stable'
      - uses: actions/checkout@v3
-      - uses: golangci/golangci-lint-action@v3
+      - uses: actions/setup-go@v5
        with:
-          skip-cache: true
-          args: --timeout=8m --build-tags testing
+          go-version-file: go.mod
+
+      - name: make lint
+        run: make golangci-lint && GOLANGCI_LINT_EXTRA_ARGS="--timeout=8m --build-tags=testing,integration" make lint
      - name: Verify go vendor, go modules and gofmt
        run: |
          sudo apt-get install -y jq
@ -43,15 +44,39 @@ jobs:
    runs-on: ubuntu-latest
    needs: [linters]
    steps:
+      - name: Install dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libbtrfs-dev build-essential apg jq default-jre
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '>=v24.5.0'
+      
+      - name: Set up openapi-generator-cli
+        run: |
+          mkdir -p $HOME/openapi-generator
+          cd $HOME/openapi-generator
+          npm install @openapitools/openapi-generator-cli
+          echo "$HOME/openapi-generator/node_modules/.bin" >> $GITHUB_PATH
+
      - name: Checkout
        uses: actions/checkout@v3

      - name: Setup Golang
-        uses: actions/setup-go@v3
+        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - run: go version

+      - name: Run go generate
+        run: |
+          GOTOOLCHAIN=go1.24.6 make generate
+
      - name: Run GARM Go Tests
        run: make go-test
+
+      - name: Run web UI tests
+        run: |
+          make webui-test
--- a/.github/workflows/integration-tests.yml
+++ b/.github/workflows/integration-tests.yml
@ -0,0 +1,122 @@
+name: Integration Tests
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  integration-tests:
+    runs-on: ubuntu-noble-garm
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Golang
+        uses: actions/setup-go@v3
+        with:
+          go-version-file: go.mod
+
+      - name: Setup LXD
+        uses: canonical/setup-lxd@main
+        with:
+          channel: latest/stable
+
+      - name: Install dependencies
+        run: |
+          sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
+          sudo apt-get -qq update && sudo apt-get -qq install -y apg coreutils make jq build-essential libsqlite3-dev libsqlite3-0
+
+      - name: Set up tunnel
+        shell: bash
+        run: |
+          mkdir -p /home/runner/.ssh
+          echo "${{ secrets.SSH_PRIVATE_KEY }}" > /home/runner/.ssh/ssh_key
+          sudo chown -R runner:runner /home/runner/.ssh
+          sudo chmod 500 /home/runner/.ssh
+          sudo chmod 400 /home/runner/.ssh/ssh_key
+
+          SUBDOMAIN=$(apg -a 0 -M l -m 12 -n 1)
+          echo "::add-mask::$SUBDOMAIN"
+
+          BASE_URL="${{ secrets.TUNNEL_BASE_URL }}"
+          GARM_BASE_URL="https://$SUBDOMAIN.$BASE_URL"
+          echo "::add-mask::$GARM_BASE_URL"
+
+          echo "GARM_BASE_URL=$GARM_BASE_URL" >> $GITHUB_ENV
+
+          cat <<EOF | sudo tee /etc/systemd/system/garm-tunnel.service
+          [Unit]
+          Description=GARM tunnel
+          After=network.target
+
+          [Service]
+          Type=simple
+          ExecStart=/usr/bin/ssh -q -i /home/runner/.ssh/ssh_key -N -n -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -R $SUBDOMAIN:80:127.0.0.1:9997 $BASE_URL
+          Restart=always
+          User=runner
+          [Install]
+          WantedBy=default.target
+          EOF
+
+          sudo systemctl daemon-reload
+          sudo systemctl enable garm-tunnel
+          sudo systemctl start garm-tunnel
+
+      - name: Generate secrets
+        run: |
+          GARM_PASSWORD=$(apg -n1 -m32)
+          REPO_WEBHOOK_SECRET=$(apg -n1 -m32)
+          ORG_WEBHOOK_SECRET=$(apg -n1 -m32)
+
+          echo "::add-mask::$GARM_PASSWORD"
+          echo "::add-mask::$REPO_WEBHOOK_SECRET"
+          echo "::add-mask::$ORG_WEBHOOK_SECRET"
+
+          echo "GARM_PASSWORD=$GARM_PASSWORD" >> $GITHUB_ENV
+          echo "REPO_WEBHOOK_SECRET=$REPO_WEBHOOK_SECRET" >> $GITHUB_ENV
+          echo "ORG_WEBHOOK_SECRET=$ORG_WEBHOOK_SECRET" >> $GITHUB_ENV
+          echo "GARM_CHECKOUT_DIR=$GITHUB_WORKSPACE" >> $GITHUB_ENV
+
+      - name: Create logs directory
+        if: always()
+        run: sudo mkdir -p /artifacts-logs && sudo chmod 777 /artifacts-logs
+
+      - name: Run integration tests
+        run: |
+          set -o pipefail
+          set -o errexit
+          make integration 2>&1
+        env:
+          ORG_NAME: gsamfira
+          REPO_NAME: garm-testing
+          CREDENTIALS_NAME: test-garm-creds
+          WORKFLOW_FILE_NAME: test.yml
+          GH_TOKEN: ${{ secrets.GH_OAUTH_TOKEN }}
+          LXD_REMOTE_SERVER: ${{ secrets.LXD_REMOTE_SERVER }}
+
+      - name: Show GARM logs
+        if: always()
+        run: |
+          sudo systemctl status garm@runner || true
+          sudo journalctl --no-pager 2>&1 > /artifacts-logs/system.log
+          sudo journalctl -u garm@runner --no-pager 2>&1 > /artifacts-logs/garm.log
+
+      - name: Upload GARM and e2e logs
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: garm-logs
+          path: /artifacts-logs
+
+      - name: Cleanup orphan GARM resources via GitHub API
+        if: always()
+        run: |
+          set -o pipefail
+          set -o errexit
+
+          sudo systemctl stop garm@runner || true
+          go run ./test/integration/gh_cleanup/main.go || true
+        env:
+          ORG_NAME: gsamfira
+          REPO_NAME: garm-testing
+          GH_TOKEN: ${{ secrets.GH_OAUTH_TOKEN }}
--- a/.github/workflows/trigger-manual.yml
+++ b/.github/workflows/trigger-manual.yml
@ -0,0 +1,19 @@
+name: Manual build of GARM images
+on:
+  workflow_dispatch:
+    inputs:
+      push_to_project:
+        description: "Project to build images for"
+        required: true
+        default: "ghcr.io/cloudbase"
+      ref:
+        description: "Ref to build"
+        required: true
+        default: "main"
+
+jobs:
+  call-build-and-push:
+    uses: ./.github/workflows/build-and-push.yml
+    with:
+      push_to_project: ${{ inputs.push_to_project }}
+      ref: ${{ inputs.ref }}
--- a/.github/workflows/trigger-nightly.yml
+++ b/.github/workflows/trigger-nightly.yml
@ -0,0 +1,10 @@
+name: Nightly build of GARM images
+on:
+  schedule:
+    - cron: "0 2 * * *"
+
+jobs:
+  call-build-and-push:
+    uses: ./.github/workflows/build-and-push.yml
+    with:
+      ref: "main"
--- a/.gitignore
+++ b/.gitignore
@ -4,6 +4,7 @@
 *.dll
 *.so
 *.dylib
+*.DS_Store

 # Test binary, built with `go test -c`
 *.test
@ -16,3 +17,11 @@ bin/
 # vendor/
 .vscode
 cmd/temp
+build/
+release/
+node_modules/
+.svelte-kit/
+debug.html
+git_push.sh
+webapp/src/lib/api/generated/docs
+.env
--- a/.golangci.yml
+++ b/.golangci.yml
@ -0,0 +1,44 @@
+# SPDX-License-Identifier: MIT
+linters:
+  disable-all: true
+  fast: false
+  enable:
+    - gci
+    - goconst
+    - gocritic
+    - gocyclo
+    - gofmt
+    - gofumpt
+    - goimports
+    - godox
+    - govet
+    - gosec
+    - gosimple
+    - importas
+    - ineffassign
+    - loggercheck
+    - misspell
+    - nakedret
+    - nilerr
+    - predeclared
+    - promlinter
+    - revive
+    - staticcheck
+    - unconvert
+    - unused
+    - wastedassign
+    - whitespace
+
+linters-settings:
+  gci:
+    sections:
+      - standard
+      - default
+      - prefix(github.com/cloudbase/garm)
+
+  goimports:
+    local-prefixes: github.com/cloudbase/garm
+
+  gosec:
+    excludes:
+    - G115
--- a/.mockery.yaml
+++ b/.mockery.yaml
@ -0,0 +1,27 @@
+with-expecter: true
+dir: "mocks"
+mockname: "{{ .InterfaceName }}"
+outpkg: "mocks"
+filename: "{{ .InterfaceName }}.go"
+# V3 compatibility settings
+resolve-type-alias: false
+disable-version-string: true
+issue-845-fix: true
+packages:
+  # Database store interfaces
+  github.com/cloudbase/garm/database/common:
+    interfaces:
+      Store:
+        config:
+          dir: "{{ .InterfaceDir }}/mocks"
+  # Runner interfaces  
+  github.com/cloudbase/garm/runner:
+    interfaces:
+      PoolManagerController:
+        config:
+          dir: "{{ .InterfaceDir }}/mocks"
+  # Runner common interfaces (generate all interfaces in this package)
+  github.com/cloudbase/garm/runner/common:
+    config:
+      dir: "{{ .InterfaceDir }}/mocks"
+      all: true
--- a/80
+++ b/80
@ -1,11 +1,77 @@
-FROM docker.io/golang:alpine
+FROM docker.io/golang:alpine AS builder
+ARG GARM_REF

-WORKDIR /root
-USER root
+LABEL stage=builder

-RUN apk add musl-dev gcc libtool m4 autoconf g++ make libblkid util-linux-dev git linux-headers mingw-w64-gcc
+RUN apk add --no-cache musl-dev gcc libtool m4 autoconf g++ make libblkid util-linux-dev git linux-headers upx curl jq
+RUN git config --global --add safe.directory /build && git config --global --add advice.detachedHead false
+RUN echo ${GARM_REF}

-ADD ./scripts/build-static.sh /build-static.sh
-RUN chmod +x /build-static.sh
+ADD . /build/garm

-CMD ["/bin/sh"]
+RUN git -C /build/garm checkout ${GARM_REF}
+RUN cd /build/garm \
+    && go build -o /bin/garm \
+      -tags osusergo,netgo,sqlite_omit_load_extension \
+      -ldflags "-linkmode external -extldflags '-static' -s -w -X github.com/cloudbase/garm/util/appdefaults.Version=$(git describe --tags --match='v[0-9]*' --dirty --always)" \
+      /build/garm/cmd/garm && upx /bin/garm
+RUN cd /build/garm/cmd/garm-cli \
+    && go build -o /bin/garm-cli \
+      -tags osusergo,netgo,sqlite_omit_load_extension \
+      -ldflags "-linkmode external -extldflags '-static' -s -w -X github.com/cloudbase/garm/util/appdefaults.Version=$(git describe --tags --match='v[0-9]*' --dirty --always)" \
+      . && upx /bin/garm-cli
+RUN set -ex; \
+    mkdir -p /opt/garm/providers.d; \
+    for repo in \
+      cloudbase/garm-provider-azure \
+      cloudbase/garm-provider-openstack \
+      cloudbase/garm-provider-lxd \
+      cloudbase/garm-provider-incus \
+      cloudbase/garm-provider-aws \
+      cloudbase/garm-provider-gcp \
+      cloudbase/garm-provider-equinix \
+      flatcar/garm-provider-linode \
+      mercedes-benz/garm-provider-k8s; \
+    do \
+        export PROVIDER_NAME="$(basename $repo)"; \
+        export PROVIDER_SUBDIR=""; \
+        if [ "$GARM_REF" == "main" ]; then \
+          export PROVIDER_REF="main"; \
+        else \
+          export PROVIDER_REF="$(curl -s -L https://api.github.com/repos/$repo/releases/latest | jq -r '.tag_name')"; \
+        fi; \
+        git clone --branch "$PROVIDER_REF" "https://github.com/$repo" "/build/$PROVIDER_NAME"; \
+        case $PROVIDER_NAME in \
+        "garm-provider-k8s") \
+            export PROVIDER_SUBDIR="cmd/garm-provider-k8s"; \
+            export PROVIDER_LDFLAGS="-linkmode external -extldflags \"-static\" -s -w"; \
+            ;; \
+        "garm-provider-linode") \
+            export PROVIDER_LDFLAGS="-linkmode external -extldflags \"-static\" -s -w"; \
+            ;; \
+        *) \
+            export PROVIDER_VERSION=$(git -C /build/$PROVIDER_NAME describe --tags --match='v[0-9]*' --dirty --always); \
+            export PROVIDER_LDFLAGS="-linkmode external -extldflags \"-static\" -s -w -X main.Version=$PROVIDER_VERSION"; \
+            ;; \
+        esac; \
+        cd "/build/$PROVIDER_NAME/$PROVIDER_SUBDIR" \
+        && go build -ldflags="$PROVIDER_LDFLAGS" -o /opt/garm/providers.d/$PROVIDER_NAME . \
+        && upx /opt/garm/providers.d/$PROVIDER_NAME; \
+    done
+
+FROM busybox
+
+COPY --from=builder /bin/garm /bin/garm
+COPY --from=builder /bin/garm-cli /bin/garm-cli
+COPY --from=builder /opt/garm/providers.d/garm-provider-openstack /opt/garm/providers.d/garm-provider-openstack
+COPY --from=builder /opt/garm/providers.d/garm-provider-lxd /opt/garm/providers.d/garm-provider-lxd
+COPY --from=builder /opt/garm/providers.d/garm-provider-incus /opt/garm/providers.d/garm-provider-incus
+COPY --from=builder /opt/garm/providers.d/garm-provider-azure /opt/garm/providers.d/garm-provider-azure
+COPY --from=builder /opt/garm/providers.d/garm-provider-aws /opt/garm/providers.d/garm-provider-aws
+COPY --from=builder /opt/garm/providers.d/garm-provider-gcp /opt/garm/providers.d/garm-provider-gcp
+COPY --from=builder /opt/garm/providers.d/garm-provider-equinix /opt/garm/providers.d/garm-provider-equinix
+
+COPY --from=builder /opt/garm/providers.d/garm-provider-k8s /opt/garm/providers.d/garm-provider-k8s
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+ENTRYPOINT ["/bin/garm", "-config", "/etc/garm/config.toml"]
--- a/Dockerfile.build-static
+++ b/Dockerfile.build-static
@ -0,0 +1,17 @@
+FROM docker.io/golang:alpine
+
+WORKDIR /root
+USER root
+
+RUN apk add musl-dev gcc libtool m4 autoconf g++ make libblkid util-linux-dev git linux-headers mingw-w64-gcc
+
+RUN wget http://musl.cc/aarch64-linux-musl-cross.tgz -O /tmp/aarch64-linux-musl-cross.tgz && \
+    tar --strip-components=1 -C /usr/local -xzf /tmp/aarch64-linux-musl-cross.tgz && \
+    rm /tmp/aarch64-linux-musl-cross.tgz
+
+ADD ./scripts/build-static.sh /build-static.sh
+RUN chmod +x /build-static.sh
+
+ADD . /build/garm
+
+CMD ["/bin/sh"]
--- a/136
+++ b/136
@ -1,53 +1,139 @@
-SHELL := bash
+SHELL := /bin/bash
+export SHELLOPTS:=$(if $(SHELLOPTS),$(SHELLOPTS):)pipefail:errexit

+.ONESHELL:
+
+GEN_PASSWORD=$(shell (/usr/bin/apg -n1 -m32))
 IMAGE_TAG = garm-build

-USER_ID=$(shell ((docker --version | grep -q podman) && echo "0" || id -u))
-USER_GROUP=$(shell ((docker --version | grep -q podman) && echo "0" || id -g))
+IMAGE_BUILDER=$(shell (which docker || which podman))
+IS_PODMAN=$(shell (($(IMAGE_BUILDER) --version | grep -q podman) && echo "yes" || echo "no"))
+USER_ID=$(if $(filter yes,$(IS_PODMAN)),0,$(shell id -u))
+USER_GROUP=$(if $(filter yes,$(IS_PODMAN)),0,$(shell id -g))
 ROOTDIR=$(dir $(abspath $(lastword $(MAKEFILE_LIST))))
 GOPATH ?= $(shell go env GOPATH)
 VERSION ?= $(shell git describe --tags --match='v[0-9]*' --dirty --always)
+GARM_REF ?= $(shell git rev-parse --abbrev-ref HEAD)
 GO ?= go
+export GARM_PASSWORD ?= ${GEN_PASSWORD}
+export REPO_WEBHOOK_SECRET = ${GEN_PASSWORD}
+export ORG_WEBHOOK_SECRET = ${GEN_PASSWORD}
+export CREDENTIALS_NAME ?= test-garm-creds
+export WORKFLOW_FILE_NAME ?= test.yml
+export GARM_ADMIN_USERNAME ?= admin
+
+ifeq ($(IS_PODMAN),yes)
+    EXTRA_ARGS := -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt
+endif
+
+
+.PHONY: help
+help: ## Display this help.
+	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)


 default: build

-.PHONY : build-static test install-lint-deps lint go-test fmt fmtcheck verify-vendor verify
-build-static:
-	@echo Building garm
-	docker build --tag $(IMAGE_TAG) .
-	docker run --rm -e USER_ID=$(USER_ID) -e USER_GROUP=$(USER_GROUP) -v $(PWD):/build/garm:z $(IMAGE_TAG) /build-static.sh
-	@echo Binaries are available in $(PWD)/bin
+##@ Build

-build:
+.PHONY : build-static test install-lint-deps lint go-test fmt fmtcheck verify-vendor verify create-release-files release
+build-static: ## Build garm statically
+	@echo Building garm
+	$(IMAGE_BUILDER) build $(EXTRA_ARGS) --tag $(IMAGE_TAG) -f Dockerfile.build-static .
+	mkdir -p build
+	$(IMAGE_BUILDER) run --rm -e USER_ID=$(USER_ID) -e GARM_REF=$(GARM_REF) -e USER_GROUP=$(USER_GROUP) -v $(PWD)/build:/build/output:z $(IMAGE_TAG) /build-static.sh
+	@echo Binaries are available in $(PWD)/build
+
+clean: ## Clean up build artifacts
+	@rm -rf ./bin ./build ./release
+
+.PHONY: build
+build: ## Build garm
 	@echo Building garm ${VERSION}
 	$(shell mkdir -p ./bin)
-	@$(GO) build -ldflags "-s -w -X main.Version=${VERSION}" -tags osusergo,netgo,sqlite_omit_load_extension -o bin/garm ./cmd/garm
-	@$(GO) build -ldflags "-s -w -X github.com/cloudbase/garm/cmd/garm-cli/cmd.Version=${VERSION}" -tags osusergo,netgo,sqlite_omit_load_extension -o bin/garm-cli ./cmd/garm-cli
+	@$(GO) build -ldflags "-s -w -X github.com/cloudbase/garm/util/appdefaults.Version=${VERSION}" -tags osusergo,netgo,sqlite_omit_load_extension -o bin/garm ./cmd/garm
+	@$(GO) build -ldflags "-s -w -X github.com/cloudbase/garm/util/appdefaults.Version=${VERSION}" -tags osusergo,netgo,sqlite_omit_load_extension -o bin/garm-cli ./cmd/garm-cli
 	@echo Binaries are available in $(PWD)/bin

-test: verify go-test
+.PHONY: build-webui
+build-webui:
+	@echo Building GARM web ui
+	./build-webapp.sh
+	rm -rf webapp/assets/_app
+	cp -r webapp/build/* webapp/assets/

-install-lint-deps:
-	@$(GO) install github.com/golangci/golangci-lint/cmd/golangci-lint@latest
+.PHONY: generate
+generate: ## Run go generate after checking required tools are in PATH
+	@echo Checking required tools...
+	@which openapi-generator-cli > /dev/null || (echo "Error: openapi-generator-cli not found in PATH" && exit 1)
+	@echo Running go generate
+	@$(GO) generate ./...

-lint:
-	@golangci-lint run --timeout=8m --build-tags testing
+test: verify go-test ## Run tests

-go-test:
-	@$(GO) test -race -mod=vendor -tags testing -v $(TEST_ARGS) -timeout=15m -parallel=4 -count=1 ./...
+##@ Release
+create-release-files:
+	./scripts/make-release.sh

-fmt:
-	@$(GO) fmt $$(go list ./...)
+release: build-static create-release-files ## Create a release

-fmtcheck:
-	@gofmt -l -s $$(go list ./... | sed 's|github.com/cloudbase/garm/||g') | grep ".*\.go"; if [ "$$?" -eq 0 ]; then echo "gofmt check failed; please run gofmt -w -s"; exit 1;fi
+##@ Lint / Verify
+.PHONY: lint
+lint: golangci-lint $(GOLANGCI_LINT) ## Run linting.
+	$(GOLANGCI_LINT) run -v --build-tags=testing,integration $(GOLANGCI_LINT_EXTRA_ARGS)
+
+.PHONY: lint-fix
+lint-fix: golangci-lint $(GOLANGCI_LINT) ## Lint the codebase and run auto-fixers if supported by the linte
+	GOLANGCI_LINT_EXTRA_ARGS=--fix $(MAKE) lint

 verify-vendor: ## verify if all the go.mod/go.sum files are up-to-date
 	$(eval TMPDIR := $(shell mktemp -d))
-	@cp -R ${ROOTDIR} ${TMPDIR}
+	@cp -R ${ROOTDIR} ${TMPDIR}/.
 	@(cd ${TMPDIR}/garm && ${GO} mod tidy)
 	@diff -r -u -q ${ROOTDIR} ${TMPDIR}/garm >/dev/null 2>&1; if [ "$$?" -ne 0 ];then echo "please run: go mod tidy && go mod vendor"; exit 1; fi
 	@rm -rf ${TMPDIR}

-verify: verify-vendor lint fmtcheck
+verify: verify-vendor lint fmtcheck ## Run all verify-* targets
+
+integration: build ## Run integration tests
+	function cleanup {
+		if [ -e "$$GITHUB_ENV" ];then
+			source $$GITHUB_ENV
+		fi
+		./test/integration/scripts/taredown_garm.sh
+		$(GO) run ./test/integration/gh_cleanup/main.go
+	}
+	trap cleanup EXIT
+	@./test/integration/scripts/setup-garm.sh
+	@$(GO) test -v ./test/integration/. -timeout=30m -tags=integration
+
+##@ Development
+
+go-test: ## Run tests
+	@$(GO) test -race -mod=vendor -tags testing -v $(TEST_ARGS) -timeout=15m -parallel=4 -count=1 ./...
+
+fmt: ## Run go fmt against code.
+	@$(GO) fmt $$(go list ./...)
+
+webui-test:
+	(cd webapp && npm install)
+	(cd webapp && npm run test:run)
+
+##@ Build Dependencies
+
+## Location to install dependencies to
+LOCALBIN ?= $(shell pwd)/bin
+$(LOCALBIN):
+	mkdir -p $(LOCALBIN)
+
+## Tool Binaries
+GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint
+
+## Tool Versions
+GOLANGCI_LINT_VERSION ?= v1.64.8
+
+.PHONY: golangci-lint
+golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary. If wrong version is installed, it will be overwritten.
+$(GOLANGCI_LINT): $(LOCALBIN)
+	test -s $(LOCALBIN)/golangci-lint && $(LOCALBIN)/golangci-lint --version | grep -q $(GOLANGCI_LINT_VERSION) || \
+	GOBIN=$(LOCALBIN) go install github.com/golangci/golangci-lint/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION)
--- a/README.md
+++ b/README.md
@ -1,14 +1,59 @@
-# GitHub Actions Runner Manager (garm)
+
+<p align="center">
+    <img src="doc/images/garm-light.svg#gh-light-mode-only" width="384px" alt="Light mode image" />
+    <img src="doc/images/garm-dark.svg#gh-dark-mode-only" width="384px" alt="Dark mode image" />
+</p>
+
+# GitHub Actions Runner Manager (GARM)

 [![Go Tests](https://github.com/cloudbase/garm/actions/workflows/go-tests.yml/badge.svg)](https://github.com/cloudbase/garm/actions/workflows/go-tests.yml)

-Welcome to garm!
+<!-- TOC -->

-Garm enables you to create and automatically maintain pools of [self-hosted GitHub runners](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners), with autoscaling that can be used inside your github workflow runs.
+- [GitHub Actions Runner Manager GARM](#github-actions-runner-manager-garm)
+    - [About GARM](#about-garm)
+    - [Join us on slack](#join-us-on-slack)
+    - [Installing](#installing)
+        - [Quickstart](#quickstart)
+        - [Installing on Kubernetes](#installing-on-kubernetes)
+    - [Configuring GARM for GHES](#configuring-garm-for-ghes)
+    - [Configuring GARM for Gitea](#configuring-garm-for-gitea)
+    - [Enabling the web UI](#enabling-the-web-ui)
+    - [Using GARM](#using-garm)
+    - [Supported providers](#supported-providers)
+        - [Installing external providers](#installing-external-providers)
+    - [Optimizing your runners](#optimizing-your-runners)
+    - [Write your own provider](#write-your-own-provider)

-The goal of ```garm``` is to be simple to set up, simple to configure and simple to use. It is a single binary that can run on any GNU/Linux machine without any other requirements other than the providers it creates the runners in. It is intended to be easy to deploy in any environment and can create runners in any system you can write a provider for. There is no complicated setup process and no extremely complex concepts to understand. Once set up, it's meant to stay out of your way.
+<!-- /TOC -->

-Garm supports creating pools on either GitHub itself or on your own deployment of [GitHub Enterprise Server](https://docs.github.com/en/enterprise-server@3.5/admin/overview/about-github-enterprise-server). For instructions on how to use ```garm``` with GHE, see the [credentials](/doc/github_credentials.md) section of the documentation.
+## About GARM
+
+Welcome to GARM!
+
+GARM enables you to create and automatically maintain pools of self-hosted runners in both [Github](https://docs.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners) and [Gitea](https://github.com/go-gitea/gitea/) with auto-scaling that can be used inside your workflow runs.
+
+The goal of ```GARM``` is to be simple to set up, simple to configure and simple to use. The server itself is a single binary that can run on any GNU/Linux machine without any other requirements other than the providers you want to enable in your setup. It is intended to be easy to deploy in any environment and can create runners in virtually any system you can write a provider for (if one does not alreay exist). There is no complicated setup process and no extremely complex concepts to understand. Once set up, it's meant to stay out of your way.
+
+Through the use of providers, `GARM` can create runners in a variety of environments using the same `GARM` instance. Whether you want to create runners in your OpenStack cloud, your Azure cloud or your Kubernetes cluster, that is easily achieved by installing the appropriate providers, configuring them in `GARM` and creating pools that use them. You can create zero-runner pools for instances with high costs (large VMs, GPU enabled instances, etc) and have them spin up on demand, or you can create large pools of eagerly created k8s backed runners that can be used for your CI/CD pipelines at a moment's notice. You can mix them up and create pools in any combination of providers or resource allocations you want.
+
+GARM supports two modes of operation:
+
+* Pools
+* Scale sets
+
+Here is a brief architectural diagram of how pools work and how GARM reacts to workflows triggered in GitHub (click the image to see a larger version):
+
+![GARM architecture diagram](/doc/images/garm-light.diagram.svg?raw=true#gh-light-mode-only)
+![GARM architecture diagram](/doc/images/garm-dark.diagram.svg?raw=true#gh-dark-mode-only)
+
+**Scale sets** work differently. While pools (as they are defined in GARM) rely on webhooks to know when a job was started and GARM needs to internally make the right decission in terms of which pool should handle that runner, scale sets have a lot of the scheduling and decission making logic done in GitHub itself.
+
+> [!IMPORTANT]
+> The README and documentation in the `main` branch are relevant to the not yet released code that is present in `main`. Following the documentation from the `main` branch for a stable release of GARM, may lead to errors. To view the documentation for the latest stable release, please switch to the appropriate tag. For information about setting up `v0.1.6`, please refer to the [v0.1.6 tag](https://github.com/cloudbase/garm/tree/v0.1.6).
+
+> [!CAUTION]
+> The `main` branch holds the latest code and is not guaranteed to be stable. If you are looking for a stable release, please check the releases page. If you plan to use the `main` branch, please do so on a new instance. Do not upgrade from a stable release to `main`.

 ## Join us on slack

@ -18,120 +63,68 @@ Whether you're running into issues or just want to drop by and say "hi", feel fr

 ## Installing

-## Build from source
+### Quickstart

-You need to have Go installed, then run:
+Check out the [quickstart](/doc/quickstart.md) document for instructions on how to install ```GARM```. If you'd like to build from source, check out the [building from source](/doc/building_from_source.md) document.

-  ```bash
-  git clone https://github.com/cloudbase/garm
-  cd garm
-  go install ./...
-  ```
+### Installing on Kubernetes

-You should now have both ```garm``` and ```garm-cli``` in your ```$GOPATH/bin``` folder.
+Thanks to the efforts of the amazing folks at [@mercedes-benz](https://github.com/mercedes-benz/), GARM can now be integrated into k8s via their operator. Check out the [GARM operator](https://github.com/mercedes-benz/garm-operator/) for more details.

-If you have docker/podman installed, you can also build statically linked binaries by running:
+## Configuring GARM for GHES

-  ```bash
-  make build-static
-  ```
+GARM supports creating pools and scale sets in either GitHub itself or in your own deployment of [GitHub Enterprise Server](https://docs.github.com/en/enterprise-server@3.10/admin/overview/about-github-enterprise-server). For instructions on how to use ```GARM``` with GHE, see the [credentials](/doc/github_credentials.md) section of the documentation.

-The ```garm``` and ```garm-cli``` binaries will be built and copied to the ```bin/``` folder in your current working directory.
+## Configuring GARM for Gitea

-## Install the service
+GARM now has support for Gitea (>=1.24.0). For information on getting started with Gitea, see the [Gitea quickstart](/doc/gitea.md) document.

-Add a new system user:
+## Enabling the web UI

-  ```bash
-  useradd --shell /usr/bin/false \
-      --system \
-      --groups lxd \
-      --no-create-home garm
-  ```
+GARM now ships with a single page application. To enable it, add the following to your GARM config:

-The ```lxd``` group is only needed if you have a local LXD install and want to connect to the unix socket to use it. If you're connecting to a remote LXD server over TCP, you can skip adding the ```garm``` user to the ```lxd``` group.
+```toml
+[apiserver.webui]
+  enable = true
+```

-Copy the binary to somewhere in the system ```$PATH```:
+Check the [README.md](/webapp/README.md) file for details on the web UI.

-  ```bash
-  sudo cp $(go env GOPATH)/bin/garm /usr/local/bin/garm
-  ```
+## Using GARM

-Or if you built garm using ```make```:
+GARM is designed with simplicity in mind. At least we try to keep it as simple as possible. We're aware that adding a new tool in your workflow can be painful, especially when you already have to deal with so many. The cognitive load for OPS has reached a level where it feels overwhelming at times to even wrap your head around a new tool. As such, we believe that tools should be simple, should take no more than a few hours to understand and set up and if you absolutely need to interact with the tool, it should be as intuitive as possible. Although we try our best to make this happen, we're aware that GARM has some rough edges, especially for new users. If you encounter issues or feel like the setup process was too complicated, please let us know. We're always looking to improve the user experience.

-  ```bash
-  sudo cp ./bin/garm /usr/local/bin/garm
-  ```
+We've written a short introduction into some of the commands that GARM has and some of the concepts involved in setting up GARM, managing runners and how GitHub does some of the things it does.

-Create the config folder:
+[You can find it here](/doc/using_garm.md).

-  ```bash
-  sudo mkdir -p /etc/garm
-  ```
+Please, feel free to [open an issue](https://github.com/cloudbase/garm/issues/new) if you find the documentation lacking and would like more info. Sometimes we forget the challenges that new users face as we're so close to the code and how it works. Any feedback is welcome and we're always looking to improve the documentation.

-Copy the config template:
+## Supported providers

-  ```bash
-  sudo cp ./testdata/config.toml /etc/garm/
-  ```
+GARM uses providers to create runners in a particular IaaS. The providers are external executables that GARM calls into to create runners. Before you can create runners, you'll need to install at least one provider.

-Copy the external provider (optional):
+### Installing external providers

-  ```bash
-  sudo cp -a ./contrib/providers.d /etc/garm/
-  ```
+External providers are binaries that GARM calls into to create runners in a particular IaaS. There are several external providers available:

-Copy the systemd service file:
+* [Akamai/Linode](https://github.com/flatcar/garm-provider-linode) - Experimental
+* [Amazon EC2](https://github.com/cloudbase/garm-provider-aws)
+* [Azure](https://github.com/cloudbase/garm-provider-azure)
+* [Equinix Metal](https://github.com/cloudbase/garm-provider-equinix)
+* [Google Cloud Platform (GCP)](https://github.com/cloudbase/garm-provider-gcp)
+* [Incus](https://github.com/cloudbase/garm-provider-incus)
+* [Kubernetes](https://github.com/mercedes-benz/garm-provider-k8s) - Thanks to the amazing folks at @mercedes-benz for sharing their awesome provider!
+* [LXD](https://github.com/cloudbase/garm-provider-lxd)
+* [OpenStack](https://github.com/cloudbase/garm-provider-openstack)
+* [Oracle Cloud Infrastructure (OCI)](https://github.com/cloudbase/garm-provider-oci)

-  ```bash
-  sudo cp ./contrib/garm.service /etc/systemd/system/
-  ```
+Follow the instructions in the README of each provider to install them. 

-Change permissions on config folder:
+## Optimizing your runners

-  ```bash
-  sudo chown -R garm:garm /etc/garm
-  sudo chmod 750 -R /etc/garm
-  ```
-
-Enable the service:
-
-  ```bash
-  sudo systemctl enable garm
-  ```
-
-Customize the config in ```/etc/garm/config.toml```, and start the service:
-
-  ```bash
-  sudo systemctl start garm
-  ```
-
-## Configuration
-
-The ```garm``` configuration is a simple ```toml```. A sample of the config file can be found in [the testdata folder](/testdata/config.toml).
-
-There are 3 major sections of the config that require your attention:
-
-* [Github credentials section](/doc/github_credentials.md)
-* [Providers section](/doc/providers.md)
-* [The database section](/doc/database.md)
-
-Once you've configured your database, providers and github credentials, you'll need to configure your [webhooks and the callback_url](/doc/webhooks_and_callbacks.md).
-
-At this point, you should be done. Have a look at the [running garm document](/doc/running_garm.md) for usage instructions and available features.
-
-If you would like to use ```garm``` with a different IaaS than the ones already available, have a loot at the [writing an external provider](/doc/external_provider.md) page.
-
-## Security considerations
-
-Garm does not apply any ACLs of any kind to the instances it creates. That task remains in the responsibility of the user. [Here is a guide for creating ACLs in LXD](https://linuxcontainers.org/lxd/docs/master/howto/network_acls/). You can of course use ```iptables``` or ```nftables``` to create any rules you wish. I recommend you create a separate isolated lxd bridge for runners, and secure it using ACLs/iptables/nftables.
-
-You must make sure that the code that runs as part of the workflows is trusted, and if that cannot be done, you must make sure that any malicious code that will be pulled in by the actions and run as part of a workload, is as contained as possible. There is a nice article about [securing your workflow runs here](https://blog.gitguardian.com/github-actions-security-cheat-sheet/).
+If you would like to optimize the startup time of new instance, take a look at the [performance considerations](/doc/performance_considerations.md) page.

 ## Write your own provider

-The providers are interfaces between ```garm``` and a particular IaaS in which we spin up GitHub Runners. These providers can be either **native** or **external**. The **native** providers are written in ```Go```, and must implement [the interface defined here](https://github.com/cloudbase/garm/blob/main/runner/common/provider.go#L22-L39). **External** providers can be written in any language, as they are in the form of an external executable that ```garm``` calls into.
-
-There is currently one **native** provider for [LXD](https://linuxcontainers.org/lxd/) and two **external** providers for [Openstack and Azure](/contrib/providers.d/).
-
-If you want to write your own provider, you can choose to write a native one, or implement an **external** one. The easiest one to write is probably an **external** provider. Please see the [Writing an external provider](/doc/external_provider.md) document for details. Also, feel free to inspect the two available external providers in this repository.
+The providers are interfaces between ```GARM``` and a particular IaaS in which we spin up GitHub Runners. **External** providers can be written in any language, as they are in the form of an external executable that ```GARM``` calls into. Please see the [Writing an external provider](/doc/external_provider.md) document for details. Also, feel free to inspect the two available sample external providers in this repository.
--- a/apiserver/controllers/controllers.go
+++ b/apiserver/controllers/controllers.go
@ -15,26 +15,60 @@
 package controllers

 import (
+	"context"
 	"encoding/json"
+	"errors"
+	"fmt"
 	"io"
-	"log"
+	"log/slog"
 	"net/http"
+	"net/url"
 	"strings"

+	"github.com/gorilla/mux"
+	"github.com/gorilla/websocket"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm-provider-common/util"
 	"github.com/cloudbase/garm/apiserver/params"
 	"github.com/cloudbase/garm/auth"
-	gErrors "github.com/cloudbase/garm/errors"
+	"github.com/cloudbase/garm/config"
 	"github.com/cloudbase/garm/metrics"
 	runnerParams "github.com/cloudbase/garm/params"
-	"github.com/cloudbase/garm/runner"
-	"github.com/cloudbase/garm/util"
+	"github.com/cloudbase/garm/runner" //nolint:typecheck
+	garmUtil "github.com/cloudbase/garm/util"
 	wsWriter "github.com/cloudbase/garm/websocket"
-
-	"github.com/gorilla/websocket"
-	"github.com/pkg/errors"
+	"github.com/cloudbase/garm/workers/websocket/events"
 )

-func NewAPIController(r *runner.Runner, authenticator *auth.Authenticator, hub *wsWriter.Hub) (*APIController, error) {
+func NewAPIController(r *runner.Runner, authenticator *auth.Authenticator, hub *wsWriter.Hub, apiCfg config.APIServer) (*APIController, error) {
+	controllerInfo, err := r.GetControllerInfo(auth.GetAdminContext(context.Background()))
+	if err != nil {
+		return nil, fmt.Errorf("failed to get controller info: %w", err)
+	}
+	var checkOrigin func(r *http.Request) bool
+	if len(apiCfg.CORSOrigins) > 0 {
+		checkOrigin = func(r *http.Request) bool {
+			origin := r.Header["Origin"]
+			if len(origin) == 0 {
+				return true
+			}
+			u, err := url.Parse(origin[0])
+			if err != nil {
+				return false
+			}
+			for _, val := range apiCfg.CORSOrigins {
+				corsVal, err := url.Parse(val)
+				if err != nil {
+					continue
+				}
+				if garmUtil.ASCIIEqualFold(u.Host, corsVal.Host) {
+					return true
+				}
+			}
+			return false
+		}
+	}
 	return &APIController{
 		r:    r,
 		auth: authenticator,
@ -42,37 +76,38 @@ func NewAPIController(r *runner.Runner, authenticator *auth.Authenticator, hub *
 		upgrader: websocket.Upgrader{
 			ReadBufferSize:  1024,
 			WriteBufferSize: 16384,
+			CheckOrigin:     checkOrigin,
 		},
+		controllerID: controllerInfo.ControllerID.String(),
 	}, nil
 }

 type APIController struct {
-	r        *runner.Runner
-	auth     *auth.Authenticator
-	hub      *wsWriter.Hub
-	upgrader websocket.Upgrader
+	r            *runner.Runner
+	auth         *auth.Authenticator
+	hub          *wsWriter.Hub
+	upgrader     websocket.Upgrader
+	controllerID string
 }

-func handleError(w http.ResponseWriter, err error) {
-	w.Header().Add("Content-Type", "application/json")
-	origErr := errors.Cause(err)
+func handleError(ctx context.Context, w http.ResponseWriter, err error) {
+	w.Header().Set("Content-Type", "application/json")
 	apiErr := params.APIErrorResponse{
-		Details: origErr.Error(),
+		Details: err.Error(),
 	}
-
-	switch origErr.(type) {
-	case *gErrors.NotFoundError:
+	switch {
+	case errors.Is(err, gErrors.ErrNotFound):
 		w.WriteHeader(http.StatusNotFound)
 		apiErr.Error = "Not Found"
-	case *gErrors.UnauthorizedError:
+	case errors.Is(err, gErrors.ErrUnauthorized):
 		w.WriteHeader(http.StatusUnauthorized)
 		apiErr.Error = "Not Authorized"
 		// Don't include details on 401 errors.
 		apiErr.Details = ""
-	case *gErrors.BadRequestError:
+	case errors.Is(err, gErrors.ErrBadRequest):
 		w.WriteHeader(http.StatusBadRequest)
 		apiErr.Error = "Bad Request"
-	case *gErrors.DuplicateUserError, *gErrors.ConflictError:
+	case errors.Is(err, gErrors.ErrDuplicateEntity), errors.Is(err, &gErrors.ConflictError{}):
 		w.WriteHeader(http.StatusConflict)
 		apiErr.Error = "Conflict"
 	default:
@ -83,72 +118,122 @@ func handleError(w http.ResponseWriter, err error) {
 	}

 	if err := json.NewEncoder(w).Encode(apiErr); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

-func (a *APIController) webhookMetricLabelValues(valid, reason string) []string {
-	controllerInfo, err := a.r.GetControllerInfo(auth.GetAdminContext())
-	if err != nil {
-		log.Printf("failed to get controller info: %s", err)
-		// If labels are empty, not attempt will be made to record webhook.
-		return []string{}
-	}
-	return []string{
-		valid, reason,
-		controllerInfo.Hostname, controllerInfo.ControllerID.String(),
-	}
-}
-
-func (a *APIController) handleWorkflowJobEvent(w http.ResponseWriter, r *http.Request) {
+func (a *APIController) handleWorkflowJobEvent(ctx context.Context, w http.ResponseWriter, r *http.Request) {
 	defer r.Body.Close()
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
-		handleError(w, gErrors.NewBadRequestError("invalid post body: %s", err))
+		handleError(ctx, w, gErrors.NewBadRequestError("invalid post body: %s", err))
 		return
 	}

 	signature := r.Header.Get("X-Hub-Signature-256")
 	hookType := r.Header.Get("X-Github-Hook-Installation-Target-Type")
+	giteaTargetType := r.Header.Get("X-Gitea-Hook-Installation-Target-Type")

-	var labelValues []string
-	defer func() {
-		if len(labelValues) == 0 {
+	forgeType := runnerParams.GithubEndpointType
+	if giteaTargetType != "" {
+		forgeType = runnerParams.GiteaEndpointType
+		hookType = giteaTargetType
+	}
+
+	if err := a.r.DispatchWorkflowJob(hookType, signature, forgeType, body); err != nil {
+		switch {
+		case errors.Is(err, gErrors.ErrNotFound):
+			metrics.WebhooksReceived.WithLabelValues(
+				"false",         // label: valid
+				"owner_unknown", // label: reason
+			).Inc()
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "got not found error from DispatchWorkflowJob. webhook not meant for us?")
 			return
-		}
-		if err := metrics.RecordWebhookWithLabels(labelValues...); err != nil {
-			log.Printf("failed to record metric: %s", err)
-		}
-	}()
-
-	if err := a.r.DispatchWorkflowJob(hookType, signature, body); err != nil {
-		if errors.Is(err, gErrors.ErrNotFound) {
-			labelValues = a.webhookMetricLabelValues("false", "owner_unknown")
-			log.Printf("got not found error from DispatchWorkflowJob. webhook not meant for us?: %q", err)
-			return
-		} else if strings.Contains(err.Error(), "signature") { // TODO: check error type
-			labelValues = a.webhookMetricLabelValues("false", "signature_invalid")
-		} else {
-			labelValues = a.webhookMetricLabelValues("false", "unknown")
+		case strings.Contains(err.Error(), "signature"):
+			// nolint:golangci-lint,godox TODO: check error type
+			metrics.WebhooksReceived.WithLabelValues(
+				"false",             // label: valid
+				"signature_invalid", // label: reason
+			).Inc()
+		default:
+			metrics.WebhooksReceived.WithLabelValues(
+				"false",   // label: valid
+				"unknown", // label: reason
+			).Inc()
 		}

-		handleError(w, err)
+		handleError(ctx, w, err)
 		return
 	}
-	labelValues = a.webhookMetricLabelValues("true", "")
+	metrics.WebhooksReceived.WithLabelValues(
+		"true", // label: valid
+		"",     // label: reason
+	).Inc()
 }

