API reference

This interactive reference is generated directly from the control plane's OpenAPI 3.1 specification (apps/control-plane/openapi.json) — the same spec served at runtime from GET /api/v1/openapi.json and published as a release asset. It is always in sync with the implementation (a CI drift gate enforces it).

For authentication, error envelopes, and pagination conventions, read the API overview first.

v1.0.0

OpenCrane Control Plane API

Download OpenAPI Document

JSON

Download OpenAPI Document

YAML

Multi-tenant AI agent platform management API.

Authentication

• Human operators — OIDC browser flow via GET /auth/login → /auth/callback. Session cookie is set server-side.
• CLI operators — Device authorization grant via POST /auth/device. The CLI opens the returned verificationUri in the operator's browser, polls GET /auth/device/token, and persists the issued token in ~/.config/opencrane/credentials.json.
• Automation / CI — Bearer token via the OPENCRANE_TOKEN environment variable, validated against the OPENCRANE_API_TOKEN server-side env var.
• Endpoints tagged Auth and Meta (/auth/*, /openapi.json) require no credentials.

Servers

/api/v1Versioned API prefix

---

Platform DNS

Operations

GET/platform/dnsPUT/platform/dns

---

Show the configured platform DNS-01 issuer (ClusterIssuer or namespaced Issuer)

GET

/platform/dns

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Query Parameters

issuerName

Type

string

Responses

Current issuer status.

Content-Type

application/json

{

  

"configured": true,

  

"issuerName": "string",

  

"issuerKind": "string",

  

"issuerNamespace": "string",

  

"provider": "string",

  

"email": "string",

  

"server": "string"

}

GET

/platform/dns

Playground

Authorization

bearerAuth

Variables

Key

Value

issuerName

Samples

---

Configure the platform DNS-01 issuer for wildcard TLS (ClusterIssuer or namespaced Issuer)

PUT

/platform/dns

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

  

"provider": "string",

  

"zone": "string",

  

"email": "string",

  

"server": "string",

  

"issuerName": "string",

  

"apiToken": "string",

  

"solverConfig": {

  

  

"additionalProperties": "string"

  

}

}

Responses

Issuer configured.

Content-Type

application/json

{

  

"status": "string",

  

"issuerName": "string",

  

"issuerKind": "string",

  

"issuerNamespace": "string",

  

"provider": "string",

  

"zone": "string",

  

"secretName": "string"

}

PUT

/platform/dns

Playground

Authorization

bearerAuth

Body

Samples

---

Awareness Rollout

Operations

GET/awareness/rolloutPUT/awareness/rolloutPOST/awareness/rollout/promotePOST/awareness/rollout/rollbackGET/awareness/rollout/resolve/{tenant}GET/awareness/participation

---

Show the fleet awareness contract rollout state

GET

/awareness/rollout

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Current rollout state.

Content-Type

application/json

{

  

"targetVersion": "string",

  

"stableVersion": "string",

  

"waves": [

  

  

"string"

  

],

  

"promotedWaves": [

  

  

"string"

  

],

  

"shadowMode": true,

  

"nextWave": "string"

}

GET

/awareness/rollout

Playground

Authorization

bearerAuth

Samples

---

Define (or redefine) the awareness rollout; resets the frontier

PUT

/awareness/rollout

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

  

"targetVersion": "string",

  

"stableVersion": "string",

  

"waves": [

  

  

"string"

  

],

  

"shadowMode": true

}

Responses

Rollout defined.

Content-Type

application/json

{

  

"targetVersion": "string",

  

"stableVersion": "string",

  

"waves": [

  

  

"string"

  

],

  

"promotedWaves": [

  

  

"string"

  

],

  

"shadowMode": true,

  

"nextWave": "string"

}

PUT

/awareness/rollout

Playground

Authorization

bearerAuth

Body

Samples

---

Advance the rollout frontier (one wave, or up to a named wave)

POST

/awareness/rollout/promote

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

  

"wave": "string"

}

Responses

Frontier advanced.

Content-Type

application/json

{

  

"targetVersion": "string",

  

"stableVersion": "string",

  

"waves": [

  

  

"string"

  

],

  

"promotedWaves": [

  

  

"string"

  

],

  

"shadowMode": true,

  

"nextWave": "string"

}

POST

/awareness/rollout/promote

Playground

Authorization

bearerAuth

Body

Samples

---

One-step rollback: return every wave to the stable version

POST

/awareness/rollout/rollback

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Rolled back.

Content-Type

application/json

{

  

"targetVersion": "string",

  

"stableVersion": "string",

  

"waves": [

  

  

"string"

  

],

  

"promotedWaves": [

  

  

"string"

  

],

  

"shadowMode": true,

  

"nextWave": "string"

}

POST

/awareness/rollout/rollback

Playground

Authorization

bearerAuth

Samples

---

Resolve the awareness contract version a tenant runs

GET

/awareness/rollout/resolve/{tenant}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

tenant*

Type

string

Required

Responses

Resolved version.

Content-Type

application/json

{

  

"tenant": "string",

  

"version": "string",

  

"promoted": true,

  

"shadow": true,

  

"wave": "string"

}

GET

/awareness/rollout/resolve/{tenant}

Playground

Authorization

bearerAuth

Variables

Key

Value

tenant*

Samples

---

Fleet participation, drift, and policy-violation monitoring

GET

/awareness/participation

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Query Parameters

severity

Type

string

Valid values

"critical""warning"

Responses

Fleet participation report.

