Skip to content

Platform APIs

This page enumerates the HTTP endpoints the platform Host's system-gateway-http runtime exposes. HTTP is not the substrate's authority — the bus is. Per P1.43, HTTP endpoints exist only at boundaries that cannot be bus-native. Inventory, state, and command surfaces (apps, devices, runtimes, mounts, packages, AI providers, agent state) live as bus actors with declared accepts ops; substrate consumers (the platform shell, Edge, the CLI, agents, federation peers) query the bus, not HTTP.

The closed list of HTTP boundaries below is normative. Anything else is either a documented read-only projection for non-bus-aware external clients (CI smoke checks, third-party monitors) or a bug.

The closed-list HTTP boundaries

1. Browser-bootstrap credential issuance

EndpointMethodPurpose
/api/identity/bootstrapGETReturns the browser bootstrap payload (root, addressRoot, routeKey, publicNamespace, spaceId, authorityRoot, authenticated, principal, transportPlan). The browser cannot use the bus before it has credentials; this endpoint is the boundary that gives it credentials.
/api/identity/nats-credsGETMints a NATS user JWT for the calling session. With ?purpose=probe, returns authorization-only (no token).

2. OAuth redirects and callbacks

EndpointMethodPurpose
/api/auth/login/googleGETStart Google OIDC; redirects to provider.
/api/auth/callback/googleGETGoogle OIDC callback. Sets mx_session cookie, redirects.
/api/auth/logoutPOSTRevoke session, clear cookie.

OAuth providers redirect to HTTP URLs by protocol; this is unavoidable. Anthropic / Codex / GitHub providers follow the same shape.

3. Static asset serving

/apps/<appName>/<assetPath>

The browser fetches HTML/JS/CSS bundles over HTTP. Per package-authoring conventions, every webapp's matrix.json declares its appName and routePrefix; the gateway routes /apps/<appName>/<assetPath> to the runtime that owns the asset endpoint actor (system.gateway.http resolves through system.runtimes and system.registry).

Public Space-scoped form:

/<spacePath>/<appName>/<assetPath>

The gateway resolves spacePath via auth.namespace.resolve and serves the same asset bundle scoped to that Space's authority root. See Spaces.

4. NATS WebSocket upgrade

/nats-ws

Same-origin WebSocket. Browser connects with a NATS user JWT from /api/identity/nats-creds. NATS NKey challenge-response over the WebSocket. Once upgraded the browser is on the bus; this endpoint exists only for the upgrade.

5. Health endpoint

EndpointMethodPurpose
/healthzGETLiveness probe. Returns { ok: true, ... }. For external HTTP-only monitors (load balancers, uptime services, Caddy probes). External monitors cannot speak NATS; this endpoint exists for them.

6. Webhooks from external providers

/webhooks/<provider>

Third-party services (Stripe, GitHub, OAuth providers) post over HTTP. Unavoidable.

7. Federation handshake (target state)

Status: target state — ships in v2. Cross-Space discovery and leafnode setup will need HTTP boundaries; spec'd separately under WORKSTREAMS/runtime-environment-multi-instance/.

8. Pairing (Device side)

EndpointMethodPurpose
/api/devices/enroll/startPOSTStart device enrollment. Backed by auth.device.start / auth.pair.start.
/api/devices/enroll/completePOSTComplete enrollment from a signed-in browser. Backed by auth.device.approve / auth.pair.approve.
/api/devices/redeemPOSTDevice redeems an approved enrollment. Backed by auth.device.exchange / auth.pair.exchange.
/auth/linkGETBrowser-side device link UI entry.

Pairing is conceptually an OAuth-shaped boundary: a Device that is not yet on the bus must obtain credentials through HTTP, and HiveCast must redirect through a browser to authenticate the user. The auth.device.* and auth.pair.* ops are the bus-side authority; these HTTP endpoints are the entry points before the Device has bus credentials. After pairing, the Device speaks NATS.

EndpointMethodPurpose
/_auth/host-link/heartbeatPOSTHeartbeat from a paired Device. Validates token, updates lastRefreshedAt. Bearer token.
/_auth/host-link/credentials/refreshPOSTIssue fresh device-scoped NATS JWT, revoke prior keys. Bearer token.

A Device's host.control posts these from the Device side to keep the platform's system.devices view fresh and rotate credentials. The Device may also speak directly to system.devices over its leafnode connection; the HTTP path remains for boundary cases (Device behind strict NAT with no NATS WebSocket reach).

What is NOT on the closed list (and where to find the bus authority)

These HTTP endpoints exist today as projections of bus authority. Substrate consumers (the platform shell, Edge, the CLI, agents) MUST use the bus. External non-bus-aware clients may continue to call the projection.

HTTP projectionBus authorityBus call
/api/appssystem.catalogmatrix invoke system.catalog list '{}'
/api/devicessystem.devicesmatrix invoke system.devices devices.list '{"includeOffline":true}'
/api/devices/:idsystem.devicesmatrix invoke system.devices devices.get '{"deviceId":"<slug>"}'
/api/devices/:id/revokesystem.authmatrix invoke system.auth auth.hostLink.revoke '{"hostLinkId":"<id>"}'
/api/identity/runtime-summary (the runtime-data half)system.runtimesmatrix invoke system.runtimes runtimes.list '{}'
/api/auth/mesystem.authmatrix invoke system.auth auth.session.validate '{}'

Migration is in flight per P1.43. Each of the above HTTP endpoints either retires entirely once internal consumers migrate, or remains marked in code as "projection, not authority — internal substrate consumers MUST use the bus."

App routing summary

Public app routes:

/<spacePath>/<appName>/<assetPath>          ← linked-Space route (Space-scoped)
/apps/<appName>/<assetPath>                 ← current-host route

The gateway resolves these to runtime asset endpoints via system.runtimes and system.registry. Per P1.22d, the dashboard exposes route-plan diagnostics for each route — fetched directly over the bus.

Caddyfile

The production deployment fronts the gateway with Caddy. See projects/deploy-cloud/Caddyfile.bare for the live routing config. Caddy terminates TLS and reverse-proxies the closed-list endpoints listed above.

See also

Source: projects/matrix-3/packages/system-gateway-http/src/host-platform-http-surface.ts for the route handlers. projects/matrix-3/packages/system-gateway-http/src/http-routing.ts for the routing layer. WORKSTREAMS/loose-ends/items/P1.43-http-api-reduction-bus-is-authority.md is the SSOT for the closed list of allowed HTTP boundaries.