API Reference

infrastrActure exposes a REST API on port 7500 and a built-in MCP endpoint on /mcp.

  • Interactive OpenAPI UI: /api-docs
  • Raw OpenAPI JSON: /openapi.json

Surface Map

Authentication Rules

SurfaceAuthNotes
/healthnoneLiveness only
/api/auth/callbacknoneOAuth return path
most /api/* routesAPI keyAuthorization: Bearer <key> or X-API-Key
/mcpAPI keykey tier controls what tools are exposed
/api/infra/ssh/*admin API key onlyalso requires X-User-Id

Common Headers

Authorization: Bearer <api-key>
Content-Type: application/json
X-User-Id: <user-id>
X-Request-Id: <optional-request-id>

Core Endpoints

Health

MethodPathPurpose
GET/healthsimple liveness check
GET/statusservice, Docker, DB, storage status

API Keys and OAuth

MethodPathPurpose
POST/api/auth/keys/generatemint API key
GET/api/auth/keyslist keys
DELETE/api/auth/keys/:idrevoke key
GET/api/auth/callbackcomplete shared-tool OAuth flow

Marketplace and Registry

MethodPathPurpose
GET/api/marketplace/toolssearch catalog
GET/api/marketplace/tools/:idget tool details
POST/api/marketplace/tools/:id/installinitiate install flow
GET/api/registrylist registry-backed tool definitions
GET/api/registry/:idget one registry tool
POST/api/marketplace/refreshrefresh catalog

Installations and Containers

MethodPathPurpose
GET/api/installationslist tenant/user installations
GET/api/installations/:idinspect installation
PATCH/api/installations/:idmutate installation config
DELETE/api/installations/:idremove installation
GET/api/installations/:id/toolslist tools exposed by one installation
POST/api/installations/:id/tools/callcall a tool
POST/api/installations/:id/filesupload file payloads
GET/api/containerslist managed containers
POST/api/containers/:id/:actionstart / stop / restart / remove

Shared Tools

MethodPathPurpose
POST/api/shared-tools/:toolId/oauth/statecreate per-user OAuth state
GET/api/shared-tools/:toolId/oauth/statusget per-user auth status
GET/api/shared-tools/:toolId/oauth/user-emailread linked email

Sandboxes and Runtime Proxy

MethodPathPurpose
GET/api/sandboxeslist sandboxes
POST/api/sandboxescreate sandbox
GET/api/sandboxes/:idinspect sandbox
PATCH/api/sandboxes/:idupdate sandbox
DELETE/api/sandboxes/:iddestroy sandbox
POST/api/sandboxes/:id/:actionlifecycle action
GET/api/runtime/config/:sandboxIdsandbox runtime config
GET/api/runtime/proxy-auth/:sandboxIdruntime proxy auth payload
ALL/api/runtime/proxy/:sandboxId/*proxy to sandbox runtime

Infra SSH

See Infra SSH for the dedicated operational model and security notes.

MethodPathPurpose
GET/api/infra/ssh/hostslist audited host inventory
GET/api/infra/ssh/actionslist named actions
GET/api/infra/ssh/admin-sessioninspect approval lease
POST/api/infra/ssh/admin-sessionbegin approval lease
DELETE/api/infra/ssh/admin-sessionrevoke approval lease

Integration Endpoints

The canonical surface is /api/integrations/client. A small number of named-instance aliases exist for convenience and historical reasons.

MethodPathPurpose
GET/api/integrations/clientcanonical MCP config for clients
POST/api/integrations/client/syncsync notification
GET/api/integrations/tessaractnamed alias for the TessarAct instance
POST/api/integrations/tessaract/syncsync trigger for the TessarAct instance

New clients should use /api/integrations/client with the appropriate instanceId query parameter rather than registering a new named alias.

Built-in MCP Tools

The built-in MCP server currently exposes 27 tools in these families:

FamilyCountExamples
containers3list_containers, container_action
marketplace2search_marketplace, get_tool_details
installations3list_installations, install_tool
shared tools1list_shared_tools
sandboxes4create_sandbox, sandbox_action
service1service_status
infra SSH13infra_ssh_list_hosts, infra_ssh_open_forward

Error Shape

Most REST failures return:

{
  "success": false,
  "error": "Human-readable message"
}

Infra SSH errors also distinguish:

  • validation failure
  • approval required
  • denied
  • failed remote execution

That distinction is preserved in audit records.