-func (a *APIController) CatchAll(w http.ResponseWriter, r *http.Request) {
+func (a *APIController) WebhookHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	controllerID, ok := vars["controllerID"]
+	// If the webhook URL includes a controller ID, we validate that it's meant for us. We still
+	// support bare webhook URLs, which are tipically configured manually by the user.
+	// The controllerID suffixed webhook URL is useful when configuring the webhook for an entity
+	// via garm. We cannot tag a webhook URL on github, so there is no way to determine ownership.
+	// Using a controllerID suffix is a simple way to denote ownership.
+	if ok && controllerID != a.controllerID {
+		slog.InfoContext(ctx, "ignoring webhook meant for foreign controller", "req_controller_id", controllerID)
+		return
+	}
+
 	headers := r.Header.Clone()

 	event := runnerParams.Event(headers.Get("X-Github-Event"))
 	switch event {
 	case runnerParams.WorkflowJobEvent:
-		a.handleWorkflowJobEvent(w, r)
+		a.handleWorkflowJobEvent(ctx, w, r)
+	case runnerParams.PingEvent:
+		// Ignore ping event. We may want to save the ping in the github entity table in the future.
 	default:
-		log.Printf("ignoring unknown event %s", util.SanitizeLogEntry(string(event)))
+		slog.DebugContext(ctx, "ignoring unknown event", "gh_event", util.SanitizeLogEntry(string(event)))
+	}
+}
+
+func (a *APIController) EventsHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	if !auth.IsAdmin(ctx) {
+		w.WriteHeader(http.StatusForbidden)
+		if _, err := w.Write([]byte("events are available to admin users")); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
 		return
 	}
+
+	conn, err := a.upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error upgrading to websockets")
+		return
+	}
+	defer conn.Close()
+
+	wsClient, err := wsWriter.NewClient(ctx, conn)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to create new client")
+		return
+	}
+	defer wsClient.Stop()
+
+	eventHandler, err := events.NewHandler(ctx, wsClient)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to create new event handler")
+		return
+	}
+
+	if err := eventHandler.Start(); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to start event handler")
+		return
+	}
+	<-eventHandler.Done()
 }

 func (a *APIController) WSHandler(writer http.ResponseWriter, req *http.Request) {
@ -156,153 +241,267 @@ func (a *APIController) WSHandler(writer http.ResponseWriter, req *http.Request)
 	if !auth.IsAdmin(ctx) {
 		writer.WriteHeader(http.StatusForbidden)
 		if _, err := writer.Write([]byte("you need admin level access to view logs")); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	if a.hub == nil {
-		handleError(writer, gErrors.NewBadRequestError("log streamer is disabled"))
+		handleError(ctx, writer, gErrors.NewBadRequestError("log streamer is disabled"))
 		return
 	}

 	conn, err := a.upgrader.Upgrade(writer, req, nil)
 	if err != nil {
-		log.Printf("error upgrading to websockets: %v", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error upgrading to websockets")
 		return
 	}
+	defer conn.Close()

-	// TODO (gsamfira): Handle ExpiresAt. Right now, if a client uses
-	// a valid token to authenticate, and keeps the websocket connection
-	// open, it will allow that client to stream logs via websockets
-	// until the connection is broken. We need to forcefully disconnect
-	// the client once the token expires.
-	client, err := wsWriter.NewClient(conn, a.hub)
+	client, err := wsWriter.NewClient(ctx, conn)
 	if err != nil {
-		log.Printf("failed to create new client: %v", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to create new client")
 		return
 	}
 	if err := a.hub.Register(client); err != nil {
-		log.Printf("failed to register new client: %v", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to register new client")
 		return
 	}
-	client.Go()
+	defer a.hub.Unregister(client)
+
+	if err := client.Start(); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to start client")
+		return
+	}
+	<-client.Done()
+	slog.Info("client disconnected", "client_id", client.ID())
 }

 // NotFoundHandler is returned when an invalid URL is acccessed
 func (a *APIController) NotFoundHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
 	apiErr := params.APIErrorResponse{
 		Details: "Resource not found",
 		Error:   "Not found",
 	}
-	w.WriteHeader(http.StatusNotFound)
+
 	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusNotFound)
 	if err := json.NewEncoder(w).Encode(apiErr); err != nil {
-		log.Printf("failet to write response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failet to write response")
 	}
 }

+// swagger:route GET /metrics-token metrics-token GetMetricsToken
+//
+// Returns a JWT token that can be used to access the metrics endpoint.
+//
+//	Responses:
+//	  200: JWTResponse
+//	  401: APIErrorResponse
 func (a *APIController) MetricsTokenHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

 	if !auth.IsAdmin(ctx) {
-		handleError(w, gErrors.ErrUnauthorized)
+		handleError(ctx, w, gErrors.ErrUnauthorized)
 		return
 	}

 	token, err := a.auth.GetJWTMetricsToken(ctx)
 	if err != nil {
-		handleError(w, err)
+		handleError(ctx, w, err)
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
 	err = json.NewEncoder(w).Encode(runnerParams.JWTResponse{Token: token})
 	if err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route POST /auth/login login Login
+//
+// Logs in a user and returns a JWT token.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Login information.
+//	    type: PasswordLoginParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: JWTResponse
+//	  400: APIErrorResponse
+//
 // LoginHandler returns a jwt token
 func (a *APIController) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
 	var loginInfo runnerParams.PasswordLoginParams
 	if err := json.NewDecoder(r.Body).Decode(&loginInfo); err != nil {
-		handleError(w, gErrors.ErrBadRequest)
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	if err := loginInfo.Validate(); err != nil {
-		handleError(w, err)
+		handleError(ctx, w, err)
 		return
 	}

-	ctx := r.Context()
 	ctx, err := a.auth.AuthenticateUser(ctx, loginInfo)
 	if err != nil {
-		handleError(w, err)
+		handleError(ctx, w, err)
 		return
 	}

 	tokenString, err := a.auth.GetJWTToken(ctx)
 	if err != nil {
-		handleError(w, err)
+		handleError(ctx, w, err)
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(runnerParams.JWTResponse{Token: tokenString}); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route POST /first-run first-run FirstRun
+//
+// Initialize the first run of the controller.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Create a new user.
+//	    type: NewUserParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: User
+//	  400: APIErrorResponse
 func (a *APIController) FirstRunHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
 	if a.auth.IsInitialized() {
 		err := gErrors.NewConflictError("already initialized")
-		handleError(w, err)
+		handleError(ctx, w, err)
 		return
 	}

-	ctx := r.Context()
-
 	var newUserParams runnerParams.NewUserParams
 	if err := json.NewDecoder(r.Body).Decode(&newUserParams); err != nil {
-		handleError(w, gErrors.ErrBadRequest)
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	newUser, err := a.auth.InitController(ctx, newUserParams)
 	if err != nil {
-		handleError(w, err)
+		handleError(ctx, w, err)
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(newUser); err != nil {
-		log.Printf("failed to encode response: %q", err)
-	}
-}
-
-func (a *APIController) ListCredentials(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	creds, err := a.r.ListCredentials(ctx)
-	if err != nil {
-		handleError(w, err)
-		return
-	}
-
-	w.Header().Set("Content-Type", "application/json")
-	if err := json.NewEncoder(w).Encode(creds); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /providers providers ListProviders
+//
+// List all providers.
+//
+//	Responses:
+//	  200: Providers
+//	  400: APIErrorResponse
 func (a *APIController) ListProviders(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	providers, err := a.r.ListProviders(ctx)
 	if err != nil {
-		handleError(w, err)
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(providers); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /jobs jobs ListJobs
+//
+// List all jobs.
+//
+//	Responses:
+//	  200: Jobs
+//	  400: APIErrorResponse
+func (a *APIController) ListAllJobs(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	jobs, err := a.r.ListAllJobs(ctx)
+	if err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(jobs); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /controller-info controllerInfo ControllerInfo
+//
+// Get controller info.
+//
+//	Responses:
+//	  200: ControllerInfo
+//	  409: APIErrorResponse
+func (a *APIController) ControllerInfoHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	info, err := a.r.GetControllerInfo(ctx)
+	if err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(info); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route PUT /controller controller UpdateController
+//
+// Update controller.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Parameters used when updating the controller.
+//	    type: UpdateControllerParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ControllerInfo
+//	  400: APIErrorResponse
+func (a *APIController) UpdateControllerHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	var updateParams runnerParams.UpdateControllerParams
+	if err := json.NewDecoder(r.Body).Decode(&updateParams); err != nil {
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if err := updateParams.Validate(); err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	info, err := a.r.UpdateController(ctx, updateParams)
+	if err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(info); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }
--- a/apiserver/controllers/enterprises.go
+++ b/apiserver/controllers/enterprises.go
@ -16,54 +16,106 @@ package controllers

 import (
 	"encoding/json"
-	"log"
+	"log/slog"
 	"net/http"

-	"github.com/cloudbase/garm/apiserver/params"
-	gErrors "github.com/cloudbase/garm/errors"
-	runnerParams "github.com/cloudbase/garm/params"
-
 	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/apiserver/params"
+	runnerParams "github.com/cloudbase/garm/params"
 )

+// swagger:route POST /enterprises enterprises CreateEnterprise
+//
+// Create enterprise with the given parameters.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Parameters used to create the enterprise.
+//	    type: CreateEnterpriseParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Enterprise
+//	  default: APIErrorResponse
 func (a *APIController) CreateEnterpriseHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

 	var enterpriseData runnerParams.CreateEnterpriseParams
 	if err := json.NewDecoder(r.Body).Decode(&enterpriseData); err != nil {
-		handleError(w, gErrors.ErrBadRequest)
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	enterprise, err := a.r.CreateEnterprise(ctx, enterpriseData)
 	if err != nil {
-		log.Printf("error creating enterprise: %+v", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating enterprise")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(enterprise); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /enterprises enterprises ListEnterprises
+//
+// List all enterprises.
+//
+//	Parameters:
+//	  + name: name
+//	    description: Exact enterprise name to filter by
+//	    type: string
+//	    in: query
+//	    required: false
+//
+//	  + name: endpoint
+//	    description: Exact endpoint name to filter by
+//	    type: string
+//	    in: query
+//	    required: false
+//
+//	Responses:
+//	  200: Enterprises
+//	  default: APIErrorResponse
 func (a *APIController) ListEnterprisesHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

-	enterprise, err := a.r.ListEnterprises(ctx)
+	filter := runnerParams.EnterpriseFilter{
+		Name:     r.URL.Query().Get("name"),
+		Endpoint: r.URL.Query().Get("endpoint"),
+	}
+	enterprise, err := a.r.ListEnterprises(ctx, filter)
 	if err != nil {
-		log.Printf("listing enterprise: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing enterprise")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(enterprise); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /enterprises/{enterpriseID} enterprises GetEnterprise
+//
+// Get enterprise by ID.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: The ID of the enterprise to fetch.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Enterprise
+//	  default: APIErrorResponse
 func (a *APIController) GetEnterpriseByIDHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -75,24 +127,37 @@ func (a *APIController) GetEnterpriseByIDHandler(w http.ResponseWriter, r *http.
 			Error:   "Bad Request",
 			Details: "No enterprise ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	enterprise, err := a.r.GetEnterpriseByID(ctx, enterpriseID)
 	if err != nil {
-		log.Printf("fetching enterprise: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "fetching enterprise")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(enterprise); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route DELETE /enterprises/{enterpriseID} enterprises DeleteEnterprise
+//
+// Delete enterprise by ID.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: ID of the enterprise to delete.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
 func (a *APIController) DeleteEnterpriseHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -104,22 +169,40 @@ func (a *APIController) DeleteEnterpriseHandler(w http.ResponseWriter, r *http.R
 			Error:   "Bad Request",
 			Details: "No enterprise ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	if err := a.r.DeleteEnterprise(ctx, enterpriseID); err != nil {
-		log.Printf("removing enterprise: %+v", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing enterprise")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-
 }

+// swagger:route PUT /enterprises/{enterpriseID} enterprises UpdateEnterprise
+//
+// Update enterprise with the given parameters.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: The ID of the enterprise to update.
+//	    type: string
+//	    in: path
+//	    required: true
+//	  + name: Body
+//	    description: Parameters used when updating the enterprise.
+//	    type: UpdateEntityParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Enterprise
+//	  default: APIErrorResponse
 func (a *APIController) UpdateEnterpriseHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -131,30 +214,50 @@ func (a *APIController) UpdateEnterpriseHandler(w http.ResponseWriter, r *http.R
 			Error:   "Bad Request",
 			Details: "No enterprise ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

-	var updatePayload runnerParams.UpdateRepositoryParams
+	var updatePayload runnerParams.UpdateEntityParams
 	if err := json.NewDecoder(r.Body).Decode(&updatePayload); err != nil {
-		handleError(w, gErrors.ErrBadRequest)
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	enterprise, err := a.r.UpdateEnterprise(ctx, enterpriseID, updatePayload)
 	if err != nil {
-		log.Printf("error updating enterprise: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error updating enterprise: %s")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(enterprise); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route POST /enterprises/{enterpriseID}/pools enterprises pools CreateEnterprisePool
+//
+// Create enterprise pool with the parameters given.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: Enterprise ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when creating the enterprise pool.
+//	    type: CreatePoolParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) CreateEnterprisePoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -166,31 +269,101 @@ func (a *APIController) CreateEnterprisePoolHandler(w http.ResponseWriter, r *ht
 			Error:   "Bad Request",
 			Details: "No enterprise ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	var poolData runnerParams.CreatePoolParams
 	if err := json.NewDecoder(r.Body).Decode(&poolData); err != nil {
-		log.Printf("failed to decode: %s", err)
-		handleError(w, gErrors.ErrBadRequest)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	pool, err := a.r.CreateEnterprisePool(ctx, enterpriseID, poolData)
 	if err != nil {
-		log.Printf("error creating enterprise pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating enterprise pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route POST /enterprises/{enterpriseID}/scalesets enterprises scalesets CreateEnterpriseScaleSet
+//
+// Create enterprise pool with the parameters given.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: Enterprise ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when creating the enterprise scale set.
+//	    type: CreateScaleSetParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ScaleSet
+//	  default: APIErrorResponse
+func (a *APIController) CreateEnterpriseScaleSetHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	enterpriseID, ok := vars["enterpriseID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No enterprise ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	var scaleSetData runnerParams.CreateScaleSetParams
+	if err := json.NewDecoder(r.Body).Decode(&scaleSetData); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	scaleSet, err := a.r.CreateEntityScaleSet(ctx, runnerParams.ForgeEntityTypeEnterprise, enterpriseID, scaleSetData)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating enterprise scale set")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(scaleSet); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /enterprises/{enterpriseID}/pools enterprises pools ListEnterprisePools
+//
+// List enterprise pools.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: Enterprise ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Pools
+//	  default: APIErrorResponse
 func (a *APIController) ListEnterprisePoolsHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -201,25 +374,86 @@ func (a *APIController) ListEnterprisePoolsHandler(w http.ResponseWriter, r *htt
 			Error:   "Bad Request",
 			Details: "No enterprise ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	pools, err := a.r.ListEnterprisePools(ctx, enterpriseID)
 	if err != nil {
-		log.Printf("listing pools: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pools")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pools); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
-
 }

+// swagger:route GET /enterprises/{enterpriseID}/scalesets enterprises scalesets ListEnterpriseScaleSets
+//
+// List enterprise scale sets.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: Enterprise ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: ScaleSets
+//	  default: APIErrorResponse
+func (a *APIController) ListEnterpriseScaleSetsHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	enterpriseID, ok := vars["enterpriseID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No enterprise ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	scaleSets, err := a.r.ListEntityScaleSets(ctx, runnerParams.ForgeEntityTypeEnterprise, enterpriseID)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing scale sets")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(scaleSets); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /enterprises/{enterpriseID}/pools/{poolID} enterprises pools GetEnterprisePool
+//
+// Get enterprise pool by ID.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: Enterprise ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: poolID
+//	    description: Pool ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) GetEnterprisePoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -231,24 +465,43 @@ func (a *APIController) GetEnterprisePoolHandler(w http.ResponseWriter, r *http.
 			Error:   "Bad Request",
 			Details: "No enterprise or pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	pool, err := a.r.GetEnterprisePoolByID(ctx, enterpriseID, poolID)
 	if err != nil {
-		log.Printf("listing pools: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pools")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route DELETE /enterprises/{enterpriseID}/pools/{poolID} enterprises pools DeleteEnterprisePool
+//
+// Delete enterprise pool by ID.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: Enterprise ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: poolID
+//	    description: ID of the enterprise pool to delete.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
 func (a *APIController) DeleteEnterprisePoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -261,22 +514,47 @@ func (a *APIController) DeleteEnterprisePoolHandler(w http.ResponseWriter, r *ht
 			Error:   "Bad Request",
 			Details: "No enterprise or pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	if err := a.r.DeleteEnterprisePool(ctx, enterpriseID, poolID); err != nil {
-		log.Printf("removing pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-
 }

+// swagger:route PUT /enterprises/{enterpriseID}/pools/{poolID} enterprises pools UpdateEnterprisePool
+//
+// Update enterprise pool with the parameters given.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: Enterprise ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: poolID
+//	    description: ID of the enterprise pool to update.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when updating the enterprise pool.
+//	    type: UpdatePoolParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) UpdateEnterprisePoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -289,27 +567,27 @@ func (a *APIController) UpdateEnterprisePoolHandler(w http.ResponseWriter, r *ht
 			Error:   "Bad Request",
 			Details: "No enterprise or pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	var poolData runnerParams.UpdatePoolParams
 	if err := json.NewDecoder(r.Body).Decode(&poolData); err != nil {
-		log.Printf("failed to decode: %s", err)
-		handleError(w, gErrors.ErrBadRequest)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	pool, err := a.r.UpdateEnterprisePool(ctx, enterpriseID, poolID, poolData)
 	if err != nil {
-		log.Printf("error creating enterprise pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating enterprise pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }
--- a/apiserver/controllers/gitea_credentials.go
+++ b/apiserver/controllers/gitea_credentials.go
@ -0,0 +1,241 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package controllers
+
+import (
+	"encoding/json"
+	"log/slog"
+	"math"
+	"net/http"
+	"strconv"
+
+	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/params"
+)
+
+// swagger:route GET /gitea/credentials credentials ListGiteaCredentials
+//
+// List all credentials.
+//
+//	Responses:
+//	  200: Credentials
+//	  400: APIErrorResponse
+func (a *APIController) ListGiteaCredentials(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	creds, err := a.r.ListGiteaCredentials(ctx)
+	if err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(creds); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route POST /gitea/credentials credentials CreateGiteaCredentials
+//
+// Create a Gitea credential.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Parameters used when creating a Gitea credential.
+//	    type: CreateGiteaCredentialsParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeCredentials
+//	  400: APIErrorResponse
+func (a *APIController) CreateGiteaCredential(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	var params params.CreateGiteaCredentialsParams
+	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	cred, err := a.r.CreateGiteaCredentials(ctx, params)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to create Gitea credential")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(cred); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /gitea/credentials/{id} credentials GetGiteaCredentials
+//
+// Get a Gitea credential.
+//
+//	Parameters:
+//	  + name: id
+//	    description: ID of the Gitea credential.
+//	    type: integer
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeCredentials
+//	  400: APIErrorResponse
+func (a *APIController) GetGiteaCredential(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	idParam, ok := vars["id"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing id in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idParam, 10, 64)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if id > math.MaxUint {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "id is too large")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	cred, err := a.r.GetGiteaCredentials(ctx, uint(id))
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to get Gitea credential")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(cred); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route DELETE /gitea/credentials/{id} credentials DeleteGiteaCredentials
+//
+// Delete a Gitea credential.
+//
+//	Parameters:
+//	  + name: id
+//	    description: ID of the Gitea credential.
+//	    type: integer
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
+func (a *APIController) DeleteGiteaCredential(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	idParam, ok := vars["id"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing id in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idParam, 10, 64)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if id > math.MaxUint {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "id is too large")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if err := a.r.DeleteGiteaCredentials(ctx, uint(id)); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to delete Gitea credential")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// swagger:route PUT /gitea/credentials/{id} credentials UpdateGiteaCredentials
+//
+// Update a Gitea credential.
+//
+//	Parameters:
+//	  + name: id
+//	    description: ID of the Gitea credential.
+//	    type: integer
+//	    in: path
+//	    required: true
+//	  + name: Body
+//	    description: Parameters used when updating a Gitea credential.
+//	    type: UpdateGiteaCredentialsParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeCredentials
+//	  400: APIErrorResponse
+func (a *APIController) UpdateGiteaCredential(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	idParam, ok := vars["id"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing id in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idParam, 10, 64)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if id > math.MaxUint {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "id is too large")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	var params params.UpdateGiteaCredentialsParams
+	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	cred, err := a.r.UpdateGiteaCredentials(ctx, uint(id), params)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to update Gitea credential")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(cred); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
--- a/apiserver/controllers/gitea_endpoints.go
+++ b/apiserver/controllers/gitea_endpoints.go
@ -0,0 +1,199 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package controllers
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+
+	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/params"
+)
+
+// swagger:route POST /gitea/endpoints endpoints CreateGiteaEndpoint
+//
+// Create a Gitea Endpoint.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Parameters used when creating a Gitea endpoint.
+//	    type: CreateGiteaEndpointParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeEndpoint
+//	  default: APIErrorResponse
+func (a *APIController) CreateGiteaEndpoint(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	var params params.CreateGiteaEndpointParams
+	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	endpoint, err := a.r.CreateGiteaEndpoint(ctx, params)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to create Gitea endpoint")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(endpoint); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /gitea/endpoints endpoints ListGiteaEndpoints
+//
+// List all Gitea Endpoints.
+//
+//	Responses:
+//	  200: ForgeEndpoints
+//	  default: APIErrorResponse
+func (a *APIController) ListGiteaEndpoints(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	endpoints, err := a.r.ListGiteaEndpoints(ctx)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to list Gitea endpoints")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(endpoints); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /gitea/endpoints/{name} endpoints GetGiteaEndpoint
+//
+// Get a Gitea Endpoint.
+//
+//	Parameters:
+//	  + name: name
+//	    description: The name of the Gitea endpoint.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeEndpoint
+//	  default: APIErrorResponse
+func (a *APIController) GetGiteaEndpoint(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	name, ok := vars["name"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing name in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+	endpoint, err := a.r.GetGiteaEndpoint(ctx, name)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to get Gitea endpoint")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(endpoint); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route DELETE /gitea/endpoints/{name} endpoints DeleteGiteaEndpoint
+//
+// Delete a Gitea Endpoint.
+//
+//	Parameters:
+//	  + name: name
+//	    description: The name of the Gitea endpoint.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
+func (a *APIController) DeleteGiteaEndpoint(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	name, ok := vars["name"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing name in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+	if err := a.r.DeleteGiteaEndpoint(ctx, name); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to delete Gitea endpoint")
+		handleError(ctx, w, err)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// swagger:route PUT /gitea/endpoints/{name} endpoints UpdateGiteaEndpoint
+//
+// Update a Gitea Endpoint.
+//
+//	Parameters:
+//	  + name: name
+//	    description: The name of the Gitea endpoint.
+//	    type: string
+//	    in: path
+//	    required: true
+//	  + name: Body
+//	    description: Parameters used when updating a Gitea endpoint.
+//	    type: UpdateGiteaEndpointParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeEndpoint
+//	  default: APIErrorResponse
+func (a *APIController) UpdateGiteaEndpoint(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	name, ok := vars["name"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing name in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	var params params.UpdateGiteaEndpointParams
+	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	endpoint, err := a.r.UpdateGiteaEndpoint(ctx, name, params)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to update GitHub endpoint")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(endpoint); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
--- a/apiserver/controllers/github_credentials.go
+++ b/apiserver/controllers/github_credentials.go
@ -0,0 +1,242 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package controllers
+
+import (
+	"encoding/json"
+	"log/slog"
+	"math"
+	"net/http"
+	"strconv"
+
+	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/params"
+)
+
+// swagger:route GET /credentials credentials ListCredentials
+// swagger:route GET /github/credentials credentials ListCredentials
+//
+// List all credentials.
+//
+//	Responses:
+//	  200: Credentials
+//	  400: APIErrorResponse
+func (a *APIController) ListCredentials(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	creds, err := a.r.ListCredentials(ctx)
+	if err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(creds); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route POST /github/credentials credentials CreateCredentials
+//
+// Create a GitHub credential.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Parameters used when creating a GitHub credential.
+//	    type: CreateGithubCredentialsParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeCredentials
+//	  400: APIErrorResponse
+func (a *APIController) CreateGithubCredential(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	var params params.CreateGithubCredentialsParams
+	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	cred, err := a.r.CreateGithubCredentials(ctx, params)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to create GitHub credential")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(cred); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /github/credentials/{id} credentials GetCredentials
+//
+// Get a GitHub credential.
+//
+//	Parameters:
+//	  + name: id
+//	    description: ID of the GitHub credential.
+//	    type: integer
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeCredentials
+//	  400: APIErrorResponse
+func (a *APIController) GetGithubCredential(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	idParam, ok := vars["id"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing id in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idParam, 10, 64)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if id > math.MaxUint {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "id is too large")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	cred, err := a.r.GetGithubCredentials(ctx, uint(id))
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to get GitHub credential")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(cred); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route DELETE /github/credentials/{id} credentials DeleteCredentials
+//
+// Delete a GitHub credential.
+//
+//	Parameters:
+//	  + name: id
+//	    description: ID of the GitHub credential.
+//	    type: integer
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
+func (a *APIController) DeleteGithubCredential(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	idParam, ok := vars["id"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing id in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idParam, 10, 64)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if id > math.MaxUint {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "id is too large")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if err := a.r.DeleteGithubCredentials(ctx, uint(id)); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to delete GitHub credential")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// swagger:route PUT /github/credentials/{id} credentials UpdateCredentials
+//
+// Update a GitHub credential.
+//
+//	Parameters:
+//	  + name: id
+//	    description: ID of the GitHub credential.
+//	    type: integer
+//	    in: path
+//	    required: true
+//	  + name: Body
+//	    description: Parameters used when updating a GitHub credential.
+//	    type: UpdateGithubCredentialsParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeCredentials
+//	  400: APIErrorResponse
+func (a *APIController) UpdateGithubCredential(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	idParam, ok := vars["id"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing id in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idParam, 10, 64)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if id > math.MaxUint {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "id is too large")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	var params params.UpdateGithubCredentialsParams
+	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	cred, err := a.r.UpdateGithubCredentials(ctx, uint(id), params)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to update GitHub credential")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(cred); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
--- a/apiserver/controllers/github_endpoints.go
+++ b/apiserver/controllers/github_endpoints.go
@ -0,0 +1,199 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package controllers
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+
+	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/params"
+)
+
+// swagger:route POST /github/endpoints endpoints CreateGithubEndpoint
+//
+// Create a GitHub Endpoint.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Parameters used when creating a GitHub endpoint.
+//	    type: CreateGithubEndpointParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeEndpoint
+//	  default: APIErrorResponse
+func (a *APIController) CreateGithubEndpoint(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	var params params.CreateGithubEndpointParams
+	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	endpoint, err := a.r.CreateGithubEndpoint(ctx, params)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to create GitHub endpoint")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(endpoint); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /github/endpoints endpoints ListGithubEndpoints
+//
+// List all GitHub Endpoints.
+//
+//	Responses:
+//	  200: ForgeEndpoints
+//	  default: APIErrorResponse
+func (a *APIController) ListGithubEndpoints(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	endpoints, err := a.r.ListGithubEndpoints(ctx)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to list GitHub endpoints")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(endpoints); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /github/endpoints/{name} endpoints GetGithubEndpoint
+//
+// Get a GitHub Endpoint.
+//
+//	Parameters:
+//	  + name: name
+//	    description: The name of the GitHub endpoint.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeEndpoint
+//	  default: APIErrorResponse
+func (a *APIController) GetGithubEndpoint(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	name, ok := vars["name"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing name in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+	endpoint, err := a.r.GetGithubEndpoint(ctx, name)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to get GitHub endpoint")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(endpoint); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route DELETE /github/endpoints/{name} endpoints DeleteGithubEndpoint
+//
+// Delete a GitHub Endpoint.
+//
+//	Parameters:
+//	  + name: name
+//	    description: The name of the GitHub endpoint.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
+func (a *APIController) DeleteGithubEndpoint(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	name, ok := vars["name"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing name in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+	if err := a.r.DeleteGithubEndpoint(ctx, name); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to delete GitHub endpoint")
+		handleError(ctx, w, err)
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// swagger:route PUT /github/endpoints/{name} endpoints UpdateGithubEndpoint
+//
+// Update a GitHub Endpoint.
+//
+//	Parameters:
+//	  + name: name
+//	    description: The name of the GitHub endpoint.
+//	    type: string
+//	    in: path
+//	    required: true
+//	  + name: Body
+//	    description: Parameters used when updating a GitHub endpoint.
+//	    type: UpdateGithubEndpointParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ForgeEndpoint
+//	  default: APIErrorResponse
+func (a *APIController) UpdateGithubEndpoint(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	name, ok := vars["name"]
+	if !ok {
+		slog.ErrorContext(ctx, "missing name in request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	var params params.UpdateGithubEndpointParams
+	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode request")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	endpoint, err := a.r.UpdateGithubEndpoint(ctx, name, params)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to update GitHub endpoint")
+		handleError(ctx, w, err)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(endpoint); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
--- a/apiserver/controllers/instances.go
+++ b/apiserver/controllers/instances.go
@ -16,16 +16,31 @@ package controllers

 import (
 	"encoding/json"
-	"log"
+	"log/slog"
 	"net/http"
-
-	"github.com/cloudbase/garm/apiserver/params"
-	gErrors "github.com/cloudbase/garm/errors"
-	runnerParams "github.com/cloudbase/garm/params"
+	"strconv"

 	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/apiserver/params"
+	runnerParams "github.com/cloudbase/garm/params"
 )

+// swagger:route GET /pools/{poolID}/instances instances ListPoolInstances
+//
+// List runner instances in a pool.
+//
+//	Parameters:
+//	  + name: poolID
+//	    description: Runner pool ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Instances
+//	  default: APIErrorResponse
 func (a *APIController) ListPoolInstancesHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -36,24 +51,86 @@ func (a *APIController) ListPoolInstancesHandler(w http.ResponseWriter, r *http.
 			Error:   "Bad Request",
 			Details: "No pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	instances, err := a.r.ListPoolInstances(ctx, poolID)
 	if err != nil {
-		log.Printf("listing pool instances: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pool instances")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(instances); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /scalesets/{scalesetID}/instances instances ListScaleSetInstances
+//
+// List runner instances in a scale set.
+//
+//	Parameters:
+//	  + name: scalesetID
+//	    description: Runner scale set ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Instances
+//	  default: APIErrorResponse
+func (a *APIController) ListScaleSetInstancesHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	scalesetID, ok := vars["scalesetID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No pool ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+	id, err := strconv.ParseUint(scalesetID, 10, 32)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	instances, err := a.r.ListScaleSetInstances(ctx, uint(id))
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pool instances")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(instances); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /instances/{instanceName} instances GetInstance
+//
+// Get runner instance by name.
+//
+//	Parameters:
+//	  + name: instanceName
+//	    description: Runner instance name.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Instance
+//	  default: APIErrorResponse
 func (a *APIController) GetInstanceHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -64,24 +141,50 @@ func (a *APIController) GetInstanceHandler(w http.ResponseWriter, r *http.Reques
 			Error:   "Bad Request",
 			Details: "No runner name specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	instance, err := a.r.GetInstance(ctx, instanceName)
 	if err != nil {
-		log.Printf("listing instances: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing instances")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(instance); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route DELETE /instances/{instanceName} instances DeleteInstance
+//
+// Delete runner instance by name.
+//
+//	Parameters:
+//	  + name: instanceName
+//	    description: Runner instance name.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: forceRemove
+//	    description: If true GARM will ignore any provider error when removing the runner and will continue to remove the runner from github and the GARM database.
+//	    type: boolean
+//	    in: query
+//	    required: false
+//
+//	  + name: bypassGHUnauthorized
+//	    description: If true GARM will ignore unauthorized errors returned by GitHub when removing a runner. This is useful if you want to clean up runners and your credentials have expired.
+//	    type: boolean
+//	    in: query
+//	    required: false
+//
+// Responses:
+//
+//	default: APIErrorResponse
 func (a *APIController) DeleteInstanceHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -92,14 +195,16 @@ func (a *APIController) DeleteInstanceHandler(w http.ResponseWriter, r *http.Req
 			Error:   "Bad Request",
 			Details: "No instance name specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

-	if err := a.r.ForceDeleteRunner(ctx, instanceName); err != nil {
-		log.Printf("removing runner: %s", err)
-		handleError(w, err)
+	forceRemove, _ := strconv.ParseBool(r.URL.Query().Get("forceRemove"))
+	bypassGHUnauthorized, _ := strconv.ParseBool(r.URL.Query().Get("bypassGHUnauthorized"))
+	if err := a.r.DeleteRunner(ctx, instanceName, forceRemove, bypassGHUnauthorized); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing runner")
+		handleError(ctx, w, err)
 		return
 	}

@ -107,6 +212,20 @@ func (a *APIController) DeleteInstanceHandler(w http.ResponseWriter, r *http.Req
 	w.WriteHeader(http.StatusOK)
 }

+// swagger:route GET /repositories/{repoID}/instances repositories instances ListRepoInstances
+//
+// List repository instances.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Instances
+//	  default: APIErrorResponse
 func (a *APIController) ListRepoInstancesHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -117,24 +236,38 @@ func (a *APIController) ListRepoInstancesHandler(w http.ResponseWriter, r *http.
 			Error:   "Bad Request",
 			Details: "No repo ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	instances, err := a.r.ListRepoInstances(ctx, repoID)
 	if err != nil {
-		log.Printf("listing pools: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pools")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(instances); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /organizations/{orgID}/instances organizations instances ListOrgInstances
+//
+// List organization instances.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Instances
+//	  default: APIErrorResponse
 func (a *APIController) ListOrgInstancesHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -145,24 +278,38 @@ func (a *APIController) ListOrgInstancesHandler(w http.ResponseWriter, r *http.R
 			Error:   "Bad Request",
 			Details: "No org ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	instances, err := a.r.ListOrgInstances(ctx, orgID)
 	if err != nil {
-		log.Printf("listing instances: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing instances")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(instances); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /enterprises/{enterpriseID}/instances enterprises instances ListEnterpriseInstances
+//
+// List enterprise instances.
+//
+//	Parameters:
+//	  + name: enterpriseID
+//	    description: Enterprise ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Instances
+//	  default: APIErrorResponse
 func (a *APIController) ListEnterpriseInstancesHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -173,37 +320,44 @@ func (a *APIController) ListEnterpriseInstancesHandler(w http.ResponseWriter, r
 			Error:   "Bad Request",
 			Details: "No enterprise ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	instances, err := a.r.ListEnterpriseInstances(ctx, enterpriseID)
 	if err != nil {
-		log.Printf("listing instances: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing instances")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(instances); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /instances instances ListInstances
+//
+// Get all runners' instances.
+//
+//	Responses:
+//	  200: Instances
+//	  default: APIErrorResponse
 func (a *APIController) ListAllInstancesHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

 	instances, err := a.r.ListAllInstances(ctx)
 	if err != nil {
-		log.Printf("listing instances: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing instances")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(instances); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

@ -212,14 +366,14 @@ func (a *APIController) InstanceStatusMessageHandler(w http.ResponseWriter, r *h

 	var updateMessage runnerParams.InstanceUpdateMessage
 	if err := json.NewDecoder(r.Body).Decode(&updateMessage); err != nil {
-		log.Printf("failed to decode: %s", err)
-		handleError(w, gErrors.ErrBadRequest)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	if err := a.r.AddInstanceStatusMessage(ctx, updateMessage); err != nil {
-		log.Printf("error saving status message: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error saving status message")
+		handleError(ctx, w, err)
 		return
 	}

@ -227,18 +381,22 @@ func (a *APIController) InstanceStatusMessageHandler(w http.ResponseWriter, r *h
 	w.WriteHeader(http.StatusOK)
 }

-func (a *APIController) InstanceGithubRegistrationTokenHandler(w http.ResponseWriter, r *http.Request) {
+func (a *APIController) InstanceSystemInfoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

-	token, err := a.r.GetInstanceGithubRegistrationToken(ctx)
-	if err != nil {
-		handleError(w, err)
+	var updateMessage runnerParams.UpdateSystemInfoParams
+	if err := json.NewDecoder(r.Body).Decode(&updateMessage); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if err := a.r.UpdateSystemInfo(ctx, updateMessage); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error saving status message")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-	if _, err := w.Write([]byte(token)); err != nil {
-		log.Printf("failed to encode response: %q", err)
-	}
 }
--- a/apiserver/controllers/metadata.go
+++ b/apiserver/controllers/metadata.go
@ -0,0 +1,125 @@
+// Copyright 2023 Cloudbase Solutions SRL
+//
+//    Licensed under the Apache License, Version 2.0 (the "License"); you may
+//    not use this file except in compliance with the License. You may obtain
+//    a copy of the License at
+//
+//         http://www.apache.org/licenses/LICENSE-2.0
+//
+//    Unless required by applicable law or agreed to in writing, software
+//    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//    License for the specific language governing permissions and limitations
+//    under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+
+	"github.com/gorilla/mux"
+
+	"github.com/cloudbase/garm/apiserver/params"
+)
+
+func (a *APIController) InstanceGithubRegistrationTokenHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	token, err := a.r.GetInstanceGithubRegistrationToken(ctx)
+	if err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	if _, err := w.Write([]byte(token)); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+func (a *APIController) JITCredentialsFileHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	fileName, ok := vars["fileName"]
+	if !ok {
+		w.WriteHeader(http.StatusNotFound)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Not Found",
+			Details: "Not Found",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	dotFileName := fmt.Sprintf(".%s", fileName)
+
+	data, err := a.r.GetJITConfigFile(ctx, dotFileName)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "getting JIT config file")
+		handleError(ctx, w, err)
+		return
+	}
+
+	// Note the leading dot in the filename
+	name := fmt.Sprintf("attachment; filename=%s", dotFileName)
+	w.Header().Set("Content-Disposition", name)
+	w.Header().Set("Content-Type", "octet-stream")
+	w.Header().Set("Content-Length", fmt.Sprintf("%d", len(data)))
+	w.WriteHeader(http.StatusOK)
+	if _, err := w.Write(data); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+func (a *APIController) SystemdServiceNameHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	serviceName, err := a.r.GetRunnerServiceName(ctx)
+	if err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/plain")
+	w.WriteHeader(http.StatusOK)
+	if _, err := w.Write([]byte(serviceName)); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+func (a *APIController) SystemdUnitFileHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	runAsUser := r.URL.Query().Get("runAsUser")
+
+	data, err := a.r.GenerateSystemdUnitFile(ctx, runAsUser)
+	if err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/plain")
+	w.WriteHeader(http.StatusOK)
+	if _, err := w.Write(data); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+func (a *APIController) RootCertificateBundleHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	bundle, err := a.r.GetRootCertificateBundle(ctx)
+	if err != nil {
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(bundle); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
--- a/apiserver/controllers/organizations.go
+++ b/apiserver/controllers/organizations.go
@ -16,54 +16,107 @@ package controllers

 import (
 	"encoding/json"
-	"log"
+	"log/slog"
 	"net/http"
-
-	"github.com/cloudbase/garm/apiserver/params"
-	gErrors "github.com/cloudbase/garm/errors"
-	runnerParams "github.com/cloudbase/garm/params"
+	"strconv"

 	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/apiserver/params"
+	runnerParams "github.com/cloudbase/garm/params"
 )

+// swagger:route POST /organizations organizations CreateOrg
+//
+// Create organization with the parameters given.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Parameters used when creating the organization.
+//	    type: CreateOrgParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Organization
+//	  default: APIErrorResponse
 func (a *APIController) CreateOrgHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

-	var repoData runnerParams.CreateOrgParams
-	if err := json.NewDecoder(r.Body).Decode(&repoData); err != nil {
-		handleError(w, gErrors.ErrBadRequest)
+	var orgData runnerParams.CreateOrgParams
+	if err := json.NewDecoder(r.Body).Decode(&orgData); err != nil {
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

-	repo, err := a.r.CreateOrganization(ctx, repoData)
+	org, err := a.r.CreateOrganization(ctx, orgData)
 	if err != nil {
-		log.Printf("error creating repository: %+v", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating organization")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
-	if err := json.NewEncoder(w).Encode(repo); err != nil {
-		log.Printf("failed to encode response: %q", err)
+	if err := json.NewEncoder(w).Encode(org); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /organizations organizations ListOrgs
+//
+// List organizations.
+//
+//	Parameters:
+//	  + name: name
+//	    description: Exact organization name to filter by
+//	    type: string
+//	    in: query
+//	    required: false
+//
+//	  + name: endpoint
+//	    description: Exact endpoint name to filter by
+//	    type: string
+//	    in: query
+//	    required: false
+//
+//	Responses:
+//	  200: Organizations
+//	  default: APIErrorResponse
 func (a *APIController) ListOrgsHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

-	orgs, err := a.r.ListOrganizations(ctx)
+	filter := runnerParams.OrganizationFilter{
+		Name:     r.URL.Query().Get("name"),
+		Endpoint: r.URL.Query().Get("endpoint"),
+	}
+	orgs, err := a.r.ListOrganizations(ctx, filter)
 	if err != nil {
-		log.Printf("listing orgs: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing orgs")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(orgs); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /organizations/{orgID} organizations GetOrg
+//
+// Get organization by ID.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: ID of the organization to fetch.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Organization
+//	  default: APIErrorResponse
 func (a *APIController) GetOrgByIDHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -75,24 +128,43 @@ func (a *APIController) GetOrgByIDHandler(w http.ResponseWriter, r *http.Request
 			Error:   "Bad Request",
 			Details: "No org ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	org, err := a.r.GetOrganizationByID(ctx, orgID)
 	if err != nil {
-		log.Printf("fetching org: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "fetching org")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(org); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route DELETE /organizations/{orgID} organizations DeleteOrg
+//
+// Delete organization by ID.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: ID of the organization to delete.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: keepWebhook
+//	    description: If true and a webhook is installed for this organization, it will not be removed.
+//	    type: boolean
+//	    in: query
+//	    required: false
+//
+//	Responses:
+//	  default: APIErrorResponse
 func (a *APIController) DeleteOrgHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -104,22 +176,43 @@ func (a *APIController) DeleteOrgHandler(w http.ResponseWriter, r *http.Request)
 			Error:   "Bad Request",
 			Details: "No org ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

-	if err := a.r.DeleteOrganization(ctx, orgID); err != nil {
-		log.Printf("removing org: %+v", err)
-		handleError(w, err)
+	keepWebhook, _ := strconv.ParseBool(r.URL.Query().Get("keepWebhook"))
+
+	if err := a.r.DeleteOrganization(ctx, orgID, keepWebhook); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing org")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-
 }

+// swagger:route PUT /organizations/{orgID} organizations UpdateOrg
+//
+// Update organization with the parameters given.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: ID of the organization to update.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when updating the organization.
+//	    type: UpdateEntityParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Organization
+//	  default: APIErrorResponse
 func (a *APIController) UpdateOrgHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -131,30 +224,50 @@ func (a *APIController) UpdateOrgHandler(w http.ResponseWriter, r *http.Request)
 			Error:   "Bad Request",
 			Details: "No org ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

-	var updatePayload runnerParams.UpdateRepositoryParams
+	var updatePayload runnerParams.UpdateEntityParams
 	if err := json.NewDecoder(r.Body).Decode(&updatePayload); err != nil {
-		handleError(w, gErrors.ErrBadRequest)
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	org, err := a.r.UpdateOrganization(ctx, orgID, updatePayload)
 	if err != nil {
-		log.Printf("error updating organization: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error updating organization")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(org); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route POST /organizations/{orgID}/pools organizations pools CreateOrgPool
+//
+// Create organization pool with the parameters given.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when creating the organization pool.
+//	    type: CreatePoolParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) CreateOrgPoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -166,31 +279,101 @@ func (a *APIController) CreateOrgPoolHandler(w http.ResponseWriter, r *http.Requ
 			Error:   "Bad Request",
 			Details: "No org ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	var poolData runnerParams.CreatePoolParams
 	if err := json.NewDecoder(r.Body).Decode(&poolData); err != nil {
-		log.Printf("failed to decode: %s", err)
-		handleError(w, gErrors.ErrBadRequest)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	pool, err := a.r.CreateOrgPool(ctx, orgID, poolData)
 	if err != nil {
-		log.Printf("error creating organization pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating organization pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route POST /organizations/{orgID}/scalesets organizations scalesets CreateOrgScaleSet
+//
+// Create organization scale set with the parameters given.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when creating the organization scale set.
+//	    type: CreateScaleSetParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ScaleSet
+//	  default: APIErrorResponse
+func (a *APIController) CreateOrgScaleSetHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	orgID, ok := vars["orgID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No org ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	var scalesetData runnerParams.CreateScaleSetParams
+	if err := json.NewDecoder(r.Body).Decode(&scalesetData); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	scaleSet, err := a.r.CreateEntityScaleSet(ctx, runnerParams.ForgeEntityTypeOrganization, orgID, scalesetData)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating organization scale set")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(scaleSet); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /organizations/{orgID}/pools organizations pools ListOrgPools
+//
+// List organization pools.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Pools
+//	  default: APIErrorResponse
 func (a *APIController) ListOrgPoolsHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -201,53 +384,134 @@ func (a *APIController) ListOrgPoolsHandler(w http.ResponseWriter, r *http.Reque
 			Error:   "Bad Request",
 			Details: "No org ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	pools, err := a.r.ListOrgPools(ctx, orgID)
 	if err != nil {
-		log.Printf("listing pools: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pools")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pools); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /organizations/{orgID}/scalesets organizations scalesets ListOrgScaleSets
+//
+// List organization scale sets.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: ScaleSets
+//	  default: APIErrorResponse
+func (a *APIController) ListOrgScaleSetsHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	orgID, ok := vars["orgID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No org ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	scaleSets, err := a.r.ListEntityScaleSets(ctx, runnerParams.ForgeEntityTypeOrganization, orgID)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing scale sets")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(scaleSets); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /organizations/{orgID}/pools/{poolID} organizations pools GetOrgPool
+//
+// Get organization pool by ID.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: poolID
+//	    description: Pool ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) GetOrgPoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
-	orgID, repoOk := vars["orgID"]
+	orgID, orgOk := vars["orgID"]
 	poolID, poolOk := vars["poolID"]
-	if !repoOk || !poolOk {
+	if !orgOk || !poolOk {
 		w.WriteHeader(http.StatusBadRequest)
 		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
 			Error:   "Bad Request",
 			Details: "No org or pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	pool, err := a.r.GetOrgPoolByID(ctx, orgID, poolID)
 	if err != nil {
-		log.Printf("listing pools: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pools")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route DELETE /organizations/{orgID}/pools/{poolID} organizations pools DeleteOrgPool
+//
+// Delete organization pool by ID.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: poolID
+//	    description: ID of the organization pool to delete.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
 func (a *APIController) DeleteOrgPoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -260,22 +524,47 @@ func (a *APIController) DeleteOrgPoolHandler(w http.ResponseWriter, r *http.Requ
 			Error:   "Bad Request",
 			Details: "No org or pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	if err := a.r.DeleteOrgPool(ctx, orgID, poolID); err != nil {
-		log.Printf("removing pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-
 }

