Skip to content

Latest commit

 

History

History
2652 lines (2061 loc) · 54.6 KB

File metadata and controls

2652 lines (2061 loc) · 54.6 KB
title Admin API Reference
sidebar_position 1

The admin API runs on a separate port (default 8081) and exposes health checks, feature status, metrics, and configuration management endpoints.

admin:
  enabled: true
  port: 8081
  metrics:
    enabled: true
    path: "/metrics"
  readiness:
    min_healthy_backends: 1
    require_redis: false

Health & Readiness

GET /health (alias: /healthz)

Returns gateway health status with dependency checks.

curl http://localhost:8081/health

Response (200 OK):

{
  "status": "ok",
  "timestamp": "2026-01-15T10:30:00Z",
  "uptime": "24h15m30s",
  "checks": {
    "backends": {
      "status": "ok",
      "total_routes": 5,
      "healthy_routes": 5
    },
    "redis": {
      "status": "ok"
    },
    "tracing": {
      "status": "ok"
    },
    "tls_certificates": {
      "status": "ok",
      "listeners": {
        "https": {
          "days_remaining": 65
        }
      }
    }
  }
}

Returns 503 with "status": "degraded" when any check fails (e.g., all backends unhealthy). The redis check is only included when Redis is configured, tracing only when tracing is enabled, and tls_certificates only when at least one listener has TLS enabled. The tls_certificates check reports "ok" when all certificates have more than 7 days until expiry and "degraded" when any certificate has 7 or fewer days remaining.

GET /ready (alias: /readyz)

Returns readiness status based on configured thresholds.

curl http://localhost:8081/ready

Response (200 OK):

{
  "status": "ready",
  "routes": 5,
  "healthy_routes": 5,
  "listeners": 2
}

Returns 503 with a reasons array when not ready:

{
  "status": "not_ready",
  "routes": 5,
  "healthy_routes": 0,
  "listeners": 2,
  "reasons": ["need 1 healthy routes, have 0"]
}

Readiness fails when healthy routes are below min_healthy_backends (default 1), or when require_redis: true and Redis is unreachable.

Feature Status Endpoints

All feature endpoints return JSON with per-route status and metrics.