Content-Type

application/json

{

  

"total": 0,

  

"participating": 0,

  

"drifted": 0,

  

"critical": 0,

  

"warning": 0,

  

"tenants": [

  

  

{

  

  

  

"tenant": "string",

  

  

  

"lastSeenAt": "string",

  

  

  

"runningContractVersion": "string",

  

  

  

"expectedContractVersion": "string",

  

  

  

"participating": true,

  

  

  

"drifted": true,

  

  

  

"policyViolations": 0,

  

  

  

"severity": "string"

  

  

}

  

]

}

GET

/awareness/participation

Playground

Authorization

bearerAuth

Variables

Key

Value

severity

Samples

---

Sessions

Operations

GET/sessions/{sessionKey}/scopePUT/sessions/{sessionKey}/scopeDELETE/sessions/{sessionKey}/scope

---

Inspect a chat-window session's awareness scope binding

GET

/sessions/{sessionKey}/scope

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

sessionKey*

Type

string

Required

Responses

Current session scope binding.

Content-Type

application/json

{

  

"sessionKey": "string",

  

"principal": "string",

  

"scopes": [

  

  

{

  

  

  

"scope": "string",

  

  

  

"payloadId": "string"

  

  

}

  

],

  

"createdAt": "string",

  

"updatedAt": "string"

}

GET

/sessions/{sessionKey}/scope

Playground

Authorization

bearerAuth

Variables

Key

Value

sessionKey*

Samples

---

Bind a session scope (CP intersects with the principal's entitlements)

PUT

/sessions/{sessionKey}/scope

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

sessionKey*

Type

string

Required

Request Body

application/json

{

  

"principal": "string",

  

"scopes": [

  

  

{

  

  

  

"scope": "string",

  

  

  

"payloadId": "string"

  

  

}

  

]

}

Responses

Authorised binding; rejected lists any over-scope dropped.

Content-Type

application/json

{

  

"sessionKey": "string",

  

"principal": "string",

  

"scopes": [

  

  

{

  

  

  

"scope": "string",

  

  

  

"payloadId": "string"

  

  

}

  

],

  

"createdAt": "string",

  

"updatedAt": "string",

  

"rejected": [

  

  

{

  

  

  

"scope": "string",

  

  

  

"payloadId": "string"

  

  

}

  

]

}

PUT

/sessions/{sessionKey}/scope

Playground

Authorization

bearerAuth

Variables

Key

Value

sessionKey*

Body

Samples

---

Clear a session's scope binding

DELETE

/sessions/{sessionKey}/scope

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

sessionKey*

Type

string

Required

Responses

Binding cleared.

Content-Type

application/json

{

  

"sessionKey": "string",

  

"cleared": true

}

DELETE

/sessions/{sessionKey}/scope

Playground

Authorization

bearerAuth

Variables

Key

Value

sessionKey*

Samples

---

Tenants

Operations

GET/tenantsPOST/tenantsGET/tenants/driftPOST/tenants/repairGET/tenants/{name}PUT/tenants/{name}DELETE/tenants/{name}POST/tenants/{name}/suspendPOST/tenants/{name}/resumeGET/tenants/{name}/datasetsPUT/tenants/{name}/datasetsGET/tenants/{name}/effective-contract

---

List all tenants

GET

/tenants

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Tenant list.

Content-Type

application/json

[

  

{

  

  

"name": "string",

  

  

"displayName": "string",

  

  

"email": "string",

  

  

"team": "string",

  

  

"phase": "string",

  

  

"ingressHost": "string",

  

  

"createdAt": "string"

  

}

]

GET

/tenants

Playground

Authorization

bearerAuth

Samples

---

Create a new tenant (dual-write: K8s CRD + database)

POST

/tenants

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

  

"name": "string",

  

"displayName": "string",

  

"email": "string",

  

"team": "string",

  

"monthlyBudgetUsd": 0,

  

"resources": {

  

},

  

"skillAllowlist": [

  

  

"string"

  

],

  

"policyRef": "string"

}

Responses

Tenant created.

Content-Type

application/json

{

  

"name": "string",

  

"status": "string"

}

POST

/tenants

Playground

Authorization

bearerAuth

Body

Samples

---

Detect drift between Tenant CRDs and PostgreSQL projection rows

GET

/tenants/drift

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Drift report.

Content-Type

application/json

{

}

GET

/tenants/drift

Playground

Authorization

bearerAuth

Samples

---

Repair Tenant projection rows from CRD source of truth

POST

/tenants/repair

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Query Parameters

dryRun

When true (default), report planned changes without applying them.

Type

boolean

Default

true

Responses

Repair report.

Content-Type

application/json

{

}

POST

/tenants/repair

Playground

Authorization

bearerAuth

Variables

Key

Value

dryRun

Samples

---

Get a single tenant by name

GET

/tenants/{name}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Tenant detail.

Content-Type

application/json

{

  

"name": "string",

  

"displayName": "string",

  

"email": "string",

  

"team": "string",

  

"phase": "string",

  

"ingressHost": "string",

  

"createdAt": "string"

}

GET

/tenants/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Update a tenant (dual-write: K8s CRD + database)

PUT

/tenants/{name}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Request Body

application/json

{

  

"displayName": "string",

  

"email": "string",

  

"team": "string",

  

"monthlyBudgetUsd": 0,

  

"resources": {

  

},

  

"skillAllowlist": [

  

  

"string"

  

],

  

"policyRef": "string"

}

Responses

Tenant updated.