+// swagger:route PUT /organizations/{orgID}/pools/{poolID} organizations pools UpdateOrgPool
+//
+// Update organization pool with the parameters given.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: poolID
+//	    description: ID of the organization pool to update.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when updating the organization pool.
+//	    type: UpdatePoolParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) UpdateOrgPoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -288,27 +577,166 @@ func (a *APIController) UpdateOrgPoolHandler(w http.ResponseWriter, r *http.Requ
 			Error:   "Bad Request",
 			Details: "No org or pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	var poolData runnerParams.UpdatePoolParams
 	if err := json.NewDecoder(r.Body).Decode(&poolData); err != nil {
-		log.Printf("failed to decode: %s", err)
-		handleError(w, gErrors.ErrBadRequest)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	pool, err := a.r.UpdateOrgPool(ctx, orgID, poolID, poolData)
 	if err != nil {
-		log.Printf("error creating organization pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating organization pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route POST /organizations/{orgID}/webhook organizations hooks InstallOrgWebhook
+//
+// Install the GARM webhook for an organization. The secret configured on the organization will
+// be used to validate the requests.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when creating the organization webhook.
+//	    type: InstallWebhookParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: HookInfo
+//	  default: APIErrorResponse
+func (a *APIController) InstallOrgWebhookHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	orgID, orgOk := vars["orgID"]
+	if !orgOk {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No org ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	var hookParam runnerParams.InstallWebhookParams
+	if err := json.NewDecoder(r.Body).Decode(&hookParam); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	info, err := a.r.InstallOrgWebhook(ctx, orgID, hookParam)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "installing webhook")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(info); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route DELETE /organizations/{orgID}/webhook organizations hooks UninstallOrgWebhook
+//
+// Uninstall organization webhook.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
+func (a *APIController) UninstallOrgWebhookHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	orgID, orgOk := vars["orgID"]
+	if !orgOk {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No org ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	if err := a.r.UninstallOrgWebhook(ctx, orgID); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing webhook")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+}
+
+// swagger:route GET /organizations/{orgID}/webhook organizations hooks GetOrgWebhookInfo
+//
+// Get information about the GARM installed webhook on an organization.
+//
+//	Parameters:
+//	  + name: orgID
+//	    description: Organization ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: HookInfo
+//	  default: APIErrorResponse
+func (a *APIController) GetOrgWebhookInfoHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	orgID, orgOk := vars["orgID"]
+	if !orgOk {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No org ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	info, err := a.r.GetOrgWebhookInfo(ctx, orgID)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "getting webhook info")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(info); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }
--- a/apiserver/controllers/pools.go
+++ b/apiserver/controllers/pools.go
@ -16,33 +16,53 @@ package controllers

 import (
 	"encoding/json"
-	"log"
+	"log/slog"
 	"net/http"

-	"github.com/cloudbase/garm/apiserver/params"
-	gErrors "github.com/cloudbase/garm/errors"
-	runnerParams "github.com/cloudbase/garm/params"
-
 	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/apiserver/params"
+	runnerParams "github.com/cloudbase/garm/params"
 )

+// swagger:route GET /pools pools ListPools
+//
+// List all pools.
+//
+//	Responses:
+//	  200: Pools
+//	  default: APIErrorResponse
 func (a *APIController) ListAllPoolsHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

 	pools, err := a.r.ListAllPools(ctx)
-
 	if err != nil {
-		log.Printf("listing pools: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pools")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pools); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /pools/{poolID} pools GetPool
+//
+// Get pool by ID.
+//
+//	Parameters:
+//	  + name: poolID
+//	    description: ID of the pool to fetch.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) GetPoolByIDHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -54,15 +74,15 @@ func (a *APIController) GetPoolByIDHandler(w http.ResponseWriter, r *http.Reques
 			Error:   "Bad Request",
 			Details: "No pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	pool, err := a.r.GetPoolByID(ctx, poolID)
 	if err != nil {
-		log.Printf("fetching pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "fetching pool")
+		handleError(ctx, w, err)
 		return
 	}

@ -70,10 +90,23 @@ func (a *APIController) GetPoolByIDHandler(w http.ResponseWriter, r *http.Reques

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route DELETE /pools/{poolID} pools DeletePool
+//
+// Delete pool by ID.
+//
+//	Parameters:
+//	  + name: poolID
+//	    description: ID of the pool to delete.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
 func (a *APIController) DeletePoolByIDHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -85,14 +118,14 @@ func (a *APIController) DeletePoolByIDHandler(w http.ResponseWriter, r *http.Req
 			Error:   "Bad Request",
 			Details: "No pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	if err := a.r.DeletePoolByID(ctx, poolID); err != nil {
-		log.Printf("removing pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing pool")
+		handleError(ctx, w, err)
 		return
 	}

@ -100,6 +133,26 @@ func (a *APIController) DeletePoolByIDHandler(w http.ResponseWriter, r *http.Req
 	w.WriteHeader(http.StatusOK)
 }

+// swagger:route PUT /pools/{poolID} pools UpdatePool
+//
+// Update pool by ID.
+//
+//	Parameters:
+//	  + name: poolID
+//	    description: ID of the pool to update.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters to update the pool with.
+//	    type: UpdatePoolParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) UpdatePoolByIDHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -111,27 +164,27 @@ func (a *APIController) UpdatePoolByIDHandler(w http.ResponseWriter, r *http.Req
 			Error:   "Bad Request",
 			Details: "No pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	var poolData runnerParams.UpdatePoolParams
 	if err := json.NewDecoder(r.Body).Decode(&poolData); err != nil {
-		log.Printf("failed to decode: %s", err)
-		handleError(w, gErrors.ErrBadRequest)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	pool, err := a.r.UpdatePoolByID(ctx, poolID, poolData)
 	if err != nil {
-		log.Printf("fetching pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "fetching pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }
--- a/apiserver/controllers/repositories.go
+++ b/apiserver/controllers/repositories.go
@ -16,54 +16,114 @@ package controllers

 import (
 	"encoding/json"
-	"log"
+	"log/slog"
 	"net/http"
-
-	"github.com/cloudbase/garm/apiserver/params"
-	gErrors "github.com/cloudbase/garm/errors"
-	runnerParams "github.com/cloudbase/garm/params"
+	"strconv"

 	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/apiserver/params"
+	runnerParams "github.com/cloudbase/garm/params"
 )

+// swagger:route POST /repositories repositories CreateRepo
+//
+// Create repository with the parameters given.
+//
+//	Parameters:
+//	  + name: Body
+//	    description: Parameters used when creating the repository.
+//	    type: CreateRepoParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Repository
+//	  default: APIErrorResponse
 func (a *APIController) CreateRepoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

 	var repoData runnerParams.CreateRepoParams
 	if err := json.NewDecoder(r.Body).Decode(&repoData); err != nil {
-		handleError(w, gErrors.ErrBadRequest)
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	repo, err := a.r.CreateRepository(ctx, repoData)
 	if err != nil {
-		log.Printf("error creating repository: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating repository")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(repo); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /repositories repositories ListRepos
+//
+// List repositories.
+//
+//	Parameters:
+//	  + name: owner
+//	    description: Exact owner name to filter by
+//	    type: string
+//	    in: query
+//	    required: false
+//
+//	  + name: name
+//	    description: Exact repository name to filter by
+//	    type: string
+//	    in: query
+//	    required: false
+//
+//	  + name: endpoint
+//	    description: Exact endpoint name to filter by
+//	    type: string
+//	    in: query
+//	    required: false
+//
+//	Responses:
+//	  200: Repositories
+//	  default: APIErrorResponse
 func (a *APIController) ListReposHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

-	repos, err := a.r.ListRepositories(ctx)
+	filter := runnerParams.RepositoryFilter{
+		Name:     r.URL.Query().Get("name"),
+		Owner:    r.URL.Query().Get("owner"),
+		Endpoint: r.URL.Query().Get("endpoint"),
+	}
+	repos, err := a.r.ListRepositories(ctx, filter)
 	if err != nil {
-		log.Printf("listing repos: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing repositories")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(repos); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /repositories/{repoID} repositories GetRepo
+//
+// Get repository by ID.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: ID of the repository to fetch.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Repository
+//	  default: APIErrorResponse
 func (a *APIController) GetRepoByIDHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -75,24 +135,43 @@ func (a *APIController) GetRepoByIDHandler(w http.ResponseWriter, r *http.Reques
 			Error:   "Bad Request",
 			Details: "No repo ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	repo, err := a.r.GetRepositoryByID(ctx, repoID)
 	if err != nil {
-		log.Printf("fetching repo: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "fetching repository")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(repo); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route DELETE /repositories/{repoID} repositories DeleteRepo
+//
+// Delete repository by ID.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: ID of the repository to delete.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: keepWebhook
+//	    description: If true and a webhook is installed for this repo, it will not be removed.
+//	    type: boolean
+//	    in: query
+//	    required: false
+//
+//	Responses:
+//	  default: APIErrorResponse
 func (a *APIController) DeleteRepoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -104,22 +183,42 @@ func (a *APIController) DeleteRepoHandler(w http.ResponseWriter, r *http.Request
 			Error:   "Bad Request",
 			Details: "No repo ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

-	if err := a.r.DeleteRepository(ctx, repoID); err != nil {
-		log.Printf("fetching repo: %s", err)
-		handleError(w, err)
+	keepWebhook, _ := strconv.ParseBool(r.URL.Query().Get("keepWebhook"))
+	if err := a.r.DeleteRepository(ctx, repoID, keepWebhook); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "fetching repository")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-
 }

+// swagger:route PUT /repositories/{repoID} repositories UpdateRepo
+//
+// Update repository with the parameters given.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: ID of the repository to update.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when updating the repository.
+//	    type: UpdateEntityParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Repository
+//	  default: APIErrorResponse
 func (a *APIController) UpdateRepoHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -131,30 +230,50 @@ func (a *APIController) UpdateRepoHandler(w http.ResponseWriter, r *http.Request
 			Error:   "Bad Request",
 			Details: "No repo ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

-	var updatePayload runnerParams.UpdateRepositoryParams
+	var updatePayload runnerParams.UpdateEntityParams
 	if err := json.NewDecoder(r.Body).Decode(&updatePayload); err != nil {
-		handleError(w, gErrors.ErrBadRequest)
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	repo, err := a.r.UpdateRepository(ctx, repoID, updatePayload)
 	if err != nil {
-		log.Printf("error updating repository: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error updating repository")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(repo); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route POST /repositories/{repoID}/pools repositories pools CreateRepoPool
+//
+// Create repository pool with the parameters given.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when creating the repository pool.
+//	    type: CreatePoolParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) CreateRepoPoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -166,31 +285,101 @@ func (a *APIController) CreateRepoPoolHandler(w http.ResponseWriter, r *http.Req
 			Error:   "Bad Request",
 			Details: "No repo ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	var poolData runnerParams.CreatePoolParams
 	if err := json.NewDecoder(r.Body).Decode(&poolData); err != nil {
-		log.Printf("failed to decode: %s", err)
-		handleError(w, gErrors.ErrBadRequest)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	pool, err := a.r.CreateRepoPool(ctx, repoID, poolData)
 	if err != nil {
-		log.Printf("error creating repository pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating repository pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route POST /repositories/{repoID}/scalesets repositories scalesets CreateRepoScaleSet
+//
+// Create repository scale set with the parameters given.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when creating the repository scale set.
+//	    type: CreateScaleSetParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ScaleSet
+//	  default: APIErrorResponse
+func (a *APIController) CreateRepoScaleSetHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	repoID, ok := vars["repoID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No repo ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	var scaleSetData runnerParams.CreateScaleSetParams
+	if err := json.NewDecoder(r.Body).Decode(&scaleSetData); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	scaleSet, err := a.r.CreateEntityScaleSet(ctx, runnerParams.ForgeEntityTypeRepository, repoID, scaleSetData)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating repository scale set")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(scaleSet); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /repositories/{repoID}/pools repositories pools ListRepoPools
+//
+// List repository pools.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Pools
+//	  default: APIErrorResponse
 func (a *APIController) ListRepoPoolsHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -201,24 +390,86 @@ func (a *APIController) ListRepoPoolsHandler(w http.ResponseWriter, r *http.Requ
 			Error:   "Bad Request",
 			Details: "No repo ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	pools, err := a.r.ListRepoPools(ctx, repoID)
 	if err != nil {
-		log.Printf("listing pools: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pools")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pools); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route GET /repositories/{repoID}/scalesets repositories scalesets ListRepoScaleSets
+//
+// List repository scale sets.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: ScaleSets
+//	  default: APIErrorResponse
+func (a *APIController) ListRepoScaleSetsHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	vars := mux.Vars(r)
+	repoID, ok := vars["repoID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No repo ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	scaleSets, err := a.r.ListEntityScaleSets(ctx, runnerParams.ForgeEntityTypeRepository, repoID)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing scale sets")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(scaleSets); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /repositories/{repoID}/pools/{poolID} repositories pools GetRepoPool
+//
+// Get repository pool by ID.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: poolID
+//	    description: Pool ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) GetRepoPoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	vars := mux.Vars(r)
@ -230,24 +481,43 @@ func (a *APIController) GetRepoPoolHandler(w http.ResponseWriter, r *http.Reques
 			Error:   "Bad Request",
 			Details: "No repo or pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	pool, err := a.r.GetRepoPoolByID(ctx, repoID, poolID)
 	if err != nil {
-		log.Printf("listing pools: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing pools")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+// swagger:route DELETE /repositories/{repoID}/pools/{poolID} repositories pools DeleteRepoPool
+//
+// Delete repository pool by ID.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: poolID
+//	    description: ID of the repository pool to delete.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
 func (a *APIController) DeleteRepoPoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -260,22 +530,47 @@ func (a *APIController) DeleteRepoPoolHandler(w http.ResponseWriter, r *http.Req
 			Error:   "Bad Request",
 			Details: "No repo or pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	if err := a.r.DeleteRepoPool(ctx, repoID, poolID); err != nil {
-		log.Printf("removing pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(http.StatusOK)
-
 }

+// swagger:route PUT /repositories/{repoID}/pools/{poolID} repositories pools UpdateRepoPool
+//
+// Update repository pool with the parameters given.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: poolID
+//	    description: ID of the repository pool to update.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when updating the repository pool.
+//	    type: UpdatePoolParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: Pool
+//	  default: APIErrorResponse
 func (a *APIController) UpdateRepoPoolHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

@ -288,27 +583,166 @@ func (a *APIController) UpdateRepoPoolHandler(w http.ResponseWriter, r *http.Req
 			Error:   "Bad Request",
 			Details: "No repo or pool ID specified",
 		}); err != nil {
-			log.Printf("failed to encode response: %q", err)
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 		}
 		return
 	}

 	var poolData runnerParams.UpdatePoolParams
 	if err := json.NewDecoder(r.Body).Decode(&poolData); err != nil {
-		log.Printf("failed to decode: %s", err)
-		handleError(w, gErrors.ErrBadRequest)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
 		return
 	}

 	pool, err := a.r.UpdateRepoPool(ctx, repoID, poolID, poolData)
 	if err != nil {
-		log.Printf("error creating repository pool: %s", err)
-		handleError(w, err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "error creating repository pool")
+		handleError(ctx, w, err)
 		return
 	}

 	w.Header().Set("Content-Type", "application/json")
 	if err := json.NewEncoder(w).Encode(pool); err != nil {
-		log.Printf("failed to encode response: %q", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route POST /repositories/{repoID}/webhook repositories hooks InstallRepoWebhook
+//
+// Install the GARM webhook for an organization. The secret configured on the organization will
+// be used to validate the requests.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters used when creating the repository webhook.
+//	    type: InstallWebhookParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: HookInfo
+//	  default: APIErrorResponse
+func (a *APIController) InstallRepoWebhookHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	repoID, orgOk := vars["repoID"]
+	if !orgOk {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No repository ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	var hookParam runnerParams.InstallWebhookParams
+	if err := json.NewDecoder(r.Body).Decode(&hookParam); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	info, err := a.r.InstallRepoWebhook(ctx, repoID, hookParam)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "installing webhook")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(info); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route DELETE /repositories/{repoID}/webhook repositories hooks UninstallRepoWebhook
+//
+// Uninstall organization webhook.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
+func (a *APIController) UninstallRepoWebhookHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	repoID, orgOk := vars["repoID"]
+	if !orgOk {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No repository ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	if err := a.r.UninstallRepoWebhook(ctx, repoID); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing webhook")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+}
+
+// swagger:route GET /repositories/{repoID}/webhook repositories hooks GetRepoWebhookInfo
+//
+// Get information about the GARM installed webhook on a repository.
+//
+//	Parameters:
+//	  + name: repoID
+//	    description: Repository ID.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: HookInfo
+//	  default: APIErrorResponse
+func (a *APIController) GetRepoWebhookInfoHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	repoID, orgOk := vars["repoID"]
+	if !orgOk {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No repository ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	info, err := a.r.GetRepoWebhookInfo(ctx, repoID)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "getting webhook info")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(info); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }
--- a/apiserver/controllers/scalesets.go
+++ b/apiserver/controllers/scalesets.go
@ -0,0 +1,211 @@
+// Copyright 2022 Cloudbase Solutions SRL
+//
+//    Licensed under the Apache License, Version 2.0 (the "License"); you may
+//    not use this file except in compliance with the License. You may obtain
+//    a copy of the License at
+//
+//         http://www.apache.org/licenses/LICENSE-2.0
+//
+//    Unless required by applicable law or agreed to in writing, software
+//    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//    License for the specific language governing permissions and limitations
+//    under the License.
+
+package controllers
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"github.com/gorilla/mux"
+
+	gErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm/apiserver/params"
+	runnerParams "github.com/cloudbase/garm/params"
+)
+
+// swagger:route GET /scalesets scalesets ListScalesets
+//
+// List all scalesets.
+//
+//	Responses:
+//	  200: ScaleSets
+//	  default: APIErrorResponse
+func (a *APIController) ListAllScaleSetsHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	scalesets, err := a.r.ListAllScaleSets(ctx)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "listing scale sets")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(scalesets); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route GET /scalesets/{scalesetID} scalesets GetScaleSet
+//
+// Get scale set by ID.
+//
+//	Parameters:
+//	  + name: scalesetID
+//	    description: ID of the scale set to fetch.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  200: ScaleSet
+//	  default: APIErrorResponse
+func (a *APIController) GetScaleSetByIDHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	scaleSetID, ok := vars["scalesetID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No scale set ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+	id, err := strconv.ParseUint(scaleSetID, 10, 32)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	scaleSet, err := a.r.GetScaleSetByID(ctx, uint(id))
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "fetching scale set")
+		handleError(ctx, w, err)
+		return
+	}
+
+	scaleSet.RunnerBootstrapTimeout = scaleSet.RunnerTimeout()
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(scaleSet); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
+
+// swagger:route DELETE /scalesets/{scalesetID} scalesets DeleteScaleSet
+//
+// Delete scale set by ID.
+//
+//	Parameters:
+//	  + name: scalesetID
+//	    description: ID of the scale set to delete.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	Responses:
+//	  default: APIErrorResponse
+func (a *APIController) DeleteScaleSetByIDHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	scalesetID, ok := vars["scalesetID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No scale set ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	id, err := strconv.ParseUint(scalesetID, 10, 32)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	if err := a.r.DeleteScaleSetByID(ctx, uint(id)); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "removing scale set")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+}
+
+// swagger:route PUT /scalesets/{scalesetID} scalesets UpdateScaleSet
+//
+// Update scale set by ID.
+//
+//	Parameters:
+//	  + name: scalesetID
+//	    description: ID of the scale set to update.
+//	    type: string
+//	    in: path
+//	    required: true
+//
+//	  + name: Body
+//	    description: Parameters to update the scale set with.
+//	    type: UpdateScaleSetParams
+//	    in: body
+//	    required: true
+//
+//	Responses:
+//	  200: ScaleSet
+//	  default: APIErrorResponse
+func (a *APIController) UpdateScaleSetByIDHandler(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+
+	vars := mux.Vars(r)
+	scalesetID, ok := vars["scalesetID"]
+	if !ok {
+		w.WriteHeader(http.StatusBadRequest)
+		if err := json.NewEncoder(w).Encode(params.APIErrorResponse{
+			Error:   "Bad Request",
+			Details: "No scale set ID specified",
+		}); err != nil {
+			slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+		}
+		return
+	}
+
+	id, err := strconv.ParseUint(scalesetID, 10, 32)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to parse id")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	var scaleSetData runnerParams.UpdateScaleSetParams
+	if err := json.NewDecoder(r.Body).Decode(&scaleSetData); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to decode")
+		handleError(ctx, w, gErrors.ErrBadRequest)
+		return
+	}
+
+	scaleSet, err := a.r.UpdateScaleSetByID(ctx, uint(id), scaleSetData)
+	if err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "updating scale set")
+		handleError(ctx, w, err)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	if err := json.NewEncoder(w).Encode(scaleSet); err != nil {
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+	}
+}
--- a/apiserver/params/params.go
+++ b/apiserver/params/params.go
@ -14,6 +14,7 @@

 package params

+// swagger:model APIErrorResponse
 // APIErrorResponse holds information about an error, returned by the API
 type APIErrorResponse struct {
 	Error   string `json:"error"`
@ -36,4 +37,9 @@ var (
 		Error:   "init_required",
 		Details: "Missing superuser",
 	}
+	// URLsRequired is returned if the controller does not have the required URLs
+	URLsRequired = APIErrorResponse{
+		Error:   "urls_required",
+		Details: "Missing required URLs. Make sure you update the metadata and callback URLs",
+	}
 )
--- a/apiserver/routers/routers.go
+++ b/apiserver/routers/routers.go
@ -12,18 +12,53 @@
 //    License for the specific language governing permissions and limitations
 //    under the License.

+// Package routers Garm API.
+//
+// The Garm API generated using go-swagger.
+//
+//	BasePath: /api/v1
+//	Version: 1.0.0
+//	License: Apache 2.0 https://www.apache.org/licenses/LICENSE-2.0
+//
+//	Consumes:
+//	- application/json
+//
+//	Produces:
+//	- application/json
+//
+//	Security:
+//	- Bearer:
+//
+//	SecurityDefinitions:
+//	  Bearer:
+//	    type: apiKey
+//	    name: Authorization
+//	    in: header
+//	    description: >-
+//	      The token with the `Bearer: ` prefix, e.g. "Bearer abcde12345".
+//
+// swagger:meta
 package routers

-import (
-	"io"
-	"net/http"
+//go:generate go run github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0 generate spec --input=../swagger-models.yaml --output=../swagger.yaml --include="routers|controllers"
+//go:generate go run github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0 validate ../swagger.yaml
+//go:generate rm -rf ../../client
+//go:generate go run github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0 generate client --target=../../ --spec=../swagger.yaml

+import (
+	_ "expvar" // Register the expvar handlers
+	"log/slog"
+	"net/http"
+	_ "net/http/pprof" //nolint:golangci-lint,gosec // Register the pprof handlers
+
+	"github.com/felixge/httpsnoop"
 	"github.com/gorilla/mux"
 	"github.com/prometheus/client_golang/prometheus/promhttp"

 	"github.com/cloudbase/garm/apiserver/controllers"
 	"github.com/cloudbase/garm/auth"
-	"github.com/cloudbase/garm/util"
+	"github.com/cloudbase/garm/config"
+	spaAssets "github.com/cloudbase/garm/webapp/assets"
 )

 func WithMetricsRouter(parentRouter *mux.Router, disableAuth bool, metricsMiddlerware auth.Middleware) *mux.Router {
@ -40,15 +75,67 @@ func WithMetricsRouter(parentRouter *mux.Router, disableAuth bool, metricsMiddle
 	return parentRouter
 }

-func NewAPIRouter(han *controllers.APIController, logWriter io.Writer, authMiddleware, initMiddleware, instanceMiddleware auth.Middleware) *mux.Router {
+func WithDebugServer(parentRouter *mux.Router) *mux.Router {
+	if parentRouter == nil {
+		return nil
+	}
+
+	parentRouter.PathPrefix("/debug/pprof/").Handler(http.DefaultServeMux)
+	return parentRouter
+}
+
+func WithWebUI(parentRouter *mux.Router, apiConfig config.APIServer) *mux.Router {
+	if parentRouter == nil {
+		return nil
+	}
+
+	if apiConfig.WebUI.EnableWebUI {
+		slog.Info("WebUI is enabled, adding webapp routes")
+		webappPath := apiConfig.WebUI.GetWebappPath()
+		slog.Info("Using webapp path", "path", webappPath)
+		// Accessing / should redirect to the UI
+		parentRouter.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+			http.Redirect(w, r, webappPath, http.StatusMovedPermanently) // 301
+		})
+		// Serve the SPA with dynamic path
+		parentRouter.PathPrefix(webappPath).HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			spaAssets.ServeSPAWithPath(w, r, webappPath)
+		}).Methods("GET")
+	} else {
+		slog.Info("WebUI is disabled, skipping webapp routes")
+	}
+
+	return parentRouter
+}
+
+func requestLogger(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// gathers metrics from the upstream handlers
+		metrics := httpsnoop.CaptureMetrics(h, w, r)
+
+		slog.Info(
+			"access_log",
+			slog.String("method", r.Method),
+			slog.String("uri", r.URL.RequestURI()),
+			slog.String("user_agent", r.Header.Get("User-Agent")),
+			slog.String("ip", r.RemoteAddr),
+			slog.Int("code", metrics.Code),
+			slog.Int64("bytes", metrics.Written),
+			slog.Duration("request_time", metrics.Duration),
+		)
+	})
+}
+
+func NewAPIRouter(han *controllers.APIController, authMiddleware, initMiddleware, urlsRequiredMiddleware, instanceMiddleware auth.Middleware, manageWebhooks bool) *mux.Router {
 	router := mux.NewRouter()
-	logMiddleware := util.NewLoggingMiddleware(logWriter)
-	router.Use(logMiddleware)
+	router.Use(requestLogger)

 	// Handles github webhooks
 	webhookRouter := router.PathPrefix("/webhooks").Subrouter()
-	webhookRouter.PathPrefix("/").Handler(http.HandlerFunc(han.CatchAll))
-	webhookRouter.PathPrefix("").Handler(http.HandlerFunc(han.CatchAll))
+	webhookRouter.Handle("/", http.HandlerFunc(han.WebhookHandler))
+	webhookRouter.Handle("", http.HandlerFunc(han.WebhookHandler))
+	webhookRouter.Handle("/{controllerID}/", http.HandlerFunc(han.WebhookHandler))
+	webhookRouter.Handle("/{controllerID}", http.HandlerFunc(han.WebhookHandler))

 	// Handles API calls
 	apiSubRouter := router.PathPrefix("/api/v1").Subrouter()
@ -56,30 +143,84 @@ func NewAPIRouter(han *controllers.APIController, logWriter io.Writer, authMiddl
 	// FirstRunHandler
 	firstRunRouter := apiSubRouter.PathPrefix("/first-run").Subrouter()
 	firstRunRouter.Handle("/", http.HandlerFunc(han.FirstRunHandler)).Methods("POST", "OPTIONS")
+	firstRunRouter.Handle("", http.HandlerFunc(han.FirstRunHandler)).Methods("POST", "OPTIONS")

 	// Instance URLs
 	callbackRouter := apiSubRouter.PathPrefix("/callbacks").Subrouter()
 	callbackRouter.Handle("/status/", http.HandlerFunc(han.InstanceStatusMessageHandler)).Methods("POST", "OPTIONS")
 	callbackRouter.Handle("/status", http.HandlerFunc(han.InstanceStatusMessageHandler)).Methods("POST", "OPTIONS")
+	callbackRouter.Handle("/system-info/", http.HandlerFunc(han.InstanceSystemInfoHandler)).Methods("POST", "OPTIONS")
+	callbackRouter.Handle("/system-info", http.HandlerFunc(han.InstanceSystemInfoHandler)).Methods("POST", "OPTIONS")
 	callbackRouter.Use(instanceMiddleware.Middleware)

+	///////////////////
+	// Metadata URLs //
+	///////////////////
 	metadataRouter := apiSubRouter.PathPrefix("/metadata").Subrouter()
+	metadataRouter.Use(instanceMiddleware.Middleware)
+
+	// Registration token
 	metadataRouter.Handle("/runner-registration-token/", http.HandlerFunc(han.InstanceGithubRegistrationTokenHandler)).Methods("GET", "OPTIONS")
 	metadataRouter.Handle("/runner-registration-token", http.HandlerFunc(han.InstanceGithubRegistrationTokenHandler)).Methods("GET", "OPTIONS")
-	metadataRouter.Use(instanceMiddleware.Middleware)
+	// JIT credential files
+	metadataRouter.Handle("/credentials/{fileName}/", http.HandlerFunc(han.JITCredentialsFileHandler)).Methods("GET", "OPTIONS")
+	metadataRouter.Handle("/credentials/{fileName}", http.HandlerFunc(han.JITCredentialsFileHandler)).Methods("GET", "OPTIONS")
+	// Systemd files
+	metadataRouter.Handle("/system/service-name/", http.HandlerFunc(han.SystemdServiceNameHandler)).Methods("GET", "OPTIONS")
+	metadataRouter.Handle("/system/service-name", http.HandlerFunc(han.SystemdServiceNameHandler)).Methods("GET", "OPTIONS")
+	metadataRouter.Handle("/systemd/unit-file/", http.HandlerFunc(han.SystemdUnitFileHandler)).Methods("GET", "OPTIONS")
+	metadataRouter.Handle("/systemd/unit-file", http.HandlerFunc(han.SystemdUnitFileHandler)).Methods("GET", "OPTIONS")
+	metadataRouter.Handle("/system/cert-bundle/", http.HandlerFunc(han.RootCertificateBundleHandler)).Methods("GET", "OPTIONS")
+	metadataRouter.Handle("/system/cert-bundle", http.HandlerFunc(han.RootCertificateBundleHandler)).Methods("GET", "OPTIONS")
+
 	// Login
 	authRouter := apiSubRouter.PathPrefix("/auth").Subrouter()
 	authRouter.Handle("/{login:login\\/?}", http.HandlerFunc(han.LoginHandler)).Methods("POST", "OPTIONS")
 	authRouter.Use(initMiddleware.Middleware)

+	//////////////////////////
+	// Controller endpoints //
+	//////////////////////////
+	controllerRouter := apiSubRouter.PathPrefix("/controller").Subrouter()
+	// The controller endpoints allow us to get information about the controller and update the URL endpoints.
+	// This endpoint must not be guarded by the urlsRequiredMiddleware as that would prevent the user from
+	// updating the URLs.
+	controllerRouter.Use(initMiddleware.Middleware)
+	controllerRouter.Use(authMiddleware.Middleware)
+	controllerRouter.Use(auth.AdminRequiredMiddleware)
+	// Get controller info
+	controllerRouter.Handle("/", http.HandlerFunc(han.ControllerInfoHandler)).Methods("GET", "OPTIONS")
+	controllerRouter.Handle("", http.HandlerFunc(han.ControllerInfoHandler)).Methods("GET", "OPTIONS")
+	// Update controller
+	controllerRouter.Handle("/", http.HandlerFunc(han.UpdateControllerHandler)).Methods("PUT", "OPTIONS")
+	controllerRouter.Handle("", http.HandlerFunc(han.UpdateControllerHandler)).Methods("PUT", "OPTIONS")
+
+	////////////////////////////////////
+	// API router for everything else //
+	////////////////////////////////////
 	apiRouter := apiSubRouter.PathPrefix("").Subrouter()
 	apiRouter.Use(initMiddleware.Middleware)
+	// all endpoints except the controller endpoint should return an error
+	// if the required metadata, callback and webhook URLs are not set.
+	apiRouter.Use(urlsRequiredMiddleware.Middleware)
 	apiRouter.Use(authMiddleware.Middleware)
+	apiRouter.Use(auth.AdminRequiredMiddleware)
+
+	// Legacy controller path
+	apiRouter.Handle("/controller-info/", http.HandlerFunc(han.ControllerInfoHandler)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/controller-info", http.HandlerFunc(han.ControllerInfoHandler)).Methods("GET", "OPTIONS")

 	// Metrics Token
 	apiRouter.Handle("/metrics-token/", http.HandlerFunc(han.MetricsTokenHandler)).Methods("GET", "OPTIONS")
 	apiRouter.Handle("/metrics-token", http.HandlerFunc(han.MetricsTokenHandler)).Methods("GET", "OPTIONS")

+	//////////
+	// Jobs //
+	//////////
+	// List all jobs
+	apiRouter.Handle("/jobs/", http.HandlerFunc(han.ListAllJobs)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/jobs", http.HandlerFunc(han.ListAllJobs)).Methods("GET", "OPTIONS")
+
 	///////////
 	// Pools //
 	///////////
@ -99,6 +240,25 @@ func NewAPIRouter(han *controllers.APIController, logWriter io.Writer, authMiddl
 	apiRouter.Handle("/pools/{poolID}/instances/", http.HandlerFunc(han.ListPoolInstancesHandler)).Methods("GET", "OPTIONS")
 	apiRouter.Handle("/pools/{poolID}/instances", http.HandlerFunc(han.ListPoolInstancesHandler)).Methods("GET", "OPTIONS")

+	////////////////
+	// Scale sets //
+	////////////////
+	// List all pools
+	apiRouter.Handle("/scalesets/", http.HandlerFunc(han.ListAllScaleSetsHandler)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/scalesets", http.HandlerFunc(han.ListAllScaleSetsHandler)).Methods("GET", "OPTIONS")
+	// Get one pool
+	apiRouter.Handle("/scalesets/{scalesetID}/", http.HandlerFunc(han.GetScaleSetByIDHandler)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/scalesets/{scalesetID}", http.HandlerFunc(han.GetScaleSetByIDHandler)).Methods("GET", "OPTIONS")
+	// Delete one pool
+	apiRouter.Handle("/scalesets/{scalesetID}/", http.HandlerFunc(han.DeleteScaleSetByIDHandler)).Methods("DELETE", "OPTIONS")
+	apiRouter.Handle("/scalesets/{scalesetID}", http.HandlerFunc(han.DeleteScaleSetByIDHandler)).Methods("DELETE", "OPTIONS")
+	// Update one pool
+	apiRouter.Handle("/scalesets/{scalesetID}/", http.HandlerFunc(han.UpdateScaleSetByIDHandler)).Methods("PUT", "OPTIONS")
+	apiRouter.Handle("/scalesets/{scalesetID}", http.HandlerFunc(han.UpdateScaleSetByIDHandler)).Methods("PUT", "OPTIONS")
+	// List pool instances
+	apiRouter.Handle("/scalesets/{scalesetID}/instances/", http.HandlerFunc(han.ListScaleSetInstancesHandler)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/scalesets/{scalesetID}/instances", http.HandlerFunc(han.ListScaleSetInstancesHandler)).Methods("GET", "OPTIONS")
+
 	/////////////
 	// Runners //
 	/////////////
@ -131,6 +291,14 @@ func NewAPIRouter(han *controllers.APIController, logWriter io.Writer, authMiddl
 	apiRouter.Handle("/repositories/{repoID}/pools/", http.HandlerFunc(han.CreateRepoPoolHandler)).Methods("POST", "OPTIONS")
 	apiRouter.Handle("/repositories/{repoID}/pools", http.HandlerFunc(han.CreateRepoPoolHandler)).Methods("POST", "OPTIONS")

+	// Create scale set
+	apiRouter.Handle("/repositories/{repoID}/scalesets/", http.HandlerFunc(han.CreateRepoScaleSetHandler)).Methods("POST", "OPTIONS")
+	apiRouter.Handle("/repositories/{repoID}/scalesets", http.HandlerFunc(han.CreateRepoScaleSetHandler)).Methods("POST", "OPTIONS")
+
+	// List scale sets
+	apiRouter.Handle("/repositories/{repoID}/scalesets/", http.HandlerFunc(han.ListRepoScaleSetsHandler)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/repositories/{repoID}/scalesets", http.HandlerFunc(han.ListRepoScaleSetsHandler)).Methods("GET", "OPTIONS")
+
 	// Repo instances list
 	apiRouter.Handle("/repositories/{repoID}/instances/", http.HandlerFunc(han.ListRepoInstancesHandler)).Methods("GET", "OPTIONS")
 	apiRouter.Handle("/repositories/{repoID}/instances", http.HandlerFunc(han.ListRepoInstancesHandler)).Methods("GET", "OPTIONS")
@ -151,6 +319,17 @@ func NewAPIRouter(han *controllers.APIController, logWriter io.Writer, authMiddl
 	apiRouter.Handle("/repositories/", http.HandlerFunc(han.CreateRepoHandler)).Methods("POST", "OPTIONS")
 	apiRouter.Handle("/repositories", http.HandlerFunc(han.CreateRepoHandler)).Methods("POST", "OPTIONS")

+	if manageWebhooks {
+		// Install Webhook
+		apiRouter.Handle("/repositories/{repoID}/webhook/", http.HandlerFunc(han.InstallRepoWebhookHandler)).Methods("POST", "OPTIONS")
+		apiRouter.Handle("/repositories/{repoID}/webhook", http.HandlerFunc(han.InstallRepoWebhookHandler)).Methods("POST", "OPTIONS")
+		// Uninstall Webhook
+		apiRouter.Handle("/repositories/{repoID}/webhook/", http.HandlerFunc(han.UninstallRepoWebhookHandler)).Methods("DELETE", "OPTIONS")
+		apiRouter.Handle("/repositories/{repoID}/webhook", http.HandlerFunc(han.UninstallRepoWebhookHandler)).Methods("DELETE", "OPTIONS")
+		// Get webhook info
+		apiRouter.Handle("/repositories/{repoID}/webhook/", http.HandlerFunc(han.GetRepoWebhookInfoHandler)).Methods("GET", "OPTIONS")
+		apiRouter.Handle("/repositories/{repoID}/webhook", http.HandlerFunc(han.GetRepoWebhookInfoHandler)).Methods("GET", "OPTIONS")
+	}
 	/////////////////////////////
 	// Organizations and pools //
 	/////////////////////////////
@ -170,7 +349,15 @@ func NewAPIRouter(han *controllers.APIController, logWriter io.Writer, authMiddl
 	apiRouter.Handle("/organizations/{orgID}/pools/", http.HandlerFunc(han.CreateOrgPoolHandler)).Methods("POST", "OPTIONS")
 	apiRouter.Handle("/organizations/{orgID}/pools", http.HandlerFunc(han.CreateOrgPoolHandler)).Methods("POST", "OPTIONS")

-	// Repo instances list
+	// Create org scale set
+	apiRouter.Handle("/organizations/{orgID}/scalesets/", http.HandlerFunc(han.CreateOrgScaleSetHandler)).Methods("POST", "OPTIONS")
+	apiRouter.Handle("/organizations/{orgID}/scalesets", http.HandlerFunc(han.CreateOrgScaleSetHandler)).Methods("POST", "OPTIONS")
+
+	// List org scale sets
+	apiRouter.Handle("/organizations/{orgID}/scalesets/", http.HandlerFunc(han.ListOrgScaleSetsHandler)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/organizations/{orgID}/scalesets", http.HandlerFunc(han.ListOrgScaleSetsHandler)).Methods("GET", "OPTIONS")
+
+	// Org instances list
 	apiRouter.Handle("/organizations/{orgID}/instances/", http.HandlerFunc(han.ListOrgInstancesHandler)).Methods("GET", "OPTIONS")
 	apiRouter.Handle("/organizations/{orgID}/instances", http.HandlerFunc(han.ListOrgInstancesHandler)).Methods("GET", "OPTIONS")

@ -190,6 +377,17 @@ func NewAPIRouter(han *controllers.APIController, logWriter io.Writer, authMiddl
 	apiRouter.Handle("/organizations/", http.HandlerFunc(han.CreateOrgHandler)).Methods("POST", "OPTIONS")
 	apiRouter.Handle("/organizations", http.HandlerFunc(han.CreateOrgHandler)).Methods("POST", "OPTIONS")

+	if manageWebhooks {
+		// Install Webhook
+		apiRouter.Handle("/organizations/{orgID}/webhook/", http.HandlerFunc(han.InstallOrgWebhookHandler)).Methods("POST", "OPTIONS")
+		apiRouter.Handle("/organizations/{orgID}/webhook", http.HandlerFunc(han.InstallOrgWebhookHandler)).Methods("POST", "OPTIONS")
+		// Uninstall Webhook
+		apiRouter.Handle("/organizations/{orgID}/webhook/", http.HandlerFunc(han.UninstallOrgWebhookHandler)).Methods("DELETE", "OPTIONS")
+		apiRouter.Handle("/organizations/{orgID}/webhook", http.HandlerFunc(han.UninstallOrgWebhookHandler)).Methods("DELETE", "OPTIONS")
+		// Get webhook info
+		apiRouter.Handle("/organizations/{orgID}/webhook/", http.HandlerFunc(han.GetOrgWebhookInfoHandler)).Methods("GET", "OPTIONS")
+		apiRouter.Handle("/organizations/{orgID}/webhook", http.HandlerFunc(han.GetOrgWebhookInfoHandler)).Methods("GET", "OPTIONS")
+	}
 	/////////////////////////////
 	//  Enterprises and pools  //
 	/////////////////////////////
@ -209,33 +407,131 @@ func NewAPIRouter(han *controllers.APIController, logWriter io.Writer, authMiddl
 	apiRouter.Handle("/enterprises/{enterpriseID}/pools/", http.HandlerFunc(han.CreateEnterprisePoolHandler)).Methods("POST", "OPTIONS")
 	apiRouter.Handle("/enterprises/{enterpriseID}/pools", http.HandlerFunc(han.CreateEnterprisePoolHandler)).Methods("POST", "OPTIONS")

-	// Repo instances list
+	// Create enterprise scale sets
+	apiRouter.Handle("/enterprises/{enterpriseID}/scalesets/", http.HandlerFunc(han.CreateEnterpriseScaleSetHandler)).Methods("POST", "OPTIONS")
+	apiRouter.Handle("/enterprises/{enterpriseID}/scalesets", http.HandlerFunc(han.CreateEnterpriseScaleSetHandler)).Methods("POST", "OPTIONS")
+
+	// List enterprise scale sets
+	apiRouter.Handle("/enterprises/{enterpriseID}/scalesets/", http.HandlerFunc(han.ListEnterpriseScaleSetsHandler)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/enterprises/{enterpriseID}/scalesets", http.HandlerFunc(han.ListEnterpriseScaleSetsHandler)).Methods("GET", "OPTIONS")
+
+	// Enterprise instances list
 	apiRouter.Handle("/enterprises/{enterpriseID}/instances/", http.HandlerFunc(han.ListEnterpriseInstancesHandler)).Methods("GET", "OPTIONS")
 	apiRouter.Handle("/enterprises/{enterpriseID}/instances", http.HandlerFunc(han.ListEnterpriseInstancesHandler)).Methods("GET", "OPTIONS")

