Gateway

Route Reference

Complete endpoint reference for the Open Astra gateway. Every HTTP endpoint is listed below, organized by route group, with its method, path, and description.

17 route groups, 80+ endpoints. Public routes require no auth. Most routes require a JWT Bearer token. Admin, autonomous, and diagnostics routes use an internal API key via the X-Api-Key header.

Auth conventions

LabelMeaning
PublicNo authentication required
JWTAuthorization: Bearer <token> — validated by jwtAuth() middleware
JWT + workspaceJWT plus X-Workspace-Id header — membership validated by workspaceResolver()
JWT + budgetJWT plus per-user token budget enforcement via tokenBudget()
Internal API keyX-Api-Key: <INTERNAL_API_KEY> — for admin, autonomous, and diagnostics

1. Auth

Public endpoints for user registration, login, token rotation, and logout. No authentication required.

MethodPathDescription
POST/auth/registerCreate user (email + password). Returns { user, accessToken, refreshToken }
POST/auth/loginAuthenticate. Returns { user, accessToken, refreshToken }
POST/auth/refreshRotate refresh token. Returns { accessToken, refreshToken }
POST/auth/logoutRevoke all tokens for the calling user
bash
curl -X POST http://localhost:8080/auth/register \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "s3cret!"}'

# Response
{
  "user": { "id": "usr_abc", "email": "user@example.com" },
  "accessToken": "eyJhbG...",
  "refreshToken": "eyJhbG..."
}

2. Agent Chat

Core conversation endpoints. Middleware chain: JWT + tokenBudget + workspace + rateLimiter + userRateLimit + timeout.

MethodPathDescription
POST/agent/chatSend message. Supports X-Idempotency-Key (5-min TTL). Returns { content, sessionId, toolsUsed, usage }
POST/agent/chat/streamSSE streaming. Emits session_resolved, content, tool_call, tool_call_complete, tool_result, done, error events
POST/agent/resetManually reset session for agent + surface + surfaceId
GET/agent/presenceActive agent states for the calling user
GET/agent/healthSimple { status: "ok" } check

Request body

Both /agent/chat and /agent/chat/stream accept the same body shape.

json
{
  "message": "Summarize my calendar for today",   // 1-10 000 chars, required
  "agentId": "chad",                               // default "chad"
  "surface": "chat",                               // "chat" | "prop" | "group"
  "surfaceId": "main",                             // default "main"
  "webhookUrl": "https://example.com/hook"          // optional, non-streaming only
}
FieldTypeRequiredNotes
messagestringYes1 -- 10 000 characters
agentIdstringNoDefault "chad"
surfacestringNo"chat" | "prop" | "group"
surfaceIdstringNoDefault "main"
webhookUrlstringNoNon-streaming only. Receives the final response as a POST

Response (non-streaming)

json
{
  "content": "You have 3 meetings today...",
  "sessionId": "ses_abc123",
  "toolsUsed": ["google_calendar"],
  "usage": {
    "promptTokens": 1240,
    "completionTokens": 310,
    "totalTokens": 1550
  }
}

SSE events (streaming)

text
event: session_resolved
data: { "sessionId": "ses_abc", "isNew": true }

event: content
data: { "content": "Here's what I found..." }

event: tool_call
data: { "index": 0, "name": "web_search", "toolCallId": "tc_1" }

event: tool_call_complete
data: { "index": 0, "name": "web_search", "arguments": "{...}" }

event: tool_result
data: { "name": "web_search", "durationMs": 320 }

event: done
data: { "content": "...", "sessionId": "ses_abc", "usage": {...}, "toolsUsed": [...] }

event: error
data: { "message": "Rate limit exceeded", "code": "RATE_LIMIT" }
Idempotency. POST /agent/chat accepts an X-Idempotency-Key header. Responses are cached in-process for 5 minutes -- duplicate requests return the cached response without running the agent again.

3. Memory

User long-term memory management. Middleware chain: JWT + tokenBudget + workspace + rateLimiter.