Content-Type

application/json

{

  

"name": "string",

  

"status": "string"

}

PUT

/tenants/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Body

Samples

---

Delete a tenant (dual-write: K8s CRD + database)

DELETE

/tenants/{name}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Tenant deleted.

Content-Type

application/json

{

  

"name": "string",

  

"status": "string"

}

DELETE

/tenants/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Suspend a tenant (scale deployment to zero)

POST

/tenants/{name}/suspend

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Tenant suspended.

Content-Type

application/json

{

  

"name": "string",

  

"status": "string"

}

POST

/tenants/{name}/suspend

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Resume a suspended tenant

POST

/tenants/{name}/resume

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Tenant resumed.

Content-Type

application/json

{

  

"name": "string",

  

"status": "string"

}

POST

/tenants/{name}/resume

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Get dataset memberships for a tenant

GET

/tenants/{name}/datasets

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Dataset memberships.

Content-Type

application/json

{

  

"org": [

  

  

"string"

  

],

  

"team": [

  

  

"string"

  

],

  

"project": [

  

  

"string"

  

],

  

"personal": [

  

  

"string"

  

]

}

GET

/tenants/{name}/datasets

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Update dataset memberships for a tenant

PUT

/tenants/{name}/datasets

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Request Body

application/json

{

  

"org": [

  

  

"string"

  

],

  

"team": [

  

  

"string"

  

],

  

"project": [

  

  

"string"

  

],

  

"personal": [

  

  

"string"

  

]

}

Responses

Dataset memberships updated.

Content-Type

application/json

{

  

"org": [

  

  

"string"

  

],

  

"team": [

  

  

"string"

  

],

  

"project": [

  

  

"string"

  

],

  

"personal": [

  

  

"string"

  

]

}

PUT

/tenants/{name}/datasets

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Body

Samples

---

Compile the effective awareness, MCP, and skill contract for a tenant

GET

/tenants/{name}/effective-contract

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Effective contract.

Content-Type

application/json

{

  

"contractId": "string",

  

"contractVersion": "string",

  

"tenant": {

  

},

  

"awareness": {

  

},

  

"mcp": {

  

},

  

"skills": {

  

}

}

GET

/tenants/{name}/effective-contract

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Policies

Operations

GET/policiesPOST/policiesGET/policies/driftPOST/policies/repairGET/policies/{name}PUT/policies/{name}DELETE/policies/{name}

---

List all access policies

GET

/policies

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Policy list.

Content-Type

application/json

[

  

{

  

  

"name": "string",

  

  

"namespace": "string",

  

  

"tenantSelector": {

  

  

},

  

  

"domains": [

  

  

  

"string"

  

  

],

  

  

"egressRules": [

  

  

  

{

  

  

  

}

  

  

],

  

  

"mcpServers": {

  

  

},

  

  

"createdAt": "string"

  

}

]

GET

/policies

Playground

Authorization

bearerAuth

Samples

---

Create an access policy (dual-write: K8s CRD + database)

POST

/policies

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

}

Responses

Policy created.

Content-Type

application/json

{

  

"name": "string",

  

"status": "string"

}

POST

/policies

Playground

Authorization

bearerAuth

Body

Samples

---

Detect drift between AccessPolicy CRDs and PostgreSQL projection rows

GET

/policies/drift

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Drift report.

Content-Type

application/json

{

}

GET

/policies/drift

Playground

Authorization

bearerAuth

Samples

---

Repair AccessPolicy projection rows from CRD source of truth

POST

/policies/repair

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Query Parameters

dryRun

Type

boolean

Default

true

Responses

Repair report.

Content-Type

application/json

{

}

POST

/policies/repair

Playground

Authorization

bearerAuth

Variables

Key

Value

dryRun

Samples

---

Get a single access policy by name

GET

/policies/{name}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Policy detail.

Content-Type

application/json

{

  

"name": "string",

  

"namespace": "string",

  

"tenantSelector": {

  

},

  

"domains": [

  

  

"string"

  

],

  

"egressRules": [

  

  

{

  

  

}

  

],

  

"mcpServers": {

  

},

  

"createdAt": "string"

}

GET

/policies/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Update an access policy

PUT

/policies/{name}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Request Body

application/json

{

}

Responses

Policy updated.

Content-Type

application/json

{

}

PUT

/policies/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Body

Samples

---

Delete an access policy

DELETE

/policies/{name}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Policy deleted.

Content-Type

application/json

{

  

"name": "string",

  

"status": "string"

}

DELETE

/policies/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Cluster Tenants

Operations

GET/cluster-tenantsPOST/cluster-tenantsGET/cluster-tenants/{name}PUT/cluster-tenants/{name}DELETE/cluster-tenants/{name}GET/cluster-tenants/{name}/status

---

List all cluster tenants

GET

/cluster-tenants

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Cluster tenant list.

