GUI Backend API
Base URL:
http://<host>:<port>
Versioned API prefix:
/api/v1/
Public endpoints (no auth)
| Method | Path | Description |
|---|---|---|
| | | Liveness probe |
| | | Public server config ( |
Auth endpoints
| Method | Path | Description |
|---|---|---|
| | | Dev-mode token exchange (404 when dev mode disabled) |
| | | Returns authenticated user + role |
Fleet / node / telemetry endpoints
| Method | Path | Required permission |
|---|---|---|
Release endpoints
| Method | Path | Required permission |
|---|---|---|
Tooling endpoints (compute-and-return)
| Method | Path | Required permission |
|---|---|---|
These endpoints are designed as compute-and-return operations, not persistence operations.
Error and versioning behavior
Requests to legacy /api/* paths (outside /api/v1/*) return 410 Gone for authenticated callers.
Unauthenticated requests to protected API paths return 401.
Permission mismatch returns 403.
Mutating methods on read-only API surfaces are rejected with 405.
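The status codes listed above can be pinned down as a table of requests and expected responses. The following is an added example, not the project's gateway code: `contractGateway`, the tokens `tok-auditor` and `tok-limited`, and the permission name `fleet.read` are hypothetical. The order of the checks and the treatment of every `/api/v1/` path as read-only are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)
// Constructed tokens and permission names; none come from the project.
var tokenPerms = map[string]string{"tok-auditor": "fleet.read", "tok-limited": ""}

// contractGateway is a hypothetical stand-in that models only the documented
// status codes. The order of the checks is an assumption.
func contractGateway() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, hdr := r.URL.Path, r.Header.Get("Authorization")
		perm, known := tokenPerms[strings.TrimPrefix(hdr, "Bearer ")]
		switch {
		case p == "/healthz" || p == "/api/v1/config":
			w.WriteHeader(http.StatusOK) // public, no auth
		case !strings.HasPrefix(p, "/api/"):
			w.WriteHeader(http.StatusNotFound) // outside the API surface
		case !known || !strings.HasPrefix(hdr, "Bearer "):
			w.WriteHeader(http.StatusUnauthorized) // checked before the legacy rule
		case !strings.HasPrefix(p, "/api/v1/"):
			w.WriteHeader(http.StatusGone) // legacy /api/* path, authenticated caller
		case r.Method != http.MethodGet && r.Method != http.MethodHead:
			w.WriteHeader(http.StatusMethodNotAllowed) // read-only surface
		case perm != "fleet.read":
			w.WriteHeader(http.StatusForbidden) // permission mismatch
		default:
			w.WriteHeader(http.StatusOK)
		}
	})
}

// status sends one in-memory request and returns the response code.
func status(h http.Handler, method, path, token string) int {
	req := httptest.NewRequest(method, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(status(contractGateway(), "GET", "/api/fleet", "tok-auditor")) // 410
}
```

The same `status` helper works against any `http.Handler`, so the request table can be reused to check a real gateway instance for regressions in this contract.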
Example requests
```bash
# Public endpoints (no auth)
curl -sS http://127.0.0.1:8090/healthz
curl -sS http://127.0.0.1:8090/api/v1/config
# Dev-mode token exchange (404 when dev mode is disabled)
TOKEN="$(curl -sS -X POST http://127.0.0.1:8090/api/v1/auth/token \
  -H 'Content-Type: application/json' -d '{"role":"auditor"}' \
  | python3 -c 'import json,sys;print(json.load(sys.stdin)["token"])')"
# Authenticated request to the versioned API
curl -sS http://127.0.0.1:8090/api/v1/fleet -H "Authorization: Bearer $TOKEN"
# Legacy path outside /api/v1/: returns 410 Gone for authenticated callers
curl -i http://127.0.0.1:8090/api/fleet -H "Authorization: Bearer $TOKEN"
```
Not implemented / no evidence
WebSocket API endpoints: not implemented in GUI backend route registration.
/metrics endpoint on GUI server: not implemented; explicitly blocked.
Evidence
gui/internal/api/gateway.go (NewGateway)
gui/internal/api/enforce.go (EnforceReadOnly, BlockAdminPaths, security middleware)
gui/internal/auth/middleware.go
gui/internal/auth/rbac.go
gui/internal/api/versioning_test.go
gui/internal/api/tooling_test.go
gui/internal/api/config_test.go
docs/_generated/test-outputs/gui-startup.txt