-	// Get org
+	// Get enterprise
 	apiRouter.Handle("/enterprises/{enterpriseID}/", http.HandlerFunc(han.GetEnterpriseByIDHandler)).Methods("GET", "OPTIONS")
 	apiRouter.Handle("/enterprises/{enterpriseID}", http.HandlerFunc(han.GetEnterpriseByIDHandler)).Methods("GET", "OPTIONS")
-	// Update org
+	// Update enterprise
 	apiRouter.Handle("/enterprises/{enterpriseID}/", http.HandlerFunc(han.UpdateEnterpriseHandler)).Methods("PUT", "OPTIONS")
 	apiRouter.Handle("/enterprises/{enterpriseID}", http.HandlerFunc(han.UpdateEnterpriseHandler)).Methods("PUT", "OPTIONS")
-	// Delete org
+	// Delete enterprise
 	apiRouter.Handle("/enterprises/{enterpriseID}/", http.HandlerFunc(han.DeleteEnterpriseHandler)).Methods("DELETE", "OPTIONS")
 	apiRouter.Handle("/enterprises/{enterpriseID}", http.HandlerFunc(han.DeleteEnterpriseHandler)).Methods("DELETE", "OPTIONS")
-	// List orgs
+	// List enterprises
 	apiRouter.Handle("/enterprises/", http.HandlerFunc(han.ListEnterprisesHandler)).Methods("GET", "OPTIONS")
 	apiRouter.Handle("/enterprises", http.HandlerFunc(han.ListEnterprisesHandler)).Methods("GET", "OPTIONS")
-	// Create org
+	// Create enterprise
 	apiRouter.Handle("/enterprises/", http.HandlerFunc(han.CreateEnterpriseHandler)).Methods("POST", "OPTIONS")
 	apiRouter.Handle("/enterprises", http.HandlerFunc(han.CreateEnterpriseHandler)).Methods("POST", "OPTIONS")

-	// Credentials and providers
-	apiRouter.Handle("/credentials/", http.HandlerFunc(han.ListCredentials)).Methods("GET", "OPTIONS")
-	apiRouter.Handle("/credentials", http.HandlerFunc(han.ListCredentials)).Methods("GET", "OPTIONS")
+	// Providers
 	apiRouter.Handle("/providers/", http.HandlerFunc(han.ListProviders)).Methods("GET", "OPTIONS")
 	apiRouter.Handle("/providers", http.HandlerFunc(han.ListProviders)).Methods("GET", "OPTIONS")

-	// Websocket log writer
-	apiRouter.Handle("/{ws:ws\\/?}", http.HandlerFunc(han.WSHandler)).Methods("GET")
+	//////////////////////
+	// Github Endpoints //
+	//////////////////////
+	// Create Github Endpoint
+	apiRouter.Handle("/github/endpoints/", http.HandlerFunc(han.CreateGithubEndpoint)).Methods("POST", "OPTIONS")
+	apiRouter.Handle("/github/endpoints", http.HandlerFunc(han.CreateGithubEndpoint)).Methods("POST", "OPTIONS")
+	// List Github Endpoints
+	apiRouter.Handle("/github/endpoints/", http.HandlerFunc(han.ListGithubEndpoints)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/github/endpoints", http.HandlerFunc(han.ListGithubEndpoints)).Methods("GET", "OPTIONS")
+	// Get Github Endpoint
+	apiRouter.Handle("/github/endpoints/{name}/", http.HandlerFunc(han.GetGithubEndpoint)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/github/endpoints/{name}", http.HandlerFunc(han.GetGithubEndpoint)).Methods("GET", "OPTIONS")
+	// Delete Github Endpoint
+	apiRouter.Handle("/github/endpoints/{name}/", http.HandlerFunc(han.DeleteGithubEndpoint)).Methods("DELETE", "OPTIONS")
+	apiRouter.Handle("/github/endpoints/{name}", http.HandlerFunc(han.DeleteGithubEndpoint)).Methods("DELETE", "OPTIONS")
+	// Update Github Endpoint
+	apiRouter.Handle("/github/endpoints/{name}/", http.HandlerFunc(han.UpdateGithubEndpoint)).Methods("PUT", "OPTIONS")
+	apiRouter.Handle("/github/endpoints/{name}", http.HandlerFunc(han.UpdateGithubEndpoint)).Methods("PUT", "OPTIONS")
+
+	////////////////////////
+	// Github credentials //
+	////////////////////////
+	// Legacy credentials path
+	apiRouter.Handle("/credentials/", http.HandlerFunc(han.ListCredentials)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/credentials", http.HandlerFunc(han.ListCredentials)).Methods("GET", "OPTIONS")
+	// List Github Credentials
+	apiRouter.Handle("/github/credentials/", http.HandlerFunc(han.ListCredentials)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/github/credentials", http.HandlerFunc(han.ListCredentials)).Methods("GET", "OPTIONS")
+	// Create Github Credentials
+	apiRouter.Handle("/github/credentials/", http.HandlerFunc(han.CreateGithubCredential)).Methods("POST", "OPTIONS")
+	apiRouter.Handle("/github/credentials", http.HandlerFunc(han.CreateGithubCredential)).Methods("POST", "OPTIONS")
+	// Get Github Credential
+	apiRouter.Handle("/github/credentials/{id}/", http.HandlerFunc(han.GetGithubCredential)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/github/credentials/{id}", http.HandlerFunc(han.GetGithubCredential)).Methods("GET", "OPTIONS")
+	// Delete Github Credential
+	apiRouter.Handle("/github/credentials/{id}/", http.HandlerFunc(han.DeleteGithubCredential)).Methods("DELETE", "OPTIONS")
+	apiRouter.Handle("/github/credentials/{id}", http.HandlerFunc(han.DeleteGithubCredential)).Methods("DELETE", "OPTIONS")
+	// Update Github Credential
+	apiRouter.Handle("/github/credentials/{id}/", http.HandlerFunc(han.UpdateGithubCredential)).Methods("PUT", "OPTIONS")
+	apiRouter.Handle("/github/credentials/{id}", http.HandlerFunc(han.UpdateGithubCredential)).Methods("PUT", "OPTIONS")
+
+	//////////////////////
+	// Gitea Endpoints  //
+	//////////////////////
+	// Create Gitea Endpoint
+	apiRouter.Handle("/gitea/endpoints/", http.HandlerFunc(han.CreateGiteaEndpoint)).Methods("POST", "OPTIONS")
+	apiRouter.Handle("/gitea/endpoints", http.HandlerFunc(han.CreateGiteaEndpoint)).Methods("POST", "OPTIONS")
+	// List Gitea Endpoints
+	apiRouter.Handle("/gitea/endpoints/", http.HandlerFunc(han.ListGiteaEndpoints)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/gitea/endpoints", http.HandlerFunc(han.ListGiteaEndpoints)).Methods("GET", "OPTIONS")
+	// Get Gitea Endpoint
+	apiRouter.Handle("/gitea/endpoints/{name}/", http.HandlerFunc(han.GetGiteaEndpoint)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/gitea/endpoints/{name}", http.HandlerFunc(han.GetGiteaEndpoint)).Methods("GET", "OPTIONS")
+	// Delete Gitea Endpoint
+	apiRouter.Handle("/gitea/endpoints/{name}/", http.HandlerFunc(han.DeleteGiteaEndpoint)).Methods("DELETE", "OPTIONS")
+	apiRouter.Handle("/gitea/endpoints/{name}", http.HandlerFunc(han.DeleteGiteaEndpoint)).Methods("DELETE", "OPTIONS")
+	// Update Gitea Endpoint
+	apiRouter.Handle("/gitea/endpoints/{name}/", http.HandlerFunc(han.UpdateGiteaEndpoint)).Methods("PUT", "OPTIONS")
+	apiRouter.Handle("/gitea/endpoints/{name}", http.HandlerFunc(han.UpdateGiteaEndpoint)).Methods("PUT", "OPTIONS")
+
+	////////////////////////
+	// Gitea credentials  //
+	////////////////////////
+	// List Gitea Credentials
+	apiRouter.Handle("/gitea/credentials/", http.HandlerFunc(han.ListGiteaCredentials)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/gitea/credentials", http.HandlerFunc(han.ListGiteaCredentials)).Methods("GET", "OPTIONS")
+	// Create Gitea Credentials
+	apiRouter.Handle("/gitea/credentials/", http.HandlerFunc(han.CreateGiteaCredential)).Methods("POST", "OPTIONS")
+	apiRouter.Handle("/gitea/credentials", http.HandlerFunc(han.CreateGiteaCredential)).Methods("POST", "OPTIONS")
+	// Get Gitea Credential
+	apiRouter.Handle("/gitea/credentials/{id}/", http.HandlerFunc(han.GetGiteaCredential)).Methods("GET", "OPTIONS")
+	apiRouter.Handle("/gitea/credentials/{id}", http.HandlerFunc(han.GetGiteaCredential)).Methods("GET", "OPTIONS")
+	// Delete Gitea Credential
+	apiRouter.Handle("/gitea/credentials/{id}/", http.HandlerFunc(han.DeleteGiteaCredential)).Methods("DELETE", "OPTIONS")
+	apiRouter.Handle("/gitea/credentials/{id}", http.HandlerFunc(han.DeleteGiteaCredential)).Methods("DELETE", "OPTIONS")
+	// Update Gitea Credential
+	apiRouter.Handle("/gitea/credentials/{id}/", http.HandlerFunc(han.UpdateGiteaCredential)).Methods("PUT", "OPTIONS")
+	apiRouter.Handle("/gitea/credentials/{id}", http.HandlerFunc(han.UpdateGiteaCredential)).Methods("PUT", "OPTIONS")
+
+	/////////////////////////
+	// Websocket endpoints //
+	/////////////////////////
+	// Legacy log websocket path
+	apiRouter.Handle("/ws/", http.HandlerFunc(han.WSHandler)).Methods("GET")
+	apiRouter.Handle("/ws", http.HandlerFunc(han.WSHandler)).Methods("GET")
+	// Log websocket endpoint
+	apiRouter.Handle("/ws/logs/", http.HandlerFunc(han.WSHandler)).Methods("GET")
+	apiRouter.Handle("/ws/logs", http.HandlerFunc(han.WSHandler)).Methods("GET")
+	// DB watcher websocket endpoint
+	apiRouter.Handle("/ws/events/", http.HandlerFunc(han.EventsHandler)).Methods("GET")
+	apiRouter.Handle("/ws/events", http.HandlerFunc(han.EventsHandler)).Methods("GET")
+
+	// NotFound handler - this should be last
+	apiRouter.PathPrefix("/").HandlerFunc(han.NotFoundHandler).Methods("GET", "POST", "PUT", "DELETE", "OPTIONS")
 	return router
 }
--- a/apiserver/swagger-models.yaml
+++ b/apiserver/swagger-models.yaml
@ -0,0 +1,345 @@
+# NOTE: The purpose of these definitions is to reuse the existing golang
+# types from GARM packages.
+definitions:
+  User:
+    type: object
+    x-go-type:
+        type: User
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  HookInfo:
+    type: object
+    x-go-type:
+        type: HookInfo
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  ControllerInfo:
+    type: object
+    x-go-type:
+        type: ControllerInfo
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  InstallWebhookParams:
+    type: object
+    x-go-type:
+        type: InstallWebhookParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  NewUserParams:
+    type: object
+    x-go-type:
+        type: NewUserParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  PasswordLoginParams:
+    type: object
+    x-go-type:
+        type: PasswordLoginParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  JWTResponse:
+    type: object
+    x-go-type:
+        type: JWTResponse
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  Jobs:
+    type: array
+    x-go-type:
+        type: Jobs
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/Job'
+  Job: 
+    type: object
+    x-go-type:
+        type: Job
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  Credentials:
+    type: array
+    x-go-type:
+        type: Credentials
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/ForgeCredentials'
+  ForgeCredentials:
+    type: object
+    x-go-type:
+        type: ForgeCredentials
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  Providers:
+    type: array
+    x-go-type:
+        type: Providers
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/Provider'
+  Provider:
+    type: object
+    x-go-type:
+        type: Provider
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  Instances:
+    type: array
+    x-go-type:
+        type: Instances
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/Instance'
+  Instance:
+    type: object
+    x-go-type:
+        type: Instance
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  Pools:
+    type: array
+    x-go-type:
+        type: Pools
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/Pool'
+  Pool:
+    type: object
+    x-go-type:
+        type: Pool
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  ScaleSets:
+    type: array
+    x-go-type:
+        type: ScaleSets
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/ScaleSet'
+  ScaleSet:
+    type: object
+    x-go-type:
+        type: ScaleSet
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  Repositories:
+    type: array
+    x-go-type:
+        type: Repositories
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/Repository'
+  Repository:
+    type: object
+    x-go-type:
+        type: Repository
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  CreateRepoParams:
+    type: object
+    x-go-type:
+        type: CreateRepoParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  Organizations:
+    type: array
+    x-go-type:
+        type: Organizations
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/Organization'
+  Organization:
+    type: object
+    x-go-type:
+        type: Organization
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  CreateOrgParams:
+    type: object
+    x-go-type:
+        type: CreateOrgParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  Enterprises:
+    type: array
+    x-go-type:
+        type: Enterprises
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/Enterprise'
+  Enterprise:
+    type: object
+    x-go-type:
+        type: Enterprise
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  CreateEnterpriseParams:
+    type: object
+    x-go-type:
+        type: CreateEnterpriseParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  UpdateEntityParams:
+    type: object
+    x-go-type:
+        type: UpdateEntityParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  CreatePoolParams:
+    type: object
+    x-go-type:
+        type: CreatePoolParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  CreateScaleSetParams:
+    type: object
+    x-go-type:
+        type: CreateScaleSetParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  UpdatePoolParams:
+    type: object
+    x-go-type:
+        type: UpdatePoolParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  UpdateScaleSetParams:
+    type: object
+    x-go-type:
+        type: UpdateScaleSetParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  APIErrorResponse:
+    type: object
+    x-go-type:
+        type: APIErrorResponse
+        import:
+            package: github.com/cloudbase/garm/apiserver/params
+            alias: apiserver_params
+  CreateInstanceParams:
+    type: object
+    x-go-type:
+        type: CreateInstanceParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  UpdateGithubEndpointParams:
+    type: object
+    x-go-type:
+        type: UpdateGithubEndpointParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  UpdateGiteaEndpointParams:
+    type: object
+    x-go-type:
+        type: UpdateGiteaEndpointParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  ForgeEndpoint:
+    type: object
+    x-go-type:
+        type: ForgeEndpoint
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  ForgeEndpoints:
+    type: array
+    x-go-type:
+        type: ForgeEndpoints
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+    items:
+        $ref: '#/definitions/ForgeEndpoint'
+  CreateGithubEndpointParams:
+    type: object
+    x-go-type:
+        type: CreateGithubEndpointParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  CreateGiteaEndpointParams:
+    type: object
+    x-go-type:
+        type: CreateGiteaEndpointParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  CreateGithubCredentialsParams:
+    type: object
+    x-go-type:
+        type: CreateGithubCredentialsParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  CreateGiteaCredentialsParams:
+    type: object
+    x-go-type:
+        type: CreateGiteaCredentialsParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  UpdateGithubCredentialsParams:
+    type: object
+    x-go-type:
+        type: UpdateGithubCredentialsParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  UpdateGiteaCredentialsParams:
+    type: object
+    x-go-type:
+        type: UpdateGiteaCredentialsParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
+  UpdateControllerParams:
+    type: object
+    x-go-type:
+        type: UpdateControllerParams
+        import:
+            package: github.com/cloudbase/garm/params
+            alias: garm_params
--- a/apiserver/swagger.yaml
+++ b/apiserver/swagger.yaml
--- a/auth/admin_required.go
+++ b/auth/admin_required.go
@ -0,0 +1,27 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package auth
+
+import "net/http"
+
+func AdminRequiredMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		if !IsAdmin(ctx) {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
--- a/auth/auth.go
+++ b/auth/auth.go
@ -16,18 +16,19 @@ package auth

 import (
 	"context"
+	"errors"
+	"fmt"
 	"time"

+	jwt "github.com/golang-jwt/jwt/v5"
+	"github.com/nbutton23/zxcvbn-go"
+	"golang.org/x/crypto/bcrypt"
+
+	runnerErrors "github.com/cloudbase/garm-provider-common/errors"
+	"github.com/cloudbase/garm-provider-common/util"
 	"github.com/cloudbase/garm/config"
 	"github.com/cloudbase/garm/database/common"
-	runnerErrors "github.com/cloudbase/garm/errors"
 	"github.com/cloudbase/garm/params"
-	"github.com/cloudbase/garm/util"
-
-	"github.com/golang-jwt/jwt"
-	"github.com/nbutton23/zxcvbn-go"
-	"github.com/pkg/errors"
-	"golang.org/x/crypto/bcrypt"
 )

 func NewAuthenticator(cfg config.JWTAuth, store common.Store) *Authenticator {
@ -49,24 +50,30 @@ func (a *Authenticator) IsInitialized() bool {
 func (a *Authenticator) GetJWTToken(ctx context.Context) (string, error) {
 	tokenID, err := util.GetRandomString(16)
 	if err != nil {
-		return "", errors.Wrap(err, "generating random string")
+		return "", fmt.Errorf("error generating random string: %w", err)
 	}
-	expireToken := time.Now().Add(a.cfg.TimeToLive.Duration()).Unix()
+	expireToken := time.Now().Add(a.cfg.TimeToLive.Duration())
+	expires := &jwt.NumericDate{
+		Time: expireToken,
+	}
+	generation := PasswordGeneration(ctx)
 	claims := JWTClaims{
-		StandardClaims: jwt.StandardClaims{
-			ExpiresAt: expireToken,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: expires,
+			// nolint:golangci-lint,godox
 			// TODO: make this configurable
 			Issuer: "garm",
 		},
-		UserID:   UserID(ctx),
-		TokenID:  tokenID,
-		IsAdmin:  IsAdmin(ctx),
-		FullName: FullName(ctx),
+		UserID:     UserID(ctx),
+		TokenID:    tokenID,
+		IsAdmin:    IsAdmin(ctx),
+		FullName:   FullName(ctx),
+		Generation: generation,
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	tokenString, err := token.SignedString([]byte(a.cfg.Secret))
 	if err != nil {
-		return "", errors.Wrap(err, "fetching token string")
+		return "", fmt.Errorf("error fetching token string: %w", err)
 	}

 	return tokenString, nil
@ -75,22 +82,26 @@ func (a *Authenticator) GetJWTToken(ctx context.Context) (string, error) {
 // GetJWTMetricsToken returns a JWT token that can be used to read metrics.
 // This token is not tied to a user, no user is stored in the db.
 func (a *Authenticator) GetJWTMetricsToken(ctx context.Context) (string, error) {
-
 	if !IsAdmin(ctx) {
 		return "", runnerErrors.ErrUnauthorized
 	}

 	tokenID, err := util.GetRandomString(16)
 	if err != nil {
-		return "", errors.Wrap(err, "generating random string")
+		return "", fmt.Errorf("error generating random string: %w", err)
 	}
+	// nolint:golangci-lint,godox
 	// TODO: currently this is the same TTL as the normal Token
 	// maybe we should make this configurable
 	// it's usually pretty nasty if the monitoring fails because the token expired
-	expireToken := time.Now().Add(a.cfg.TimeToLive.Duration()).Unix()
+	expireToken := time.Now().Add(a.cfg.TimeToLive.Duration())
+	expires := &jwt.NumericDate{
+		Time: expireToken,
+	}
 	claims := JWTClaims{
-		StandardClaims: jwt.StandardClaims{
-			ExpiresAt: expireToken,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: expires,
+			// nolint:golangci-lint,godox
 			// TODO: make this configurable
 			Issuer: "garm",
 		},
@ -101,7 +112,7 @@ func (a *Authenticator) GetJWTMetricsToken(ctx context.Context) (string, error)
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	tokenString, err := token.SignedString([]byte(a.cfg.Secret))
 	if err != nil {
-		return "", errors.Wrap(err, "fetching token string")
+		return "", fmt.Errorf("error fetching token string: %w", err)
 	}

 	return tokenString, nil
@ -111,7 +122,7 @@ func (a *Authenticator) InitController(ctx context.Context, param params.NewUser
 	_, err := a.store.ControllerInfo()
 	if err != nil {
 		if !errors.Is(err, runnerErrors.ErrNotFound) {
-			return params.User{}, errors.Wrap(err, "initializing controller")
+			return params.User{}, fmt.Errorf("error initializing controller: %w", err)
 		}
 	}
 	if a.store.HasAdminUser(ctx) {
@ -141,7 +152,7 @@ func (a *Authenticator) InitController(ctx context.Context, param params.NewUser

 	hashed, err := util.PaswsordToBcrypt(param.Password)
 	if err != nil {
-		return params.User{}, errors.Wrap(err, "creating user")
+		return params.User{}, fmt.Errorf("error creating user: %w", err)
 	}

 	param.Password = hashed
@ -159,7 +170,7 @@ func (a *Authenticator) AuthenticateUser(ctx context.Context, info params.Passwo
 		if errors.Is(err, runnerErrors.ErrNotFound) {
 			return ctx, runnerErrors.ErrUnauthorized
 		}
-		return ctx, errors.Wrap(err, "authenticating")
+		return ctx, fmt.Errorf("error authenticating: %w", err)
 	}

 	if !user.Enabled {
@ -174,5 +185,5 @@ func (a *Authenticator) AuthenticateUser(ctx context.Context, info params.Passwo
 		return ctx, runnerErrors.ErrUnauthorized
 	}

-	return PopulateContext(ctx, user), nil
+	return PopulateContext(ctx, user, nil), nil
 }
--- a/auth/context.go
+++ b/auth/context.go
@ -16,9 +16,10 @@ package auth

 import (
 	"context"
+	"time"

+	runnerErrors "github.com/cloudbase/garm-provider-common/errors"
 	"github.com/cloudbase/garm/params"
-	"github.com/cloudbase/garm/runner/providers/common"
 )

 type contextFlags string
@ -28,9 +29,11 @@ const (
 	fullNameKey    contextFlags = "full_name"
 	readMetricsKey contextFlags = "read_metrics"
 	// UserIDFlag is the User ID flag we set in the context
-	UserIDFlag    contextFlags = "user_id"
-	isEnabledFlag contextFlags = "is_enabled"
-	jwtTokenFlag  contextFlags = "jwt_token"
+	UserIDFlag             contextFlags = "user_id"
+	isEnabledFlag          contextFlags = "is_enabled"
+	jwtTokenFlag           contextFlags = "jwt_token"
+	authExpiresFlag        contextFlags = "auth_expires"
+	passwordGenerationFlag contextFlags = "password_generation"

 	instanceIDKey        contextFlags = "id"
 	instanceNameKey      contextFlags = "name"
@ -39,8 +42,23 @@ const (
 	instanceEntityKey    contextFlags = "entity"
 	instanceRunnerStatus contextFlags = "status"
 	instanceTokenFetched contextFlags = "tokenFetched"
+	instanceHasJITConfig contextFlags = "hasJITConfig"
+	instanceParams       contextFlags = "instanceParams"
+	instanceForgeTypeKey contextFlags = "forge_type"
 )

+func SetInstanceForgeType(ctx context.Context, val string) context.Context {
+	return context.WithValue(ctx, instanceForgeTypeKey, val)
+}
+
+func InstanceForgeType(ctx context.Context) params.EndpointType {
+	elem := ctx.Value(instanceForgeTypeKey)
+	if elem == nil {
+		return ""
+	}
+	return elem.(params.EndpointType)
+}
+
 func SetInstanceID(ctx context.Context, id string) context.Context {
 	return context.WithValue(ctx, instanceIDKey, id)
 }
@ -65,16 +83,45 @@ func InstanceTokenFetched(ctx context.Context) bool {
 	return elem.(bool)
 }

-func SetInstanceRunnerStatus(ctx context.Context, val common.RunnerStatus) context.Context {
+func SetInstanceHasJITConfig(ctx context.Context, cfg map[string]string) context.Context {
+	return context.WithValue(ctx, instanceHasJITConfig, len(cfg) > 0)
+}
+
+func InstanceHasJITConfig(ctx context.Context) bool {
+	elem := ctx.Value(instanceHasJITConfig)
+	if elem == nil {
+		return false
+	}
+	return elem.(bool)
+}
+
+func SetInstanceParams(ctx context.Context, instance params.Instance) context.Context {
+	return context.WithValue(ctx, instanceParams, instance)
+}
+
+func InstanceParams(ctx context.Context) (params.Instance, error) {
+	elem := ctx.Value(instanceParams)
+	if elem == nil {
+		return params.Instance{}, runnerErrors.ErrNotFound
+	}
+
+	instanceParams, ok := elem.(params.Instance)
+	if !ok {
+		return params.Instance{}, runnerErrors.ErrNotFound
+	}
+	return instanceParams, nil
+}
+
+func SetInstanceRunnerStatus(ctx context.Context, val params.RunnerStatus) context.Context {
 	return context.WithValue(ctx, instanceRunnerStatus, val)
 }

-func InstanceRunnerStatus(ctx context.Context) common.RunnerStatus {
+func InstanceRunnerStatus(ctx context.Context) params.RunnerStatus {
 	elem := ctx.Value(instanceRunnerStatus)
 	if elem == nil {
-		return common.RunnerPending
+		return params.RunnerPending
 	}
-	return elem.(common.RunnerStatus)
+	return elem.(params.RunnerStatus)
 }

 func SetInstanceName(ctx context.Context, val string) context.Context {
@ -125,25 +172,57 @@ func InstanceEntity(ctx context.Context) string {
 	return elem.(string)
 }

-func PopulateInstanceContext(ctx context.Context, instance params.Instance) context.Context {
+func PopulateInstanceContext(ctx context.Context, instance params.Instance, claims *InstanceJWTClaims) context.Context {
 	ctx = SetInstanceID(ctx, instance.ID)
 	ctx = SetInstanceName(ctx, instance.Name)
 	ctx = SetInstancePoolID(ctx, instance.PoolID)
 	ctx = SetInstanceRunnerStatus(ctx, instance.RunnerStatus)
 	ctx = SetInstanceTokenFetched(ctx, instance.TokenFetched)
+	ctx = SetInstanceHasJITConfig(ctx, instance.JitConfiguration)
+	ctx = SetInstanceParams(ctx, instance)
+	ctx = SetInstanceForgeType(ctx, claims.ForgeType)
 	return ctx
 }

 // PopulateContext sets the appropriate fields in the context, based on
 // the user object
-func PopulateContext(ctx context.Context, user params.User) context.Context {
+func PopulateContext(ctx context.Context, user params.User, authExpires *time.Time) context.Context {
 	ctx = SetUserID(ctx, user.ID)
 	ctx = SetAdmin(ctx, user.IsAdmin)
 	ctx = SetIsEnabled(ctx, user.Enabled)
 	ctx = SetFullName(ctx, user.FullName)
+	ctx = SetExpires(ctx, authExpires)
+	ctx = SetPasswordGeneration(ctx, user.Generation)
 	return ctx
 }

+func SetExpires(ctx context.Context, expires *time.Time) context.Context {
+	if expires == nil {
+		return ctx
+	}
+	return context.WithValue(ctx, authExpiresFlag, expires)
+}
+
+func Expires(ctx context.Context) *time.Time {
+	elem := ctx.Value(authExpiresFlag)
+	if elem == nil {
+		return nil
+	}
+	return elem.(*time.Time)
+}
+
+func SetPasswordGeneration(ctx context.Context, val uint) context.Context {
+	return context.WithValue(ctx, passwordGenerationFlag, val)
+}
+
+func PasswordGeneration(ctx context.Context) uint {
+	elem := ctx.Value(passwordGenerationFlag)
+	if elem == nil {
+		return 0
+	}
+	return elem.(uint)
+}
+
 // SetFullName sets the user full name in the context
 func SetFullName(ctx context.Context, fullName string) context.Context {
 	return context.WithValue(ctx, fullNameKey, fullName)
@ -205,8 +284,10 @@ func UserID(ctx context.Context) string {

 // GetAdminContext will return an admin context. This can be used internally
 // when fetching users.
-func GetAdminContext() context.Context {
-	ctx := context.Background()
+func GetAdminContext(ctx context.Context) context.Context {
+	if ctx == nil {
+		ctx = context.Background()
+	}
 	ctx = SetUserID(ctx, "")
 	ctx = SetAdmin(ctx, true)
 	ctx = SetIsEnabled(ctx, true)
--- a/auth/init_required.go
+++ b/auth/init_required.go
@ -16,7 +16,7 @@ package auth

 import (
 	"encoding/json"
-	"log"
+	"log/slog"
 	"net/http"

 	"github.com/cloudbase/garm/apiserver/params"
@ -37,16 +37,44 @@ type initRequired struct {
 // Middleware implements the middleware interface
 func (i *initRequired) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		ctrlInfo, err := i.store.ControllerInfo()
-		if err != nil || ctrlInfo.ControllerID.String() == "" {
+		ctx := r.Context()
+
+		if !i.store.HasAdminUser(ctx) {
 			w.Header().Add("Content-Type", "application/json")
 			w.WriteHeader(http.StatusConflict)
 			if err := json.NewEncoder(w).Encode(params.InitializationRequired); err != nil {
-				log.Printf("failed to encode response: %s", err)
+				slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 			}
 			return
 		}
-		ctx := r.Context()
+
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func NewUrlsRequiredMiddleware(store common.Store) (Middleware, error) {
+	return &urlsRequired{
+		store: store,
+	}, nil
+}
+
+type urlsRequired struct {
+	store common.Store
+}
+
+func (u *urlsRequired) Middleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+		ctrlInfo, err := u.store.ControllerInfo()
+		if err != nil || ctrlInfo.MetadataURL == "" || ctrlInfo.CallbackURL == "" {
+			w.Header().Add("Content-Type", "application/json")
+			w.WriteHeader(http.StatusConflict)
+			if err := json.NewEncoder(w).Encode(params.URLsRequired); err != nil {
+				slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
+			}
+			return
+		}
+
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }
--- a/auth/instance_middleware.go
+++ b/auth/instance_middleware.go
@ -17,19 +17,20 @@ package auth
 import (
 	"context"
 	"fmt"
+	"log/slog"
+	"math"
 	"net/http"
 	"strings"
 	"time"

+	jwt "github.com/golang-jwt/jwt/v5"
+
+	runnerErrors "github.com/cloudbase/garm-provider-common/errors"
+	commonParams "github.com/cloudbase/garm-provider-common/params"
 	"github.com/cloudbase/garm/config"
 	dbCommon "github.com/cloudbase/garm/database/common"
-	runnerErrors "github.com/cloudbase/garm/errors"
 	"github.com/cloudbase/garm/params"
 	"github.com/cloudbase/garm/runner/common"
-	providerCommon "github.com/cloudbase/garm/runner/providers/common"
-
-	"github.com/golang-jwt/jwt"
-	"github.com/pkg/errors"
 )

 // InstanceJWTClaims holds JWT claims
@ -38,32 +39,58 @@ type InstanceJWTClaims struct {
 	Name   string `json:"name"`
 	PoolID string `json:"provider_id"`
 	// Scope is either repository or organization
-	Scope params.PoolType `json:"scope"`
+	Scope params.ForgeEntityType `json:"scope"`
 	// Entity is the repo or org name
-	Entity string `json:"entity"`
-	jwt.StandardClaims
+	Entity        string `json:"entity"`
+	CreateAttempt int    `json:"create_attempt"`
+	ForgeType     string `json:"forge_type"`
+	jwt.RegisteredClaims
 }

-func NewInstanceJWTToken(instance params.Instance, secret, entity string, poolType params.PoolType, ttlMinutes uint) (string, error) {
+func NewInstanceTokenGetter(jwtSecret string) (InstanceTokenGetter, error) {
+	if jwtSecret == "" {
+		return nil, fmt.Errorf("jwt secret is required")
+	}
+	return &instanceToken{
+		jwtSecret: jwtSecret,
+	}, nil
+}
+
+type instanceToken struct {
+	jwtSecret string
+}
+
+func (i *instanceToken) NewInstanceJWTToken(instance params.Instance, entity params.ForgeEntity, entityType params.ForgeEntityType, ttlMinutes uint) (string, error) {
 	// Token expiration is equal to the bootstrap timeout set on the pool plus the polling
 	// interval garm uses to check for timed out runners. Runners that have not sent their info
 	// by the end of this interval are most likely failed and will be reaped by garm anyway.
-	expireToken := time.Now().Add(time.Duration(ttlMinutes)*time.Minute + common.PoolReapTimeoutInterval).Unix()
+	var ttl int
+	if ttlMinutes > math.MaxInt {
+		ttl = math.MaxInt
+	} else {
+		ttl = int(ttlMinutes)
+	}
+	expireToken := time.Now().Add(time.Duration(ttl)*time.Minute + common.PoolReapTimeoutInterval)
+	expires := &jwt.NumericDate{
+		Time: expireToken,
+	}
 	claims := InstanceJWTClaims{
-		StandardClaims: jwt.StandardClaims{
-			ExpiresAt: expireToken,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: expires,
 			Issuer:    "garm",
 		},
-		ID:     instance.ID,
-		Name:   instance.Name,
-		PoolID: instance.PoolID,
-		Scope:  poolType,
-		Entity: entity,
+		ID:            instance.ID,
+		Name:          instance.Name,
+		PoolID:        instance.PoolID,
+		Scope:         entityType,
+		Entity:        entity.String(),
+		ForgeType:     string(entity.Credentials.ForgeType),
+		CreateAttempt: instance.CreateAttempt,
 	}
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	tokenString, err := token.SignedString([]byte(secret))
+	tokenString, err := token.SignedString([]byte(i.jwtSecret))
 	if err != nil {
-		return "", errors.Wrap(err, "signing token")
+		return "", fmt.Errorf("error signing token: %w", err)
 	}

 	return tokenString, nil
@ -93,29 +120,30 @@ func (amw *instanceMiddleware) claimsToContext(ctx context.Context, claims *Inst
 		return nil, runnerErrors.ErrUnauthorized
 	}

-	instanceInfo, err := amw.store.GetInstanceByName(ctx, claims.Name)
+	instanceInfo, err := amw.store.GetInstance(ctx, claims.Name)
 	if err != nil {
 		return ctx, runnerErrors.ErrUnauthorized
 	}

-	ctx = PopulateInstanceContext(ctx, instanceInfo)
+	ctx = PopulateInstanceContext(ctx, instanceInfo, claims)
 	return ctx, nil
 }

 // Middleware implements the middleware interface
 func (amw *instanceMiddleware) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// nolint:golangci-lint,godox
 		// TODO: Log error details when authentication fails
 		ctx := r.Context()
 		authorizationHeader := r.Header.Get("authorization")
 		if authorizationHeader == "" {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		bearerToken := strings.Split(authorizationHeader, " ")
 		if len(bearerToken) != 2 {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

@ -126,32 +154,61 @@ func (amw *instanceMiddleware) Middleware(next http.Handler) http.Handler {
 			}
 			return []byte(amw.cfg.Secret), nil
 		})
-
 		if err != nil {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		if !token.Valid {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		ctx, err = amw.claimsToContext(ctx, claims)
 		if err != nil {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		if InstanceID(ctx) == "" {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		runnerStatus := InstanceRunnerStatus(ctx)
-		if runnerStatus != providerCommon.RunnerInstalling && runnerStatus != providerCommon.RunnerPending {
+		if runnerStatus != params.RunnerInstalling && runnerStatus != params.RunnerPending {
 			// Instances that have finished installing can no longer authenticate to the API
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
+			return
+		}
+
+		instanceParams, err := InstanceParams(ctx)
+		if err != nil {
+			slog.InfoContext(
+				ctx, "could not find instance params",
+				"runner_name", InstanceName(ctx))
+			invalidAuthResponse(ctx, w)
+			return
+		}
+
+		// Token was generated for a previous attempt at creating this instance.
+		if claims.CreateAttempt != instanceParams.CreateAttempt {
+			slog.InfoContext(
+				ctx, "invalid token create attempt",
+				"runner_name", InstanceName(ctx),
+				"token_create_attempt", claims.CreateAttempt,
+				"instance_create_attempt", instanceParams.CreateAttempt)
+			invalidAuthResponse(ctx, w)
+			return
+		}
+
+		// Only allow instances that are in the creating or running state to authenticate.
+		if instanceParams.Status != commonParams.InstanceCreating && instanceParams.Status != commonParams.InstanceRunning {
+			slog.InfoContext(
+				ctx, "invalid instance status",
+				"runner_name", InstanceName(ctx),
+				"status", instanceParams.Status)
+			invalidAuthResponse(ctx, w)
 			return
 		}

--- a/auth/interfaces.go
+++ b/auth/interfaces.go
@ -14,9 +14,17 @@

 package auth

-import "net/http"
+import (
+	"net/http"
+
+	"github.com/cloudbase/garm/params"
+)

 // Middleware defines an authentication middleware
 type Middleware interface {
 	Middleware(next http.Handler) http.Handler
 }
+
+type InstanceTokenGetter interface {
+	NewInstanceJWTToken(instance params.Instance, entity params.ForgeEntity, poolType params.ForgeEntityType, ttlMinutes uint) (string, error)
+}
--- a/auth/jwt.go
+++ b/auth/jwt.go
@ -18,16 +18,17 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"log"
+	"log/slog"
 	"net/http"
 	"strings"
+	"time"

+	jwt "github.com/golang-jwt/jwt/v5"
+
+	runnerErrors "github.com/cloudbase/garm-provider-common/errors"
 	apiParams "github.com/cloudbase/garm/apiserver/params"
 	"github.com/cloudbase/garm/config"
 	dbCommon "github.com/cloudbase/garm/database/common"
-	runnerErrors "github.com/cloudbase/garm/errors"
-
-	"github.com/golang-jwt/jwt"
 )

 // JWTClaims holds JWT claims
@ -37,7 +38,8 @@ type JWTClaims struct {
 	FullName    string `json:"full_name"`
 	IsAdmin     bool   `json:"is_admin"`
 	ReadMetrics bool   `json:"read_metrics"`
-	jwt.StandardClaims
+	Generation  uint   `json:"generation"`
+	jwt.RegisteredClaims
 }

 // jwtMiddleware is the authentication middleware
@ -69,63 +71,85 @@ func (amw *jwtMiddleware) claimsToContext(ctx context.Context, claims *JWTClaims
 		return ctx, runnerErrors.ErrUnauthorized
 	}

-	ctx = PopulateContext(ctx, userInfo)
+	var expiresAt *time.Time
+	if claims.ExpiresAt != nil {
+		expires := claims.ExpiresAt.Time.UTC()
+		expiresAt = &expires
+	}
+
+	if userInfo.Generation != claims.Generation {
+		// Password was reset since token was issued. Invalidate.
+		return ctx, runnerErrors.ErrUnauthorized
+	}
+
+	ctx = PopulateContext(ctx, userInfo, expiresAt)
 	return ctx, nil
 }

-func invalidAuthResponse(w http.ResponseWriter) {
-	w.WriteHeader(http.StatusUnauthorized)
+func invalidAuthResponse(ctx context.Context, w http.ResponseWriter) {
 	w.Header().Add("Content-Type", "application/json")
+	w.WriteHeader(http.StatusUnauthorized)
 	if err := json.NewEncoder(w).Encode(
 		apiParams.APIErrorResponse{
 			Error: "Authentication failed",
 		}); err != nil {
-		log.Printf("failed to encode response: %s", err)
+		slog.With(slog.Any("error", err)).ErrorContext(ctx, "failed to encode response")
 	}
 }

+func (amw *jwtMiddleware) getTokenFromRequest(r *http.Request) (string, error) {
+	authorizationHeader := r.Header.Get("authorization")
+	if authorizationHeader == "" {
+		cookie, err := r.Cookie("garm_token")
+		if err != nil {
+			return "", fmt.Errorf("failed to get cookie: %w", err)
+		}
+		return cookie.Value, nil
+	}
+
+	bearerToken := strings.Split(authorizationHeader, " ")
+	if len(bearerToken) != 2 {
+		return "", fmt.Errorf("invalid auth header")
+	}
+	return bearerToken[1], nil
+}
+
 // Middleware implements the middleware interface
 func (amw *jwtMiddleware) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// nolint:golangci-lint,godox
 		// TODO: Log error details when authentication fails
 		ctx := r.Context()
-		authorizationHeader := r.Header.Get("authorization")
-		if authorizationHeader == "" {
-			invalidAuthResponse(w)
+		authToken, err := amw.getTokenFromRequest(r)
+		if err != nil {
+			slog.ErrorContext(ctx, "failed to get auth token", "error", err)
+			invalidAuthResponse(ctx, w)
 			return
 		}
-
-		bearerToken := strings.Split(authorizationHeader, " ")
-		if len(bearerToken) != 2 {
-			invalidAuthResponse(w)
-			return
-		}
-
 		claims := &JWTClaims{}
-		token, err := jwt.ParseWithClaims(bearerToken[1], claims, func(token *jwt.Token) (interface{}, error) {
+		token, err := jwt.ParseWithClaims(authToken, claims, func(token *jwt.Token) (interface{}, error) {
 			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 				return nil, fmt.Errorf("invalid signing method")
 			}
 			return []byte(amw.cfg.Secret), nil
 		})
-
 		if err != nil {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		if !token.Valid {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		ctx, err = amw.claimsToContext(ctx, claims)
 		if err != nil {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}
 		if !IsEnabled(ctx) {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

--- a/auth/metrics.go
+++ b/auth/metrics.go
@ -1,3 +1,16 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
 package auth

 import (
@ -6,9 +19,9 @@ import (
 	"net/http"
 	"strings"

-	"github.com/cloudbase/garm/config"
+	jwt "github.com/golang-jwt/jwt/v5"

-	"github.com/golang-jwt/jwt"
+	"github.com/cloudbase/garm/config"
 )

 type MetricsMiddleware struct {
@ -23,17 +36,16 @@ func NewMetricsMiddleware(cfg config.JWTAuth) (*MetricsMiddleware, error) {

 func (m *MetricsMiddleware) Middleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-
 		ctx := r.Context()
 		authorizationHeader := r.Header.Get("authorization")
 		if authorizationHeader == "" {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		bearerToken := strings.Split(authorizationHeader, " ")
 		if len(bearerToken) != 2 {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

@ -44,20 +56,19 @@ func (m *MetricsMiddleware) Middleware(next http.Handler) http.Handler {
 			}
 			return []byte(m.cfg.Secret), nil
 		})
-
 		if err != nil {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		if !token.Valid {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

 		// we fully trust the claims
 		if !claims.ReadMetrics {
-			invalidAuthResponse(w)
+			invalidAuthResponse(ctx, w)
 			return
 		}