MethodPathDescription
GET/agent/memory/profileLoad user long-term profile
PUT/agent/memory/profileUpdate profile
GET/agent/memory/dailyRecent daily memory entries
GET/agent/memory/daily/:dateDaily memory for a specific date
DELETE/agent/memory/daily/:date/:entryIndexDelete a single daily entry
POST/agent/memory/notesAdd a strategic note
DELETE/agent/memory/notes/:indexDelete a strategic note
GET/agent/memory/searchSemantic memory search (Typesense). Query params: q, topK
Memory tiers. The /agent/memory/* routes interact with the three-tier memory system. See Memory Overview for details on profile, daily, and strategic note storage.

4. Agents

CRUD for agent configurations with versioning and rollback. Middleware: JWT + workspaceResolver. List and detail endpoints return ETag headers (30s cache).

MethodPathDescription
POST/agentsCreate agent config
GET/agentsList agents for workspace (ETag cached, 30s)
GET/agents/:idGet agent config (ETag cached)
GET/agents/:id/capabilitiesEffective tool list after skill expansion
PUT/agents/:idUpdate agent config (auto-versions)
DELETE/agents/:idDelete agent
GET/agents/:id/versionsList config versions
GET/agents/:id/versions/:versionGet historical version
POST/agents/:id/versions/:version/rollbackRestore historical version
PATCH/agents/:id/versions/:versionUpdate version label
Auto-versioning. Every PUT /agents/:id saves a snapshot of the previous config. Use the versioning endpoints to list, inspect, or roll back to any prior state.

5. Workspaces

Workspace management, member invitations, usage stats, cross-workspace grants, and provider restrictions. Middleware: JWT only.

MethodPathDescription
POST/workspacesCreate workspace
GET/workspacesList user's workspaces
GET/workspaces/:idGet workspace + yourRole
PUT/workspaces/:id/settingsUpdate settings (owner/admin)
POST/workspaces/:id/membersInvite member (owner/admin)
DELETE/workspaces/:id/members/:uidRemove member
GET/workspaces/:id/statsUsage dashboard. Query param: ?days=30 (default 30, max 365)
POST/workspaces/:id/grantsGrant cross-workspace agent access
DELETE/workspaces/:id/grantsRevoke grant
PUT/workspaces/:id/restrictionsSet allowed providers/models
Cross-workspace grants. Use POST /workspaces/:id/grants to let another workspace use one of your agents. See Agent Grants for the full grant lifecycle.

6. Sessions

Session listing, detail retrieval, full-text search, and agent handoff. Middleware: JWT only.

MethodPathDescription
GET/sessionsPaginated session list. Query params: status, limit, offset
GET/sessions/:idSession detail + messages. Query param: limit
GET/sessions/search/messagesFull-text search across messages. Query params: q, limit
POST/sessions/:id/handoffTransfer session to a different agent

7. Webhooks

Register webhook URLs to receive events. Middleware: JWT only.

MethodPathDescription
POST/webhooksRegister webhook (url, events, description)
GET/webhooksList webhooks (secret omitted)
GET/webhooks/:idGet webhook
PUT/webhooks/:idUpdate webhook
DELETE/webhooks/:idDelete webhook
GET/webhooks/:id/deliveriesRecent delivery history
POST/webhooks/:id/testSend test event

8. Costs

Workspace cost tracking and breakdowns. Middleware: JWT + workspace.

MethodPathDescription
GET/costsWorkspace cost summary. Query param: ?months=3
GET/costs/breakdownDetailed breakdown. Query params: months, startDate, endDate

9. Heartbeat

Scheduled monitoring configs for RSS feeds and HTTP endpoints. Middleware: JWT + workspace.

MethodPathDescription
GET/heartbeatList configs with last run status
POST/heartbeatCreate config (rss | http, 5 min -- 1 week interval)
GET/heartbeat/:id/runsPaginated run history. Query params: limit, offset
PATCH/heartbeat/:idEnable/disable
DELETE/heartbeat/:idDelete config

10. Skills

Skill registry and cache management. List and detail endpoints are public. Cache management requires JWT.