Content-Type

application/json

[

  

{

  

  

"name": "string",

  

  

"displayName": "string",

  

  

"baseDomain": "string",

  

  

"isolationTier": "string",

  

  

"compute": {

  

  

  

"mode": "string",

  

  

  

"nodePool": "string"

  

  

},

  

  

"resources": {

  

  

  

"quota": {

  

  

  

  

"cpu": "string",

  

  

  

  

"memory": "string",

  

  

  

  

"pods": 0,

  

  

  

  

"storage": "string",

  

  

  

  

"gpu": 0

  

  

  

}

  

  

},

  

  

"status": {

  

  

  

"phase": "string",

  

  

  

"message": "string",

  

  

  

"boundNamespace": "string",

  

  

  

"provisioner": "string"

  

  

}

  

}

]

GET

/cluster-tenants

Playground

Authorization

bearerAuth

Samples

---

Create a cluster tenant (rejects an isolation tier no provisioner can serve)

POST

/cluster-tenants

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

  

"name": "string",

  

"displayName": "string",

  

"baseDomain": "string",

  

"isolationTier": "string",

  

"compute": {

  

  

"mode": "string",

  

  

"nodePool": "string"

  

},

  

"resources": {

  

  

"quota": {

  

  

  

"cpu": "string",

  

  

  

"memory": "string",

  

  

  

"pods": 0,

  

  

  

"storage": "string",

  

  

  

"gpu": 0

  

  

}

  

}

}

Responses

Cluster tenant created.

Content-Type

application/json

{

  

"name": "string",

  

"displayName": "string",

  

"baseDomain": "string",

  

"isolationTier": "string",

  

"compute": {

  

  

"mode": "string",

  

  

"nodePool": "string"

  

},

  

"resources": {

  

  

"quota": {

  

  

  

"cpu": "string",

  

  

  

"memory": "string",

  

  

  

"pods": 0,

  

  

  

"storage": "string",

  

  

  

"gpu": 0

  

  

}

  

},

  

"status": {

  

  

"phase": "string",

  

  

"message": "string",

  

  

"boundNamespace": "string",

  

  

"provisioner": "string"

  

}

}

POST

/cluster-tenants

Playground

Authorization

bearerAuth

Body

Samples

---

Get a single cluster tenant by name

GET

/cluster-tenants/{name}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Cluster tenant detail.

Content-Type

application/json

{

  

"name": "string",

  

"displayName": "string",

  

"baseDomain": "string",

  

"isolationTier": "string",

  

"compute": {

  

  

"mode": "string",

  

  

"nodePool": "string"

  

},

  

"resources": {

  

  

"quota": {

  

  

  

"cpu": "string",

  

  

  

"memory": "string",

  

  

  

"pods": 0,

  

  

  

"storage": "string",

  

  

  

"gpu": 0

  

  

}

  

},

  

"status": {

  

  

"phase": "string",

  

  

"message": "string",

  

  

"boundNamespace": "string",

  

  

"provisioner": "string"

  

}

}

GET

/cluster-tenants/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Update a cluster tenant (re-gates the isolation tier when it changes)

PUT

/cluster-tenants/{name}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Request Body

application/json

{

}

Responses

Cluster tenant updated.

Content-Type

application/json

{

  

"name": "string",

  

"displayName": "string",

  

"baseDomain": "string",

  

"isolationTier": "string",

  

"compute": {

  

  

"mode": "string",

  

  

"nodePool": "string"

  

},

  

"resources": {

  

  

"quota": {

  

  

  

"cpu": "string",

  

  

  

"memory": "string",

  

  

  

"pods": 0,

  

  

  

"storage": "string",

  

  

  

"gpu": 0

  

  

}

  

},

  

"status": {

  

  

"phase": "string",

  

  

"message": "string",

  

  

"boundNamespace": "string",

  

  

"provisioner": "string"

  

}

}

PUT

/cluster-tenants/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Body

Samples

---

Delete a cluster tenant

DELETE

/cluster-tenants/{name}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Cluster tenant deleted.

Content-Type

application/json

{

  

"name": "string",

  

"status": "string"

}

DELETE

/cluster-tenants/{name}

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

Get the observed status of a cluster tenant

GET

/cluster-tenants/{name}/status

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

name*

Type

string

Required

Responses

Cluster tenant status.

Content-Type

application/json

{

  

"phase": "string",

  

"message": "string",

  

"boundNamespace": "string",

  

"provisioner": "string"

}

GET

/cluster-tenants/{name}/status

Playground

Authorization

bearerAuth

Variables

Key

Value

name*

Samples

---

MCP Servers

Operations

GET/mcp-serversPOST/mcp-serversGET/mcp-servers/{id}PUT/mcp-servers/{id}DELETE/mcp-servers/{id}GET/mcp-servers/{id}/credentialsPOST/mcp-servers/{id}/credentialsDELETE/mcp-servers/{id}/credentials/{credentialId}

---

List all MCP servers with grants and credentials

GET

/mcp-servers

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

MCP server list.

Content-Type

application/json

[

  

{

  

  

"id": "string",

  

  

"name": "string",

  

  

"endpoint": "string",

  

  

"transport": "string",

  

  

"grants": [

  

  

  

{

  

  

  

}

  

  

],

  

  

"credentials": [

  

  

  

{

  

  

  

  

"id": "string",

  

  

  

  

"displayName": "string",

  

  

  

  

"brokeringMode": "string",

  

  

  

  

"secretRef": "string"

  

  

  

}

  

  

]

  

}

]

GET

/mcp-servers

Playground

Authorization

bearerAuth

Samples

---

Create a new MCP server

POST

/mcp-servers

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

  

"name": "string",

  

"endpoint": "string",

  

"transport": "string",

  

"grants": [

  

  

{

  

  

}

  

],

  

"credentials": [

  

  

{

  

  

}

  

]

}

Responses

MCP server created.