--- a/build-webapp.sh
+++ b/build-webapp.sh
@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+echo "Building GARM SPA (SvelteKit)..."
+
+# Navigate to webapp directory
+cd webapp
+
+# Install dependencies if node_modules doesn't exist
+npm install
+
+# Build the SPA
+echo "Building SPA..."
+npm run build
+echo "SPA built successfully!"
--- a/cache/cache_test.go
+++ b/cache/cache_test.go
--- a/cache/credentials_cache.go
+++ b/cache/credentials_cache.go
@ -0,0 +1,148 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package cache
+
+import (
+	"sync"
+
+	"github.com/cloudbase/garm/params"
+)
+
+var (
+	credentialsCache      *CredentialCache
+	giteaCredentialsCache *CredentialCache
+)
+
+func init() {
+	ghCredentialsCache := &CredentialCache{
+		cache: make(map[uint]params.ForgeCredentials),
+	}
+	gtCredentialsCache := &CredentialCache{
+		cache: make(map[uint]params.ForgeCredentials),
+	}
+
+	credentialsCache = ghCredentialsCache
+	giteaCredentialsCache = gtCredentialsCache
+}
+
+type CredentialCache struct {
+	mux sync.Mutex
+
+	cache map[uint]params.ForgeCredentials
+}
+
+func (g *CredentialCache) SetCredentialsRateLimit(credsID uint, rateLimit params.GithubRateLimit) {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	if creds, ok := g.cache[credsID]; ok {
+		creds.RateLimit = &rateLimit
+		g.cache[credsID] = creds
+	}
+}
+
+func (g *CredentialCache) SetCredentials(credentials params.ForgeCredentials) {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	g.cache[credentials.ID] = credentials
+	UpdateCredentialsInAffectedEntities(credentials)
+}
+
+func (g *CredentialCache) GetCredentials(id uint) (params.ForgeCredentials, bool) {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	if creds, ok := g.cache[id]; ok {
+		return creds, true
+	}
+	return params.ForgeCredentials{}, false
+}
+
+func (g *CredentialCache) DeleteCredentials(id uint) {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	delete(g.cache, id)
+}
+
+func (g *CredentialCache) GetAllCredentials() []params.ForgeCredentials {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	creds := make([]params.ForgeCredentials, 0, len(g.cache))
+	for _, cred := range g.cache {
+		creds = append(creds, cred)
+	}
+
+	// Sort the credentials by ID
+	sortByID(creds)
+	return creds
+}
+
+func (g *CredentialCache) GetAllCredentialsAsMap() map[uint]params.ForgeCredentials {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	creds := make(map[uint]params.ForgeCredentials, len(g.cache))
+	for id, cred := range g.cache {
+		creds[id] = cred
+	}
+
+	return creds
+}
+
+func SetGithubCredentials(credentials params.ForgeCredentials) {
+	credentialsCache.SetCredentials(credentials)
+}
+
+func GetGithubCredentials(id uint) (params.ForgeCredentials, bool) {
+	return credentialsCache.GetCredentials(id)
+}
+
+func DeleteGithubCredentials(id uint) {
+	credentialsCache.DeleteCredentials(id)
+}
+
+func GetAllGithubCredentials() []params.ForgeCredentials {
+	return credentialsCache.GetAllCredentials()
+}
+
+func SetCredentialsRateLimit(credsID uint, rateLimit params.GithubRateLimit) {
+	credentialsCache.SetCredentialsRateLimit(credsID, rateLimit)
+}
+
+func GetAllGithubCredentialsAsMap() map[uint]params.ForgeCredentials {
+	return credentialsCache.GetAllCredentialsAsMap()
+}
+
+func SetGiteaCredentials(credentials params.ForgeCredentials) {
+	giteaCredentialsCache.SetCredentials(credentials)
+}
+
+func GetGiteaCredentials(id uint) (params.ForgeCredentials, bool) {
+	return giteaCredentialsCache.GetCredentials(id)
+}
+
+func DeleteGiteaCredentials(id uint) {
+	giteaCredentialsCache.DeleteCredentials(id)
+}
+
+func GetAllGiteaCredentials() []params.ForgeCredentials {
+	return giteaCredentialsCache.GetAllCredentials()
+}
+
+func GetAllGiteaCredentialsAsMap() map[uint]params.ForgeCredentials {
+	return giteaCredentialsCache.GetAllCredentialsAsMap()
+}
--- a/cache/entity_cache.go
+++ b/cache/entity_cache.go
@ -0,0 +1,435 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package cache
+
+import (
+	"sync"
+	"time"
+
+	"github.com/cloudbase/garm/params"
+)
+
+var entityCache *EntityCache
+
+func init() {
+	ghEntityCache := &EntityCache{
+		entities: make(map[string]EntityItem),
+	}
+	entityCache = ghEntityCache
+}
+
+type RunnerGroupEntry struct {
+	RunnerGroupID int64
+	time          time.Time
+}
+
+type EntityItem struct {
+	Entity       params.ForgeEntity
+	Pools        map[string]params.Pool
+	ScaleSets    map[uint]params.ScaleSet
+	RunnerGroups map[string]RunnerGroupEntry
+}
+
+type EntityCache struct {
+	mux sync.Mutex
+	// entity IDs are UUID4s. It is highly unlikely they will collide (🤞).
+	entities map[string]EntityItem
+}
+
+func (e *EntityCache) UpdateCredentialsInAffectedEntities(creds params.ForgeCredentials) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	for entityID, cache := range e.entities {
+		if cache.Entity.Credentials.GetID() == creds.GetID() {
+			cache.Entity.Credentials = creds
+			e.entities[entityID] = cache
+		}
+	}
+}
+
+func (e *EntityCache) GetEntity(entityID string) (params.ForgeEntity, bool) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		var creds params.ForgeCredentials
+		var ok bool
+		switch cache.Entity.Credentials.ForgeType {
+		case params.GithubEndpointType:
+			creds, ok = GetGithubCredentials(cache.Entity.Credentials.ID)
+		case params.GiteaEndpointType:
+			creds, ok = GetGiteaCredentials(cache.Entity.Credentials.ID)
+		}
+		if ok {
+			cache.Entity.Credentials = creds
+		}
+		return cache.Entity, true
+	}
+	return params.ForgeEntity{}, false
+}
+
+func (e *EntityCache) SetEntity(entity params.ForgeEntity) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	cache, ok := e.entities[entity.ID]
+	if !ok {
+		e.entities[entity.ID] = EntityItem{
+			Entity:       entity,
+			Pools:        make(map[string]params.Pool),
+			ScaleSets:    make(map[uint]params.ScaleSet),
+			RunnerGroups: make(map[string]RunnerGroupEntry),
+		}
+		return
+	}
+	cache.Entity = entity
+	e.entities[entity.ID] = cache
+}
+
+func (e *EntityCache) ReplaceEntityPools(entityID string, pools []params.Pool) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	cache, ok := e.entities[entityID]
+	if !ok {
+		return
+	}
+
+	poolsByID := map[string]params.Pool{}
+	for _, pool := range pools {
+		poolsByID[pool.ID] = pool
+	}
+	cache.Pools = poolsByID
+	e.entities[entityID] = cache
+}
+
+func (e *EntityCache) ReplaceEntityScaleSets(entityID string, scaleSets []params.ScaleSet) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	cache, ok := e.entities[entityID]
+	if !ok {
+		return
+	}
+
+	scaleSetsByID := map[uint]params.ScaleSet{}
+	for _, scaleSet := range scaleSets {
+		scaleSetsByID[scaleSet.ID] = scaleSet
+	}
+	cache.ScaleSets = scaleSetsByID
+	e.entities[entityID] = cache
+}
+
+func (e *EntityCache) DeleteEntity(entityID string) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+	delete(e.entities, entityID)
+}
+
+func (e *EntityCache) SetEntityPool(entityID string, pool params.Pool) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		cache.Pools[pool.ID] = pool
+		e.entities[entityID] = cache
+	}
+}
+
+func (e *EntityCache) SetEntityScaleSet(entityID string, scaleSet params.ScaleSet) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		cache.ScaleSets[scaleSet.ID] = scaleSet
+		e.entities[entityID] = cache
+	}
+}
+
+func (e *EntityCache) DeleteEntityPool(entityID string, poolID string) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		delete(cache.Pools, poolID)
+		e.entities[entityID] = cache
+	}
+}
+
+func (e *EntityCache) DeleteEntityScaleSet(entityID string, scaleSetID uint) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		delete(cache.ScaleSets, scaleSetID)
+		e.entities[entityID] = cache
+	}
+}
+
+func (e *EntityCache) GetEntityPool(entityID string, poolID string) (params.Pool, bool) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		if pool, ok := cache.Pools[poolID]; ok {
+			return pool, true
+		}
+	}
+	return params.Pool{}, false
+}
+
+func (e *EntityCache) GetEntityScaleSet(entityID string, scaleSetID uint) (params.ScaleSet, bool) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		if scaleSet, ok := cache.ScaleSets[scaleSetID]; ok {
+			return scaleSet, true
+		}
+	}
+	return params.ScaleSet{}, false
+}
+
+func (e *EntityCache) FindPoolsMatchingAllTags(entityID string, tags []string) []params.Pool {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		var pools []params.Pool
+		for _, pool := range cache.Pools {
+			if pool.HasRequiredLabels(tags) {
+				pools = append(pools, pool)
+			}
+		}
+		// Sort the pools by creation date.
+		sortByCreationDate(pools)
+		return pools
+	}
+	return nil
+}
+
+func (e *EntityCache) GetEntityPools(entityID string) []params.Pool {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		var pools []params.Pool
+		for _, pool := range cache.Pools {
+			pools = append(pools, pool)
+		}
+		// Sort the pools by creation date.
+		sortByCreationDate(pools)
+		return pools
+	}
+	return nil
+}
+
+func (e *EntityCache) GetEntityScaleSets(entityID string) []params.ScaleSet {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if cache, ok := e.entities[entityID]; ok {
+		var scaleSets []params.ScaleSet
+		for _, scaleSet := range cache.ScaleSets {
+			scaleSets = append(scaleSets, scaleSet)
+		}
+		// Sort the scale sets by creation date.
+		sortByID(scaleSets)
+		return scaleSets
+	}
+	return nil
+}
+
+func (e *EntityCache) GetEntitiesUsingCredentials(creds params.ForgeCredentials) []params.ForgeEntity {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	var entities []params.ForgeEntity
+	for _, cache := range e.entities {
+		if cache.Entity.Credentials.ForgeType != creds.ForgeType {
+			continue
+		}
+
+		if cache.Entity.Credentials.GetID() == creds.GetID() {
+			entities = append(entities, cache.Entity)
+		}
+	}
+	sortByCreationDate(entities)
+	return entities
+}
+
+func (e *EntityCache) GetAllEntities() []params.ForgeEntity {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	var entities []params.ForgeEntity
+	for _, cache := range e.entities {
+		// Get the credentials from the credentials cache.
+		var creds params.ForgeCredentials
+		var ok bool
+		switch cache.Entity.Credentials.ForgeType {
+		case params.GithubEndpointType:
+			creds, ok = GetGithubCredentials(cache.Entity.Credentials.ID)
+		case params.GiteaEndpointType:
+			creds, ok = GetGiteaCredentials(cache.Entity.Credentials.ID)
+		}
+		if ok {
+			cache.Entity.Credentials = creds
+		}
+		entities = append(entities, cache.Entity)
+	}
+	sortByCreationDate(entities)
+	return entities
+}
+
+func (e *EntityCache) GetAllPools() []params.Pool {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	var pools []params.Pool
+	for _, cache := range e.entities {
+		for _, pool := range cache.Pools {
+			pools = append(pools, pool)
+		}
+	}
+	sortByCreationDate(pools)
+	return pools
+}
+
+func (e *EntityCache) GetAllScaleSets() []params.ScaleSet {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	var scaleSets []params.ScaleSet
+	for _, cache := range e.entities {
+		for _, scaleSet := range cache.ScaleSets {
+			scaleSets = append(scaleSets, scaleSet)
+		}
+	}
+	sortByID(scaleSets)
+	return scaleSets
+}
+
+func (e *EntityCache) SetEntityRunnerGroup(entityID, runnerGroupName string, runnerGroupID int64) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if _, ok := e.entities[entityID]; ok {
+		e.entities[entityID].RunnerGroups[runnerGroupName] = RunnerGroupEntry{
+			RunnerGroupID: runnerGroupID,
+			time:          time.Now().UTC(),
+		}
+	}
+}
+
+func (e *EntityCache) GetEntityRunnerGroup(entityID, runnerGroupName string) (int64, bool) {
+	e.mux.Lock()
+	defer e.mux.Unlock()
+
+	if _, ok := e.entities[entityID]; ok {
+		if runnerGroup, ok := e.entities[entityID].RunnerGroups[runnerGroupName]; ok {
+			if time.Now().UTC().After(runnerGroup.time.Add(1 * time.Hour)) {
+				delete(e.entities[entityID].RunnerGroups, runnerGroupName)
+				return 0, false
+			}
+			return runnerGroup.RunnerGroupID, true
+		}
+	}
+	return 0, false
+}
+
+func SetEntityRunnerGroup(entityID, runnerGroupName string, runnerGroupID int64) {
+	entityCache.SetEntityRunnerGroup(entityID, runnerGroupName, runnerGroupID)
+}
+
+func GetEntityRunnerGroup(entityID, runnerGroupName string) (int64, bool) {
+	return entityCache.GetEntityRunnerGroup(entityID, runnerGroupName)
+}
+
+func GetEntity(entityID string) (params.ForgeEntity, bool) {
+	return entityCache.GetEntity(entityID)
+}
+
+func SetEntity(entity params.ForgeEntity) {
+	entityCache.SetEntity(entity)
+}
+
+func ReplaceEntityPools(entityID string, pools []params.Pool) {
+	entityCache.ReplaceEntityPools(entityID, pools)
+}
+
+func ReplaceEntityScaleSets(entityID string, scaleSets []params.ScaleSet) {
+	entityCache.ReplaceEntityScaleSets(entityID, scaleSets)
+}
+
+func DeleteEntity(entityID string) {
+	entityCache.DeleteEntity(entityID)
+}
+
+func SetEntityPool(entityID string, pool params.Pool) {
+	entityCache.SetEntityPool(entityID, pool)
+}
+
+func SetEntityScaleSet(entityID string, scaleSet params.ScaleSet) {
+	entityCache.SetEntityScaleSet(entityID, scaleSet)
+}
+
+func DeleteEntityPool(entityID string, poolID string) {
+	entityCache.DeleteEntityPool(entityID, poolID)
+}
+
+func DeleteEntityScaleSet(entityID string, scaleSetID uint) {
+	entityCache.DeleteEntityScaleSet(entityID, scaleSetID)
+}
+
+func GetEntityPool(entityID string, poolID string) (params.Pool, bool) {
+	return entityCache.GetEntityPool(entityID, poolID)
+}
+
+func GetEntityScaleSet(entityID string, scaleSetID uint) (params.ScaleSet, bool) {
+	return entityCache.GetEntityScaleSet(entityID, scaleSetID)
+}
+
+func FindPoolsMatchingAllTags(entityID string, tags []string) []params.Pool {
+	return entityCache.FindPoolsMatchingAllTags(entityID, tags)
+}
+
+func GetEntityPools(entityID string) []params.Pool {
+	return entityCache.GetEntityPools(entityID)
+}
+
+func GetEntityScaleSets(entityID string) []params.ScaleSet {
+	return entityCache.GetEntityScaleSets(entityID)
+}
+
+func UpdateCredentialsInAffectedEntities(creds params.ForgeCredentials) {
+	entityCache.UpdateCredentialsInAffectedEntities(creds)
+}
+
+func GetEntitiesUsingCredentials(creds params.ForgeCredentials) []params.ForgeEntity {
+	return entityCache.GetEntitiesUsingCredentials(creds)
+}
+
+func GetAllEntities() []params.ForgeEntity {
+	return entityCache.GetAllEntities()
+}
+
+func GetAllPools() []params.Pool {
+	return entityCache.GetAllPools()
+}
+
+func GetAllScaleSets() []params.ScaleSet {
+	return entityCache.GetAllScaleSets()
+}
--- a/cache/github_client.go
+++ b/cache/github_client.go
@ -0,0 +1,60 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package cache
+
+import (
+	"sync"
+
+	"github.com/cloudbase/garm/runner/common"
+)
+
+var ghClientCache *GithubClientCache
+
+type GithubClientCache struct {
+	mux sync.Mutex
+
+	cache map[string]common.GithubClient
+}
+
+func init() {
+	clientCache := &GithubClientCache{
+		cache: make(map[string]common.GithubClient),
+	}
+	ghClientCache = clientCache
+}
+
+func (g *GithubClientCache) SetClient(entityID string, client common.GithubClient) {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	g.cache[entityID] = client
+}
+
+func (g *GithubClientCache) GetClient(entityID string) (common.GithubClient, bool) {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	if client, ok := g.cache[entityID]; ok {
+		return client, true
+	}
+	return nil, false
+}
+
+func SetGithubClient(entityID string, client common.GithubClient) {
+	ghClientCache.SetClient(entityID, client)
+}
+
+func GetGithubClient(entityID string) (common.GithubClient, bool) {
+	return ghClientCache.GetClient(entityID)
+}
--- a/cache/instance_cache.go
+++ b/cache/instance_cache.go
@ -0,0 +1,143 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package cache
+
+import (
+	"sync"
+
+	"github.com/cloudbase/garm/params"
+)
+
+var instanceCache *InstanceCache
+
+func init() {
+	cache := &InstanceCache{
+		cache: make(map[string]params.Instance),
+	}
+	instanceCache = cache
+}
+
+type InstanceCache struct {
+	mux sync.Mutex
+
+	cache map[string]params.Instance
+}
+
+func (i *InstanceCache) SetInstance(instance params.Instance) {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	i.cache[instance.Name] = instance
+}
+
+func (i *InstanceCache) GetInstance(name string) (params.Instance, bool) {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	if instance, ok := i.cache[name]; ok {
+		return instance, true
+	}
+	return params.Instance{}, false
+}
+
+func (i *InstanceCache) DeleteInstance(name string) {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	delete(i.cache, name)
+}
+
+func (i *InstanceCache) GetAllInstances() []params.Instance {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	instances := make([]params.Instance, 0, len(i.cache))
+	for _, instance := range i.cache {
+		instances = append(instances, instance)
+	}
+	sortByCreationDate(instances)
+	return instances
+}
+
+func (i *InstanceCache) GetInstancesForPool(poolID string) []params.Instance {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	var filteredInstances []params.Instance
+	for _, instance := range i.cache {
+		if instance.PoolID == poolID {
+			filteredInstances = append(filteredInstances, instance)
+		}
+	}
+	sortByCreationDate(filteredInstances)
+	return filteredInstances
+}
+
+func (i *InstanceCache) GetInstancesForScaleSet(scaleSetID uint) []params.Instance {
+	i.mux.Lock()
+	defer i.mux.Unlock()
+
+	var filteredInstances []params.Instance
+	for _, instance := range i.cache {
+		if instance.ScaleSetID == scaleSetID {
+			filteredInstances = append(filteredInstances, instance)
+		}
+	}
+	sortByCreationDate(filteredInstances)
+	return filteredInstances
+}
+
+func (i *InstanceCache) GetEntityInstances(entityID string) []params.Instance {
+	pools := GetEntityPools(entityID)
+	poolsAsMap := map[string]bool{}
+	for _, pool := range pools {
+		poolsAsMap[pool.ID] = true
+	}
+
+	ret := []params.Instance{}
+	for _, val := range i.GetAllInstances() {
+		if _, ok := poolsAsMap[val.PoolID]; ok {
+			ret = append(ret, val)
+		}
+	}
+	return ret
+}
+
+func SetInstanceCache(instance params.Instance) {
+	instanceCache.SetInstance(instance)
+}
+
+func GetInstanceCache(name string) (params.Instance, bool) {
+	return instanceCache.GetInstance(name)
+}
+
+func DeleteInstanceCache(name string) {
+	instanceCache.DeleteInstance(name)
+}
+
+func GetAllInstancesCache() []params.Instance {
+	return instanceCache.GetAllInstances()
+}
+
+func GetInstancesForPool(poolID string) []params.Instance {
+	return instanceCache.GetInstancesForPool(poolID)
+}
+
+func GetInstancesForScaleSet(scaleSetID uint) []params.Instance {
+	return instanceCache.GetInstancesForScaleSet(scaleSetID)
+}
+
+func GetEntityInstances(entityID string) []params.Instance {
+	return instanceCache.GetEntityInstances(entityID)
+}
--- a/cache/tools_cache.go
+++ b/cache/tools_cache.go
@ -0,0 +1,116 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package cache
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	commonParams "github.com/cloudbase/garm-provider-common/params"
+	"github.com/cloudbase/garm/params"
+)
+
+var githubToolsCache *GithubToolsCache
+
+func init() {
+	ghToolsCache := &GithubToolsCache{
+		entities: make(map[string]GithubEntityTools),
+	}
+	githubToolsCache = ghToolsCache
+}
+
+type GithubEntityTools struct {
+	updatedAt time.Time
+	expiresAt time.Time
+	err       error
+	entity    params.ForgeEntity
+	tools     []commonParams.RunnerApplicationDownload
+}
+
+type GithubToolsCache struct {
+	mux sync.Mutex
+	// entity IDs are UUID4s. It is highly unlikely they will collide (🤞).
+	entities map[string]GithubEntityTools
+}
+
+func (g *GithubToolsCache) Get(entityID string) ([]commonParams.RunnerApplicationDownload, error) {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	if cache, ok := g.entities[entityID]; ok {
+		if cache.entity.Credentials.ForgeType == params.GithubEndpointType {
+			if time.Now().UTC().After(cache.expiresAt.Add(-5 * time.Minute)) {
+				// Stale cache, remove it.
+				delete(g.entities, entityID)
+				return nil, fmt.Errorf("cache expired for entity %s", entityID)
+			}
+		}
+		if cache.err != nil {
+			return nil, cache.err
+		}
+		return cache.tools, nil
+	}
+	return nil, fmt.Errorf("no cache found for entity %s", entityID)
+}
+
+func (g *GithubToolsCache) Set(entity params.ForgeEntity, tools []commonParams.RunnerApplicationDownload) {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	forgeTools := GithubEntityTools{
+		updatedAt: time.Now(),
+		entity:    entity,
+		tools:     tools,
+		err:       nil,
+	}
+
+	if entity.Credentials.ForgeType == params.GithubEndpointType {
+		forgeTools.expiresAt = time.Now().Add(1 * time.Hour)
+	}
+
+	g.entities[entity.ID] = forgeTools
+}
+
+func (g *GithubToolsCache) SetToolsError(entity params.ForgeEntity, err error) {
+	g.mux.Lock()
+	defer g.mux.Unlock()
+
+	// If the entity is not in the cache, add it with the error.
+	cache, ok := g.entities[entity.ID]
+	if !ok {
+		g.entities[entity.ID] = GithubEntityTools{
+			updatedAt: time.Now(),
+			entity:    entity,
+			err:       err,
+		}
+		return
+	}
+
+	// Update the error for the existing entity.
+	cache.err = err
+	g.entities[entity.ID] = cache
+}
+
+func SetGithubToolsCache(entity params.ForgeEntity, tools []commonParams.RunnerApplicationDownload) {
+	githubToolsCache.Set(entity, tools)
+}
+
+func GetGithubToolsCache(entityID string) ([]commonParams.RunnerApplicationDownload, error) {
+	return githubToolsCache.Get(entityID)
+}
+
+func SetGithubToolsCacheError(entity params.ForgeEntity, err error) {
+	githubToolsCache.SetToolsError(entity, err)
+}
--- a/cache/util.go
+++ b/cache/util.go
@ -0,0 +1,32 @@
+// Copyright 2025 Cloudbase Solutions SRL
+//
+//	Licensed under the Apache License, Version 2.0 (the "License"); you may
+//	not use this file except in compliance with the License. You may obtain
+//	a copy of the License at
+//
+//	     http://www.apache.org/licenses/LICENSE-2.0
+//
+//	Unless required by applicable law or agreed to in writing, software
+//	distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+//	WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+//	License for the specific language governing permissions and limitations
+//	under the License.
+package cache
+
+import (
+	"sort"
+
+	"github.com/cloudbase/garm/params"
+)
+
+func sortByID[T params.IDGetter](s []T) {
+	sort.Slice(s, func(i, j int) bool {
+		return s[i].GetID() < s[j].GetID()
+	})
+}
+
+func sortByCreationDate[T params.CreationDateGetter](s []T) {
+	sort.Slice(s, func(i, j int) bool {
+		return s[i].GetCreatedAt().Before(s[j].GetCreatedAt())
+	})
+}
--- a/client/controller/controller_client.go
+++ b/client/controller/controller_client.go
@ -0,0 +1,106 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package controller
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"fmt"
+
+	"github.com/go-openapi/runtime"
+	httptransport "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// New creates a new controller API client.
+func New(transport runtime.ClientTransport, formats strfmt.Registry) ClientService {
+	return &Client{transport: transport, formats: formats}
+}
+
+// New creates a new controller API client with basic auth credentials.
+// It takes the following parameters:
+// - host: http host (github.com).
+// - basePath: any base path for the API client ("/v1", "/v3").
+// - scheme: http scheme ("http", "https").
+// - user: user for basic authentication header.
+// - password: password for basic authentication header.
+func NewClientWithBasicAuth(host, basePath, scheme, user, password string) ClientService {
+	transport := httptransport.New(host, basePath, []string{scheme})
+	transport.DefaultAuthentication = httptransport.BasicAuth(user, password)
+	return &Client{transport: transport, formats: strfmt.Default}
+}
+
+// New creates a new controller API client with a bearer token for authentication.
+// It takes the following parameters:
+// - host: http host (github.com).
+// - basePath: any base path for the API client ("/v1", "/v3").
+// - scheme: http scheme ("http", "https").
+// - bearerToken: bearer token for Bearer authentication header.
+func NewClientWithBearerToken(host, basePath, scheme, bearerToken string) ClientService {
+	transport := httptransport.New(host, basePath, []string{scheme})
+	transport.DefaultAuthentication = httptransport.BearerToken(bearerToken)
+	return &Client{transport: transport, formats: strfmt.Default}
+}
+
+/*
+Client for controller API
+*/
+type Client struct {
+	transport runtime.ClientTransport
+	formats   strfmt.Registry
+}
+
+// ClientOption may be used to customize the behavior of Client methods.
+type ClientOption func(*runtime.ClientOperation)
+
+// ClientService is the interface for Client methods
+type ClientService interface {
+	UpdateController(params *UpdateControllerParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateControllerOK, error)
+
+	SetTransport(transport runtime.ClientTransport)
+}
+
+/*
+UpdateController updates controller
+*/
+func (a *Client) UpdateController(params *UpdateControllerParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateControllerOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewUpdateControllerParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "UpdateController",
+		Method:             "PUT",
+		PathPattern:        "/controller",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &UpdateControllerReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*UpdateControllerOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for UpdateController: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+// SetTransport changes the transport on the client
+func (a *Client) SetTransport(transport runtime.ClientTransport) {
+	a.transport = transport
+}
--- a/client/controller/update_controller_parameters.go
+++ b/client/controller/update_controller_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package controller
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewUpdateControllerParams creates a new UpdateControllerParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewUpdateControllerParams() *UpdateControllerParams {
+	return &UpdateControllerParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewUpdateControllerParamsWithTimeout creates a new UpdateControllerParams object
+// with the ability to set a timeout on a request.
+func NewUpdateControllerParamsWithTimeout(timeout time.Duration) *UpdateControllerParams {
+	return &UpdateControllerParams{
+		timeout: timeout,
+	}
+}
+
+// NewUpdateControllerParamsWithContext creates a new UpdateControllerParams object
+// with the ability to set a context for a request.
+func NewUpdateControllerParamsWithContext(ctx context.Context) *UpdateControllerParams {
+	return &UpdateControllerParams{
+		Context: ctx,
+	}
+}
+
+// NewUpdateControllerParamsWithHTTPClient creates a new UpdateControllerParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewUpdateControllerParamsWithHTTPClient(client *http.Client) *UpdateControllerParams {
+	return &UpdateControllerParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+UpdateControllerParams contains all the parameters to send to the API endpoint
+
+	for the update controller operation.
+
+	Typically these are written to a http.Request.
+*/
+type UpdateControllerParams struct {
+
+	/* Body.
+
+	   Parameters used when updating the controller.
+	*/
+	Body garm_params.UpdateControllerParams
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the update controller params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateControllerParams) WithDefaults() *UpdateControllerParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the update controller params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateControllerParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the update controller params
+func (o *UpdateControllerParams) WithTimeout(timeout time.Duration) *UpdateControllerParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the update controller params
+func (o *UpdateControllerParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the update controller params
+func (o *UpdateControllerParams) WithContext(ctx context.Context) *UpdateControllerParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the update controller params
+func (o *UpdateControllerParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the update controller params
+func (o *UpdateControllerParams) WithHTTPClient(client *http.Client) *UpdateControllerParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the update controller params
+func (o *UpdateControllerParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the update controller params
+func (o *UpdateControllerParams) WithBody(body garm_params.UpdateControllerParams) *UpdateControllerParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the update controller params
+func (o *UpdateControllerParams) SetBody(body garm_params.UpdateControllerParams) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *UpdateControllerParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/controller/update_controller_responses.go
+++ b/client/controller/update_controller_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package controller
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// UpdateControllerReader is a Reader for the UpdateController structure.
+type UpdateControllerReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *UpdateControllerReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewUpdateControllerOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewUpdateControllerBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[PUT /controller] UpdateController", response, response.Code())
+	}
+}
+
+// NewUpdateControllerOK creates a UpdateControllerOK with default headers values
+func NewUpdateControllerOK() *UpdateControllerOK {
+	return &UpdateControllerOK{}
+}
+
+/*
+UpdateControllerOK describes a response with status code 200, with default header values.
+
+ControllerInfo
+*/
+type UpdateControllerOK struct {
+	Payload garm_params.ControllerInfo
+}
+
+// IsSuccess returns true when this update controller o k response has a 2xx status code
+func (o *UpdateControllerOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this update controller o k response has a 3xx status code
+func (o *UpdateControllerOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this update controller o k response has a 4xx status code
+func (o *UpdateControllerOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this update controller o k response has a 5xx status code
+func (o *UpdateControllerOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this update controller o k response a status code equal to that given
+func (o *UpdateControllerOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the update controller o k response
+func (o *UpdateControllerOK) Code() int {
+	return 200
+}
+
+func (o *UpdateControllerOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /controller][%d] updateControllerOK %s", 200, payload)
+}
+
+func (o *UpdateControllerOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /controller][%d] updateControllerOK %s", 200, payload)
+}
+
+func (o *UpdateControllerOK) GetPayload() garm_params.ControllerInfo {
+	return o.Payload
+}
+
+func (o *UpdateControllerOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewUpdateControllerBadRequest creates a UpdateControllerBadRequest with default headers values
+func NewUpdateControllerBadRequest() *UpdateControllerBadRequest {
+	return &UpdateControllerBadRequest{}
+}
+
+/*
+UpdateControllerBadRequest describes a response with status code 400, with default header values.
+
+APIErrorResponse
+*/
+type UpdateControllerBadRequest struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this update controller bad request response has a 2xx status code
+func (o *UpdateControllerBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this update controller bad request response has a 3xx status code
+func (o *UpdateControllerBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this update controller bad request response has a 4xx status code
+func (o *UpdateControllerBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this update controller bad request response has a 5xx status code
+func (o *UpdateControllerBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this update controller bad request response a status code equal to that given
+func (o *UpdateControllerBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the update controller bad request response
+func (o *UpdateControllerBadRequest) Code() int {
+	return 400
+}
+
+func (o *UpdateControllerBadRequest) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /controller][%d] updateControllerBadRequest %s", 400, payload)
+}
+
+func (o *UpdateControllerBadRequest) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /controller][%d] updateControllerBadRequest %s", 400, payload)
+}
+
+func (o *UpdateControllerBadRequest) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *UpdateControllerBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/controller_info/controller_info_client.go
+++ b/client/controller_info/controller_info_client.go
@ -0,0 +1,106 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package controller_info
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"fmt"
+
+	"github.com/go-openapi/runtime"
+	httptransport "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// New creates a new controller info API client.
+func New(transport runtime.ClientTransport, formats strfmt.Registry) ClientService {
+	return &Client{transport: transport, formats: formats}
+}
+
+// New creates a new controller info API client with basic auth credentials.
+// It takes the following parameters:
+// - host: http host (github.com).
+// - basePath: any base path for the API client ("/v1", "/v3").
+// - scheme: http scheme ("http", "https").
+// - user: user for basic authentication header.
+// - password: password for basic authentication header.
+func NewClientWithBasicAuth(host, basePath, scheme, user, password string) ClientService {
+	transport := httptransport.New(host, basePath, []string{scheme})
+	transport.DefaultAuthentication = httptransport.BasicAuth(user, password)
+	return &Client{transport: transport, formats: strfmt.Default}
+}
+
+// New creates a new controller info API client with a bearer token for authentication.
+// It takes the following parameters:
+// - host: http host (github.com).
+// - basePath: any base path for the API client ("/v1", "/v3").
+// - scheme: http scheme ("http", "https").
+// - bearerToken: bearer token for Bearer authentication header.
+func NewClientWithBearerToken(host, basePath, scheme, bearerToken string) ClientService {
+	transport := httptransport.New(host, basePath, []string{scheme})
+	transport.DefaultAuthentication = httptransport.BearerToken(bearerToken)
+	return &Client{transport: transport, formats: strfmt.Default}
+}
+
+/*
+Client for controller info API
+*/
+type Client struct {
+	transport runtime.ClientTransport
+	formats   strfmt.Registry
+}
+
+// ClientOption may be used to customize the behavior of Client methods.
+type ClientOption func(*runtime.ClientOperation)
+
+// ClientService is the interface for Client methods
+type ClientService interface {
+	ControllerInfo(params *ControllerInfoParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ControllerInfoOK, error)
+
+	SetTransport(transport runtime.ClientTransport)
+}
+
+/*
+ControllerInfo gets controller info
+*/
+func (a *Client) ControllerInfo(params *ControllerInfoParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ControllerInfoOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewControllerInfoParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "ControllerInfo",
+		Method:             "GET",
+		PathPattern:        "/controller-info",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &ControllerInfoReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*ControllerInfoOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for ControllerInfo: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+// SetTransport changes the transport on the client
+func (a *Client) SetTransport(transport runtime.ClientTransport) {
+	a.transport = transport
+}
--- a/client/controller_info/controller_info_parameters.go
+++ b/client/controller_info/controller_info_parameters.go
@ -0,0 +1,128 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package controller_info
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewControllerInfoParams creates a new ControllerInfoParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewControllerInfoParams() *ControllerInfoParams {
+	return &ControllerInfoParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewControllerInfoParamsWithTimeout creates a new ControllerInfoParams object
+// with the ability to set a timeout on a request.
+func NewControllerInfoParamsWithTimeout(timeout time.Duration) *ControllerInfoParams {
+	return &ControllerInfoParams{
+		timeout: timeout,
+	}
+}
+
+// NewControllerInfoParamsWithContext creates a new ControllerInfoParams object
+// with the ability to set a context for a request.
+func NewControllerInfoParamsWithContext(ctx context.Context) *ControllerInfoParams {
+	return &ControllerInfoParams{
+		Context: ctx,
+	}
+}
+
+// NewControllerInfoParamsWithHTTPClient creates a new ControllerInfoParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewControllerInfoParamsWithHTTPClient(client *http.Client) *ControllerInfoParams {
+	return &ControllerInfoParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+ControllerInfoParams contains all the parameters to send to the API endpoint
+
+	for the controller info operation.
+
+	Typically these are written to a http.Request.
+*/
+type ControllerInfoParams struct {
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the controller info params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ControllerInfoParams) WithDefaults() *ControllerInfoParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the controller info params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ControllerInfoParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the controller info params
+func (o *ControllerInfoParams) WithTimeout(timeout time.Duration) *ControllerInfoParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the controller info params
+func (o *ControllerInfoParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the controller info params
+func (o *ControllerInfoParams) WithContext(ctx context.Context) *ControllerInfoParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the controller info params
+func (o *ControllerInfoParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the controller info params
+func (o *ControllerInfoParams) WithHTTPClient(client *http.Client) *ControllerInfoParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the controller info params
+func (o *ControllerInfoParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *ControllerInfoParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/controller_info/controller_info_responses.go
+++ b/client/controller_info/controller_info_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package controller_info
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// ControllerInfoReader is a Reader for the ControllerInfo structure.
+type ControllerInfoReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *ControllerInfoReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewControllerInfoOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 409:
+		result := NewControllerInfoConflict()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[GET /controller-info] ControllerInfo", response, response.Code())
+	}
+}
+
+// NewControllerInfoOK creates a ControllerInfoOK with default headers values
+func NewControllerInfoOK() *ControllerInfoOK {
+	return &ControllerInfoOK{}
+}
+
+/*
+ControllerInfoOK describes a response with status code 200, with default header values.
+
+ControllerInfo
+*/
+type ControllerInfoOK struct {
+	Payload garm_params.ControllerInfo
+}
+
+// IsSuccess returns true when this controller info o k response has a 2xx status code
+func (o *ControllerInfoOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this controller info o k response has a 3xx status code
+func (o *ControllerInfoOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this controller info o k response has a 4xx status code
+func (o *ControllerInfoOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this controller info o k response has a 5xx status code
+func (o *ControllerInfoOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this controller info o k response a status code equal to that given
+func (o *ControllerInfoOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the controller info o k response
+func (o *ControllerInfoOK) Code() int {
+	return 200
+}
+
+func (o *ControllerInfoOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /controller-info][%d] controllerInfoOK %s", 200, payload)
+}
+
+func (o *ControllerInfoOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /controller-info][%d] controllerInfoOK %s", 200, payload)
+}
+
+func (o *ControllerInfoOK) GetPayload() garm_params.ControllerInfo {
+	return o.Payload
+}
+
+func (o *ControllerInfoOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewControllerInfoConflict creates a ControllerInfoConflict with default headers values
+func NewControllerInfoConflict() *ControllerInfoConflict {
+	return &ControllerInfoConflict{}
+}
+
+/*
+ControllerInfoConflict describes a response with status code 409, with default header values.
+
+APIErrorResponse
+*/
+type ControllerInfoConflict struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this controller info conflict response has a 2xx status code
+func (o *ControllerInfoConflict) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this controller info conflict response has a 3xx status code
+func (o *ControllerInfoConflict) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this controller info conflict response has a 4xx status code
+func (o *ControllerInfoConflict) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this controller info conflict response has a 5xx status code
+func (o *ControllerInfoConflict) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this controller info conflict response a status code equal to that given
+func (o *ControllerInfoConflict) IsCode(code int) bool {
+	return code == 409
+}
+
+// Code gets the status code for the controller info conflict response
+func (o *ControllerInfoConflict) Code() int {
+	return 409
+}
+
+func (o *ControllerInfoConflict) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /controller-info][%d] controllerInfoConflict %s", 409, payload)
+}
+
+func (o *ControllerInfoConflict) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /controller-info][%d] controllerInfoConflict %s", 409, payload)
+}
+
+func (o *ControllerInfoConflict) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *ControllerInfoConflict) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/create_credentials_parameters.go
+++ b/client/credentials/create_credentials_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewCreateCredentialsParams creates a new CreateCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewCreateCredentialsParams() *CreateCredentialsParams {
+	return &CreateCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewCreateCredentialsParamsWithTimeout creates a new CreateCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewCreateCredentialsParamsWithTimeout(timeout time.Duration) *CreateCredentialsParams {
+	return &CreateCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewCreateCredentialsParamsWithContext creates a new CreateCredentialsParams object
+// with the ability to set a context for a request.
+func NewCreateCredentialsParamsWithContext(ctx context.Context) *CreateCredentialsParams {
+	return &CreateCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewCreateCredentialsParamsWithHTTPClient creates a new CreateCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewCreateCredentialsParamsWithHTTPClient(client *http.Client) *CreateCredentialsParams {
+	return &CreateCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+CreateCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the create credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type CreateCredentialsParams struct {
+
+	/* Body.
+
+	   Parameters used when creating a GitHub credential.
+	*/
+	Body garm_params.CreateGithubCredentialsParams
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the create credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateCredentialsParams) WithDefaults() *CreateCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the create credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the create credentials params
+func (o *CreateCredentialsParams) WithTimeout(timeout time.Duration) *CreateCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the create credentials params
+func (o *CreateCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the create credentials params
+func (o *CreateCredentialsParams) WithContext(ctx context.Context) *CreateCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the create credentials params
+func (o *CreateCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the create credentials params
+func (o *CreateCredentialsParams) WithHTTPClient(client *http.Client) *CreateCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the create credentials params
+func (o *CreateCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the create credentials params
+func (o *CreateCredentialsParams) WithBody(body garm_params.CreateGithubCredentialsParams) *CreateCredentialsParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the create credentials params
+func (o *CreateCredentialsParams) SetBody(body garm_params.CreateGithubCredentialsParams) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *CreateCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/create_credentials_responses.go
+++ b/client/credentials/create_credentials_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// CreateCredentialsReader is a Reader for the CreateCredentials structure.
+type CreateCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *CreateCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewCreateCredentialsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewCreateCredentialsBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[POST /github/credentials] CreateCredentials", response, response.Code())
+	}
+}
+
+// NewCreateCredentialsOK creates a CreateCredentialsOK with default headers values
+func NewCreateCredentialsOK() *CreateCredentialsOK {
+	return &CreateCredentialsOK{}
+}
+
+/*
+CreateCredentialsOK describes a response with status code 200, with default header values.
+
+ForgeCredentials
+*/
+type CreateCredentialsOK struct {
+	Payload garm_params.ForgeCredentials
+}
+
+// IsSuccess returns true when this create credentials o k response has a 2xx status code
+func (o *CreateCredentialsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this create credentials o k response has a 3xx status code
+func (o *CreateCredentialsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this create credentials o k response has a 4xx status code
+func (o *CreateCredentialsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this create credentials o k response has a 5xx status code
+func (o *CreateCredentialsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this create credentials o k response a status code equal to that given
+func (o *CreateCredentialsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the create credentials o k response
+func (o *CreateCredentialsOK) Code() int {
+	return 200
+}
+
+func (o *CreateCredentialsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /github/credentials][%d] createCredentialsOK %s", 200, payload)
+}
+
+func (o *CreateCredentialsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /github/credentials][%d] createCredentialsOK %s", 200, payload)
+}
+
+func (o *CreateCredentialsOK) GetPayload() garm_params.ForgeCredentials {
+	return o.Payload
+}
+
+func (o *CreateCredentialsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewCreateCredentialsBadRequest creates a CreateCredentialsBadRequest with default headers values
+func NewCreateCredentialsBadRequest() *CreateCredentialsBadRequest {
+	return &CreateCredentialsBadRequest{}
+}
+
+/*
+CreateCredentialsBadRequest describes a response with status code 400, with default header values.
+
+APIErrorResponse
+*/
+type CreateCredentialsBadRequest struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this create credentials bad request response has a 2xx status code
+func (o *CreateCredentialsBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this create credentials bad request response has a 3xx status code
+func (o *CreateCredentialsBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this create credentials bad request response has a 4xx status code
+func (o *CreateCredentialsBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this create credentials bad request response has a 5xx status code
+func (o *CreateCredentialsBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this create credentials bad request response a status code equal to that given
+func (o *CreateCredentialsBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the create credentials bad request response
+func (o *CreateCredentialsBadRequest) Code() int {
+	return 400
+}
+
+func (o *CreateCredentialsBadRequest) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /github/credentials][%d] createCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *CreateCredentialsBadRequest) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /github/credentials][%d] createCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *CreateCredentialsBadRequest) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *CreateCredentialsBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/create_gitea_credentials_parameters.go
+++ b/client/credentials/create_gitea_credentials_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewCreateGiteaCredentialsParams creates a new CreateGiteaCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewCreateGiteaCredentialsParams() *CreateGiteaCredentialsParams {
+	return &CreateGiteaCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewCreateGiteaCredentialsParamsWithTimeout creates a new CreateGiteaCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewCreateGiteaCredentialsParamsWithTimeout(timeout time.Duration) *CreateGiteaCredentialsParams {
+	return &CreateGiteaCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewCreateGiteaCredentialsParamsWithContext creates a new CreateGiteaCredentialsParams object
+// with the ability to set a context for a request.
+func NewCreateGiteaCredentialsParamsWithContext(ctx context.Context) *CreateGiteaCredentialsParams {
+	return &CreateGiteaCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewCreateGiteaCredentialsParamsWithHTTPClient creates a new CreateGiteaCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewCreateGiteaCredentialsParamsWithHTTPClient(client *http.Client) *CreateGiteaCredentialsParams {
+	return &CreateGiteaCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+CreateGiteaCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the create gitea credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type CreateGiteaCredentialsParams struct {
+
+	/* Body.
+
+	   Parameters used when creating a Gitea credential.
+	*/
+	Body garm_params.CreateGiteaCredentialsParams
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the create gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateGiteaCredentialsParams) WithDefaults() *CreateGiteaCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the create gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateGiteaCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the create gitea credentials params
+func (o *CreateGiteaCredentialsParams) WithTimeout(timeout time.Duration) *CreateGiteaCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the create gitea credentials params
+func (o *CreateGiteaCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the create gitea credentials params
+func (o *CreateGiteaCredentialsParams) WithContext(ctx context.Context) *CreateGiteaCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the create gitea credentials params
+func (o *CreateGiteaCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the create gitea credentials params
+func (o *CreateGiteaCredentialsParams) WithHTTPClient(client *http.Client) *CreateGiteaCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the create gitea credentials params
+func (o *CreateGiteaCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the create gitea credentials params
+func (o *CreateGiteaCredentialsParams) WithBody(body garm_params.CreateGiteaCredentialsParams) *CreateGiteaCredentialsParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the create gitea credentials params
+func (o *CreateGiteaCredentialsParams) SetBody(body garm_params.CreateGiteaCredentialsParams) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *CreateGiteaCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/create_gitea_credentials_responses.go
+++ b/client/credentials/create_gitea_credentials_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// CreateGiteaCredentialsReader is a Reader for the CreateGiteaCredentials structure.
+type CreateGiteaCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *CreateGiteaCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewCreateGiteaCredentialsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewCreateGiteaCredentialsBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[POST /gitea/credentials] CreateGiteaCredentials", response, response.Code())
+	}
+}
+
+// NewCreateGiteaCredentialsOK creates a CreateGiteaCredentialsOK with default headers values
+func NewCreateGiteaCredentialsOK() *CreateGiteaCredentialsOK {
+	return &CreateGiteaCredentialsOK{}
+}
+
+/*
+CreateGiteaCredentialsOK describes a response with status code 200, with default header values.
+
+ForgeCredentials
+*/
+type CreateGiteaCredentialsOK struct {
+	Payload garm_params.ForgeCredentials
+}
+
+// IsSuccess returns true when this create gitea credentials o k response has a 2xx status code
+func (o *CreateGiteaCredentialsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this create gitea credentials o k response has a 3xx status code
+func (o *CreateGiteaCredentialsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this create gitea credentials o k response has a 4xx status code
+func (o *CreateGiteaCredentialsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this create gitea credentials o k response has a 5xx status code
+func (o *CreateGiteaCredentialsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this create gitea credentials o k response a status code equal to that given
+func (o *CreateGiteaCredentialsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the create gitea credentials o k response
+func (o *CreateGiteaCredentialsOK) Code() int {
+	return 200
+}
+
+func (o *CreateGiteaCredentialsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /gitea/credentials][%d] createGiteaCredentialsOK %s", 200, payload)
+}
+
+func (o *CreateGiteaCredentialsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /gitea/credentials][%d] createGiteaCredentialsOK %s", 200, payload)
+}
+
+func (o *CreateGiteaCredentialsOK) GetPayload() garm_params.ForgeCredentials {
+	return o.Payload
+}
+
+func (o *CreateGiteaCredentialsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewCreateGiteaCredentialsBadRequest creates a CreateGiteaCredentialsBadRequest with default headers values
+func NewCreateGiteaCredentialsBadRequest() *CreateGiteaCredentialsBadRequest {
+	return &CreateGiteaCredentialsBadRequest{}
+}
+
+/*
+CreateGiteaCredentialsBadRequest describes a response with status code 400, with default header values.
+
+APIErrorResponse
+*/
+type CreateGiteaCredentialsBadRequest struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this create gitea credentials bad request response has a 2xx status code
+func (o *CreateGiteaCredentialsBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this create gitea credentials bad request response has a 3xx status code
+func (o *CreateGiteaCredentialsBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this create gitea credentials bad request response has a 4xx status code
+func (o *CreateGiteaCredentialsBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this create gitea credentials bad request response has a 5xx status code
+func (o *CreateGiteaCredentialsBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this create gitea credentials bad request response a status code equal to that given
+func (o *CreateGiteaCredentialsBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the create gitea credentials bad request response
+func (o *CreateGiteaCredentialsBadRequest) Code() int {
+	return 400
+}
+
+func (o *CreateGiteaCredentialsBadRequest) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /gitea/credentials][%d] createGiteaCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *CreateGiteaCredentialsBadRequest) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /gitea/credentials][%d] createGiteaCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *CreateGiteaCredentialsBadRequest) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *CreateGiteaCredentialsBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/credentials_client.go
+++ b/client/credentials/credentials_client.go
@ -0,0 +1,461 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"fmt"
+
+	"github.com/go-openapi/runtime"
+	httptransport "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// New creates a new credentials API client.
+func New(transport runtime.ClientTransport, formats strfmt.Registry) ClientService {
+	return &Client{transport: transport, formats: formats}
+}
+
+// New creates a new credentials API client with basic auth credentials.
+// It takes the following parameters:
+// - host: http host (github.com).
