98e40dac97
CLI Smoke Test / smoke-test-linux (20) (push) Waiting to run
CLI Smoke Test / smoke-test-linux (24) (push) Waiting to run
CLI Smoke Test / smoke-test-windows (20) (push) Waiting to run
CLI Smoke Test / smoke-test-windows (24) (push) Waiting to run
Expo App TypeScript typecheck / typecheck (push) Waiting to run
3.4 KiB
3.4 KiB
API
This document covers the HTTP API surface and authentication flows. For WebSocket updates and event payloads, see protocol.md. For encryption boundaries and encoding details, see encryption.md.
Method conventions
- GET is used for reads.
- POST is used for mutations or actions, even when the operation doesn't map cleanly to a single entity.
- DELETE is used when intent is unambiguous (e.g., removing a token or deleting a session/artifact).
We intentionally avoid the full REST verb palette because many operations span multiple entities or have non-CRUD semantics.
Authentication
Most endpoints require Authorization: Bearer <token>.
Auth flows:
-
POST /v1/auth- Body:
{ publicKey, challenge, signature }(base64 strings) - Verifies signature using the provided public key.
- Upserts account by public key and returns
{ success, token }.
- Body:
-
POST /v1/auth/request- Body:
{ publicKey, supportsV2? } - Creates or returns a terminal auth request.
- Response:
{ state: "requested" }or{ state: "authorized", token, response }.
- Body:
-
GET /v1/auth/request/status?publicKey=...- Response:
{ status: "not_found" | "pending" | "authorized", supportsV2 }.
- Response:
-
POST /v1/auth/response- Body:
{ response, publicKey }(requires Bearer auth) - Approves a terminal auth request.
- Body:
-
POST /v1/auth/account/request- Body:
{ publicKey } - Similar to terminal auth, but for account linking.
- Body:
-
POST /v1/auth/account/response- Body:
{ response, publicKey }(requires Bearer auth)
- Body:
Endpoint catalog
Sessions
GET /v1/sessionsGET /v2/sessions/active?limit=...GET /v2/sessions?cursor=cursor_v1_<id>&limit=...&changedSince=...POST /v1/sessions(create or load bytag)GET /v1/sessions/:sessionId/messagesDELETE /v1/sessions/:sessionId
Machines
POST /v1/machines(create or load by id)GET /v1/machinesGET /v1/machines/:id
Artifacts
GET /v1/artifactsGET /v1/artifacts/:idPOST /v1/artifactsPOST /v1/artifacts/:id(versioned update)DELETE /v1/artifacts/:id
Access keys
GET /v1/access-keys/:sessionId/:machineIdPOST /v1/access-keys/:sessionId/:machineIdPUT /v1/access-keys/:sessionId/:machineId
Key-value store
GET /v1/kv/:keyGET /v1/kv?prefix=...&limit=...POST /v1/kv/bulkPOST /v1/kv(batch mutate)
Account and usage
GET /v1/account/profileGET /v1/account/settingsPOST /v1/account/settingsPOST /v1/usage/query
Push tokens
POST /v1/push-tokensDELETE /v1/push-tokens/:tokenGET /v1/push-tokens
Connect (GitHub + vendor tokens)
GET /v1/connect/github/paramsGET /v1/connect/github/callbackPOST /v1/connect/github/webhookDELETE /v1/connect/githubPOST /v1/connect/:vendor/register(vendorinopenai | anthropic | gemini)GET /v1/connect/:vendor/tokenDELETE /v1/connect/:vendorGET /v1/connect/tokens
Users, friends, feed
GET /v1/user/:idGET /v1/user/search?query=...POST /v1/friends/addPOST /v1/friends/removeGET /v1/friendsGET /v1/feed
Version and voice
POST /v1/versionPOST /v1/voice/token
Dev-only
POST /logs-combined-from-cli-and-mobile-for-simple-ai-debugging(only if enabled)
Implementation references
- API routes:
packages/happy-server/sources/app/api/routes - Auth module:
packages/happy-server/sources/app/auth/auth.ts