Content-Type

application/json

{

  

"id": "string",

  

"name": "string",

  

"endpoint": "string",

  

"transport": "string",

  

"grants": [

  

  

{

  

  

}

  

],

  

"credentials": [

  

  

{

  

  

  

"id": "string",

  

  

  

"displayName": "string",

  

  

  

"brokeringMode": "string",

  

  

  

"secretRef": "string"

  

  

}

  

]

}

POST

/mcp-servers

Playground

Authorization

bearerAuth

Body

Samples

---

Get a single MCP server by identifier

GET

/mcp-servers/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

MCP server detail.

Content-Type

application/json

{

  

"id": "string",

  

"name": "string",

  

"endpoint": "string",

  

"transport": "string",

  

"grants": [

  

  

{

  

  

}

  

],

  

"credentials": [

  

  

{

  

  

  

"id": "string",

  

  

  

"displayName": "string",

  

  

  

"brokeringMode": "string",

  

  

  

"secretRef": "string"

  

  

}

  

]

}

GET

/mcp-servers/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

Update an MCP server and fully replace grants and credentials

PUT

/mcp-servers/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Request Body

application/json

{

}

Responses

MCP server updated.

Content-Type

application/json

{

  

"id": "string",

  

"name": "string",

  

"endpoint": "string",

  

"transport": "string",

  

"grants": [

  

  

{

  

  

}

  

],

  

"credentials": [

  

  

{

  

  

  

"id": "string",

  

  

  

"displayName": "string",

  

  

  

"brokeringMode": "string",

  

  

  

"secretRef": "string"

  

  

}

  

]

}

PUT

/mcp-servers/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Body

Samples

---

Delete an MCP server and its linked grant rows

DELETE

/mcp-servers/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

MCP server deleted.

Content-Type

application/json

{

  

"id": "string",

  

"status": "string"

}

DELETE

/mcp-servers/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

List the brokered credentials of an MCP server

GET

/mcp-servers/{id}/credentials

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

Credential list.

Content-Type

application/json

[

  

{

  

  

"id": "string",

  

  

"displayName": "string",

  

  

"brokeringMode": "string",

  

  

"secretRef": "string"

  

}

]

GET

/mcp-servers/{id}/credentials

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

Add a brokered credential to an MCP server (does not touch grants)

POST

/mcp-servers/{id}/credentials

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Request Body

application/json

{

  

"displayName": "string",

  

"brokeringMode": "string",

  

"secretRef": "string"

}

Responses

Credential added.

Content-Type

application/json

{

  

"id": "string",

  

"displayName": "string",

  

"brokeringMode": "string",

  

"secretRef": "string"

}

POST

/mcp-servers/{id}/credentials

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Body

Samples

---

Remove a single brokered credential from an MCP server

DELETE

/mcp-servers/{id}/credentials/{credentialId}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

credentialId*

Type

string

Required

Responses

Credential deleted.

Content-Type

application/json

{

  

"id": "string",

  

"status": "string"

}

DELETE

/mcp-servers/{id}/credentials/{credentialId}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

credentialId*

Samples

---

Groups

Operations

GET/groupsPOST/groupsGET/groups/{id}PUT/groups/{id}DELETE/groups/{id}

---

List all groups with member counts and awareness grants

GET

/groups

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Group list.

Content-Type

application/json

[

  

{

  

  

"id": "string",

  

  

"name": "string",

  

  

"description": "string",

  

  

"memberCount": 0,

  

  

"awarenessGrants": [

  

  

  

{

  

  

  

}

  

  

]

  

}

]

GET

/groups

Playground

Authorization

bearerAuth

Samples

---

Create a new group and optional awareness grants

POST

/groups

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

  

"name": "string",

  

"description": "string"

}

Responses

Group created.

Content-Type

application/json

{

  

"id": "string",

  

"name": "string",

  

"description": "string",

  

"memberCount": 0,

  

"awarenessGrants": [

  

  

{

  

  

}

  

]

}

POST

/groups

Playground

Authorization

bearerAuth

Body

Samples

---

Get a single group by identifier

GET

/groups/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

Group detail.

Content-Type

application/json

{

  

"id": "string",

  

"name": "string",

  

"description": "string",

  

"memberCount": 0,

  

"awarenessGrants": [

  

  

{

  

  

}

  

]

}

GET

/groups/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

Update a group and replace awareness grants

PUT

/groups/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Request Body

application/json

{

}

Responses

Group updated.

Content-Type

application/json

{

  

"id": "string",

  

"name": "string",

  

"description": "string",

  

"memberCount": 0,

  

"awarenessGrants": [

  

  

{

  

  

}

  

]

}

PUT

/groups/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Body

Samples

---

Delete a group and its awareness grants

DELETE

/groups/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

Group deleted.

Content-Type

application/json

{

  

"id": "string",

  

"status": "string"

}

DELETE

/groups/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

Skills

Operations

GET/skills/catalogPOST/skills/catalogPOST/skills/catalog/backfillGET/skills/catalog/{id}PUT/skills/catalog/{id}DELETE/skills/catalog/{id}

---

List all skill bundles with entitlements and promotion history

GET

/skills/catalog

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Skill bundle list.

Content-Type

application/json

[

  

{

  

  

"id": "string",

  

  

"name": "string",

  

  

"description": "string",

  

  

"version": "string",

  

  

"digest": "string",

  

  

"scope": "string",

  

  

"status": "string",

  

  

"tags": [

  

  

  

"string"

  

  

],

  

  

"sourceName": "string",

  

  

"publishedAt": "string",

  

  

"grants": [

  

  

  

{

  

  

  

}

  

  

],

  

  

"promotions": [

  

  

  

{

  

  

  

}

  

  

]

  

}

]

GET

/skills/catalog

Playground

Authorization

bearerAuth

Samples

---

Create a new skill bundle

POST

/skills/catalog

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

}

Responses

Skill bundle created.