+// - basePath: any base path for the API client ("/v1", "/v3").
+// - scheme: http scheme ("http", "https").
+// - user: user for basic authentication header.
+// - password: password for basic authentication header.
+func NewClientWithBasicAuth(host, basePath, scheme, user, password string) ClientService {
+	transport := httptransport.New(host, basePath, []string{scheme})
+	transport.DefaultAuthentication = httptransport.BasicAuth(user, password)
+	return &Client{transport: transport, formats: strfmt.Default}
+}
+
+// New creates a new credentials API client with a bearer token for authentication.
+// It takes the following parameters:
+// - host: http host (github.com).
+// - basePath: any base path for the API client ("/v1", "/v3").
+// - scheme: http scheme ("http", "https").
+// - bearerToken: bearer token for Bearer authentication header.
+func NewClientWithBearerToken(host, basePath, scheme, bearerToken string) ClientService {
+	transport := httptransport.New(host, basePath, []string{scheme})
+	transport.DefaultAuthentication = httptransport.BearerToken(bearerToken)
+	return &Client{transport: transport, formats: strfmt.Default}
+}
+
+/*
+Client for credentials API
+*/
+type Client struct {
+	transport runtime.ClientTransport
+	formats   strfmt.Registry
+}
+
+// ClientOption may be used to customize the behavior of Client methods.
+type ClientOption func(*runtime.ClientOperation)
+
+// ClientService is the interface for Client methods
+type ClientService interface {
+	CreateCredentials(params *CreateCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateCredentialsOK, error)
+
+	CreateGiteaCredentials(params *CreateGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateGiteaCredentialsOK, error)
+
+	DeleteCredentials(params *DeleteCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) error
+
+	DeleteGiteaCredentials(params *DeleteGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) error
+
+	GetCredentials(params *GetCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GetCredentialsOK, error)
+
+	GetGiteaCredentials(params *GetGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GetGiteaCredentialsOK, error)
+
+	ListCredentials(params *ListCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListCredentialsOK, error)
+
+	ListGiteaCredentials(params *ListGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListGiteaCredentialsOK, error)
+
+	UpdateCredentials(params *UpdateCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateCredentialsOK, error)
+
+	UpdateGiteaCredentials(params *UpdateGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateGiteaCredentialsOK, error)
+
+	SetTransport(transport runtime.ClientTransport)
+}
+
+/*
+CreateCredentials creates a git hub credential
+*/
+func (a *Client) CreateCredentials(params *CreateCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateCredentialsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewCreateCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "CreateCredentials",
+		Method:             "POST",
+		PathPattern:        "/github/credentials",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &CreateCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*CreateCredentialsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for CreateCredentials: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+/*
+CreateGiteaCredentials creates a gitea credential
+*/
+func (a *Client) CreateGiteaCredentials(params *CreateGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateGiteaCredentialsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewCreateGiteaCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "CreateGiteaCredentials",
+		Method:             "POST",
+		PathPattern:        "/gitea/credentials",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &CreateGiteaCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*CreateGiteaCredentialsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for CreateGiteaCredentials: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+/*
+DeleteCredentials deletes a git hub credential
+*/
+func (a *Client) DeleteCredentials(params *DeleteCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) error {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewDeleteCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "DeleteCredentials",
+		Method:             "DELETE",
+		PathPattern:        "/github/credentials/{id}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &DeleteCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	_, err := a.transport.Submit(op)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+/*
+DeleteGiteaCredentials deletes a gitea credential
+*/
+func (a *Client) DeleteGiteaCredentials(params *DeleteGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) error {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewDeleteGiteaCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "DeleteGiteaCredentials",
+		Method:             "DELETE",
+		PathPattern:        "/gitea/credentials/{id}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &DeleteGiteaCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	_, err := a.transport.Submit(op)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+/*
+GetCredentials gets a git hub credential
+*/
+func (a *Client) GetCredentials(params *GetCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GetCredentialsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewGetCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "GetCredentials",
+		Method:             "GET",
+		PathPattern:        "/github/credentials/{id}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &GetCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*GetCredentialsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for GetCredentials: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+/*
+GetGiteaCredentials gets a gitea credential
+*/
+func (a *Client) GetGiteaCredentials(params *GetGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GetGiteaCredentialsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewGetGiteaCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "GetGiteaCredentials",
+		Method:             "GET",
+		PathPattern:        "/gitea/credentials/{id}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &GetGiteaCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*GetGiteaCredentialsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for GetGiteaCredentials: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+/*
+ListCredentials lists all credentials
+*/
+func (a *Client) ListCredentials(params *ListCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListCredentialsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewListCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "ListCredentials",
+		Method:             "GET",
+		PathPattern:        "/github/credentials",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &ListCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*ListCredentialsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for ListCredentials: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+/*
+ListGiteaCredentials lists all credentials
+*/
+func (a *Client) ListGiteaCredentials(params *ListGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListGiteaCredentialsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewListGiteaCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "ListGiteaCredentials",
+		Method:             "GET",
+		PathPattern:        "/gitea/credentials",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &ListGiteaCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*ListGiteaCredentialsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for ListGiteaCredentials: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+/*
+UpdateCredentials updates a git hub credential
+*/
+func (a *Client) UpdateCredentials(params *UpdateCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateCredentialsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewUpdateCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "UpdateCredentials",
+		Method:             "PUT",
+		PathPattern:        "/github/credentials/{id}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &UpdateCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*UpdateCredentialsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for UpdateCredentials: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+/*
+UpdateGiteaCredentials updates a gitea credential
+*/
+func (a *Client) UpdateGiteaCredentials(params *UpdateGiteaCredentialsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateGiteaCredentialsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewUpdateGiteaCredentialsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "UpdateGiteaCredentials",
+		Method:             "PUT",
+		PathPattern:        "/gitea/credentials/{id}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &UpdateGiteaCredentialsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*UpdateGiteaCredentialsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	// safeguard: normally, absent a default response, unknown success responses return an error above: so this is a codegen issue
+	msg := fmt.Sprintf("unexpected success response for UpdateGiteaCredentials: API contract not enforced by server. Client expected to get an error, but got: %T", result)
+	panic(msg)
+}
+
+// SetTransport changes the transport on the client
+func (a *Client) SetTransport(transport runtime.ClientTransport) {
+	a.transport = transport
+}
--- a/client/credentials/delete_credentials_parameters.go
+++ b/client/credentials/delete_credentials_parameters.go
@ -0,0 +1,152 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// NewDeleteCredentialsParams creates a new DeleteCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewDeleteCredentialsParams() *DeleteCredentialsParams {
+	return &DeleteCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewDeleteCredentialsParamsWithTimeout creates a new DeleteCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewDeleteCredentialsParamsWithTimeout(timeout time.Duration) *DeleteCredentialsParams {
+	return &DeleteCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewDeleteCredentialsParamsWithContext creates a new DeleteCredentialsParams object
+// with the ability to set a context for a request.
+func NewDeleteCredentialsParamsWithContext(ctx context.Context) *DeleteCredentialsParams {
+	return &DeleteCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewDeleteCredentialsParamsWithHTTPClient creates a new DeleteCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewDeleteCredentialsParamsWithHTTPClient(client *http.Client) *DeleteCredentialsParams {
+	return &DeleteCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+DeleteCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the delete credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type DeleteCredentialsParams struct {
+
+	/* ID.
+
+	   ID of the GitHub credential.
+	*/
+	ID int64
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the delete credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteCredentialsParams) WithDefaults() *DeleteCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the delete credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the delete credentials params
+func (o *DeleteCredentialsParams) WithTimeout(timeout time.Duration) *DeleteCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the delete credentials params
+func (o *DeleteCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the delete credentials params
+func (o *DeleteCredentialsParams) WithContext(ctx context.Context) *DeleteCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the delete credentials params
+func (o *DeleteCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the delete credentials params
+func (o *DeleteCredentialsParams) WithHTTPClient(client *http.Client) *DeleteCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the delete credentials params
+func (o *DeleteCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithID adds the id to the delete credentials params
+func (o *DeleteCredentialsParams) WithID(id int64) *DeleteCredentialsParams {
+	o.SetID(id)
+	return o
+}
+
+// SetID adds the id to the delete credentials params
+func (o *DeleteCredentialsParams) SetID(id int64) {
+	o.ID = id
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *DeleteCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param id
+	if err := r.SetPathParam("id", swag.FormatInt64(o.ID)); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/delete_credentials_responses.go
+++ b/client/credentials/delete_credentials_responses.go
@ -0,0 +1,106 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+)
+
+// DeleteCredentialsReader is a Reader for the DeleteCredentials structure.
+type DeleteCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *DeleteCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	result := NewDeleteCredentialsDefault(response.Code())
+	if err := result.readResponse(response, consumer, o.formats); err != nil {
+		return nil, err
+	}
+	if response.Code()/100 == 2 {
+		return result, nil
+	}
+	return nil, result
+}
+
+// NewDeleteCredentialsDefault creates a DeleteCredentialsDefault with default headers values
+func NewDeleteCredentialsDefault(code int) *DeleteCredentialsDefault {
+	return &DeleteCredentialsDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+DeleteCredentialsDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type DeleteCredentialsDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this delete credentials default response has a 2xx status code
+func (o *DeleteCredentialsDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this delete credentials default response has a 3xx status code
+func (o *DeleteCredentialsDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this delete credentials default response has a 4xx status code
+func (o *DeleteCredentialsDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this delete credentials default response has a 5xx status code
+func (o *DeleteCredentialsDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this delete credentials default response a status code equal to that given
+func (o *DeleteCredentialsDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the delete credentials default response
+func (o *DeleteCredentialsDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *DeleteCredentialsDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[DELETE /github/credentials/{id}][%d] DeleteCredentials default %s", o._statusCode, payload)
+}
+
+func (o *DeleteCredentialsDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[DELETE /github/credentials/{id}][%d] DeleteCredentials default %s", o._statusCode, payload)
+}
+
+func (o *DeleteCredentialsDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *DeleteCredentialsDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/delete_gitea_credentials_parameters.go
+++ b/client/credentials/delete_gitea_credentials_parameters.go
@ -0,0 +1,152 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// NewDeleteGiteaCredentialsParams creates a new DeleteGiteaCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewDeleteGiteaCredentialsParams() *DeleteGiteaCredentialsParams {
+	return &DeleteGiteaCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewDeleteGiteaCredentialsParamsWithTimeout creates a new DeleteGiteaCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewDeleteGiteaCredentialsParamsWithTimeout(timeout time.Duration) *DeleteGiteaCredentialsParams {
+	return &DeleteGiteaCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewDeleteGiteaCredentialsParamsWithContext creates a new DeleteGiteaCredentialsParams object
+// with the ability to set a context for a request.
+func NewDeleteGiteaCredentialsParamsWithContext(ctx context.Context) *DeleteGiteaCredentialsParams {
+	return &DeleteGiteaCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewDeleteGiteaCredentialsParamsWithHTTPClient creates a new DeleteGiteaCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewDeleteGiteaCredentialsParamsWithHTTPClient(client *http.Client) *DeleteGiteaCredentialsParams {
+	return &DeleteGiteaCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+DeleteGiteaCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the delete gitea credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type DeleteGiteaCredentialsParams struct {
+
+	/* ID.
+
+	   ID of the Gitea credential.
+	*/
+	ID int64
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the delete gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteGiteaCredentialsParams) WithDefaults() *DeleteGiteaCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the delete gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteGiteaCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the delete gitea credentials params
+func (o *DeleteGiteaCredentialsParams) WithTimeout(timeout time.Duration) *DeleteGiteaCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the delete gitea credentials params
+func (o *DeleteGiteaCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the delete gitea credentials params
+func (o *DeleteGiteaCredentialsParams) WithContext(ctx context.Context) *DeleteGiteaCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the delete gitea credentials params
+func (o *DeleteGiteaCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the delete gitea credentials params
+func (o *DeleteGiteaCredentialsParams) WithHTTPClient(client *http.Client) *DeleteGiteaCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the delete gitea credentials params
+func (o *DeleteGiteaCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithID adds the id to the delete gitea credentials params
+func (o *DeleteGiteaCredentialsParams) WithID(id int64) *DeleteGiteaCredentialsParams {
+	o.SetID(id)
+	return o
+}
+
+// SetID adds the id to the delete gitea credentials params
+func (o *DeleteGiteaCredentialsParams) SetID(id int64) {
+	o.ID = id
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *DeleteGiteaCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param id
+	if err := r.SetPathParam("id", swag.FormatInt64(o.ID)); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/delete_gitea_credentials_responses.go
+++ b/client/credentials/delete_gitea_credentials_responses.go
@ -0,0 +1,106 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+)
+
+// DeleteGiteaCredentialsReader is a Reader for the DeleteGiteaCredentials structure.
+type DeleteGiteaCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *DeleteGiteaCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	result := NewDeleteGiteaCredentialsDefault(response.Code())
+	if err := result.readResponse(response, consumer, o.formats); err != nil {
+		return nil, err
+	}
+	if response.Code()/100 == 2 {
+		return result, nil
+	}
+	return nil, result
+}
+
+// NewDeleteGiteaCredentialsDefault creates a DeleteGiteaCredentialsDefault with default headers values
+func NewDeleteGiteaCredentialsDefault(code int) *DeleteGiteaCredentialsDefault {
+	return &DeleteGiteaCredentialsDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+DeleteGiteaCredentialsDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type DeleteGiteaCredentialsDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this delete gitea credentials default response has a 2xx status code
+func (o *DeleteGiteaCredentialsDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this delete gitea credentials default response has a 3xx status code
+func (o *DeleteGiteaCredentialsDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this delete gitea credentials default response has a 4xx status code
+func (o *DeleteGiteaCredentialsDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this delete gitea credentials default response has a 5xx status code
+func (o *DeleteGiteaCredentialsDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this delete gitea credentials default response a status code equal to that given
+func (o *DeleteGiteaCredentialsDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the delete gitea credentials default response
+func (o *DeleteGiteaCredentialsDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *DeleteGiteaCredentialsDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[DELETE /gitea/credentials/{id}][%d] DeleteGiteaCredentials default %s", o._statusCode, payload)
+}
+
+func (o *DeleteGiteaCredentialsDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[DELETE /gitea/credentials/{id}][%d] DeleteGiteaCredentials default %s", o._statusCode, payload)
+}
+
+func (o *DeleteGiteaCredentialsDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *DeleteGiteaCredentialsDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/get_credentials_parameters.go
+++ b/client/credentials/get_credentials_parameters.go
@ -0,0 +1,152 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// NewGetCredentialsParams creates a new GetCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewGetCredentialsParams() *GetCredentialsParams {
+	return &GetCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewGetCredentialsParamsWithTimeout creates a new GetCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewGetCredentialsParamsWithTimeout(timeout time.Duration) *GetCredentialsParams {
+	return &GetCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewGetCredentialsParamsWithContext creates a new GetCredentialsParams object
+// with the ability to set a context for a request.
+func NewGetCredentialsParamsWithContext(ctx context.Context) *GetCredentialsParams {
+	return &GetCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewGetCredentialsParamsWithHTTPClient creates a new GetCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewGetCredentialsParamsWithHTTPClient(client *http.Client) *GetCredentialsParams {
+	return &GetCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+GetCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the get credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type GetCredentialsParams struct {
+
+	/* ID.
+
+	   ID of the GitHub credential.
+	*/
+	ID int64
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the get credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *GetCredentialsParams) WithDefaults() *GetCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the get credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *GetCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the get credentials params
+func (o *GetCredentialsParams) WithTimeout(timeout time.Duration) *GetCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the get credentials params
+func (o *GetCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the get credentials params
+func (o *GetCredentialsParams) WithContext(ctx context.Context) *GetCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the get credentials params
+func (o *GetCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the get credentials params
+func (o *GetCredentialsParams) WithHTTPClient(client *http.Client) *GetCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the get credentials params
+func (o *GetCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithID adds the id to the get credentials params
+func (o *GetCredentialsParams) WithID(id int64) *GetCredentialsParams {
+	o.SetID(id)
+	return o
+}
+
+// SetID adds the id to the get credentials params
+func (o *GetCredentialsParams) SetID(id int64) {
+	o.ID = id
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *GetCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param id
+	if err := r.SetPathParam("id", swag.FormatInt64(o.ID)); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/get_credentials_responses.go
+++ b/client/credentials/get_credentials_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// GetCredentialsReader is a Reader for the GetCredentials structure.
+type GetCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *GetCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewGetCredentialsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewGetCredentialsBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[GET /github/credentials/{id}] GetCredentials", response, response.Code())
+	}
+}
+
+// NewGetCredentialsOK creates a GetCredentialsOK with default headers values
+func NewGetCredentialsOK() *GetCredentialsOK {
+	return &GetCredentialsOK{}
+}
+
+/*
+GetCredentialsOK describes a response with status code 200, with default header values.
+
+ForgeCredentials
+*/
+type GetCredentialsOK struct {
+	Payload garm_params.ForgeCredentials
+}
+
+// IsSuccess returns true when this get credentials o k response has a 2xx status code
+func (o *GetCredentialsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this get credentials o k response has a 3xx status code
+func (o *GetCredentialsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this get credentials o k response has a 4xx status code
+func (o *GetCredentialsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this get credentials o k response has a 5xx status code
+func (o *GetCredentialsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this get credentials o k response a status code equal to that given
+func (o *GetCredentialsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the get credentials o k response
+func (o *GetCredentialsOK) Code() int {
+	return 200
+}
+
+func (o *GetCredentialsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/credentials/{id}][%d] getCredentialsOK %s", 200, payload)
+}
+
+func (o *GetCredentialsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/credentials/{id}][%d] getCredentialsOK %s", 200, payload)
+}
+
+func (o *GetCredentialsOK) GetPayload() garm_params.ForgeCredentials {
+	return o.Payload
+}
+
+func (o *GetCredentialsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewGetCredentialsBadRequest creates a GetCredentialsBadRequest with default headers values
+func NewGetCredentialsBadRequest() *GetCredentialsBadRequest {
+	return &GetCredentialsBadRequest{}
+}
+
+/*
+GetCredentialsBadRequest describes a response with status code 400, with default header values.
+
+APIErrorResponse
+*/
+type GetCredentialsBadRequest struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this get credentials bad request response has a 2xx status code
+func (o *GetCredentialsBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this get credentials bad request response has a 3xx status code
+func (o *GetCredentialsBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this get credentials bad request response has a 4xx status code
+func (o *GetCredentialsBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this get credentials bad request response has a 5xx status code
+func (o *GetCredentialsBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this get credentials bad request response a status code equal to that given
+func (o *GetCredentialsBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the get credentials bad request response
+func (o *GetCredentialsBadRequest) Code() int {
+	return 400
+}
+
+func (o *GetCredentialsBadRequest) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/credentials/{id}][%d] getCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *GetCredentialsBadRequest) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/credentials/{id}][%d] getCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *GetCredentialsBadRequest) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *GetCredentialsBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/get_gitea_credentials_parameters.go
+++ b/client/credentials/get_gitea_credentials_parameters.go
@ -0,0 +1,152 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+)
+
+// NewGetGiteaCredentialsParams creates a new GetGiteaCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewGetGiteaCredentialsParams() *GetGiteaCredentialsParams {
+	return &GetGiteaCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewGetGiteaCredentialsParamsWithTimeout creates a new GetGiteaCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewGetGiteaCredentialsParamsWithTimeout(timeout time.Duration) *GetGiteaCredentialsParams {
+	return &GetGiteaCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewGetGiteaCredentialsParamsWithContext creates a new GetGiteaCredentialsParams object
+// with the ability to set a context for a request.
+func NewGetGiteaCredentialsParamsWithContext(ctx context.Context) *GetGiteaCredentialsParams {
+	return &GetGiteaCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewGetGiteaCredentialsParamsWithHTTPClient creates a new GetGiteaCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewGetGiteaCredentialsParamsWithHTTPClient(client *http.Client) *GetGiteaCredentialsParams {
+	return &GetGiteaCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+GetGiteaCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the get gitea credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type GetGiteaCredentialsParams struct {
+
+	/* ID.
+
+	   ID of the Gitea credential.
+	*/
+	ID int64
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the get gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *GetGiteaCredentialsParams) WithDefaults() *GetGiteaCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the get gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *GetGiteaCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the get gitea credentials params
+func (o *GetGiteaCredentialsParams) WithTimeout(timeout time.Duration) *GetGiteaCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the get gitea credentials params
+func (o *GetGiteaCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the get gitea credentials params
+func (o *GetGiteaCredentialsParams) WithContext(ctx context.Context) *GetGiteaCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the get gitea credentials params
+func (o *GetGiteaCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the get gitea credentials params
+func (o *GetGiteaCredentialsParams) WithHTTPClient(client *http.Client) *GetGiteaCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the get gitea credentials params
+func (o *GetGiteaCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithID adds the id to the get gitea credentials params
+func (o *GetGiteaCredentialsParams) WithID(id int64) *GetGiteaCredentialsParams {
+	o.SetID(id)
+	return o
+}
+
+// SetID adds the id to the get gitea credentials params
+func (o *GetGiteaCredentialsParams) SetID(id int64) {
+	o.ID = id
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *GetGiteaCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param id
+	if err := r.SetPathParam("id", swag.FormatInt64(o.ID)); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/get_gitea_credentials_responses.go
+++ b/client/credentials/get_gitea_credentials_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// GetGiteaCredentialsReader is a Reader for the GetGiteaCredentials structure.
+type GetGiteaCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *GetGiteaCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewGetGiteaCredentialsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewGetGiteaCredentialsBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[GET /gitea/credentials/{id}] GetGiteaCredentials", response, response.Code())
+	}
+}
+
+// NewGetGiteaCredentialsOK creates a GetGiteaCredentialsOK with default headers values
+func NewGetGiteaCredentialsOK() *GetGiteaCredentialsOK {
+	return &GetGiteaCredentialsOK{}
+}
+
+/*
+GetGiteaCredentialsOK describes a response with status code 200, with default header values.
+
+ForgeCredentials
+*/
+type GetGiteaCredentialsOK struct {
+	Payload garm_params.ForgeCredentials
+}
+
+// IsSuccess returns true when this get gitea credentials o k response has a 2xx status code
+func (o *GetGiteaCredentialsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this get gitea credentials o k response has a 3xx status code
+func (o *GetGiteaCredentialsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this get gitea credentials o k response has a 4xx status code
+func (o *GetGiteaCredentialsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this get gitea credentials o k response has a 5xx status code
+func (o *GetGiteaCredentialsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this get gitea credentials o k response a status code equal to that given
+func (o *GetGiteaCredentialsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the get gitea credentials o k response
+func (o *GetGiteaCredentialsOK) Code() int {
+	return 200
+}
+
+func (o *GetGiteaCredentialsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/credentials/{id}][%d] getGiteaCredentialsOK %s", 200, payload)
+}
+
+func (o *GetGiteaCredentialsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/credentials/{id}][%d] getGiteaCredentialsOK %s", 200, payload)
+}
+
+func (o *GetGiteaCredentialsOK) GetPayload() garm_params.ForgeCredentials {
+	return o.Payload
+}
+
+func (o *GetGiteaCredentialsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewGetGiteaCredentialsBadRequest creates a GetGiteaCredentialsBadRequest with default headers values
+func NewGetGiteaCredentialsBadRequest() *GetGiteaCredentialsBadRequest {
+	return &GetGiteaCredentialsBadRequest{}
+}
+
+/*
+GetGiteaCredentialsBadRequest describes a response with status code 400, with default header values.
+
+APIErrorResponse
+*/
+type GetGiteaCredentialsBadRequest struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this get gitea credentials bad request response has a 2xx status code
+func (o *GetGiteaCredentialsBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this get gitea credentials bad request response has a 3xx status code
+func (o *GetGiteaCredentialsBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this get gitea credentials bad request response has a 4xx status code
+func (o *GetGiteaCredentialsBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this get gitea credentials bad request response has a 5xx status code
+func (o *GetGiteaCredentialsBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this get gitea credentials bad request response a status code equal to that given
+func (o *GetGiteaCredentialsBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the get gitea credentials bad request response
+func (o *GetGiteaCredentialsBadRequest) Code() int {
+	return 400
+}
+
+func (o *GetGiteaCredentialsBadRequest) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/credentials/{id}][%d] getGiteaCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *GetGiteaCredentialsBadRequest) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/credentials/{id}][%d] getGiteaCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *GetGiteaCredentialsBadRequest) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *GetGiteaCredentialsBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/list_credentials_parameters.go
+++ b/client/credentials/list_credentials_parameters.go
@ -0,0 +1,128 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewListCredentialsParams creates a new ListCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewListCredentialsParams() *ListCredentialsParams {
+	return &ListCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewListCredentialsParamsWithTimeout creates a new ListCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewListCredentialsParamsWithTimeout(timeout time.Duration) *ListCredentialsParams {
+	return &ListCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewListCredentialsParamsWithContext creates a new ListCredentialsParams object
+// with the ability to set a context for a request.
+func NewListCredentialsParamsWithContext(ctx context.Context) *ListCredentialsParams {
+	return &ListCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewListCredentialsParamsWithHTTPClient creates a new ListCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewListCredentialsParamsWithHTTPClient(client *http.Client) *ListCredentialsParams {
+	return &ListCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+ListCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the list credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type ListCredentialsParams struct {
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the list credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListCredentialsParams) WithDefaults() *ListCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the list credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the list credentials params
+func (o *ListCredentialsParams) WithTimeout(timeout time.Duration) *ListCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the list credentials params
+func (o *ListCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the list credentials params
+func (o *ListCredentialsParams) WithContext(ctx context.Context) *ListCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the list credentials params
+func (o *ListCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the list credentials params
+func (o *ListCredentialsParams) WithHTTPClient(client *http.Client) *ListCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the list credentials params
+func (o *ListCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *ListCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/list_credentials_responses.go
+++ b/client/credentials/list_credentials_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// ListCredentialsReader is a Reader for the ListCredentials structure.
+type ListCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *ListCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewListCredentialsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewListCredentialsBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[GET /github/credentials] ListCredentials", response, response.Code())
+	}
+}
+
+// NewListCredentialsOK creates a ListCredentialsOK with default headers values
+func NewListCredentialsOK() *ListCredentialsOK {
+	return &ListCredentialsOK{}
+}
+
+/*
+ListCredentialsOK describes a response with status code 200, with default header values.
+
+Credentials
+*/
+type ListCredentialsOK struct {
+	Payload garm_params.Credentials
+}
+
+// IsSuccess returns true when this list credentials o k response has a 2xx status code
+func (o *ListCredentialsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this list credentials o k response has a 3xx status code
+func (o *ListCredentialsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list credentials o k response has a 4xx status code
+func (o *ListCredentialsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this list credentials o k response has a 5xx status code
+func (o *ListCredentialsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list credentials o k response a status code equal to that given
+func (o *ListCredentialsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the list credentials o k response
+func (o *ListCredentialsOK) Code() int {
+	return 200
+}
+
+func (o *ListCredentialsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/credentials][%d] listCredentialsOK %s", 200, payload)
+}
+
+func (o *ListCredentialsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/credentials][%d] listCredentialsOK %s", 200, payload)
+}
+
+func (o *ListCredentialsOK) GetPayload() garm_params.Credentials {
+	return o.Payload
+}
+
+func (o *ListCredentialsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewListCredentialsBadRequest creates a ListCredentialsBadRequest with default headers values
+func NewListCredentialsBadRequest() *ListCredentialsBadRequest {
+	return &ListCredentialsBadRequest{}
+}
+
+/*
+ListCredentialsBadRequest describes a response with status code 400, with default header values.
+
+APIErrorResponse
+*/
+type ListCredentialsBadRequest struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this list credentials bad request response has a 2xx status code
+func (o *ListCredentialsBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this list credentials bad request response has a 3xx status code
+func (o *ListCredentialsBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list credentials bad request response has a 4xx status code
+func (o *ListCredentialsBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this list credentials bad request response has a 5xx status code
+func (o *ListCredentialsBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list credentials bad request response a status code equal to that given
+func (o *ListCredentialsBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the list credentials bad request response
+func (o *ListCredentialsBadRequest) Code() int {
+	return 400
+}
+
+func (o *ListCredentialsBadRequest) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/credentials][%d] listCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *ListCredentialsBadRequest) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/credentials][%d] listCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *ListCredentialsBadRequest) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *ListCredentialsBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/list_gitea_credentials_parameters.go
+++ b/client/credentials/list_gitea_credentials_parameters.go
@ -0,0 +1,128 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewListGiteaCredentialsParams creates a new ListGiteaCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewListGiteaCredentialsParams() *ListGiteaCredentialsParams {
+	return &ListGiteaCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewListGiteaCredentialsParamsWithTimeout creates a new ListGiteaCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewListGiteaCredentialsParamsWithTimeout(timeout time.Duration) *ListGiteaCredentialsParams {
+	return &ListGiteaCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewListGiteaCredentialsParamsWithContext creates a new ListGiteaCredentialsParams object
+// with the ability to set a context for a request.
+func NewListGiteaCredentialsParamsWithContext(ctx context.Context) *ListGiteaCredentialsParams {
+	return &ListGiteaCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewListGiteaCredentialsParamsWithHTTPClient creates a new ListGiteaCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewListGiteaCredentialsParamsWithHTTPClient(client *http.Client) *ListGiteaCredentialsParams {
+	return &ListGiteaCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+ListGiteaCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the list gitea credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type ListGiteaCredentialsParams struct {
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the list gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListGiteaCredentialsParams) WithDefaults() *ListGiteaCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the list gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListGiteaCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the list gitea credentials params
+func (o *ListGiteaCredentialsParams) WithTimeout(timeout time.Duration) *ListGiteaCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the list gitea credentials params
+func (o *ListGiteaCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the list gitea credentials params
+func (o *ListGiteaCredentialsParams) WithContext(ctx context.Context) *ListGiteaCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the list gitea credentials params
+func (o *ListGiteaCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the list gitea credentials params
+func (o *ListGiteaCredentialsParams) WithHTTPClient(client *http.Client) *ListGiteaCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the list gitea credentials params
+func (o *ListGiteaCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *ListGiteaCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/list_gitea_credentials_responses.go
+++ b/client/credentials/list_gitea_credentials_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// ListGiteaCredentialsReader is a Reader for the ListGiteaCredentials structure.
+type ListGiteaCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *ListGiteaCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewListGiteaCredentialsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewListGiteaCredentialsBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[GET /gitea/credentials] ListGiteaCredentials", response, response.Code())
+	}
+}
+
+// NewListGiteaCredentialsOK creates a ListGiteaCredentialsOK with default headers values
+func NewListGiteaCredentialsOK() *ListGiteaCredentialsOK {
+	return &ListGiteaCredentialsOK{}
+}
+
+/*
+ListGiteaCredentialsOK describes a response with status code 200, with default header values.
+
+Credentials
+*/
+type ListGiteaCredentialsOK struct {
+	Payload garm_params.Credentials
+}
+
+// IsSuccess returns true when this list gitea credentials o k response has a 2xx status code
+func (o *ListGiteaCredentialsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this list gitea credentials o k response has a 3xx status code
+func (o *ListGiteaCredentialsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list gitea credentials o k response has a 4xx status code
+func (o *ListGiteaCredentialsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this list gitea credentials o k response has a 5xx status code
+func (o *ListGiteaCredentialsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list gitea credentials o k response a status code equal to that given
+func (o *ListGiteaCredentialsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the list gitea credentials o k response
+func (o *ListGiteaCredentialsOK) Code() int {
+	return 200
+}
+
+func (o *ListGiteaCredentialsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/credentials][%d] listGiteaCredentialsOK %s", 200, payload)
+}
+
+func (o *ListGiteaCredentialsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/credentials][%d] listGiteaCredentialsOK %s", 200, payload)
+}
+
+func (o *ListGiteaCredentialsOK) GetPayload() garm_params.Credentials {
+	return o.Payload
+}
+
+func (o *ListGiteaCredentialsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewListGiteaCredentialsBadRequest creates a ListGiteaCredentialsBadRequest with default headers values
+func NewListGiteaCredentialsBadRequest() *ListGiteaCredentialsBadRequest {
+	return &ListGiteaCredentialsBadRequest{}
+}
+
+/*
+ListGiteaCredentialsBadRequest describes a response with status code 400, with default header values.
+
+APIErrorResponse
+*/
+type ListGiteaCredentialsBadRequest struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this list gitea credentials bad request response has a 2xx status code
+func (o *ListGiteaCredentialsBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this list gitea credentials bad request response has a 3xx status code
+func (o *ListGiteaCredentialsBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list gitea credentials bad request response has a 4xx status code
+func (o *ListGiteaCredentialsBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this list gitea credentials bad request response has a 5xx status code
+func (o *ListGiteaCredentialsBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list gitea credentials bad request response a status code equal to that given
+func (o *ListGiteaCredentialsBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the list gitea credentials bad request response
+func (o *ListGiteaCredentialsBadRequest) Code() int {
+	return 400
+}
+
+func (o *ListGiteaCredentialsBadRequest) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/credentials][%d] listGiteaCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *ListGiteaCredentialsBadRequest) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/credentials][%d] listGiteaCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *ListGiteaCredentialsBadRequest) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *ListGiteaCredentialsBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/update_credentials_parameters.go
+++ b/client/credentials/update_credentials_parameters.go
@ -0,0 +1,174 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewUpdateCredentialsParams creates a new UpdateCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewUpdateCredentialsParams() *UpdateCredentialsParams {
+	return &UpdateCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewUpdateCredentialsParamsWithTimeout creates a new UpdateCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewUpdateCredentialsParamsWithTimeout(timeout time.Duration) *UpdateCredentialsParams {
+	return &UpdateCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewUpdateCredentialsParamsWithContext creates a new UpdateCredentialsParams object
+// with the ability to set a context for a request.
+func NewUpdateCredentialsParamsWithContext(ctx context.Context) *UpdateCredentialsParams {
+	return &UpdateCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewUpdateCredentialsParamsWithHTTPClient creates a new UpdateCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewUpdateCredentialsParamsWithHTTPClient(client *http.Client) *UpdateCredentialsParams {
+	return &UpdateCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+UpdateCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the update credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type UpdateCredentialsParams struct {
+
+	/* Body.
+
+	   Parameters used when updating a GitHub credential.
+	*/
+	Body garm_params.UpdateGithubCredentialsParams
+
+	/* ID.
+
+	   ID of the GitHub credential.
+	*/
+	ID int64
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the update credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateCredentialsParams) WithDefaults() *UpdateCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the update credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the update credentials params
+func (o *UpdateCredentialsParams) WithTimeout(timeout time.Duration) *UpdateCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the update credentials params
+func (o *UpdateCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the update credentials params
+func (o *UpdateCredentialsParams) WithContext(ctx context.Context) *UpdateCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the update credentials params
+func (o *UpdateCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the update credentials params
+func (o *UpdateCredentialsParams) WithHTTPClient(client *http.Client) *UpdateCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the update credentials params
+func (o *UpdateCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the update credentials params
+func (o *UpdateCredentialsParams) WithBody(body garm_params.UpdateGithubCredentialsParams) *UpdateCredentialsParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the update credentials params
+func (o *UpdateCredentialsParams) SetBody(body garm_params.UpdateGithubCredentialsParams) {
+	o.Body = body
+}
+
+// WithID adds the id to the update credentials params
+func (o *UpdateCredentialsParams) WithID(id int64) *UpdateCredentialsParams {
+	o.SetID(id)
+	return o
+}
+
+// SetID adds the id to the update credentials params
+func (o *UpdateCredentialsParams) SetID(id int64) {
+	o.ID = id
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *UpdateCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	// path param id
+	if err := r.SetPathParam("id", swag.FormatInt64(o.ID)); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/update_credentials_responses.go
+++ b/client/credentials/update_credentials_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// UpdateCredentialsReader is a Reader for the UpdateCredentials structure.
+type UpdateCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *UpdateCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewUpdateCredentialsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewUpdateCredentialsBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[PUT /github/credentials/{id}] UpdateCredentials", response, response.Code())
+	}
+}
+
+// NewUpdateCredentialsOK creates a UpdateCredentialsOK with default headers values
+func NewUpdateCredentialsOK() *UpdateCredentialsOK {
+	return &UpdateCredentialsOK{}
+}
+
+/*
+UpdateCredentialsOK describes a response with status code 200, with default header values.
+
+ForgeCredentials
+*/
+type UpdateCredentialsOK struct {
+	Payload garm_params.ForgeCredentials
+}
+
+// IsSuccess returns true when this update credentials o k response has a 2xx status code
+func (o *UpdateCredentialsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this update credentials o k response has a 3xx status code
+func (o *UpdateCredentialsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this update credentials o k response has a 4xx status code
+func (o *UpdateCredentialsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this update credentials o k response has a 5xx status code
+func (o *UpdateCredentialsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this update credentials o k response a status code equal to that given
+func (o *UpdateCredentialsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the update credentials o k response
+func (o *UpdateCredentialsOK) Code() int {
+	return 200
+}
+
+func (o *UpdateCredentialsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /github/credentials/{id}][%d] updateCredentialsOK %s", 200, payload)
+}
+
+func (o *UpdateCredentialsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /github/credentials/{id}][%d] updateCredentialsOK %s", 200, payload)
+}
+
+func (o *UpdateCredentialsOK) GetPayload() garm_params.ForgeCredentials {
+	return o.Payload
+}
+
+func (o *UpdateCredentialsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewUpdateCredentialsBadRequest creates a UpdateCredentialsBadRequest with default headers values
+func NewUpdateCredentialsBadRequest() *UpdateCredentialsBadRequest {
+	return &UpdateCredentialsBadRequest{}
+}
+
+/*
+UpdateCredentialsBadRequest describes a response with status code 400, with default header values.
+
+APIErrorResponse
+*/
+type UpdateCredentialsBadRequest struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this update credentials bad request response has a 2xx status code
+func (o *UpdateCredentialsBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this update credentials bad request response has a 3xx status code
+func (o *UpdateCredentialsBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this update credentials bad request response has a 4xx status code
+func (o *UpdateCredentialsBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this update credentials bad request response has a 5xx status code
+func (o *UpdateCredentialsBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this update credentials bad request response a status code equal to that given
+func (o *UpdateCredentialsBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the update credentials bad request response
+func (o *UpdateCredentialsBadRequest) Code() int {
+	return 400
+}
+
+func (o *UpdateCredentialsBadRequest) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /github/credentials/{id}][%d] updateCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *UpdateCredentialsBadRequest) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /github/credentials/{id}][%d] updateCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *UpdateCredentialsBadRequest) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *UpdateCredentialsBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/credentials/update_gitea_credentials_parameters.go
+++ b/client/credentials/update_gitea_credentials_parameters.go
@ -0,0 +1,174 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+	"github.com/go-openapi/swag"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewUpdateGiteaCredentialsParams creates a new UpdateGiteaCredentialsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewUpdateGiteaCredentialsParams() *UpdateGiteaCredentialsParams {
+	return &UpdateGiteaCredentialsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewUpdateGiteaCredentialsParamsWithTimeout creates a new UpdateGiteaCredentialsParams object
+// with the ability to set a timeout on a request.
+func NewUpdateGiteaCredentialsParamsWithTimeout(timeout time.Duration) *UpdateGiteaCredentialsParams {
+	return &UpdateGiteaCredentialsParams{
+		timeout: timeout,
+	}
+}
+
+// NewUpdateGiteaCredentialsParamsWithContext creates a new UpdateGiteaCredentialsParams object
+// with the ability to set a context for a request.
+func NewUpdateGiteaCredentialsParamsWithContext(ctx context.Context) *UpdateGiteaCredentialsParams {
+	return &UpdateGiteaCredentialsParams{
+		Context: ctx,
+	}
+}
+
+// NewUpdateGiteaCredentialsParamsWithHTTPClient creates a new UpdateGiteaCredentialsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewUpdateGiteaCredentialsParamsWithHTTPClient(client *http.Client) *UpdateGiteaCredentialsParams {
+	return &UpdateGiteaCredentialsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+UpdateGiteaCredentialsParams contains all the parameters to send to the API endpoint
+
+	for the update gitea credentials operation.
+
+	Typically these are written to a http.Request.
+*/
+type UpdateGiteaCredentialsParams struct {
+
+	/* Body.
+
+	   Parameters used when updating a Gitea credential.
+	*/
+	Body garm_params.UpdateGiteaCredentialsParams
+
+	/* ID.
+
+	   ID of the Gitea credential.
+	*/
+	ID int64
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the update gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateGiteaCredentialsParams) WithDefaults() *UpdateGiteaCredentialsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the update gitea credentials params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateGiteaCredentialsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) WithTimeout(timeout time.Duration) *UpdateGiteaCredentialsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) WithContext(ctx context.Context) *UpdateGiteaCredentialsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) WithHTTPClient(client *http.Client) *UpdateGiteaCredentialsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) WithBody(body garm_params.UpdateGiteaCredentialsParams) *UpdateGiteaCredentialsParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) SetBody(body garm_params.UpdateGiteaCredentialsParams) {
