Documentation
API reference
The gateway is the canonical HTTP surface for Cordum. Route registration incore/controlplane/gatewayis the source of truth; the generated OpenAPI output is still a useful subset, but not the full route inventory.
Authentication
- Protected REST routes expect
X-API-KeyorAuthorization: Bearer .... - Protected
/api/*routes also requireX-Tenant-ID. - Public routes include
GET /api/v1/auth/config,POST /api/v1/auth/login, andGET /health.
Idempotency
Job and workflow submission flows acceptIdempotency-Key,X-Idempotency-Key, or the equivalent query parameters. The common error body is{"error":"...","status":400}.
curl — submit a job
curl -sS -X POST https://localhost:8081/api/v1/jobs --cacert ./certs/ca/ca.crt -H "X-API-Key: $CORDUM_API_KEY" -H "X-Tenant-ID: default" -H "Content-Type: application/json" -d '{
"topic": "job.hello-pack.echo",
"input": {"message": "hello from the gateway"}
}'Route groups
Auth and users
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/auth/config | Public auth capability discovery. |
| POST | /api/v1/auth/login | Public login for user/password or API-key backed sessions. |
| GET | /api/v1/auth/session | Validate the active session or token. |
| POST | /api/v1/auth/logout | Invalidate the active session. |
| POST | /api/v1/auth/password | Change the current user password. |
| GET | /api/v1/auth/keys | List API keys. |
Jobs, workflows, and approvals
| Method | Path | Description |
|---|---|---|
| POST | /api/v1/jobs | Submit a job. |
| GET | /api/v1/jobs/{id} | Get job state, result pointers, safety, and output-safety metadata. |
| POST | /api/v1/jobs/{id}/cancel | Cancel a running job. |
| POST | /api/v1/jobs/{id}/remediate | Apply a remediation and resubmit. |
| POST | /api/v1/workflows | Create a workflow. |
| POST | /api/v1/workflows/{id}/runs | Start a workflow run. |
| GET | /api/v1/workflow-runs/{id}/timeline | Read the append-only run timeline. |
| POST | /api/v1/workflow-runs/{id}/rerun | Rerun a workflow from a prior point. |
| POST | /api/v1/approvals/{job_id}/approve | Resolve an approval-held job. |
| POST | /api/v1/approvals/{job_id}/repair | Repair a failed approval-held job and resubmit. |
Config and policy
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/config | Read a config document by scope and scope_id. |
| PUT | /api/v1/config | Write or update a config document. |
| GET | /api/v1/config/effective | Read merged config across scope hierarchy. |
| POST | /api/v1/policy/evaluate | Evaluate the active policy against a request. |
| POST | /api/v1/policy/simulate | Simulate policy behavior without applying changes. |
| POST | /api/v1/policy/explain | Return matched rules and reasoning. |
| GET | /api/v1/policy/bundles | List bundle documents used by Policy Studio. |
| POST | /api/v1/policy/publish | Capture and publish bundle snapshots. |
Pools, workers, packs, schemas, and status
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/workers | List workers and current health snapshots. |
| GET | /api/v1/pools | List worker pools and routing state. |
| PUT | /api/v1/pools/{name} | Create a pool. |
| PATCH | /api/v1/pools/{name} | Update pool configuration. |
| POST | /api/v1/pools/{name}/drain | Drain a pool. |
| GET | /api/v1/packs | List installed packs. |
| GET | /api/v1/marketplace/packs | Read merged pack catalogs with install state. |
| GET | /api/v1/schemas | List registered schemas. |
| GET | /api/v1/dlq | List DLQ entries. |
| GET | /api/v1/status | Gateway status plus NATS and Redis connectivity. |
Licensing
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/license | Read the active license tier and entitlements. |
| GET | /api/v1/license/usage | Read current usage against tier limits (workers, RPS). |
| POST | /api/v1/license/reload | Hot-reload the license from disk or token without restarting. |
Telemetry
| Method | Path | Description |
|---|---|---|
| GET | /api/v1/telemetry/status | Read the current telemetry mode and consent state. |
| GET | /api/v1/telemetry/inspect | Inspect what telemetry data would be collected. |
| GET | /api/v1/telemetry/export | Export collected telemetry data. |
| GET | /api/v1/telemetry/usage | Read aggregate usage metrics. |
| POST | /api/v1/telemetry/consent | Update the telemetry consent mode. |
MCP and realtime streaming
| Method | Path | Description |
|---|---|---|
| GET | /mcp/sse | Open an MCP SSE session. |
| POST | /mcp/message | Send JSON-RPC requests and notifications. |
| GET | /mcp/status | Inspect MCP runtime status. |
| GET | /api/v1/mcp/sse | Authenticated API-prefixed alias for the SSE route. |
WebSocket stream auth
const encoded = base64url(apiKey); const ws = new WebSocket( "wss://localhost:8081/api/v1/stream", ["cordum-api-key", encoded], );
Notes
- The dashboard derives its websocket URL from the API base URL and listens on
/api/v1/stream. - MCP HTTP mode uses
/mcp/sseand/mcp/messagewith the same auth context. - The generated Swagger UI in
/docs/api/openapiis helpful, but the gateway code currently exposes more routes than the generated subset.
Source of truth:docs/api-reference.md