Content-Type

application/json

{

  

"id": "string",

  

"status": "string"

}

POST

/skills/catalog

Playground

Authorization

bearerAuth

Body

Samples

---

Backfill all published bundles' content into the OCI store (P4D.2)

POST

/skills/catalog/backfill

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Backfill summary with per-bundle outcomes.

Content-Type

application/json

{

  

"total": 0,

  

"pushed": 0,

  

"skipped": 0,

  

"failed": 0,

  

"results": [

  

  

{

  

  

  

"id": "string",

  

  

  

"name": "string",

  

  

  

"digest": "string",

  

  

  

"outcome": "string",

  

  

  

"reason": "string"

  

  

}

  

]

}

POST

/skills/catalog/backfill

Playground

Authorization

bearerAuth

Samples

---

Get a single skill bundle by identifier

GET

/skills/catalog/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

Skill bundle detail.

Content-Type

application/json

{

  

"id": "string",

  

"name": "string",

  

"description": "string",

  

"version": "string",

  

"digest": "string",

  

"scope": "string",

  

"status": "string",

  

"tags": [

  

  

"string"

  

],

  

"sourceName": "string",

  

"publishedAt": "string",

  

"grants": [

  

  

{

  

  

}

  

],

  

"promotions": [

  

  

{

  

  

}

  

]

}

GET

/skills/catalog/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

Update a skill bundle and fully replace entitlements and promotions

PUT

/skills/catalog/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Request Body

application/json

{

}

Responses

Skill bundle updated.

Content-Type

application/json

{

  

"id": "string",

  

"status": "string"

}

PUT

/skills/catalog/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Body

Samples

---

Delete a skill bundle and its linked entitlement grants

DELETE

/skills/catalog/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

Skill bundle deleted.

Content-Type

application/json

{

  

"id": "string",

  

"status": "string"

}

DELETE

/skills/catalog/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

Third-party Sources

Operations

GET/third-party-sourcesPOST/third-party-sourcesGET/third-party-sources/{id}PUT/third-party-sources/{id}DELETE/third-party-sources/{id}

---

List all third-party sources

GET

/third-party-sources

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Third-party source list.

Content-Type

application/json

[

  

{

  

  

"id": "string",

  

  

"name": "string",

  

  

"type": "string",

  

  

"url": "string",

  

  

"syncStatus": "string",

  

  

"lastSyncedAt": "string"

  

}

]

GET

/third-party-sources

Playground

Authorization

bearerAuth

Samples

---

Register a new third-party source

POST

/third-party-sources

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

}

Responses

Source registered.

Content-Type

application/json

{

}

POST

/third-party-sources

Playground

Authorization

bearerAuth

Body

Samples

---

Get a single third-party source

GET

/third-party-sources/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

Source detail.

Content-Type

application/json

{

  

"id": "string",

  

"name": "string",

  

"type": "string",

  

"url": "string",

  

"syncStatus": "string",

  

"lastSyncedAt": "string"

}

GET

/third-party-sources/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

Update a third-party source

PUT

/third-party-sources/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Request Body

application/json

{

}

Responses

Source updated.

Content-Type

application/json

{

}

PUT

/third-party-sources/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Body

Samples

---

Delete a third-party source and its linked items

DELETE

/third-party-sources/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

Source deleted.

Content-Type

application/json

{

}

DELETE

/third-party-sources/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

Access Tokens

Operations

GET/access-tokensPOST/access-tokensDELETE/access-tokens/{id}

---

List all issued access tokens (hashes only, never plaintext)

GET

/access-tokens

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Token list.

Content-Type

application/json

[

  

{

  

  

"id": "string",

  

  

"name": "string",

  

  

"owner": "string",

  

  

"createdAt": "string",

  

  

"expiresAt": "string",

  

  

"lastUsedAt": "string"

  

}

]

GET

/access-tokens

Playground

Authorization

bearerAuth

Samples

---

Create a new access token. Returns plaintext token once — store it securely.

POST

/access-tokens

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

  

"name": "string",

  

"owner": "string",

  

"expiresAt": "string"

}

Responses

Token created. The plainTextToken field will not be returned again.

Content-Type

application/json

{

  

"id": "string",

  

"plainTextToken": "string"

}

POST

/access-tokens

Playground

Authorization

bearerAuth

Body

Samples

---

Revoke and delete an access token

DELETE

/access-tokens/{id}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

id*

Type

string

Required

Responses

Token deleted.

DELETE

/access-tokens/{id}

Playground

Authorization

bearerAuth

Variables

Key

Value

id*

Samples

---

Provider Keys

Operations

GET/providers/keysPUT/providers/keys/{provider}DELETE/providers/keys/{provider}

---

List configured provider API keys (configured status only, never the key value)

GET

/providers/keys

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Provider key status list.

Content-Type

application/json

[

  

{

  

  

"provider": "string",

  

  

"configured": true,

  

  

"updatedAt": "string"

  

}

]

GET

/providers/keys

Playground

Authorization

bearerAuth

Samples

---

Create or update a provider API key

PUT

/providers/keys/{provider}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

provider*

Type

string

Required

Request Body

application/json

{

  

"apiKey": "string"

}

Responses

Key updated.