MethodPathAuthDescription
GET/skillsNoneAll registered skills (ETag cached, 60s)
GET/skills/:idNoneSkill detail + instructions
GET/skills/:id/metricsNonePerformance metrics (30 days)
GET/skills/cache/statsJWTTool result cache stats
POST/skills/cache/clearJWTClear tool cache. Query param: ?tool=

11. Traces

Agent execution traces for debugging and observability. Middleware: JWT + workspace.

MethodPathDescription
GET/tracesPaginated agent traces. Query params: agentId, limit, offset
GET/traces/:idFull trace detail

12. Jobs

Background job queue. Middleware: JWT + workspace.

MethodPathDescription
POST/jobsEnqueue job (type, payload, maxRetries, timeoutSeconds)
GET/jobsList jobs. Query params: status, limit
GET/jobs/:idGet job
DELETE/jobs/:idCancel pending job

13. Memory Profiles

Reusable memory profile templates that can be assigned to agents. Middleware: JWT + workspace.

MethodPathDescription
POST/memory-profilesCreate profile
GET/memory-profilesList profiles
GET/memory-profiles/:idGet profile
PUT/memory-profiles/:idUpdate profile
DELETE/memory-profiles/:idDelete profile
PUT/memory-profiles/agents/:agentId/memory-profileAssign profile to agent
GET/memory-profiles/agents/:agentId/memory-profileGet agent's assigned profile

14. Onboarding

First-run setup endpoint. Middleware: JWT only.

MethodPathDescription
POST/onboarding/setupCreate initial workspace + seed agents in one call

15. Autonomous

Run agent tasks programmatically from backend services. Auth: internal API key via X-Api-Key. Rate limited to 60 requests per minute.

MethodPathDescription
POST/autonomous/runRun agent for a specific uid. Body: { uid, agentId, taskMessage }
POST/autonomous/batchRun for multiple uids. Returns 207 on partial failure
bash
curl -X POST http://localhost:8080/autonomous/run \
  -H "X-Api-Key: ${INTERNAL_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "uid": "usr_abc",
    "agentId": "chad",
    "taskMessage": "Summarize overnight alerts"
  }'
Internal use only. Autonomous endpoints are intended for server-to-server calls (cron jobs, background workers, CI/CD). Never expose your INTERNAL_API_KEY to client-side code.

16. Admin

Operational visibility into the running gateway. Auth: internal API key via X-Api-Key.

MethodPathDescription
GET/admin/healthMemory usage, uptime, active sessions, tool count
GET/admin/agentsAll registered agent configs
GET/admin/usage/:uidMonthly billing usage for a user
GET/admin/sessions/:uidActive sessions for a user
GET/admin/audit/:uidLast 50 audit entries for a user

17. Diagnostics

System diagnostics and circuit breaker inspection. Auth: internal API key via X-Api-Key.

MethodPathDescription
GET/diagnosticsFull diagnostic run
GET/diagnostics/quickConnectivity checks only
GET/diagnostics/historyLast 10 diagnostic runs
GET/diagnostics/circuit-breakersInference provider circuit breaker states

Health & Metrics

Public system endpoints. No authentication required.

MethodPathDescription
GET/healthDeep health check (Typesense + Postgres + WS count). Returns 503 if any check fails
GET/readinessKubernetes readiness probe. Returns 503 if unavailable
GET/metricsOperational metrics (uptime, connections, tools, skills, sessions, messages, billing, cache)
GET/openapi.jsonFull OpenAPI 3.1 spec
json
// GET /health
{
  "status": "ok",
  "checks": { "typesense": true, "postgres": true },
  "wsConnections": 42,
  "timestamp": "2026-02-27T12:00:00.000Z"
}

// GET /readiness — 200 or 503
{ "ready": true }

// GET /metrics
{
  "uptime": 86400,
  "wsConnections": 42,
  "tools": 106,
  "skills": 48,
  "sessions": { "active": 15, "total": 1240 },
  "messages": 28400,
  "billing": { "month": "2026-02", "totalCost": 12.40 },
  "cache": { "hits": 9820, "misses": 1430 }
}

See also