Skip to content

Host Control REST API Guide

The Host Control REST API is the HTTP API exposed by the control backend.

Use it for operator tools, automation, monitoring, deployment checks, Web Console integration, package management, and configuration workflows. Do not use it from native subsystem hot paths. Subsystems should use the Subsystem SDK API.

This page explains how to use the REST API. For the table-oriented route catalog, see Host Control REST Routes.

Base Origin

The API is served from the control backend origin.

http://<host>:<control.api_port>

The stable product-facing prefix is this.

http://<host>:<control.api_port>/api/v1

The /api/v1 prefix is required for Host Control REST and WebSocket routes. Unprefixed API routes were retired before the 1.0 release and return HTTP 404 instead of falling through to the system frontend.

The same origin can also serve the bundled Web Console, a custom static product frontend, or no system frontend at all. Managed package frontend assets are separate from the system Console and are served under /api/v1/packages/<package-id>/ui/.

Security

When security is enabled, requests must pass two gates.

  • network admission through configured CIDR ranges
  • identity through a Web Console session cookie or API key

External clients should send one of.

Authorization: Bearer <api-key>
X-Librux-API-Key: <api-key>

Browser clients normally authenticate through /api/v1/auth/login and use the issued session cookie. See Web and API Security.

Authenticated identities carry one of three standard roles.

Role Intended use
viewer read-only status, specs, events, and monitoring
operator viewer access plus runtime operation such as Control WebSocket and app start/stop
admin operator access plus config, package installation/removal, security, and service apply actions

Health And Readiness

Method Path Purpose
GET /api/v1/health Lightweight process health and shared-memory manager connectivity
GET /api/v1/ready Runtime readiness with HTTP 200 when accepted and 503 when not ready

/api/v1/health and /api/v1/ready may be unauthenticated when security.health.unauthenticated=true. Network admission still applies.

Runtime Status

/api/v1/control/status is the main operator snapshot. It includes subsystem inventory, Event runtime state, timed exchange runtime state, federation state, time-sync state, resource state, managed package instances, and WebSocket bridge health.

managed_instances is keyed by active resource lease ID. Each value identifies the installed package and instance that owns that lease, plus its instance UI route when a frontend is available. Stopped instances are omitted. Runtime clients can therefore resolve managed actions from the same live snapshot as subsystem_status without polling the package catalog separately.

{
  "managed_instances": {
    "package-instance-lease-id": {
      "package_id": "vendor.package",
      "package_name": "Vendor Package",
      "instance_id": "robot.instance",
      "frontend": {
        "available": true,
        "url": "/api/v1/packages/vendor.package/ui/?instance=robot.instance&context=/api/v1/packages/vendor.package/instances/robot.instance/context"
      }
    }
  }
}

Use /api/v1/control/specs when building a spec dictionary browser, and /api/v1/control/bindings when inspecting or changing runtime binding overrides. Every product-facing API route is available under /api/v1, for example /api/v1/control/status and /api/v1/control/bindings.

For the full table, see Host Control REST Routes.

Subsystem Lifecycle

Request body example.

{
  "transition": "pause",
  "reason": "operator request",
  "session_id": "optional-current-session-id"
}

Valid transition names are start, pause, resume, stop, reset, fault, and degrade. The endpoint validates the current subsystem lifecycle state, session activity, and notify endpoint before accepting the request. Completion is observed through /api/v1/control/status or Runtime Graph after the next subsystem heartbeat.

Managed process action request body example.

{
  "action": "terminate",
  "session_id": "optional-current-session-id"
}

Valid process actions are terminate and kill. They require the subsystem to have a managed resource lease. terminate sends SIGTERM with a grace window and may escalate to SIGKILL; kill sends SIGKILL immediately.

For the full route table, see Host Control REST Routes.

Configuration

Prefer /api/v1/control/config/fields for ordinary UI or automation changes. Use raw override YAML only for advanced fields that do not yet have a structured form. Configuration writes require an admin identity when security is enabled.

/api/v1/control/runtime/apply is the safe apply path for managed runtime changes. OS policy changes, unmanaged subsystem processes, and low-level device policy may still require manual service restart or host reboot.

For the full route table, see Host Control REST Routes.

Security Management

API key secret values are returned once at creation time and are hidden afterwards. Security management requires an admin identity when security is enabled.

For the full route table, see Host Control REST Routes.

Managed Packages

Managed package endpoints operate on installable packages. A package declares one subsystem entrypoint, its role, frontend assets, environment, package parameters, and resource claims in package.yaml. Packages may contain role: gateway, role: component, role: compound, or role: app subsystems. role: app means an application subsystem. It is not the install unit name.

POST /api/v1/control/packages/install accepts the archive fields filename, content_base64, and replace. Installation registers one package record by package name. POST /api/v1/control/packages/{package_id}/start may include instance_id, params, and runtime_dir to create a concrete runtime instance from that installed package. If instance_id is omitted, the package id is used. Starting fails when the same instance id is already running. Starting with a different instance id creates another managed runtime instance, subject to resource-policy conflicts. stop and restart accept instance_id to target a specific instance. A stopped, terminated, or killed runtime instance is removed from the active package-instance registry. Reusing its instance id on a later start creates a new active instance with that id. Package installation/removal requires admin. Lifecycle operations require operator or admin when security is enabled.

For the full route table, see Host Control REST Routes.

Package Frontend Assets

The /ui/ paths are static frontend delivery paths. Instance-scoped context and proxy paths are for browser GUI communication. They are not native subsystem transport APIs and should be backed by frontend.context.api or frontend.context.ws in the installed package manifest. During launch, those context endpoints become managed loopback listener grants. The package backend opens the listener through the resource broker; the browser only calls the same-origin proxy path.

For product frontends, configure control.frontend.mode=custom and point control.frontend.root at the static SPA bundle. For headless/API-only hosts, use control.frontend.mode=disabled.

For the full route table, see Host Control REST Routes.

Stability Rule

Treat these REST routes as host-control and operator integration APIs. Internal UDP messages, shared-memory layout, relay sockets, and codec FFI names are not part of this REST API surface.