Content-Type

application/json

{

  

"provider": "string",

  

"configured": true,

  

"updatedAt": "string"

}

PUT

/providers/keys/{provider}

Playground

Authorization

bearerAuth

Variables

Key

Value

provider*

Body

Samples

---

Delete a configured provider API key

DELETE

/providers/keys/{provider}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

provider*

Type

string

Required

Responses

Key deleted.

DELETE

/providers/keys/{provider}

Playground

Authorization

bearerAuth

Variables

Key

Value

provider*

Samples

---

AI Budget

Operations

GET/ai-budget/globalPUT/ai-budget/globalGET/ai-budget/accountsPUT/ai-budget/accounts/{userId}DELETE/ai-budget/accounts/{userId}GET/ai-budget/{tenantName}/spendGET/ai-budget/{tenantName}/litellm-keyPOST/ai-budget/{tenantName}/litellm-key/revoke

---

Get global monthly spend ceiling

GET

/ai-budget/global

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Global budget.

Content-Type

application/json

{

  

"monthlyLimitUsd": 0,

  

"currentSpendUsd": 0,

  

"budgetAlertState": "string"

}

GET

/ai-budget/global

Playground

Authorization

bearerAuth

Samples

---

Update the global monthly spend ceiling

PUT

/ai-budget/global

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Request Body

application/json

{

  

"monthlyLimitUsd": 0

}

Responses

Global budget updated.

Content-Type

application/json

{

  

"monthlyLimitUsd": 0,

  

"currentSpendUsd": 0,

  

"budgetAlertState": "string"

}

PUT

/ai-budget/global

Playground

Authorization

bearerAuth

Body

Samples

---

List all per-account monthly spend ceilings

GET

/ai-budget/accounts

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Account budgets.

Content-Type

application/json

[

  

{

  

  

"monthlyLimitUsd": 0,

  

  

"currentSpendUsd": 0,

  

  

"budgetAlertState": "string"

  

}

]

GET

/ai-budget/accounts

Playground

Authorization

bearerAuth

Samples

---

Create or update the budget ceiling for a specific account

PUT

/ai-budget/accounts/{userId}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

userId*

Type

string

Required

Request Body

application/json

{

  

"monthlyLimitUsd": 0

}

Responses

Account budget updated.

Content-Type

application/json

{

  

"monthlyLimitUsd": 0,

  

"currentSpendUsd": 0,

  

"budgetAlertState": "string"

}

PUT

/ai-budget/accounts/{userId}

Playground

Authorization

bearerAuth

Variables

Key

Value

userId*

Body

Samples

---

Remove the per-account budget ceiling

DELETE

/ai-budget/accounts/{userId}

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

userId*

Type

string

Required

Responses

Budget removed.

Content-Type

application/json

{

}

DELETE

/ai-budget/accounts/{userId}

Playground

Authorization

bearerAuth

Variables

Key

Value

userId*

Samples

---

Get current spend and budget state for a tenant

GET

/ai-budget/{tenantName}/spend

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

tenantName*

Type

string

Required

Responses

Spend data.

Content-Type

application/json

{

  

"monthlyLimitUsd": 0,

  

"currentSpendUsd": 0,

  

"budgetAlertState": "string"

}

GET

/ai-budget/{tenantName}/spend

Playground

Authorization

bearerAuth

Variables

Key

Value

tenantName*

Samples

---

Get LiteLLM virtual key metadata for a tenant (never the key value)

GET

/ai-budget/{tenantName}/litellm-key

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

tenantName*

Type

string

Required

Responses

LiteLLM key metadata.

Content-Type

application/json

{

}

GET

/ai-budget/{tenantName}/litellm-key

Playground

Authorization

bearerAuth

Variables

Key

Value

tenantName*

Samples

---

Revoke the LiteLLM virtual key for a tenant

POST

/ai-budget/{tenantName}/litellm-key/revoke

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Path Parameters

tenantName*

Type

string

Required

Responses

Key revoked.

Content-Type

application/json

{

}

POST

/ai-budget/{tenantName}/litellm-key/revoke

Playground

Authorization

bearerAuth

Variables

Key

Value

tenantName*

Samples

---

Audit

Operations

GET/audit

---

Query audit log entries with optional tenant filter and cursor pagination

GET

/audit

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Query Parameters

tenant

Filter to a specific tenant.

Type

string

limit

Maximum entries to return.

Type

integer

Default

100

Minimum

1

Maximum

1000

cursor

Opaque cursor from a previous response for keyset pagination.

Type

string

Responses

Paginated audit entries.

Content-Type

application/json

{

  

"data": [

  

  

{

  

  

  

"timestamp": "string",

  

  

  

"tenant": "string",

  

  

  

"action": "string",

  

  

  

"resource": "string",

  

  

  

"message": "string"

  

  

}

  

],

  

"pagination": {

  

  

"limit": 0,

  

  

"nextCursor": "string",

  

  

"hasMore": true

  

}

}

GET

/audit

Playground

Authorization

bearerAuth

Variables

Key

Value

tenant

limit

cursor

Samples

---

Token Usage

Operations

GET/token-usage

---

List token usage records

GET

/token-usage

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Parameters

Query Parameters

tenant

Type

string

limit

Type

integer

Default

100

Responses

Token usage records.

Content-Type

application/json

[

  

{

  

  

"tenant": "string",

  

  

"model": "string",

  

  

"inputTokens": 0,

  

  

"outputTokens": 0,

  

  

"totalCostUsd": 0,

  

  

"recordedAt": "string"

  

}

]

GET

/token-usage

Playground

Authorization

bearerAuth

Variables

Key

Value

tenant

limit

Samples

---

Metrics

Operations

GET/metrics/serverGET/metrics/projection-drift

---

Get latest server utilisation snapshot (CPU, memory, storage, active tenants)

GET

/metrics/server

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Server utilisation snapshot.