+	o.Body = body
+}
+
+// WithID adds the id to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) WithID(id int64) *UpdateGiteaCredentialsParams {
+	o.SetID(id)
+	return o
+}
+
+// SetID adds the id to the update gitea credentials params
+func (o *UpdateGiteaCredentialsParams) SetID(id int64) {
+	o.ID = id
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *UpdateGiteaCredentialsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	// path param id
+	if err := r.SetPathParam("id", swag.FormatInt64(o.ID)); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/credentials/update_gitea_credentials_responses.go
+++ b/client/credentials/update_gitea_credentials_responses.go
@ -0,0 +1,179 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package credentials
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// UpdateGiteaCredentialsReader is a Reader for the UpdateGiteaCredentials structure.
+type UpdateGiteaCredentialsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *UpdateGiteaCredentialsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewUpdateGiteaCredentialsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	case 400:
+		result := NewUpdateGiteaCredentialsBadRequest()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return nil, result
+	default:
+		return nil, runtime.NewAPIError("[PUT /gitea/credentials/{id}] UpdateGiteaCredentials", response, response.Code())
+	}
+}
+
+// NewUpdateGiteaCredentialsOK creates a UpdateGiteaCredentialsOK with default headers values
+func NewUpdateGiteaCredentialsOK() *UpdateGiteaCredentialsOK {
+	return &UpdateGiteaCredentialsOK{}
+}
+
+/*
+UpdateGiteaCredentialsOK describes a response with status code 200, with default header values.
+
+ForgeCredentials
+*/
+type UpdateGiteaCredentialsOK struct {
+	Payload garm_params.ForgeCredentials
+}
+
+// IsSuccess returns true when this update gitea credentials o k response has a 2xx status code
+func (o *UpdateGiteaCredentialsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this update gitea credentials o k response has a 3xx status code
+func (o *UpdateGiteaCredentialsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this update gitea credentials o k response has a 4xx status code
+func (o *UpdateGiteaCredentialsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this update gitea credentials o k response has a 5xx status code
+func (o *UpdateGiteaCredentialsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this update gitea credentials o k response a status code equal to that given
+func (o *UpdateGiteaCredentialsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the update gitea credentials o k response
+func (o *UpdateGiteaCredentialsOK) Code() int {
+	return 200
+}
+
+func (o *UpdateGiteaCredentialsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /gitea/credentials/{id}][%d] updateGiteaCredentialsOK %s", 200, payload)
+}
+
+func (o *UpdateGiteaCredentialsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /gitea/credentials/{id}][%d] updateGiteaCredentialsOK %s", 200, payload)
+}
+
+func (o *UpdateGiteaCredentialsOK) GetPayload() garm_params.ForgeCredentials {
+	return o.Payload
+}
+
+func (o *UpdateGiteaCredentialsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewUpdateGiteaCredentialsBadRequest creates a UpdateGiteaCredentialsBadRequest with default headers values
+func NewUpdateGiteaCredentialsBadRequest() *UpdateGiteaCredentialsBadRequest {
+	return &UpdateGiteaCredentialsBadRequest{}
+}
+
+/*
+UpdateGiteaCredentialsBadRequest describes a response with status code 400, with default header values.
+
+APIErrorResponse
+*/
+type UpdateGiteaCredentialsBadRequest struct {
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this update gitea credentials bad request response has a 2xx status code
+func (o *UpdateGiteaCredentialsBadRequest) IsSuccess() bool {
+	return false
+}
+
+// IsRedirect returns true when this update gitea credentials bad request response has a 3xx status code
+func (o *UpdateGiteaCredentialsBadRequest) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this update gitea credentials bad request response has a 4xx status code
+func (o *UpdateGiteaCredentialsBadRequest) IsClientError() bool {
+	return true
+}
+
+// IsServerError returns true when this update gitea credentials bad request response has a 5xx status code
+func (o *UpdateGiteaCredentialsBadRequest) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this update gitea credentials bad request response a status code equal to that given
+func (o *UpdateGiteaCredentialsBadRequest) IsCode(code int) bool {
+	return code == 400
+}
+
+// Code gets the status code for the update gitea credentials bad request response
+func (o *UpdateGiteaCredentialsBadRequest) Code() int {
+	return 400
+}
+
+func (o *UpdateGiteaCredentialsBadRequest) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /gitea/credentials/{id}][%d] updateGiteaCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *UpdateGiteaCredentialsBadRequest) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /gitea/credentials/{id}][%d] updateGiteaCredentialsBadRequest %s", 400, payload)
+}
+
+func (o *UpdateGiteaCredentialsBadRequest) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *UpdateGiteaCredentialsBadRequest) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/create_gitea_endpoint_parameters.go
+++ b/client/endpoints/create_gitea_endpoint_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewCreateGiteaEndpointParams creates a new CreateGiteaEndpointParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewCreateGiteaEndpointParams() *CreateGiteaEndpointParams {
+	return &CreateGiteaEndpointParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewCreateGiteaEndpointParamsWithTimeout creates a new CreateGiteaEndpointParams object
+// with the ability to set a timeout on a request.
+func NewCreateGiteaEndpointParamsWithTimeout(timeout time.Duration) *CreateGiteaEndpointParams {
+	return &CreateGiteaEndpointParams{
+		timeout: timeout,
+	}
+}
+
+// NewCreateGiteaEndpointParamsWithContext creates a new CreateGiteaEndpointParams object
+// with the ability to set a context for a request.
+func NewCreateGiteaEndpointParamsWithContext(ctx context.Context) *CreateGiteaEndpointParams {
+	return &CreateGiteaEndpointParams{
+		Context: ctx,
+	}
+}
+
+// NewCreateGiteaEndpointParamsWithHTTPClient creates a new CreateGiteaEndpointParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewCreateGiteaEndpointParamsWithHTTPClient(client *http.Client) *CreateGiteaEndpointParams {
+	return &CreateGiteaEndpointParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+CreateGiteaEndpointParams contains all the parameters to send to the API endpoint
+
+	for the create gitea endpoint operation.
+
+	Typically these are written to a http.Request.
+*/
+type CreateGiteaEndpointParams struct {
+
+	/* Body.
+
+	   Parameters used when creating a Gitea endpoint.
+	*/
+	Body garm_params.CreateGiteaEndpointParams
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the create gitea endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateGiteaEndpointParams) WithDefaults() *CreateGiteaEndpointParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the create gitea endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateGiteaEndpointParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the create gitea endpoint params
+func (o *CreateGiteaEndpointParams) WithTimeout(timeout time.Duration) *CreateGiteaEndpointParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the create gitea endpoint params
+func (o *CreateGiteaEndpointParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the create gitea endpoint params
+func (o *CreateGiteaEndpointParams) WithContext(ctx context.Context) *CreateGiteaEndpointParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the create gitea endpoint params
+func (o *CreateGiteaEndpointParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the create gitea endpoint params
+func (o *CreateGiteaEndpointParams) WithHTTPClient(client *http.Client) *CreateGiteaEndpointParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the create gitea endpoint params
+func (o *CreateGiteaEndpointParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the create gitea endpoint params
+func (o *CreateGiteaEndpointParams) WithBody(body garm_params.CreateGiteaEndpointParams) *CreateGiteaEndpointParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the create gitea endpoint params
+func (o *CreateGiteaEndpointParams) SetBody(body garm_params.CreateGiteaEndpointParams) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *CreateGiteaEndpointParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/create_gitea_endpoint_responses.go
+++ b/client/endpoints/create_gitea_endpoint_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// CreateGiteaEndpointReader is a Reader for the CreateGiteaEndpoint structure.
+type CreateGiteaEndpointReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *CreateGiteaEndpointReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewCreateGiteaEndpointOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewCreateGiteaEndpointDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewCreateGiteaEndpointOK creates a CreateGiteaEndpointOK with default headers values
+func NewCreateGiteaEndpointOK() *CreateGiteaEndpointOK {
+	return &CreateGiteaEndpointOK{}
+}
+
+/*
+CreateGiteaEndpointOK describes a response with status code 200, with default header values.
+
+ForgeEndpoint
+*/
+type CreateGiteaEndpointOK struct {
+	Payload garm_params.ForgeEndpoint
+}
+
+// IsSuccess returns true when this create gitea endpoint o k response has a 2xx status code
+func (o *CreateGiteaEndpointOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this create gitea endpoint o k response has a 3xx status code
+func (o *CreateGiteaEndpointOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this create gitea endpoint o k response has a 4xx status code
+func (o *CreateGiteaEndpointOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this create gitea endpoint o k response has a 5xx status code
+func (o *CreateGiteaEndpointOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this create gitea endpoint o k response a status code equal to that given
+func (o *CreateGiteaEndpointOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the create gitea endpoint o k response
+func (o *CreateGiteaEndpointOK) Code() int {
+	return 200
+}
+
+func (o *CreateGiteaEndpointOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /gitea/endpoints][%d] createGiteaEndpointOK %s", 200, payload)
+}
+
+func (o *CreateGiteaEndpointOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /gitea/endpoints][%d] createGiteaEndpointOK %s", 200, payload)
+}
+
+func (o *CreateGiteaEndpointOK) GetPayload() garm_params.ForgeEndpoint {
+	return o.Payload
+}
+
+func (o *CreateGiteaEndpointOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewCreateGiteaEndpointDefault creates a CreateGiteaEndpointDefault with default headers values
+func NewCreateGiteaEndpointDefault(code int) *CreateGiteaEndpointDefault {
+	return &CreateGiteaEndpointDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+CreateGiteaEndpointDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type CreateGiteaEndpointDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this create gitea endpoint default response has a 2xx status code
+func (o *CreateGiteaEndpointDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this create gitea endpoint default response has a 3xx status code
+func (o *CreateGiteaEndpointDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this create gitea endpoint default response has a 4xx status code
+func (o *CreateGiteaEndpointDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this create gitea endpoint default response has a 5xx status code
+func (o *CreateGiteaEndpointDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this create gitea endpoint default response a status code equal to that given
+func (o *CreateGiteaEndpointDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the create gitea endpoint default response
+func (o *CreateGiteaEndpointDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *CreateGiteaEndpointDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /gitea/endpoints][%d] CreateGiteaEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *CreateGiteaEndpointDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /gitea/endpoints][%d] CreateGiteaEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *CreateGiteaEndpointDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *CreateGiteaEndpointDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/create_github_endpoint_parameters.go
+++ b/client/endpoints/create_github_endpoint_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewCreateGithubEndpointParams creates a new CreateGithubEndpointParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewCreateGithubEndpointParams() *CreateGithubEndpointParams {
+	return &CreateGithubEndpointParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewCreateGithubEndpointParamsWithTimeout creates a new CreateGithubEndpointParams object
+// with the ability to set a timeout on a request.
+func NewCreateGithubEndpointParamsWithTimeout(timeout time.Duration) *CreateGithubEndpointParams {
+	return &CreateGithubEndpointParams{
+		timeout: timeout,
+	}
+}
+
+// NewCreateGithubEndpointParamsWithContext creates a new CreateGithubEndpointParams object
+// with the ability to set a context for a request.
+func NewCreateGithubEndpointParamsWithContext(ctx context.Context) *CreateGithubEndpointParams {
+	return &CreateGithubEndpointParams{
+		Context: ctx,
+	}
+}
+
+// NewCreateGithubEndpointParamsWithHTTPClient creates a new CreateGithubEndpointParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewCreateGithubEndpointParamsWithHTTPClient(client *http.Client) *CreateGithubEndpointParams {
+	return &CreateGithubEndpointParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+CreateGithubEndpointParams contains all the parameters to send to the API endpoint
+
+	for the create github endpoint operation.
+
+	Typically these are written to a http.Request.
+*/
+type CreateGithubEndpointParams struct {
+
+	/* Body.
+
+	   Parameters used when creating a GitHub endpoint.
+	*/
+	Body garm_params.CreateGithubEndpointParams
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the create github endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateGithubEndpointParams) WithDefaults() *CreateGithubEndpointParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the create github endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateGithubEndpointParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the create github endpoint params
+func (o *CreateGithubEndpointParams) WithTimeout(timeout time.Duration) *CreateGithubEndpointParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the create github endpoint params
+func (o *CreateGithubEndpointParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the create github endpoint params
+func (o *CreateGithubEndpointParams) WithContext(ctx context.Context) *CreateGithubEndpointParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the create github endpoint params
+func (o *CreateGithubEndpointParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the create github endpoint params
+func (o *CreateGithubEndpointParams) WithHTTPClient(client *http.Client) *CreateGithubEndpointParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the create github endpoint params
+func (o *CreateGithubEndpointParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the create github endpoint params
+func (o *CreateGithubEndpointParams) WithBody(body garm_params.CreateGithubEndpointParams) *CreateGithubEndpointParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the create github endpoint params
+func (o *CreateGithubEndpointParams) SetBody(body garm_params.CreateGithubEndpointParams) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *CreateGithubEndpointParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/create_github_endpoint_responses.go
+++ b/client/endpoints/create_github_endpoint_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// CreateGithubEndpointReader is a Reader for the CreateGithubEndpoint structure.
+type CreateGithubEndpointReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *CreateGithubEndpointReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewCreateGithubEndpointOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewCreateGithubEndpointDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewCreateGithubEndpointOK creates a CreateGithubEndpointOK with default headers values
+func NewCreateGithubEndpointOK() *CreateGithubEndpointOK {
+	return &CreateGithubEndpointOK{}
+}
+
+/*
+CreateGithubEndpointOK describes a response with status code 200, with default header values.
+
+ForgeEndpoint
+*/
+type CreateGithubEndpointOK struct {
+	Payload garm_params.ForgeEndpoint
+}
+
+// IsSuccess returns true when this create github endpoint o k response has a 2xx status code
+func (o *CreateGithubEndpointOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this create github endpoint o k response has a 3xx status code
+func (o *CreateGithubEndpointOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this create github endpoint o k response has a 4xx status code
+func (o *CreateGithubEndpointOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this create github endpoint o k response has a 5xx status code
+func (o *CreateGithubEndpointOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this create github endpoint o k response a status code equal to that given
+func (o *CreateGithubEndpointOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the create github endpoint o k response
+func (o *CreateGithubEndpointOK) Code() int {
+	return 200
+}
+
+func (o *CreateGithubEndpointOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /github/endpoints][%d] createGithubEndpointOK %s", 200, payload)
+}
+
+func (o *CreateGithubEndpointOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /github/endpoints][%d] createGithubEndpointOK %s", 200, payload)
+}
+
+func (o *CreateGithubEndpointOK) GetPayload() garm_params.ForgeEndpoint {
+	return o.Payload
+}
+
+func (o *CreateGithubEndpointOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewCreateGithubEndpointDefault creates a CreateGithubEndpointDefault with default headers values
+func NewCreateGithubEndpointDefault(code int) *CreateGithubEndpointDefault {
+	return &CreateGithubEndpointDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+CreateGithubEndpointDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type CreateGithubEndpointDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this create github endpoint default response has a 2xx status code
+func (o *CreateGithubEndpointDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this create github endpoint default response has a 3xx status code
+func (o *CreateGithubEndpointDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this create github endpoint default response has a 4xx status code
+func (o *CreateGithubEndpointDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this create github endpoint default response has a 5xx status code
+func (o *CreateGithubEndpointDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this create github endpoint default response a status code equal to that given
+func (o *CreateGithubEndpointDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the create github endpoint default response
+func (o *CreateGithubEndpointDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *CreateGithubEndpointDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /github/endpoints][%d] CreateGithubEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *CreateGithubEndpointDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /github/endpoints][%d] CreateGithubEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *CreateGithubEndpointDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *CreateGithubEndpointDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/delete_gitea_endpoint_parameters.go
+++ b/client/endpoints/delete_gitea_endpoint_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewDeleteGiteaEndpointParams creates a new DeleteGiteaEndpointParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewDeleteGiteaEndpointParams() *DeleteGiteaEndpointParams {
+	return &DeleteGiteaEndpointParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewDeleteGiteaEndpointParamsWithTimeout creates a new DeleteGiteaEndpointParams object
+// with the ability to set a timeout on a request.
+func NewDeleteGiteaEndpointParamsWithTimeout(timeout time.Duration) *DeleteGiteaEndpointParams {
+	return &DeleteGiteaEndpointParams{
+		timeout: timeout,
+	}
+}
+
+// NewDeleteGiteaEndpointParamsWithContext creates a new DeleteGiteaEndpointParams object
+// with the ability to set a context for a request.
+func NewDeleteGiteaEndpointParamsWithContext(ctx context.Context) *DeleteGiteaEndpointParams {
+	return &DeleteGiteaEndpointParams{
+		Context: ctx,
+	}
+}
+
+// NewDeleteGiteaEndpointParamsWithHTTPClient creates a new DeleteGiteaEndpointParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewDeleteGiteaEndpointParamsWithHTTPClient(client *http.Client) *DeleteGiteaEndpointParams {
+	return &DeleteGiteaEndpointParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+DeleteGiteaEndpointParams contains all the parameters to send to the API endpoint
+
+	for the delete gitea endpoint operation.
+
+	Typically these are written to a http.Request.
+*/
+type DeleteGiteaEndpointParams struct {
+
+	/* Name.
+
+	   The name of the Gitea endpoint.
+	*/
+	Name string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the delete gitea endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteGiteaEndpointParams) WithDefaults() *DeleteGiteaEndpointParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the delete gitea endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteGiteaEndpointParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the delete gitea endpoint params
+func (o *DeleteGiteaEndpointParams) WithTimeout(timeout time.Duration) *DeleteGiteaEndpointParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the delete gitea endpoint params
+func (o *DeleteGiteaEndpointParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the delete gitea endpoint params
+func (o *DeleteGiteaEndpointParams) WithContext(ctx context.Context) *DeleteGiteaEndpointParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the delete gitea endpoint params
+func (o *DeleteGiteaEndpointParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the delete gitea endpoint params
+func (o *DeleteGiteaEndpointParams) WithHTTPClient(client *http.Client) *DeleteGiteaEndpointParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the delete gitea endpoint params
+func (o *DeleteGiteaEndpointParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithName adds the name to the delete gitea endpoint params
+func (o *DeleteGiteaEndpointParams) WithName(name string) *DeleteGiteaEndpointParams {
+	o.SetName(name)
+	return o
+}
+
+// SetName adds the name to the delete gitea endpoint params
+func (o *DeleteGiteaEndpointParams) SetName(name string) {
+	o.Name = name
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *DeleteGiteaEndpointParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param name
+	if err := r.SetPathParam("name", o.Name); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/delete_gitea_endpoint_responses.go
+++ b/client/endpoints/delete_gitea_endpoint_responses.go
@ -0,0 +1,106 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+)
+
+// DeleteGiteaEndpointReader is a Reader for the DeleteGiteaEndpoint structure.
+type DeleteGiteaEndpointReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *DeleteGiteaEndpointReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	result := NewDeleteGiteaEndpointDefault(response.Code())
+	if err := result.readResponse(response, consumer, o.formats); err != nil {
+		return nil, err
+	}
+	if response.Code()/100 == 2 {
+		return result, nil
+	}
+	return nil, result
+}
+
+// NewDeleteGiteaEndpointDefault creates a DeleteGiteaEndpointDefault with default headers values
+func NewDeleteGiteaEndpointDefault(code int) *DeleteGiteaEndpointDefault {
+	return &DeleteGiteaEndpointDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+DeleteGiteaEndpointDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type DeleteGiteaEndpointDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this delete gitea endpoint default response has a 2xx status code
+func (o *DeleteGiteaEndpointDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this delete gitea endpoint default response has a 3xx status code
+func (o *DeleteGiteaEndpointDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this delete gitea endpoint default response has a 4xx status code
+func (o *DeleteGiteaEndpointDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this delete gitea endpoint default response has a 5xx status code
+func (o *DeleteGiteaEndpointDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this delete gitea endpoint default response a status code equal to that given
+func (o *DeleteGiteaEndpointDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the delete gitea endpoint default response
+func (o *DeleteGiteaEndpointDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *DeleteGiteaEndpointDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[DELETE /gitea/endpoints/{name}][%d] DeleteGiteaEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *DeleteGiteaEndpointDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[DELETE /gitea/endpoints/{name}][%d] DeleteGiteaEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *DeleteGiteaEndpointDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *DeleteGiteaEndpointDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/delete_github_endpoint_parameters.go
+++ b/client/endpoints/delete_github_endpoint_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewDeleteGithubEndpointParams creates a new DeleteGithubEndpointParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewDeleteGithubEndpointParams() *DeleteGithubEndpointParams {
+	return &DeleteGithubEndpointParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewDeleteGithubEndpointParamsWithTimeout creates a new DeleteGithubEndpointParams object
+// with the ability to set a timeout on a request.
+func NewDeleteGithubEndpointParamsWithTimeout(timeout time.Duration) *DeleteGithubEndpointParams {
+	return &DeleteGithubEndpointParams{
+		timeout: timeout,
+	}
+}
+
+// NewDeleteGithubEndpointParamsWithContext creates a new DeleteGithubEndpointParams object
+// with the ability to set a context for a request.
+func NewDeleteGithubEndpointParamsWithContext(ctx context.Context) *DeleteGithubEndpointParams {
+	return &DeleteGithubEndpointParams{
+		Context: ctx,
+	}
+}
+
+// NewDeleteGithubEndpointParamsWithHTTPClient creates a new DeleteGithubEndpointParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewDeleteGithubEndpointParamsWithHTTPClient(client *http.Client) *DeleteGithubEndpointParams {
+	return &DeleteGithubEndpointParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+DeleteGithubEndpointParams contains all the parameters to send to the API endpoint
+
+	for the delete github endpoint operation.
+
+	Typically these are written to a http.Request.
+*/
+type DeleteGithubEndpointParams struct {
+
+	/* Name.
+
+	   The name of the GitHub endpoint.
+	*/
+	Name string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the delete github endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteGithubEndpointParams) WithDefaults() *DeleteGithubEndpointParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the delete github endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteGithubEndpointParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the delete github endpoint params
+func (o *DeleteGithubEndpointParams) WithTimeout(timeout time.Duration) *DeleteGithubEndpointParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the delete github endpoint params
+func (o *DeleteGithubEndpointParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the delete github endpoint params
+func (o *DeleteGithubEndpointParams) WithContext(ctx context.Context) *DeleteGithubEndpointParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the delete github endpoint params
+func (o *DeleteGithubEndpointParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the delete github endpoint params
+func (o *DeleteGithubEndpointParams) WithHTTPClient(client *http.Client) *DeleteGithubEndpointParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the delete github endpoint params
+func (o *DeleteGithubEndpointParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithName adds the name to the delete github endpoint params
+func (o *DeleteGithubEndpointParams) WithName(name string) *DeleteGithubEndpointParams {
+	o.SetName(name)
+	return o
+}
+
+// SetName adds the name to the delete github endpoint params
+func (o *DeleteGithubEndpointParams) SetName(name string) {
+	o.Name = name
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *DeleteGithubEndpointParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param name
+	if err := r.SetPathParam("name", o.Name); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/delete_github_endpoint_responses.go
+++ b/client/endpoints/delete_github_endpoint_responses.go
@ -0,0 +1,106 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+)
+
+// DeleteGithubEndpointReader is a Reader for the DeleteGithubEndpoint structure.
+type DeleteGithubEndpointReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *DeleteGithubEndpointReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	result := NewDeleteGithubEndpointDefault(response.Code())
+	if err := result.readResponse(response, consumer, o.formats); err != nil {
+		return nil, err
+	}
+	if response.Code()/100 == 2 {
+		return result, nil
+	}
+	return nil, result
+}
+
+// NewDeleteGithubEndpointDefault creates a DeleteGithubEndpointDefault with default headers values
+func NewDeleteGithubEndpointDefault(code int) *DeleteGithubEndpointDefault {
+	return &DeleteGithubEndpointDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+DeleteGithubEndpointDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type DeleteGithubEndpointDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this delete github endpoint default response has a 2xx status code
+func (o *DeleteGithubEndpointDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this delete github endpoint default response has a 3xx status code
+func (o *DeleteGithubEndpointDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this delete github endpoint default response has a 4xx status code
+func (o *DeleteGithubEndpointDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this delete github endpoint default response has a 5xx status code
+func (o *DeleteGithubEndpointDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this delete github endpoint default response a status code equal to that given
+func (o *DeleteGithubEndpointDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the delete github endpoint default response
+func (o *DeleteGithubEndpointDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *DeleteGithubEndpointDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[DELETE /github/endpoints/{name}][%d] DeleteGithubEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *DeleteGithubEndpointDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[DELETE /github/endpoints/{name}][%d] DeleteGithubEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *DeleteGithubEndpointDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *DeleteGithubEndpointDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/endpoints_client.go
+++ b/client/endpoints/endpoints_client.go
@ -0,0 +1,451 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"github.com/go-openapi/runtime"
+	httptransport "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// New creates a new endpoints API client.
+func New(transport runtime.ClientTransport, formats strfmt.Registry) ClientService {
+	return &Client{transport: transport, formats: formats}
+}
+
+// New creates a new endpoints API client with basic auth credentials.
+// It takes the following parameters:
+// - host: http host (github.com).
+// - basePath: any base path for the API client ("/v1", "/v3").
+// - scheme: http scheme ("http", "https").
+// - user: user for basic authentication header.
+// - password: password for basic authentication header.
+func NewClientWithBasicAuth(host, basePath, scheme, user, password string) ClientService {
+	transport := httptransport.New(host, basePath, []string{scheme})
+	transport.DefaultAuthentication = httptransport.BasicAuth(user, password)
+	return &Client{transport: transport, formats: strfmt.Default}
+}
+
+// New creates a new endpoints API client with a bearer token for authentication.
+// It takes the following parameters:
+// - host: http host (github.com).
+// - basePath: any base path for the API client ("/v1", "/v3").
+// - scheme: http scheme ("http", "https").
+// - bearerToken: bearer token for Bearer authentication header.
+func NewClientWithBearerToken(host, basePath, scheme, bearerToken string) ClientService {
+	transport := httptransport.New(host, basePath, []string{scheme})
+	transport.DefaultAuthentication = httptransport.BearerToken(bearerToken)
+	return &Client{transport: transport, formats: strfmt.Default}
+}
+
+/*
+Client for endpoints API
+*/
+type Client struct {
+	transport runtime.ClientTransport
+	formats   strfmt.Registry
+}
+
+// ClientOption may be used to customize the behavior of Client methods.
+type ClientOption func(*runtime.ClientOperation)
+
+// ClientService is the interface for Client methods
+type ClientService interface {
+	CreateGiteaEndpoint(params *CreateGiteaEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateGiteaEndpointOK, error)
+
+	CreateGithubEndpoint(params *CreateGithubEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateGithubEndpointOK, error)
+
+	DeleteGiteaEndpoint(params *DeleteGiteaEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) error
+
+	DeleteGithubEndpoint(params *DeleteGithubEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) error
+
+	GetGiteaEndpoint(params *GetGiteaEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GetGiteaEndpointOK, error)
+
+	GetGithubEndpoint(params *GetGithubEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GetGithubEndpointOK, error)
+
+	ListGiteaEndpoints(params *ListGiteaEndpointsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListGiteaEndpointsOK, error)
+
+	ListGithubEndpoints(params *ListGithubEndpointsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListGithubEndpointsOK, error)
+
+	UpdateGiteaEndpoint(params *UpdateGiteaEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateGiteaEndpointOK, error)
+
+	UpdateGithubEndpoint(params *UpdateGithubEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateGithubEndpointOK, error)
+
+	SetTransport(transport runtime.ClientTransport)
+}
+
+/*
+CreateGiteaEndpoint creates a gitea endpoint
+*/
+func (a *Client) CreateGiteaEndpoint(params *CreateGiteaEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateGiteaEndpointOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewCreateGiteaEndpointParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "CreateGiteaEndpoint",
+		Method:             "POST",
+		PathPattern:        "/gitea/endpoints",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &CreateGiteaEndpointReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*CreateGiteaEndpointOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	unexpectedSuccess := result.(*CreateGiteaEndpointDefault)
+	return nil, runtime.NewAPIError("unexpected success response: content available as default response in error", unexpectedSuccess, unexpectedSuccess.Code())
+}
+
+/*
+CreateGithubEndpoint creates a git hub endpoint
+*/
+func (a *Client) CreateGithubEndpoint(params *CreateGithubEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*CreateGithubEndpointOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewCreateGithubEndpointParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "CreateGithubEndpoint",
+		Method:             "POST",
+		PathPattern:        "/github/endpoints",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &CreateGithubEndpointReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*CreateGithubEndpointOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	unexpectedSuccess := result.(*CreateGithubEndpointDefault)
+	return nil, runtime.NewAPIError("unexpected success response: content available as default response in error", unexpectedSuccess, unexpectedSuccess.Code())
+}
+
+/*
+DeleteGiteaEndpoint deletes a gitea endpoint
+*/
+func (a *Client) DeleteGiteaEndpoint(params *DeleteGiteaEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) error {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewDeleteGiteaEndpointParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "DeleteGiteaEndpoint",
+		Method:             "DELETE",
+		PathPattern:        "/gitea/endpoints/{name}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &DeleteGiteaEndpointReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	_, err := a.transport.Submit(op)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+/*
+DeleteGithubEndpoint deletes a git hub endpoint
+*/
+func (a *Client) DeleteGithubEndpoint(params *DeleteGithubEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) error {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewDeleteGithubEndpointParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "DeleteGithubEndpoint",
+		Method:             "DELETE",
+		PathPattern:        "/github/endpoints/{name}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &DeleteGithubEndpointReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	_, err := a.transport.Submit(op)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+/*
+GetGiteaEndpoint gets a gitea endpoint
+*/
+func (a *Client) GetGiteaEndpoint(params *GetGiteaEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GetGiteaEndpointOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewGetGiteaEndpointParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "GetGiteaEndpoint",
+		Method:             "GET",
+		PathPattern:        "/gitea/endpoints/{name}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &GetGiteaEndpointReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*GetGiteaEndpointOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	unexpectedSuccess := result.(*GetGiteaEndpointDefault)
+	return nil, runtime.NewAPIError("unexpected success response: content available as default response in error", unexpectedSuccess, unexpectedSuccess.Code())
+}
+
+/*
+GetGithubEndpoint gets a git hub endpoint
+*/
+func (a *Client) GetGithubEndpoint(params *GetGithubEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*GetGithubEndpointOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewGetGithubEndpointParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "GetGithubEndpoint",
+		Method:             "GET",
+		PathPattern:        "/github/endpoints/{name}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &GetGithubEndpointReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*GetGithubEndpointOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	unexpectedSuccess := result.(*GetGithubEndpointDefault)
+	return nil, runtime.NewAPIError("unexpected success response: content available as default response in error", unexpectedSuccess, unexpectedSuccess.Code())
+}
+
+/*
+ListGiteaEndpoints lists all gitea endpoints
+*/
+func (a *Client) ListGiteaEndpoints(params *ListGiteaEndpointsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListGiteaEndpointsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewListGiteaEndpointsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "ListGiteaEndpoints",
+		Method:             "GET",
+		PathPattern:        "/gitea/endpoints",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &ListGiteaEndpointsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*ListGiteaEndpointsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	unexpectedSuccess := result.(*ListGiteaEndpointsDefault)
+	return nil, runtime.NewAPIError("unexpected success response: content available as default response in error", unexpectedSuccess, unexpectedSuccess.Code())
+}
+
+/*
+ListGithubEndpoints lists all git hub endpoints
+*/
+func (a *Client) ListGithubEndpoints(params *ListGithubEndpointsParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*ListGithubEndpointsOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewListGithubEndpointsParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "ListGithubEndpoints",
+		Method:             "GET",
+		PathPattern:        "/github/endpoints",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &ListGithubEndpointsReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*ListGithubEndpointsOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	unexpectedSuccess := result.(*ListGithubEndpointsDefault)
+	return nil, runtime.NewAPIError("unexpected success response: content available as default response in error", unexpectedSuccess, unexpectedSuccess.Code())
+}
+
+/*
+UpdateGiteaEndpoint updates a gitea endpoint
+*/
+func (a *Client) UpdateGiteaEndpoint(params *UpdateGiteaEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateGiteaEndpointOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewUpdateGiteaEndpointParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "UpdateGiteaEndpoint",
+		Method:             "PUT",
+		PathPattern:        "/gitea/endpoints/{name}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &UpdateGiteaEndpointReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*UpdateGiteaEndpointOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	unexpectedSuccess := result.(*UpdateGiteaEndpointDefault)
+	return nil, runtime.NewAPIError("unexpected success response: content available as default response in error", unexpectedSuccess, unexpectedSuccess.Code())
+}
+
+/*
+UpdateGithubEndpoint updates a git hub endpoint
+*/
+func (a *Client) UpdateGithubEndpoint(params *UpdateGithubEndpointParams, authInfo runtime.ClientAuthInfoWriter, opts ...ClientOption) (*UpdateGithubEndpointOK, error) {
+	// TODO: Validate the params before sending
+	if params == nil {
+		params = NewUpdateGithubEndpointParams()
+	}
+	op := &runtime.ClientOperation{
+		ID:                 "UpdateGithubEndpoint",
+		Method:             "PUT",
+		PathPattern:        "/github/endpoints/{name}",
+		ProducesMediaTypes: []string{"application/json"},
+		ConsumesMediaTypes: []string{"application/json"},
+		Schemes:            []string{"http"},
+		Params:             params,
+		Reader:             &UpdateGithubEndpointReader{formats: a.formats},
+		AuthInfo:           authInfo,
+		Context:            params.Context,
+		Client:             params.HTTPClient,
+	}
+	for _, opt := range opts {
+		opt(op)
+	}
+
+	result, err := a.transport.Submit(op)
+	if err != nil {
+		return nil, err
+	}
+	success, ok := result.(*UpdateGithubEndpointOK)
+	if ok {
+		return success, nil
+	}
+	// unexpected success response
+	unexpectedSuccess := result.(*UpdateGithubEndpointDefault)
+	return nil, runtime.NewAPIError("unexpected success response: content available as default response in error", unexpectedSuccess, unexpectedSuccess.Code())
+}
+
+// SetTransport changes the transport on the client
+func (a *Client) SetTransport(transport runtime.ClientTransport) {
+	a.transport = transport
+}
--- a/client/endpoints/get_gitea_endpoint_parameters.go
+++ b/client/endpoints/get_gitea_endpoint_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewGetGiteaEndpointParams creates a new GetGiteaEndpointParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewGetGiteaEndpointParams() *GetGiteaEndpointParams {
+	return &GetGiteaEndpointParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewGetGiteaEndpointParamsWithTimeout creates a new GetGiteaEndpointParams object
+// with the ability to set a timeout on a request.
+func NewGetGiteaEndpointParamsWithTimeout(timeout time.Duration) *GetGiteaEndpointParams {
+	return &GetGiteaEndpointParams{
+		timeout: timeout,
+	}
+}
+
+// NewGetGiteaEndpointParamsWithContext creates a new GetGiteaEndpointParams object
+// with the ability to set a context for a request.
+func NewGetGiteaEndpointParamsWithContext(ctx context.Context) *GetGiteaEndpointParams {
+	return &GetGiteaEndpointParams{
+		Context: ctx,
+	}
+}
+
+// NewGetGiteaEndpointParamsWithHTTPClient creates a new GetGiteaEndpointParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewGetGiteaEndpointParamsWithHTTPClient(client *http.Client) *GetGiteaEndpointParams {
+	return &GetGiteaEndpointParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+GetGiteaEndpointParams contains all the parameters to send to the API endpoint
+
+	for the get gitea endpoint operation.
+
+	Typically these are written to a http.Request.
+*/
+type GetGiteaEndpointParams struct {
+
+	/* Name.
+
+	   The name of the Gitea endpoint.
+	*/
+	Name string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the get gitea endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *GetGiteaEndpointParams) WithDefaults() *GetGiteaEndpointParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the get gitea endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *GetGiteaEndpointParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the get gitea endpoint params
+func (o *GetGiteaEndpointParams) WithTimeout(timeout time.Duration) *GetGiteaEndpointParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the get gitea endpoint params
+func (o *GetGiteaEndpointParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the get gitea endpoint params
+func (o *GetGiteaEndpointParams) WithContext(ctx context.Context) *GetGiteaEndpointParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the get gitea endpoint params
+func (o *GetGiteaEndpointParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the get gitea endpoint params
+func (o *GetGiteaEndpointParams) WithHTTPClient(client *http.Client) *GetGiteaEndpointParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the get gitea endpoint params
+func (o *GetGiteaEndpointParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithName adds the name to the get gitea endpoint params
+func (o *GetGiteaEndpointParams) WithName(name string) *GetGiteaEndpointParams {
+	o.SetName(name)
+	return o
+}
+
+// SetName adds the name to the get gitea endpoint params
+func (o *GetGiteaEndpointParams) SetName(name string) {
+	o.Name = name
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *GetGiteaEndpointParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param name
+	if err := r.SetPathParam("name", o.Name); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/get_gitea_endpoint_responses.go
+++ b/client/endpoints/get_gitea_endpoint_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// GetGiteaEndpointReader is a Reader for the GetGiteaEndpoint structure.
+type GetGiteaEndpointReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *GetGiteaEndpointReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewGetGiteaEndpointOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewGetGiteaEndpointDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewGetGiteaEndpointOK creates a GetGiteaEndpointOK with default headers values
+func NewGetGiteaEndpointOK() *GetGiteaEndpointOK {
+	return &GetGiteaEndpointOK{}
+}
+
+/*
+GetGiteaEndpointOK describes a response with status code 200, with default header values.
+
+ForgeEndpoint
+*/
+type GetGiteaEndpointOK struct {
+	Payload garm_params.ForgeEndpoint
+}
+
+// IsSuccess returns true when this get gitea endpoint o k response has a 2xx status code
+func (o *GetGiteaEndpointOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this get gitea endpoint o k response has a 3xx status code
+func (o *GetGiteaEndpointOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this get gitea endpoint o k response has a 4xx status code
+func (o *GetGiteaEndpointOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this get gitea endpoint o k response has a 5xx status code
+func (o *GetGiteaEndpointOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this get gitea endpoint o k response a status code equal to that given
+func (o *GetGiteaEndpointOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the get gitea endpoint o k response
+func (o *GetGiteaEndpointOK) Code() int {
+	return 200
+}
+
+func (o *GetGiteaEndpointOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/endpoints/{name}][%d] getGiteaEndpointOK %s", 200, payload)
+}
+
+func (o *GetGiteaEndpointOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/endpoints/{name}][%d] getGiteaEndpointOK %s", 200, payload)
+}
+
+func (o *GetGiteaEndpointOK) GetPayload() garm_params.ForgeEndpoint {
+	return o.Payload
+}
+
+func (o *GetGiteaEndpointOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewGetGiteaEndpointDefault creates a GetGiteaEndpointDefault with default headers values
+func NewGetGiteaEndpointDefault(code int) *GetGiteaEndpointDefault {
+	return &GetGiteaEndpointDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+GetGiteaEndpointDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type GetGiteaEndpointDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this get gitea endpoint default response has a 2xx status code
+func (o *GetGiteaEndpointDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this get gitea endpoint default response has a 3xx status code
+func (o *GetGiteaEndpointDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this get gitea endpoint default response has a 4xx status code
+func (o *GetGiteaEndpointDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this get gitea endpoint default response has a 5xx status code
+func (o *GetGiteaEndpointDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this get gitea endpoint default response a status code equal to that given
+func (o *GetGiteaEndpointDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the get gitea endpoint default response
+func (o *GetGiteaEndpointDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *GetGiteaEndpointDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/endpoints/{name}][%d] GetGiteaEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *GetGiteaEndpointDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/endpoints/{name}][%d] GetGiteaEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *GetGiteaEndpointDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *GetGiteaEndpointDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/get_github_endpoint_parameters.go
+++ b/client/endpoints/get_github_endpoint_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewGetGithubEndpointParams creates a new GetGithubEndpointParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewGetGithubEndpointParams() *GetGithubEndpointParams {
+	return &GetGithubEndpointParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewGetGithubEndpointParamsWithTimeout creates a new GetGithubEndpointParams object
+// with the ability to set a timeout on a request.
+func NewGetGithubEndpointParamsWithTimeout(timeout time.Duration) *GetGithubEndpointParams {
+	return &GetGithubEndpointParams{
+		timeout: timeout,
+	}
+}
+
+// NewGetGithubEndpointParamsWithContext creates a new GetGithubEndpointParams object
+// with the ability to set a context for a request.
+func NewGetGithubEndpointParamsWithContext(ctx context.Context) *GetGithubEndpointParams {
+	return &GetGithubEndpointParams{
+		Context: ctx,
+	}
+}
+
+// NewGetGithubEndpointParamsWithHTTPClient creates a new GetGithubEndpointParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewGetGithubEndpointParamsWithHTTPClient(client *http.Client) *GetGithubEndpointParams {
+	return &GetGithubEndpointParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+GetGithubEndpointParams contains all the parameters to send to the API endpoint
+
+	for the get github endpoint operation.
+
+	Typically these are written to a http.Request.
+*/
+type GetGithubEndpointParams struct {
+
+	/* Name.
+
+	   The name of the GitHub endpoint.
+	*/
+	Name string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the get github endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *GetGithubEndpointParams) WithDefaults() *GetGithubEndpointParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the get github endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *GetGithubEndpointParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the get github endpoint params
+func (o *GetGithubEndpointParams) WithTimeout(timeout time.Duration) *GetGithubEndpointParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the get github endpoint params
+func (o *GetGithubEndpointParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the get github endpoint params
+func (o *GetGithubEndpointParams) WithContext(ctx context.Context) *GetGithubEndpointParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the get github endpoint params
+func (o *GetGithubEndpointParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the get github endpoint params
+func (o *GetGithubEndpointParams) WithHTTPClient(client *http.Client) *GetGithubEndpointParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the get github endpoint params
+func (o *GetGithubEndpointParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithName adds the name to the get github endpoint params
+func (o *GetGithubEndpointParams) WithName(name string) *GetGithubEndpointParams {
+	o.SetName(name)
+	return o
+}
+
+// SetName adds the name to the get github endpoint params
+func (o *GetGithubEndpointParams) SetName(name string) {
+	o.Name = name
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *GetGithubEndpointParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param name
+	if err := r.SetPathParam("name", o.Name); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/get_github_endpoint_responses.go
+++ b/client/endpoints/get_github_endpoint_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// GetGithubEndpointReader is a Reader for the GetGithubEndpoint structure.
+type GetGithubEndpointReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *GetGithubEndpointReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewGetGithubEndpointOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewGetGithubEndpointDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewGetGithubEndpointOK creates a GetGithubEndpointOK with default headers values
+func NewGetGithubEndpointOK() *GetGithubEndpointOK {
+	return &GetGithubEndpointOK{}
+}
+
+/*
+GetGithubEndpointOK describes a response with status code 200, with default header values.
+
+ForgeEndpoint
+*/
+type GetGithubEndpointOK struct {
+	Payload garm_params.ForgeEndpoint
+}
+
+// IsSuccess returns true when this get github endpoint o k response has a 2xx status code
+func (o *GetGithubEndpointOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this get github endpoint o k response has a 3xx status code
+func (o *GetGithubEndpointOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this get github endpoint o k response has a 4xx status code
+func (o *GetGithubEndpointOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this get github endpoint o k response has a 5xx status code
+func (o *GetGithubEndpointOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this get github endpoint o k response a status code equal to that given
+func (o *GetGithubEndpointOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the get github endpoint o k response
+func (o *GetGithubEndpointOK) Code() int {
+	return 200
+}
+
+func (o *GetGithubEndpointOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/endpoints/{name}][%d] getGithubEndpointOK %s", 200, payload)
+}
+
+func (o *GetGithubEndpointOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/endpoints/{name}][%d] getGithubEndpointOK %s", 200, payload)
+}
+
+func (o *GetGithubEndpointOK) GetPayload() garm_params.ForgeEndpoint {
+	return o.Payload
+}
+
+func (o *GetGithubEndpointOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewGetGithubEndpointDefault creates a GetGithubEndpointDefault with default headers values
+func NewGetGithubEndpointDefault(code int) *GetGithubEndpointDefault {
+	return &GetGithubEndpointDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+GetGithubEndpointDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type GetGithubEndpointDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this get github endpoint default response has a 2xx status code
+func (o *GetGithubEndpointDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this get github endpoint default response has a 3xx status code
+func (o *GetGithubEndpointDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this get github endpoint default response has a 4xx status code
+func (o *GetGithubEndpointDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this get github endpoint default response has a 5xx status code
+func (o *GetGithubEndpointDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this get github endpoint default response a status code equal to that given
+func (o *GetGithubEndpointDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the get github endpoint default response
+func (o *GetGithubEndpointDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *GetGithubEndpointDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/endpoints/{name}][%d] GetGithubEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *GetGithubEndpointDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/endpoints/{name}][%d] GetGithubEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *GetGithubEndpointDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *GetGithubEndpointDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/list_gitea_endpoints_parameters.go
+++ b/client/endpoints/list_gitea_endpoints_parameters.go
