HTTP API reference

Every endpoint, grouped. Use with an API key.

This is a high-level index. Each endpoint accepts standard JSON unless noted. Auth is Authorization: Bearer kf_… for API-key access or session cookie for browser access.

Auth

MethodPathPurpose
POST/auth/loginLogin with email + password.
POST/auth/registerCreate account.
GET/auth/verify?token=…Verify email.
POST/auth/forgotRequest password reset.
POST/auth/resetSubmit new password.
POST/auth/logoutLog out current session.
POST/api/auth/mfa-setupInitiate TOTP setup.
POST/api/auth/mfa-verifyConfirm TOTP.

Account

MethodPathPurpose
GET/api/account/sessionsList active sessions.
POST/api/account/sessions/<sid>/revokeRevoke a session.
POST/api/account/change-passwordChange password.
POST/api/account/update-profileUpdate name/email/avatar.
POST/api/account/request-deleteInitiate 30-day deletion.
POST/api/account/cancel-deleteCancel pending deletion.
GET/api/account/export-dataGenerate full data export.
GET/api/account/audit-listRead audit log.
GET/api/account/api-keysList API keys.
POST/api/account/api-keysCreate API key.
DELETE/api/account/api-keys/<id>Revoke API key.

Project

MethodPathPurpose
POST/api/project/loadOpen a project.
POST/api/project/rescanRescan repo + symbols + findings.
GET/api/project/treeFile tree (lazy-load on expand).
GET/api/project/file?path=…Read file contents.
GET/api/project/symbols?q=…Symbol lookup.
GET/api/project/search?q=…Full-text search.
GET/api/project/recentRecently opened projects.

Agent

MethodPathPurpose
POST/api/agent/runRun an agent task (SSE).
GET/api/agent/follow?cursor=NReattach to an in-flight run.
POST/api/agent/cancel/<run_id>Cancel a run.
POST/api/agent/rollbackRoll back a snapshot.
GET/api/agent/historyRun history for the workspace.
GET/api/agent/prefsRead user prefs.
POST/api/agent/prefsUpdate user prefs.

Budget

MethodPathPurpose
POST/api/budget/estimatePre-run cost estimate.
GET/api/budget/ledger?ws_id=…Per-day cost history.

Receipts

MethodPathPurpose
GET/api/receipts/chain-head?ws_id=…Latest receipt hash.
POST/api/receipts/<run_id>/verifyVerify chain integrity.
POST/api/receipts/<run_id>/regroundRe-check findings against current state.

Shell

MethodPathPurpose
POST/api/shell/runStream a shell command.
POST/api/shell/testRun the project's tests.
POST/api/shell/suggestLLM command suggestion.
GET/api/shell/jobsList in-flight jobs.
POST/api/shell/cancel/<job_id>Cancel a job.
GET/api/shell/recentRecent commands.
GET/api/shell/ssh-hostsSSH hosts from ~/.ssh/config.
POST/api/shell/ssh-runRun a remote command.
POST/api/shell/ssh-pullPull a remote file.

PTY

MethodPathPurpose
POST/api/pty/spawnSpawn a PTY.
_ws_/api/pty/<id>/streamTTY stream (WebSocket).

MCP / Browser

MethodPathPurpose
GET/api/mcpTool registry.
POST/api/mcpInvoke a tool.
GET/api/mcp/tokensList MCP tokens.
POST/api/mcp/tokensSet MCP token.
POST/api/browser/runBrowser smoke/flow/marketing.
GET/api/browser/allowlistRead allowlist.
PUT/api/browser/allowlistUpdate allowlist.

Secrets

MethodPathPurpose
GET/api/secretsList secret names.
GET/api/secrets/<name>Reveal a secret.
POST/api/secrets/<name>Set a secret.
DELETE/api/secrets/<name>Delete a secret.
POST/api/secrets/rotate-masterRotate master key.

Notebook

MethodPathPurpose
POST/api/notebook/run/<nb_id>/<cell_id>Execute a notebook cell.

Collab (alpha)

MethodPathPurpose
GET/api/collab/activity?ws_id=…Activity feed.
GET/api/collab/notificationsUnread notifications.
POST/api/collab/notifications/<nid>/readMark read.
POST/api/collab/inviteInvite a member.
POST/api/collab/request-reviewRequest review.
POST/api/collab/share-linkCreate share link.

Conventions

  • All endpoints return JSON unless they're SSE streams.
  • Errors are { "error": { "code": "…", "message": "…" } } with HTTP 4xx/5xx.
  • Timestamps are ISO 8601 UTC.
  • IDs are opaque strings — don't parse them.
  • Pagination via ?cursor=…&limit=… where applicable.

Total route count

The full app.py registers 436 routes as of this build. scripts/ci.sh job app-import reports the live count.