Content-Type

application/json

{

  

"cpuPercent": 0,

  

"memoryUsedBytes": 0,

  

"memoryTotalBytes": 0,

  

"storageUsedBytes": 0,

  

"storageTotalBytes": 0,

  

"activeTenants": 0,

  

"sampledAt": "string"

}

GET

/metrics/server

Playground

Authorization

bearerAuth

Samples

---

Get projection drift metrics with threshold evaluation and alert state

GET

/metrics/projection-drift

Authorizations

bearerAuth

Static bearer token. Pass as Authorization: Bearer .

Type

HTTP (bearer)

Responses

Projection drift metrics.

Content-Type

application/json

{

  

"tenant": {

  

},

  

"accessPolicy": {

  

},

  

"evaluatedAt": "string",

  

"alertFired": true

}

GET

/metrics/projection-drift

Playground

Authorization

bearerAuth

Samples

---

Auth

Operations

GET/auth/mePOST/auth/pod-tokenGET/auth/loginGET/auth/callbackPOST/auth/logoutPOST/auth/deviceGET/auth/device/activateGET/auth/device/token

---

Return current auth mode and authenticated user identity (if any)

GET

/auth/me

No authentication required. Returns 200 with the current session or an anonymous identity when no session is established.

Responses

Auth status.

Content-Type

application/json

{

  

"mode": "string",

  

"authenticated": true,

  

"user": {

  

  

"sub": "string",

  

  

"email": "string",

  

  

"name": "string"

  

}

}

GET

/auth/me

Playground

Samples

---

Exchange the current OIDC session for a short-lived token to the caller's OpenClaw pod

POST

/auth/pod-token

Single sign-on across the control plane and the tenant pod: requires an established OIDC session (cookie) and returns a short-lived, audience-bound token minted via the Kubernetes TokenRequest API for the caller's tenant. The token targets the OpenClaw pod's session audience (reachable at ingressHost) — it is NOT an obot-gateway token; Obot is called only from inside the pod. The tenant is resolved solely from the session's verified email, so a caller cannot obtain a token for another user's pod. Re-call before expiresAt; re-login only when the session itself expires. Returns 401 without a session, 403 when no tenant matches the session email, 409 when the pod has no ingress host yet or when the email maps to more than one tenant.

Responses

Short-lived pod access token.

Content-Type

application/json

{

  

"token": "string",

  

"expiresAt": "string",

  

"tenant": "string",

  

"ingressHost": "string",

  

"audience": "string"

}

POST

/auth/pod-token

Playground

Samples

---

Redirect the browser to the configured OIDC identity provider to start login

GET

/auth/login

Browser redirect — not intended for programmatic use. Returns 503 when OIDC is not configured.

Parameters

Query Parameters

returnTo

Path to redirect back to after a successful login.

Type

string

Responses

Redirect to identity provider.

GET

/auth/login

Playground

Variables

Key

Value

returnTo

Samples

---

OIDC authorization callback — validates the response and establishes a session

GET

/auth/callback

Called by the identity provider after a successful login. Redirects back to the SPA.

Parameters

Query Parameters

code

Type

string

state

Type

string

Responses

Redirect back into the application.

GET

/auth/callback

Playground

Variables

Key

Value

code

state

Samples

---

Destroy the current session

POST

/auth/logout

Invalidates the server-side session. Does not perform IdP-side logout (RP-initiated logout is out of scope for Phase 5).

Responses

Session destroyed.

POST

/auth/logout

Playground

Samples

---

Initiate a CLI device authorization grant

POST

/auth/device

Returns a device code and short user code. The CLI prints the verificationUri for the operator to open in a browser. No credentials required.

Responses

Device grant created.

Content-Type

application/json

{

  

"deviceCode": "string",

  

"userCode": "string",

  

"verificationUri": "string",

  

"expiresIn": 0,

  

"interval": 0

}

POST

/auth/device

Playground

Samples

---

Activate a device grant in the browser (requires OIDC session)

GET

/auth/device/activate

The operator opens this URL after a CLI login prompt. If no OIDC session is present the user is redirected to the identity provider first. On success an access token is created and the CLI poll endpoint unblocks.

Parameters

Query Parameters

userCode*

Short user code from the CLI prompt (e.g. ABCD-1234).

Type

string

Required

Responses

Grant activated. HTML confirmation page returned.

GET

/auth/device/activate

Playground

Variables

Key

Value

userCode*

Samples

---

Poll for the access token after browser activation

GET

/auth/device/token

Returns 202 while pending, 200 with token when authorized, 410 when the grant has expired. The token is delivered exactly once.

Parameters

Query Parameters

deviceCode*

Secret device code returned by POST /auth/device.

Type

string

Required

Responses

Grant authorized — token ready.

Content-Type

application/json

{

  

"status": "string",

  

"token": "string"

}

GET

/auth/device/token

Playground

Variables

Key

Value

deviceCode*

Samples

---

Meta

Operations

GET/openapi.json

---

Retrieve the OpenAPI 3.1 specification for this API

GET

/openapi.json

Responses

OpenAPI 3.1 document.

Content-Type

application/json

{

}

GET

/openapi.json

Playground

Samples

---

Powered by VitePress OpenAPI