@ -0,0 +1,128 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewListGiteaEndpointsParams creates a new ListGiteaEndpointsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewListGiteaEndpointsParams() *ListGiteaEndpointsParams {
+	return &ListGiteaEndpointsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewListGiteaEndpointsParamsWithTimeout creates a new ListGiteaEndpointsParams object
+// with the ability to set a timeout on a request.
+func NewListGiteaEndpointsParamsWithTimeout(timeout time.Duration) *ListGiteaEndpointsParams {
+	return &ListGiteaEndpointsParams{
+		timeout: timeout,
+	}
+}
+
+// NewListGiteaEndpointsParamsWithContext creates a new ListGiteaEndpointsParams object
+// with the ability to set a context for a request.
+func NewListGiteaEndpointsParamsWithContext(ctx context.Context) *ListGiteaEndpointsParams {
+	return &ListGiteaEndpointsParams{
+		Context: ctx,
+	}
+}
+
+// NewListGiteaEndpointsParamsWithHTTPClient creates a new ListGiteaEndpointsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewListGiteaEndpointsParamsWithHTTPClient(client *http.Client) *ListGiteaEndpointsParams {
+	return &ListGiteaEndpointsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+ListGiteaEndpointsParams contains all the parameters to send to the API endpoint
+
+	for the list gitea endpoints operation.
+
+	Typically these are written to a http.Request.
+*/
+type ListGiteaEndpointsParams struct {
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the list gitea endpoints params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListGiteaEndpointsParams) WithDefaults() *ListGiteaEndpointsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the list gitea endpoints params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListGiteaEndpointsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the list gitea endpoints params
+func (o *ListGiteaEndpointsParams) WithTimeout(timeout time.Duration) *ListGiteaEndpointsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the list gitea endpoints params
+func (o *ListGiteaEndpointsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the list gitea endpoints params
+func (o *ListGiteaEndpointsParams) WithContext(ctx context.Context) *ListGiteaEndpointsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the list gitea endpoints params
+func (o *ListGiteaEndpointsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the list gitea endpoints params
+func (o *ListGiteaEndpointsParams) WithHTTPClient(client *http.Client) *ListGiteaEndpointsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the list gitea endpoints params
+func (o *ListGiteaEndpointsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *ListGiteaEndpointsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/list_gitea_endpoints_responses.go
+++ b/client/endpoints/list_gitea_endpoints_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// ListGiteaEndpointsReader is a Reader for the ListGiteaEndpoints structure.
+type ListGiteaEndpointsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *ListGiteaEndpointsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewListGiteaEndpointsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewListGiteaEndpointsDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewListGiteaEndpointsOK creates a ListGiteaEndpointsOK with default headers values
+func NewListGiteaEndpointsOK() *ListGiteaEndpointsOK {
+	return &ListGiteaEndpointsOK{}
+}
+
+/*
+ListGiteaEndpointsOK describes a response with status code 200, with default header values.
+
+ForgeEndpoints
+*/
+type ListGiteaEndpointsOK struct {
+	Payload garm_params.ForgeEndpoints
+}
+
+// IsSuccess returns true when this list gitea endpoints o k response has a 2xx status code
+func (o *ListGiteaEndpointsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this list gitea endpoints o k response has a 3xx status code
+func (o *ListGiteaEndpointsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list gitea endpoints o k response has a 4xx status code
+func (o *ListGiteaEndpointsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this list gitea endpoints o k response has a 5xx status code
+func (o *ListGiteaEndpointsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list gitea endpoints o k response a status code equal to that given
+func (o *ListGiteaEndpointsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the list gitea endpoints o k response
+func (o *ListGiteaEndpointsOK) Code() int {
+	return 200
+}
+
+func (o *ListGiteaEndpointsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/endpoints][%d] listGiteaEndpointsOK %s", 200, payload)
+}
+
+func (o *ListGiteaEndpointsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/endpoints][%d] listGiteaEndpointsOK %s", 200, payload)
+}
+
+func (o *ListGiteaEndpointsOK) GetPayload() garm_params.ForgeEndpoints {
+	return o.Payload
+}
+
+func (o *ListGiteaEndpointsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewListGiteaEndpointsDefault creates a ListGiteaEndpointsDefault with default headers values
+func NewListGiteaEndpointsDefault(code int) *ListGiteaEndpointsDefault {
+	return &ListGiteaEndpointsDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+ListGiteaEndpointsDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type ListGiteaEndpointsDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this list gitea endpoints default response has a 2xx status code
+func (o *ListGiteaEndpointsDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this list gitea endpoints default response has a 3xx status code
+func (o *ListGiteaEndpointsDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this list gitea endpoints default response has a 4xx status code
+func (o *ListGiteaEndpointsDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this list gitea endpoints default response has a 5xx status code
+func (o *ListGiteaEndpointsDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this list gitea endpoints default response a status code equal to that given
+func (o *ListGiteaEndpointsDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the list gitea endpoints default response
+func (o *ListGiteaEndpointsDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *ListGiteaEndpointsDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/endpoints][%d] ListGiteaEndpoints default %s", o._statusCode, payload)
+}
+
+func (o *ListGiteaEndpointsDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /gitea/endpoints][%d] ListGiteaEndpoints default %s", o._statusCode, payload)
+}
+
+func (o *ListGiteaEndpointsDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *ListGiteaEndpointsDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/list_github_endpoints_parameters.go
+++ b/client/endpoints/list_github_endpoints_parameters.go
@ -0,0 +1,128 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewListGithubEndpointsParams creates a new ListGithubEndpointsParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewListGithubEndpointsParams() *ListGithubEndpointsParams {
+	return &ListGithubEndpointsParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewListGithubEndpointsParamsWithTimeout creates a new ListGithubEndpointsParams object
+// with the ability to set a timeout on a request.
+func NewListGithubEndpointsParamsWithTimeout(timeout time.Duration) *ListGithubEndpointsParams {
+	return &ListGithubEndpointsParams{
+		timeout: timeout,
+	}
+}
+
+// NewListGithubEndpointsParamsWithContext creates a new ListGithubEndpointsParams object
+// with the ability to set a context for a request.
+func NewListGithubEndpointsParamsWithContext(ctx context.Context) *ListGithubEndpointsParams {
+	return &ListGithubEndpointsParams{
+		Context: ctx,
+	}
+}
+
+// NewListGithubEndpointsParamsWithHTTPClient creates a new ListGithubEndpointsParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewListGithubEndpointsParamsWithHTTPClient(client *http.Client) *ListGithubEndpointsParams {
+	return &ListGithubEndpointsParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+ListGithubEndpointsParams contains all the parameters to send to the API endpoint
+
+	for the list github endpoints operation.
+
+	Typically these are written to a http.Request.
+*/
+type ListGithubEndpointsParams struct {
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the list github endpoints params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListGithubEndpointsParams) WithDefaults() *ListGithubEndpointsParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the list github endpoints params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *ListGithubEndpointsParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the list github endpoints params
+func (o *ListGithubEndpointsParams) WithTimeout(timeout time.Duration) *ListGithubEndpointsParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the list github endpoints params
+func (o *ListGithubEndpointsParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the list github endpoints params
+func (o *ListGithubEndpointsParams) WithContext(ctx context.Context) *ListGithubEndpointsParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the list github endpoints params
+func (o *ListGithubEndpointsParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the list github endpoints params
+func (o *ListGithubEndpointsParams) WithHTTPClient(client *http.Client) *ListGithubEndpointsParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the list github endpoints params
+func (o *ListGithubEndpointsParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *ListGithubEndpointsParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/list_github_endpoints_responses.go
+++ b/client/endpoints/list_github_endpoints_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// ListGithubEndpointsReader is a Reader for the ListGithubEndpoints structure.
+type ListGithubEndpointsReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *ListGithubEndpointsReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewListGithubEndpointsOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewListGithubEndpointsDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewListGithubEndpointsOK creates a ListGithubEndpointsOK with default headers values
+func NewListGithubEndpointsOK() *ListGithubEndpointsOK {
+	return &ListGithubEndpointsOK{}
+}
+
+/*
+ListGithubEndpointsOK describes a response with status code 200, with default header values.
+
+ForgeEndpoints
+*/
+type ListGithubEndpointsOK struct {
+	Payload garm_params.ForgeEndpoints
+}
+
+// IsSuccess returns true when this list github endpoints o k response has a 2xx status code
+func (o *ListGithubEndpointsOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this list github endpoints o k response has a 3xx status code
+func (o *ListGithubEndpointsOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this list github endpoints o k response has a 4xx status code
+func (o *ListGithubEndpointsOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this list github endpoints o k response has a 5xx status code
+func (o *ListGithubEndpointsOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this list github endpoints o k response a status code equal to that given
+func (o *ListGithubEndpointsOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the list github endpoints o k response
+func (o *ListGithubEndpointsOK) Code() int {
+	return 200
+}
+
+func (o *ListGithubEndpointsOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/endpoints][%d] listGithubEndpointsOK %s", 200, payload)
+}
+
+func (o *ListGithubEndpointsOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/endpoints][%d] listGithubEndpointsOK %s", 200, payload)
+}
+
+func (o *ListGithubEndpointsOK) GetPayload() garm_params.ForgeEndpoints {
+	return o.Payload
+}
+
+func (o *ListGithubEndpointsOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewListGithubEndpointsDefault creates a ListGithubEndpointsDefault with default headers values
+func NewListGithubEndpointsDefault(code int) *ListGithubEndpointsDefault {
+	return &ListGithubEndpointsDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+ListGithubEndpointsDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type ListGithubEndpointsDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this list github endpoints default response has a 2xx status code
+func (o *ListGithubEndpointsDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this list github endpoints default response has a 3xx status code
+func (o *ListGithubEndpointsDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this list github endpoints default response has a 4xx status code
+func (o *ListGithubEndpointsDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this list github endpoints default response has a 5xx status code
+func (o *ListGithubEndpointsDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this list github endpoints default response a status code equal to that given
+func (o *ListGithubEndpointsDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the list github endpoints default response
+func (o *ListGithubEndpointsDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *ListGithubEndpointsDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/endpoints][%d] ListGithubEndpoints default %s", o._statusCode, payload)
+}
+
+func (o *ListGithubEndpointsDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[GET /github/endpoints][%d] ListGithubEndpoints default %s", o._statusCode, payload)
+}
+
+func (o *ListGithubEndpointsDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *ListGithubEndpointsDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/update_gitea_endpoint_parameters.go
+++ b/client/endpoints/update_gitea_endpoint_parameters.go
@ -0,0 +1,173 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewUpdateGiteaEndpointParams creates a new UpdateGiteaEndpointParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewUpdateGiteaEndpointParams() *UpdateGiteaEndpointParams {
+	return &UpdateGiteaEndpointParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewUpdateGiteaEndpointParamsWithTimeout creates a new UpdateGiteaEndpointParams object
+// with the ability to set a timeout on a request.
+func NewUpdateGiteaEndpointParamsWithTimeout(timeout time.Duration) *UpdateGiteaEndpointParams {
+	return &UpdateGiteaEndpointParams{
+		timeout: timeout,
+	}
+}
+
+// NewUpdateGiteaEndpointParamsWithContext creates a new UpdateGiteaEndpointParams object
+// with the ability to set a context for a request.
+func NewUpdateGiteaEndpointParamsWithContext(ctx context.Context) *UpdateGiteaEndpointParams {
+	return &UpdateGiteaEndpointParams{
+		Context: ctx,
+	}
+}
+
+// NewUpdateGiteaEndpointParamsWithHTTPClient creates a new UpdateGiteaEndpointParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewUpdateGiteaEndpointParamsWithHTTPClient(client *http.Client) *UpdateGiteaEndpointParams {
+	return &UpdateGiteaEndpointParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+UpdateGiteaEndpointParams contains all the parameters to send to the API endpoint
+
+	for the update gitea endpoint operation.
+
+	Typically these are written to a http.Request.
+*/
+type UpdateGiteaEndpointParams struct {
+
+	/* Body.
+
+	   Parameters used when updating a Gitea endpoint.
+	*/
+	Body garm_params.UpdateGiteaEndpointParams
+
+	/* Name.
+
+	   The name of the Gitea endpoint.
+	*/
+	Name string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the update gitea endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateGiteaEndpointParams) WithDefaults() *UpdateGiteaEndpointParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the update gitea endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateGiteaEndpointParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) WithTimeout(timeout time.Duration) *UpdateGiteaEndpointParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) WithContext(ctx context.Context) *UpdateGiteaEndpointParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) WithHTTPClient(client *http.Client) *UpdateGiteaEndpointParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) WithBody(body garm_params.UpdateGiteaEndpointParams) *UpdateGiteaEndpointParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) SetBody(body garm_params.UpdateGiteaEndpointParams) {
+	o.Body = body
+}
+
+// WithName adds the name to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) WithName(name string) *UpdateGiteaEndpointParams {
+	o.SetName(name)
+	return o
+}
+
+// SetName adds the name to the update gitea endpoint params
+func (o *UpdateGiteaEndpointParams) SetName(name string) {
+	o.Name = name
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *UpdateGiteaEndpointParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	// path param name
+	if err := r.SetPathParam("name", o.Name); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/update_gitea_endpoint_responses.go
+++ b/client/endpoints/update_gitea_endpoint_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// UpdateGiteaEndpointReader is a Reader for the UpdateGiteaEndpoint structure.
+type UpdateGiteaEndpointReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *UpdateGiteaEndpointReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewUpdateGiteaEndpointOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewUpdateGiteaEndpointDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewUpdateGiteaEndpointOK creates a UpdateGiteaEndpointOK with default headers values
+func NewUpdateGiteaEndpointOK() *UpdateGiteaEndpointOK {
+	return &UpdateGiteaEndpointOK{}
+}
+
+/*
+UpdateGiteaEndpointOK describes a response with status code 200, with default header values.
+
+ForgeEndpoint
+*/
+type UpdateGiteaEndpointOK struct {
+	Payload garm_params.ForgeEndpoint
+}
+
+// IsSuccess returns true when this update gitea endpoint o k response has a 2xx status code
+func (o *UpdateGiteaEndpointOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this update gitea endpoint o k response has a 3xx status code
+func (o *UpdateGiteaEndpointOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this update gitea endpoint o k response has a 4xx status code
+func (o *UpdateGiteaEndpointOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this update gitea endpoint o k response has a 5xx status code
+func (o *UpdateGiteaEndpointOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this update gitea endpoint o k response a status code equal to that given
+func (o *UpdateGiteaEndpointOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the update gitea endpoint o k response
+func (o *UpdateGiteaEndpointOK) Code() int {
+	return 200
+}
+
+func (o *UpdateGiteaEndpointOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /gitea/endpoints/{name}][%d] updateGiteaEndpointOK %s", 200, payload)
+}
+
+func (o *UpdateGiteaEndpointOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /gitea/endpoints/{name}][%d] updateGiteaEndpointOK %s", 200, payload)
+}
+
+func (o *UpdateGiteaEndpointOK) GetPayload() garm_params.ForgeEndpoint {
+	return o.Payload
+}
+
+func (o *UpdateGiteaEndpointOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewUpdateGiteaEndpointDefault creates a UpdateGiteaEndpointDefault with default headers values
+func NewUpdateGiteaEndpointDefault(code int) *UpdateGiteaEndpointDefault {
+	return &UpdateGiteaEndpointDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+UpdateGiteaEndpointDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type UpdateGiteaEndpointDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this update gitea endpoint default response has a 2xx status code
+func (o *UpdateGiteaEndpointDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this update gitea endpoint default response has a 3xx status code
+func (o *UpdateGiteaEndpointDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this update gitea endpoint default response has a 4xx status code
+func (o *UpdateGiteaEndpointDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this update gitea endpoint default response has a 5xx status code
+func (o *UpdateGiteaEndpointDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this update gitea endpoint default response a status code equal to that given
+func (o *UpdateGiteaEndpointDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the update gitea endpoint default response
+func (o *UpdateGiteaEndpointDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *UpdateGiteaEndpointDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /gitea/endpoints/{name}][%d] UpdateGiteaEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *UpdateGiteaEndpointDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /gitea/endpoints/{name}][%d] UpdateGiteaEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *UpdateGiteaEndpointDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *UpdateGiteaEndpointDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/endpoints/update_github_endpoint_parameters.go
+++ b/client/endpoints/update_github_endpoint_parameters.go
@ -0,0 +1,173 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewUpdateGithubEndpointParams creates a new UpdateGithubEndpointParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewUpdateGithubEndpointParams() *UpdateGithubEndpointParams {
+	return &UpdateGithubEndpointParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewUpdateGithubEndpointParamsWithTimeout creates a new UpdateGithubEndpointParams object
+// with the ability to set a timeout on a request.
+func NewUpdateGithubEndpointParamsWithTimeout(timeout time.Duration) *UpdateGithubEndpointParams {
+	return &UpdateGithubEndpointParams{
+		timeout: timeout,
+	}
+}
+
+// NewUpdateGithubEndpointParamsWithContext creates a new UpdateGithubEndpointParams object
+// with the ability to set a context for a request.
+func NewUpdateGithubEndpointParamsWithContext(ctx context.Context) *UpdateGithubEndpointParams {
+	return &UpdateGithubEndpointParams{
+		Context: ctx,
+	}
+}
+
+// NewUpdateGithubEndpointParamsWithHTTPClient creates a new UpdateGithubEndpointParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewUpdateGithubEndpointParamsWithHTTPClient(client *http.Client) *UpdateGithubEndpointParams {
+	return &UpdateGithubEndpointParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+UpdateGithubEndpointParams contains all the parameters to send to the API endpoint
+
+	for the update github endpoint operation.
+
+	Typically these are written to a http.Request.
+*/
+type UpdateGithubEndpointParams struct {
+
+	/* Body.
+
+	   Parameters used when updating a GitHub endpoint.
+	*/
+	Body garm_params.UpdateGithubEndpointParams
+
+	/* Name.
+
+	   The name of the GitHub endpoint.
+	*/
+	Name string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the update github endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateGithubEndpointParams) WithDefaults() *UpdateGithubEndpointParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the update github endpoint params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *UpdateGithubEndpointParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the update github endpoint params
+func (o *UpdateGithubEndpointParams) WithTimeout(timeout time.Duration) *UpdateGithubEndpointParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the update github endpoint params
+func (o *UpdateGithubEndpointParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the update github endpoint params
+func (o *UpdateGithubEndpointParams) WithContext(ctx context.Context) *UpdateGithubEndpointParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the update github endpoint params
+func (o *UpdateGithubEndpointParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the update github endpoint params
+func (o *UpdateGithubEndpointParams) WithHTTPClient(client *http.Client) *UpdateGithubEndpointParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the update github endpoint params
+func (o *UpdateGithubEndpointParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the update github endpoint params
+func (o *UpdateGithubEndpointParams) WithBody(body garm_params.UpdateGithubEndpointParams) *UpdateGithubEndpointParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the update github endpoint params
+func (o *UpdateGithubEndpointParams) SetBody(body garm_params.UpdateGithubEndpointParams) {
+	o.Body = body
+}
+
+// WithName adds the name to the update github endpoint params
+func (o *UpdateGithubEndpointParams) WithName(name string) *UpdateGithubEndpointParams {
+	o.SetName(name)
+	return o
+}
+
+// SetName adds the name to the update github endpoint params
+func (o *UpdateGithubEndpointParams) SetName(name string) {
+	o.Name = name
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *UpdateGithubEndpointParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	// path param name
+	if err := r.SetPathParam("name", o.Name); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/endpoints/update_github_endpoint_responses.go
+++ b/client/endpoints/update_github_endpoint_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package endpoints
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// UpdateGithubEndpointReader is a Reader for the UpdateGithubEndpoint structure.
+type UpdateGithubEndpointReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *UpdateGithubEndpointReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewUpdateGithubEndpointOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewUpdateGithubEndpointDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewUpdateGithubEndpointOK creates a UpdateGithubEndpointOK with default headers values
+func NewUpdateGithubEndpointOK() *UpdateGithubEndpointOK {
+	return &UpdateGithubEndpointOK{}
+}
+
+/*
+UpdateGithubEndpointOK describes a response with status code 200, with default header values.
+
+ForgeEndpoint
+*/
+type UpdateGithubEndpointOK struct {
+	Payload garm_params.ForgeEndpoint
+}
+
+// IsSuccess returns true when this update github endpoint o k response has a 2xx status code
+func (o *UpdateGithubEndpointOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this update github endpoint o k response has a 3xx status code
+func (o *UpdateGithubEndpointOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this update github endpoint o k response has a 4xx status code
+func (o *UpdateGithubEndpointOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this update github endpoint o k response has a 5xx status code
+func (o *UpdateGithubEndpointOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this update github endpoint o k response a status code equal to that given
+func (o *UpdateGithubEndpointOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the update github endpoint o k response
+func (o *UpdateGithubEndpointOK) Code() int {
+	return 200
+}
+
+func (o *UpdateGithubEndpointOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /github/endpoints/{name}][%d] updateGithubEndpointOK %s", 200, payload)
+}
+
+func (o *UpdateGithubEndpointOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /github/endpoints/{name}][%d] updateGithubEndpointOK %s", 200, payload)
+}
+
+func (o *UpdateGithubEndpointOK) GetPayload() garm_params.ForgeEndpoint {
+	return o.Payload
+}
+
+func (o *UpdateGithubEndpointOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewUpdateGithubEndpointDefault creates a UpdateGithubEndpointDefault with default headers values
+func NewUpdateGithubEndpointDefault(code int) *UpdateGithubEndpointDefault {
+	return &UpdateGithubEndpointDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+UpdateGithubEndpointDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type UpdateGithubEndpointDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this update github endpoint default response has a 2xx status code
+func (o *UpdateGithubEndpointDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this update github endpoint default response has a 3xx status code
+func (o *UpdateGithubEndpointDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this update github endpoint default response has a 4xx status code
+func (o *UpdateGithubEndpointDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this update github endpoint default response has a 5xx status code
+func (o *UpdateGithubEndpointDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this update github endpoint default response a status code equal to that given
+func (o *UpdateGithubEndpointDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the update github endpoint default response
+func (o *UpdateGithubEndpointDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *UpdateGithubEndpointDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /github/endpoints/{name}][%d] UpdateGithubEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *UpdateGithubEndpointDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[PUT /github/endpoints/{name}][%d] UpdateGithubEndpoint default %s", o._statusCode, payload)
+}
+
+func (o *UpdateGithubEndpointDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *UpdateGithubEndpointDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/enterprises/create_enterprise_parameters.go
+++ b/client/enterprises/create_enterprise_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package enterprises
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewCreateEnterpriseParams creates a new CreateEnterpriseParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewCreateEnterpriseParams() *CreateEnterpriseParams {
+	return &CreateEnterpriseParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewCreateEnterpriseParamsWithTimeout creates a new CreateEnterpriseParams object
+// with the ability to set a timeout on a request.
+func NewCreateEnterpriseParamsWithTimeout(timeout time.Duration) *CreateEnterpriseParams {
+	return &CreateEnterpriseParams{
+		timeout: timeout,
+	}
+}
+
+// NewCreateEnterpriseParamsWithContext creates a new CreateEnterpriseParams object
+// with the ability to set a context for a request.
+func NewCreateEnterpriseParamsWithContext(ctx context.Context) *CreateEnterpriseParams {
+	return &CreateEnterpriseParams{
+		Context: ctx,
+	}
+}
+
+// NewCreateEnterpriseParamsWithHTTPClient creates a new CreateEnterpriseParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewCreateEnterpriseParamsWithHTTPClient(client *http.Client) *CreateEnterpriseParams {
+	return &CreateEnterpriseParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+CreateEnterpriseParams contains all the parameters to send to the API endpoint
+
+	for the create enterprise operation.
+
+	Typically these are written to a http.Request.
+*/
+type CreateEnterpriseParams struct {
+
+	/* Body.
+
+	   Parameters used to create the enterprise.
+	*/
+	Body garm_params.CreateEnterpriseParams
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the create enterprise params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateEnterpriseParams) WithDefaults() *CreateEnterpriseParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the create enterprise params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateEnterpriseParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the create enterprise params
+func (o *CreateEnterpriseParams) WithTimeout(timeout time.Duration) *CreateEnterpriseParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the create enterprise params
+func (o *CreateEnterpriseParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the create enterprise params
+func (o *CreateEnterpriseParams) WithContext(ctx context.Context) *CreateEnterpriseParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the create enterprise params
+func (o *CreateEnterpriseParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the create enterprise params
+func (o *CreateEnterpriseParams) WithHTTPClient(client *http.Client) *CreateEnterpriseParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the create enterprise params
+func (o *CreateEnterpriseParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the create enterprise params
+func (o *CreateEnterpriseParams) WithBody(body garm_params.CreateEnterpriseParams) *CreateEnterpriseParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the create enterprise params
+func (o *CreateEnterpriseParams) SetBody(body garm_params.CreateEnterpriseParams) {
+	o.Body = body
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *CreateEnterpriseParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/enterprises/create_enterprise_pool_parameters.go
+++ b/client/enterprises/create_enterprise_pool_parameters.go
@ -0,0 +1,173 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package enterprises
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewCreateEnterprisePoolParams creates a new CreateEnterprisePoolParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewCreateEnterprisePoolParams() *CreateEnterprisePoolParams {
+	return &CreateEnterprisePoolParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewCreateEnterprisePoolParamsWithTimeout creates a new CreateEnterprisePoolParams object
+// with the ability to set a timeout on a request.
+func NewCreateEnterprisePoolParamsWithTimeout(timeout time.Duration) *CreateEnterprisePoolParams {
+	return &CreateEnterprisePoolParams{
+		timeout: timeout,
+	}
+}
+
+// NewCreateEnterprisePoolParamsWithContext creates a new CreateEnterprisePoolParams object
+// with the ability to set a context for a request.
+func NewCreateEnterprisePoolParamsWithContext(ctx context.Context) *CreateEnterprisePoolParams {
+	return &CreateEnterprisePoolParams{
+		Context: ctx,
+	}
+}
+
+// NewCreateEnterprisePoolParamsWithHTTPClient creates a new CreateEnterprisePoolParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewCreateEnterprisePoolParamsWithHTTPClient(client *http.Client) *CreateEnterprisePoolParams {
+	return &CreateEnterprisePoolParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+CreateEnterprisePoolParams contains all the parameters to send to the API endpoint
+
+	for the create enterprise pool operation.
+
+	Typically these are written to a http.Request.
+*/
+type CreateEnterprisePoolParams struct {
+
+	/* Body.
+
+	   Parameters used when creating the enterprise pool.
+	*/
+	Body garm_params.CreatePoolParams
+
+	/* EnterpriseID.
+
+	   Enterprise ID.
+	*/
+	EnterpriseID string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the create enterprise pool params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateEnterprisePoolParams) WithDefaults() *CreateEnterprisePoolParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the create enterprise pool params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateEnterprisePoolParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) WithTimeout(timeout time.Duration) *CreateEnterprisePoolParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) WithContext(ctx context.Context) *CreateEnterprisePoolParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) WithHTTPClient(client *http.Client) *CreateEnterprisePoolParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) WithBody(body garm_params.CreatePoolParams) *CreateEnterprisePoolParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) SetBody(body garm_params.CreatePoolParams) {
+	o.Body = body
+}
+
+// WithEnterpriseID adds the enterpriseID to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) WithEnterpriseID(enterpriseID string) *CreateEnterprisePoolParams {
+	o.SetEnterpriseID(enterpriseID)
+	return o
+}
+
+// SetEnterpriseID adds the enterpriseId to the create enterprise pool params
+func (o *CreateEnterprisePoolParams) SetEnterpriseID(enterpriseID string) {
+	o.EnterpriseID = enterpriseID
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *CreateEnterprisePoolParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	// path param enterpriseID
+	if err := r.SetPathParam("enterpriseID", o.EnterpriseID); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/enterprises/create_enterprise_pool_responses.go
+++ b/client/enterprises/create_enterprise_pool_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package enterprises
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// CreateEnterprisePoolReader is a Reader for the CreateEnterprisePool structure.
+type CreateEnterprisePoolReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *CreateEnterprisePoolReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewCreateEnterprisePoolOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewCreateEnterprisePoolDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewCreateEnterprisePoolOK creates a CreateEnterprisePoolOK with default headers values
+func NewCreateEnterprisePoolOK() *CreateEnterprisePoolOK {
+	return &CreateEnterprisePoolOK{}
+}
+
+/*
+CreateEnterprisePoolOK describes a response with status code 200, with default header values.
+
+Pool
+*/
+type CreateEnterprisePoolOK struct {
+	Payload garm_params.Pool
+}
+
+// IsSuccess returns true when this create enterprise pool o k response has a 2xx status code
+func (o *CreateEnterprisePoolOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this create enterprise pool o k response has a 3xx status code
+func (o *CreateEnterprisePoolOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this create enterprise pool o k response has a 4xx status code
+func (o *CreateEnterprisePoolOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this create enterprise pool o k response has a 5xx status code
+func (o *CreateEnterprisePoolOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this create enterprise pool o k response a status code equal to that given
+func (o *CreateEnterprisePoolOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the create enterprise pool o k response
+func (o *CreateEnterprisePoolOK) Code() int {
+	return 200
+}
+
+func (o *CreateEnterprisePoolOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises/{enterpriseID}/pools][%d] createEnterprisePoolOK %s", 200, payload)
+}
+
+func (o *CreateEnterprisePoolOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises/{enterpriseID}/pools][%d] createEnterprisePoolOK %s", 200, payload)
+}
+
+func (o *CreateEnterprisePoolOK) GetPayload() garm_params.Pool {
+	return o.Payload
+}
+
+func (o *CreateEnterprisePoolOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewCreateEnterprisePoolDefault creates a CreateEnterprisePoolDefault with default headers values
+func NewCreateEnterprisePoolDefault(code int) *CreateEnterprisePoolDefault {
+	return &CreateEnterprisePoolDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+CreateEnterprisePoolDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type CreateEnterprisePoolDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this create enterprise pool default response has a 2xx status code
+func (o *CreateEnterprisePoolDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this create enterprise pool default response has a 3xx status code
+func (o *CreateEnterprisePoolDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this create enterprise pool default response has a 4xx status code
+func (o *CreateEnterprisePoolDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this create enterprise pool default response has a 5xx status code
+func (o *CreateEnterprisePoolDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this create enterprise pool default response a status code equal to that given
+func (o *CreateEnterprisePoolDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the create enterprise pool default response
+func (o *CreateEnterprisePoolDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *CreateEnterprisePoolDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises/{enterpriseID}/pools][%d] CreateEnterprisePool default %s", o._statusCode, payload)
+}
+
+func (o *CreateEnterprisePoolDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises/{enterpriseID}/pools][%d] CreateEnterprisePool default %s", o._statusCode, payload)
+}
+
+func (o *CreateEnterprisePoolDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *CreateEnterprisePoolDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/enterprises/create_enterprise_responses.go
+++ b/client/enterprises/create_enterprise_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package enterprises
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// CreateEnterpriseReader is a Reader for the CreateEnterprise structure.
+type CreateEnterpriseReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *CreateEnterpriseReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewCreateEnterpriseOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewCreateEnterpriseDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewCreateEnterpriseOK creates a CreateEnterpriseOK with default headers values
+func NewCreateEnterpriseOK() *CreateEnterpriseOK {
+	return &CreateEnterpriseOK{}
+}
+
+/*
+CreateEnterpriseOK describes a response with status code 200, with default header values.
+
+Enterprise
+*/
+type CreateEnterpriseOK struct {
+	Payload garm_params.Enterprise
+}
+
+// IsSuccess returns true when this create enterprise o k response has a 2xx status code
+func (o *CreateEnterpriseOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this create enterprise o k response has a 3xx status code
+func (o *CreateEnterpriseOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this create enterprise o k response has a 4xx status code
+func (o *CreateEnterpriseOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this create enterprise o k response has a 5xx status code
+func (o *CreateEnterpriseOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this create enterprise o k response a status code equal to that given
+func (o *CreateEnterpriseOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the create enterprise o k response
+func (o *CreateEnterpriseOK) Code() int {
+	return 200
+}
+
+func (o *CreateEnterpriseOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises][%d] createEnterpriseOK %s", 200, payload)
+}
+
+func (o *CreateEnterpriseOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises][%d] createEnterpriseOK %s", 200, payload)
+}
+
+func (o *CreateEnterpriseOK) GetPayload() garm_params.Enterprise {
+	return o.Payload
+}
+
+func (o *CreateEnterpriseOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewCreateEnterpriseDefault creates a CreateEnterpriseDefault with default headers values
+func NewCreateEnterpriseDefault(code int) *CreateEnterpriseDefault {
+	return &CreateEnterpriseDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+CreateEnterpriseDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type CreateEnterpriseDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this create enterprise default response has a 2xx status code
+func (o *CreateEnterpriseDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this create enterprise default response has a 3xx status code
+func (o *CreateEnterpriseDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this create enterprise default response has a 4xx status code
+func (o *CreateEnterpriseDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this create enterprise default response has a 5xx status code
+func (o *CreateEnterpriseDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this create enterprise default response a status code equal to that given
+func (o *CreateEnterpriseDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the create enterprise default response
+func (o *CreateEnterpriseDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *CreateEnterpriseDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises][%d] CreateEnterprise default %s", o._statusCode, payload)
+}
+
+func (o *CreateEnterpriseDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises][%d] CreateEnterprise default %s", o._statusCode, payload)
+}
+
+func (o *CreateEnterpriseDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *CreateEnterpriseDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/enterprises/create_enterprise_scale_set_parameters.go
+++ b/client/enterprises/create_enterprise_scale_set_parameters.go
@ -0,0 +1,173 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package enterprises
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// NewCreateEnterpriseScaleSetParams creates a new CreateEnterpriseScaleSetParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewCreateEnterpriseScaleSetParams() *CreateEnterpriseScaleSetParams {
+	return &CreateEnterpriseScaleSetParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewCreateEnterpriseScaleSetParamsWithTimeout creates a new CreateEnterpriseScaleSetParams object
+// with the ability to set a timeout on a request.
+func NewCreateEnterpriseScaleSetParamsWithTimeout(timeout time.Duration) *CreateEnterpriseScaleSetParams {
+	return &CreateEnterpriseScaleSetParams{
+		timeout: timeout,
+	}
+}
+
+// NewCreateEnterpriseScaleSetParamsWithContext creates a new CreateEnterpriseScaleSetParams object
+// with the ability to set a context for a request.
+func NewCreateEnterpriseScaleSetParamsWithContext(ctx context.Context) *CreateEnterpriseScaleSetParams {
+	return &CreateEnterpriseScaleSetParams{
+		Context: ctx,
+	}
+}
+
+// NewCreateEnterpriseScaleSetParamsWithHTTPClient creates a new CreateEnterpriseScaleSetParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewCreateEnterpriseScaleSetParamsWithHTTPClient(client *http.Client) *CreateEnterpriseScaleSetParams {
+	return &CreateEnterpriseScaleSetParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+CreateEnterpriseScaleSetParams contains all the parameters to send to the API endpoint
+
+	for the create enterprise scale set operation.
+
+	Typically these are written to a http.Request.
+*/
+type CreateEnterpriseScaleSetParams struct {
+
+	/* Body.
+
+	   Parameters used when creating the enterprise scale set.
+	*/
+	Body garm_params.CreateScaleSetParams
+
+	/* EnterpriseID.
+
+	   Enterprise ID.
+	*/
+	EnterpriseID string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the create enterprise scale set params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateEnterpriseScaleSetParams) WithDefaults() *CreateEnterpriseScaleSetParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the create enterprise scale set params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *CreateEnterpriseScaleSetParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) WithTimeout(timeout time.Duration) *CreateEnterpriseScaleSetParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) WithContext(ctx context.Context) *CreateEnterpriseScaleSetParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) WithHTTPClient(client *http.Client) *CreateEnterpriseScaleSetParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithBody adds the body to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) WithBody(body garm_params.CreateScaleSetParams) *CreateEnterpriseScaleSetParams {
+	o.SetBody(body)
+	return o
+}
+
+// SetBody adds the body to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) SetBody(body garm_params.CreateScaleSetParams) {
+	o.Body = body
+}
+
+// WithEnterpriseID adds the enterpriseID to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) WithEnterpriseID(enterpriseID string) *CreateEnterpriseScaleSetParams {
+	o.SetEnterpriseID(enterpriseID)
+	return o
+}
+
+// SetEnterpriseID adds the enterpriseId to the create enterprise scale set params
+func (o *CreateEnterpriseScaleSetParams) SetEnterpriseID(enterpriseID string) {
+	o.EnterpriseID = enterpriseID
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *CreateEnterpriseScaleSetParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+	if err := r.SetBodyParam(o.Body); err != nil {
+		return err
+	}
+
+	// path param enterpriseID
+	if err := r.SetPathParam("enterpriseID", o.EnterpriseID); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/client/enterprises/create_enterprise_scale_set_responses.go
+++ b/client/enterprises/create_enterprise_scale_set_responses.go
@ -0,0 +1,184 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package enterprises
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+
+	"github.com/go-openapi/runtime"
+	"github.com/go-openapi/strfmt"
+
+	apiserver_params "github.com/cloudbase/garm/apiserver/params"
+	garm_params "github.com/cloudbase/garm/params"
+)
+
+// CreateEnterpriseScaleSetReader is a Reader for the CreateEnterpriseScaleSet structure.
+type CreateEnterpriseScaleSetReader struct {
+	formats strfmt.Registry
+}
+
+// ReadResponse reads a server response into the received o.
+func (o *CreateEnterpriseScaleSetReader) ReadResponse(response runtime.ClientResponse, consumer runtime.Consumer) (interface{}, error) {
+	switch response.Code() {
+	case 200:
+		result := NewCreateEnterpriseScaleSetOK()
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		return result, nil
+	default:
+		result := NewCreateEnterpriseScaleSetDefault(response.Code())
+		if err := result.readResponse(response, consumer, o.formats); err != nil {
+			return nil, err
+		}
+		if response.Code()/100 == 2 {
+			return result, nil
+		}
+		return nil, result
+	}
+}
+
+// NewCreateEnterpriseScaleSetOK creates a CreateEnterpriseScaleSetOK with default headers values
+func NewCreateEnterpriseScaleSetOK() *CreateEnterpriseScaleSetOK {
+	return &CreateEnterpriseScaleSetOK{}
+}
+
+/*
+CreateEnterpriseScaleSetOK describes a response with status code 200, with default header values.
+
+ScaleSet
+*/
+type CreateEnterpriseScaleSetOK struct {
+	Payload garm_params.ScaleSet
+}
+
+// IsSuccess returns true when this create enterprise scale set o k response has a 2xx status code
+func (o *CreateEnterpriseScaleSetOK) IsSuccess() bool {
+	return true
+}
+
+// IsRedirect returns true when this create enterprise scale set o k response has a 3xx status code
+func (o *CreateEnterpriseScaleSetOK) IsRedirect() bool {
+	return false
+}
+
+// IsClientError returns true when this create enterprise scale set o k response has a 4xx status code
+func (o *CreateEnterpriseScaleSetOK) IsClientError() bool {
+	return false
+}
+
+// IsServerError returns true when this create enterprise scale set o k response has a 5xx status code
+func (o *CreateEnterpriseScaleSetOK) IsServerError() bool {
+	return false
+}
+
+// IsCode returns true when this create enterprise scale set o k response a status code equal to that given
+func (o *CreateEnterpriseScaleSetOK) IsCode(code int) bool {
+	return code == 200
+}
+
+// Code gets the status code for the create enterprise scale set o k response
+func (o *CreateEnterpriseScaleSetOK) Code() int {
+	return 200
+}
+
+func (o *CreateEnterpriseScaleSetOK) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises/{enterpriseID}/scalesets][%d] createEnterpriseScaleSetOK %s", 200, payload)
+}
+
+func (o *CreateEnterpriseScaleSetOK) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises/{enterpriseID}/scalesets][%d] createEnterpriseScaleSetOK %s", 200, payload)
+}
+
+func (o *CreateEnterpriseScaleSetOK) GetPayload() garm_params.ScaleSet {
+	return o.Payload
+}
+
+func (o *CreateEnterpriseScaleSetOK) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
+
+// NewCreateEnterpriseScaleSetDefault creates a CreateEnterpriseScaleSetDefault with default headers values
+func NewCreateEnterpriseScaleSetDefault(code int) *CreateEnterpriseScaleSetDefault {
+	return &CreateEnterpriseScaleSetDefault{
+		_statusCode: code,
+	}
+}
+
+/*
+CreateEnterpriseScaleSetDefault describes a response with status code -1, with default header values.
+
+APIErrorResponse
+*/
+type CreateEnterpriseScaleSetDefault struct {
+	_statusCode int
+
+	Payload apiserver_params.APIErrorResponse
+}
+
+// IsSuccess returns true when this create enterprise scale set default response has a 2xx status code
+func (o *CreateEnterpriseScaleSetDefault) IsSuccess() bool {
+	return o._statusCode/100 == 2
+}
+
+// IsRedirect returns true when this create enterprise scale set default response has a 3xx status code
+func (o *CreateEnterpriseScaleSetDefault) IsRedirect() bool {
+	return o._statusCode/100 == 3
+}
+
+// IsClientError returns true when this create enterprise scale set default response has a 4xx status code
+func (o *CreateEnterpriseScaleSetDefault) IsClientError() bool {
+	return o._statusCode/100 == 4
+}
+
+// IsServerError returns true when this create enterprise scale set default response has a 5xx status code
+func (o *CreateEnterpriseScaleSetDefault) IsServerError() bool {
+	return o._statusCode/100 == 5
+}
+
+// IsCode returns true when this create enterprise scale set default response a status code equal to that given
+func (o *CreateEnterpriseScaleSetDefault) IsCode(code int) bool {
+	return o._statusCode == code
+}
+
+// Code gets the status code for the create enterprise scale set default response
+func (o *CreateEnterpriseScaleSetDefault) Code() int {
+	return o._statusCode
+}
+
+func (o *CreateEnterpriseScaleSetDefault) Error() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises/{enterpriseID}/scalesets][%d] CreateEnterpriseScaleSet default %s", o._statusCode, payload)
+}
+
+func (o *CreateEnterpriseScaleSetDefault) String() string {
+	payload, _ := json.Marshal(o.Payload)
+	return fmt.Sprintf("[POST /enterprises/{enterpriseID}/scalesets][%d] CreateEnterpriseScaleSet default %s", o._statusCode, payload)
+}
+
+func (o *CreateEnterpriseScaleSetDefault) GetPayload() apiserver_params.APIErrorResponse {
+	return o.Payload
+}
+
+func (o *CreateEnterpriseScaleSetDefault) readResponse(response runtime.ClientResponse, consumer runtime.Consumer, formats strfmt.Registry) error {
+
+	// response payload
+	if err := consumer.Consume(response.Body(), &o.Payload); err != nil && err != io.EOF {
+		return err
+	}
+
+	return nil
+}
--- a/client/enterprises/delete_enterprise_parameters.go
+++ b/client/enterprises/delete_enterprise_parameters.go
@ -0,0 +1,151 @@
+// Code generated by go-swagger; DO NOT EDIT.
+
+package enterprises
+
+// This file was generated by the swagger tool.
+// Editing this file might prove futile when you re-run the swagger generate command
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"github.com/go-openapi/errors"
+	"github.com/go-openapi/runtime"
+	cr "github.com/go-openapi/runtime/client"
+	"github.com/go-openapi/strfmt"
+)
+
+// NewDeleteEnterpriseParams creates a new DeleteEnterpriseParams object,
+// with the default timeout for this client.
+//
+// Default values are not hydrated, since defaults are normally applied by the API server side.
+//
+// To enforce default values in parameter, use SetDefaults or WithDefaults.
+func NewDeleteEnterpriseParams() *DeleteEnterpriseParams {
+	return &DeleteEnterpriseParams{
+		timeout: cr.DefaultTimeout,
+	}
+}
+
+// NewDeleteEnterpriseParamsWithTimeout creates a new DeleteEnterpriseParams object
+// with the ability to set a timeout on a request.
+func NewDeleteEnterpriseParamsWithTimeout(timeout time.Duration) *DeleteEnterpriseParams {
+	return &DeleteEnterpriseParams{
+		timeout: timeout,
+	}
+}
+
+// NewDeleteEnterpriseParamsWithContext creates a new DeleteEnterpriseParams object
+// with the ability to set a context for a request.
+func NewDeleteEnterpriseParamsWithContext(ctx context.Context) *DeleteEnterpriseParams {
+	return &DeleteEnterpriseParams{
+		Context: ctx,
+	}
+}
+
+// NewDeleteEnterpriseParamsWithHTTPClient creates a new DeleteEnterpriseParams object
+// with the ability to set a custom HTTPClient for a request.
+func NewDeleteEnterpriseParamsWithHTTPClient(client *http.Client) *DeleteEnterpriseParams {
+	return &DeleteEnterpriseParams{
+		HTTPClient: client,
+	}
+}
+
+/*
+DeleteEnterpriseParams contains all the parameters to send to the API endpoint
+
+	for the delete enterprise operation.
+
+	Typically these are written to a http.Request.
+*/
+type DeleteEnterpriseParams struct {
+
+	/* EnterpriseID.
+
+	   ID of the enterprise to delete.
+	*/
+	EnterpriseID string
+
+	timeout    time.Duration
+	Context    context.Context
+	HTTPClient *http.Client
+}
+
+// WithDefaults hydrates default values in the delete enterprise params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteEnterpriseParams) WithDefaults() *DeleteEnterpriseParams {
+	o.SetDefaults()
+	return o
+}
+
+// SetDefaults hydrates default values in the delete enterprise params (not the query body).
+//
+// All values with no default are reset to their zero value.
+func (o *DeleteEnterpriseParams) SetDefaults() {
+	// no default values defined for this parameter
+}
+
+// WithTimeout adds the timeout to the delete enterprise params
+func (o *DeleteEnterpriseParams) WithTimeout(timeout time.Duration) *DeleteEnterpriseParams {
+	o.SetTimeout(timeout)
+	return o
+}
+
+// SetTimeout adds the timeout to the delete enterprise params
+func (o *DeleteEnterpriseParams) SetTimeout(timeout time.Duration) {
+	o.timeout = timeout
+}
+
+// WithContext adds the context to the delete enterprise params
+func (o *DeleteEnterpriseParams) WithContext(ctx context.Context) *DeleteEnterpriseParams {
+	o.SetContext(ctx)
+	return o
+}
+
+// SetContext adds the context to the delete enterprise params
+func (o *DeleteEnterpriseParams) SetContext(ctx context.Context) {
+	o.Context = ctx
+}
+
+// WithHTTPClient adds the HTTPClient to the delete enterprise params
+func (o *DeleteEnterpriseParams) WithHTTPClient(client *http.Client) *DeleteEnterpriseParams {
+	o.SetHTTPClient(client)
+	return o
+}
+
+// SetHTTPClient adds the HTTPClient to the delete enterprise params
+func (o *DeleteEnterpriseParams) SetHTTPClient(client *http.Client) {
+	o.HTTPClient = client
+}
+
+// WithEnterpriseID adds the enterpriseID to the delete enterprise params
+func (o *DeleteEnterpriseParams) WithEnterpriseID(enterpriseID string) *DeleteEnterpriseParams {
+	o.SetEnterpriseID(enterpriseID)
+	return o
+}
+
+// SetEnterpriseID adds the enterpriseId to the delete enterprise params
+func (o *DeleteEnterpriseParams) SetEnterpriseID(enterpriseID string) {
+	o.EnterpriseID = enterpriseID
+}
+
+// WriteToRequest writes these params to a swagger request
+func (o *DeleteEnterpriseParams) WriteToRequest(r runtime.ClientRequest, reg strfmt.Registry) error {
+
+	if err := r.SetTimeout(o.timeout); err != nil {
+		return err
+	}
+	var res []error
+
+	// path param enterpriseID
+	if err := r.SetPathParam("enterpriseID", o.EnterpriseID); err != nil {
+		return err
+	}
+
+	if len(res) > 0 {
+		return errors.CompositeValidationError(res...)
+	}
+	return nil
+}
--- a/Show more
+++ b/Show more