Endpoint Description
GET /stats Overall gateway statistics (route/backend/listener counts)
GET /listeners Active listeners with protocol, address, HTTP/3 status, and acme boolean indicating ACME certificate management
GET /certificates Per-listener TLS certificate status (mode acme or manual, domains, expiry, issuer)
GET /routes All routes with matchers (path, methods, domains, headers, query). Echo routes include "echo": true.
GET /registry Configured registry type
GET /backends Backend health status with latency, last check time, and health check config
GET /circuit-breakers Circuit breaker state per route (closed/open/half-open). Includes mode field (local or distributed).
POST /circuit-breakers/{route}/open Force circuit breaker open (reject all requests)
POST /circuit-breakers/{route}/close Force circuit breaker closed (allow all requests)
POST /circuit-breakers/{route}/reset Reset to automatic state management
GET /cache Cache statistics (hits, misses, size, evictions). For distributed mode, size is Redis key count; hits/misses are local per-instance counters.
GET /retries Retry metrics per route (attempts, budget exhaustion, hedged requests)
GET /rules Rules engine status (global + per-route rules and metrics)
GET /protocol-translators Protocol translator statistics (http_to_grpc, http_to_thrift, grpc_to_rest)
GET /traffic-shaping Throttle, bandwidth, priority, fault injection, and adaptive concurrency stats
GET /adaptive-concurrency Adaptive concurrency limiter stats (limit, in-flight, EWMA, rejections)
GET /mirrors Mirror metrics (counts, latencies, comparisons)
GET /mirrors/{route}/mismatches Detailed mismatch entries for a route (requires detailed_diff)
DELETE /mirrors/{route}/mismatches Clear stored mismatches for a route
GET /traffic-splits Traffic split distribution per route
GET /rate-limits Rate limiter mode and algorithm per route
GET /tracing Tracing/OTEL status
GET /waf WAF statistics (blocks, detections)
GET /graphql GraphQL parser statistics (depth/complexity checks, APQ cache, batch metrics)
GET /deprecation Per-route deprecation status (request counts, blocked counts, sunset status)
GET /slo Per-route SLO stats (target, error rate, budget remaining, shed count)
GET /coalesce Request coalescing stats (groups, coalesced requests, timeouts)
GET /load-balancers Load balancer info (algorithm, backend states)
GET /canary Canary deployment status per route
POST /canary/{route}/{action} Control canary (start, pause, resume, promote, rollback)
GET /ab-tests A/B test metrics per route (per-group requests, error rate, p99 latency)
POST /ab-tests/{route}/reset Reset accumulated A/B test metrics and restart timer
GET /request-queues Request queue metrics per route (depth, enqueued, timed out, avg wait)
GET /ext-auth External auth metrics (total, allowed, denied, errors, cache hits, latencies)
GET /versioning API versioning stats per route (source, default version, per-version request counts, deprecation info)
GET /access-log Per-route access log config status (enabled, format, body capture, conditions)
GET /openapi OpenAPI validation stats per route (spec, operation, request/response validation, metrics)
GET /timeouts Per-route timeout policy config and metrics (request/backend/idle/header timeouts, timeout counts)
GET /upstreams Named upstream pool definitions (backends, LB algorithm, health check config)
GET /transport Transport pool configuration (default settings, per-upstream overrides)
GET /error-pages Custom error page configuration per route (configured pages, render metrics)
GET /decompression Request decompression stats per route (total, decompressed, errors, per-algorithm counts)
GET /response-limits Response size limit stats per route (total responses, limited count, total bytes, max size, action)
GET /security-headers Security response headers stats per route (total requests, header count, header names)
GET /maintenance Maintenance mode status per route (enabled, blocked/bypassed counts)
POST /maintenance/{route}/enable Enable maintenance mode for a route at runtime
POST /maintenance/{route}/disable Disable maintenance mode for a route at runtime
GET /drain Connection drain status (draining, drain_start, drain_duration)
POST /drain Initiate drain mode — readiness checks return 503
GET /trusted-proxies Trusted proxy configuration and extraction metrics
GET /https-redirect HTTPS redirect statistics (enabled, port, redirects)
GET /allowed-hosts Allowed hosts config and rejection count
GET /claims-propagation Per-route claims propagation stats
GET /token-revocation Token revocation stats (checked, revoked, store size)
POST /token-revocation/revoke Add token/JTI to revocation blocklist
POST /token-revocation/unrevoke Remove token/JTI from revocation blocklist
GET /backend-auth Per-route OAuth2 client_credentials refresh stats
GET /status-mapping Per-route status code remapping stats
GET /static-files Per-route static file serving stats
GET /fastcgi Per-route FastCGI proxy stats
GET /service-rate-limit Global service-level rate limit stats
GET /spike-arrest Per-route spike arrest stats
GET /content-replacer Per-route content replacer stats
GET /follow-redirects Per-route redirect following stats
GET /body-generator Per-route request body generator stats
GET /sequential Per-route sequential proxy stats
GET /quotas Per-route quota enforcement stats
GET /tenants Multi-tenancy stats: per-tenant allowed/rejected/rate-limited/quota-exceeded counts + usage analytics
GET /tenants/{id} Get specific tenant config
POST /tenants/{id} Create a new tenant at runtime (JSON body)
PUT /tenants/{id} Update an existing tenant at runtime (JSON body)
DELETE /tenants/{id} Remove a tenant at runtime
GET /aggregate Per-route response aggregation stats
GET /response-body-generator Per-route response body generator stats
GET /param-forwarding Per-route parameter forwarding stats
GET /content-negotiation Per-route content negotiation format stats
GET /cdn-cache-headers Per-route CDN cache header injection stats
GET /backend-encoding Per-route backend encoding stats
GET /bot-detection Per-route bot detection block counts
GET /ai-crawl-control Per-route AI crawler detection and policy stats
GET /client-mtls Per-route client mTLS verification stats
GET /proxy-rate-limits Per-route backend-facing rate limit stats
GET /mock-responses Per-route mock response served count
GET /etag Per-route ETag generation stats
GET /streaming Per-route response streaming config status
GET /opa Per-route OPA policy evaluation stats
GET /response-signing Per-route response signing stats
GET /request-cost Per-route request cost tracking stats
GET /consumer-groups Consumer group configuration and resolution stats
GET /graphql-subscriptions Per-route GraphQL subscription connection stats
GET /connect Per-route HTTP CONNECT tunnel stats
GET /sse Per-route SSE proxy connection and event stats (includes fan-out metrics when enabled)
GET /grpc-proxy Per-route gRPC proxy stats (deadline propagation, metadata transforms, message size limits)
GET /grpc-reflection Per-route gRPC reflection proxy stats (backends, cached services, cache TTL)
GET /graphql-federation Per-route GraphQL federation stats (sources, requests, errors, introspections)
GET /catalog API catalog JSON (routes, specs, metadata) — requires admin.catalog.enabled
GET /catalog/ui HTML catalog UI — requires admin.catalog.enabled
POST /cache/purge Purge cached entries by route, key, or all (see Caching)
GET /load-shedding Load shedding status and system metrics (CPU, memory, goroutines, rejected/allowed counts)
GET /baggage Per-route baggage propagation configuration and tag definitions
GET /backpressure Per-route backend backpressure status and backed-off backends
GET /audit-log Per-route audit logging configuration, delivery metrics, and buffer status
GET /jmespath Per-route JMESPath query stats (applied count, wrap_collections)
GET /field-replacer Per-route field replacer stats (operations count, processed count)
GET /modifiers Per-route modifier chain stats (modifier count, applied count)
GET /error-handling Per-route error handling stats (mode, total, reformatted count)
GET /lua Per-route Lua script execution stats (requests run, responses run, errors)
GET /lambda Per-route AWS Lambda invocation stats (function name, requests, errors, invokes)
GET /amqp Per-route AMQP stats (url, requests, errors, published, consumed)
GET /pubsub Per-route Pub/Sub stats (urls, requests, errors, published, consumed)
GET /session-affinity Per-route session affinity status (cookie name, TTL)
GET /traffic-replay Per-route traffic replay stats (recording state, buffer usage)
GET /traffic-replay/{route}/status Recording state + replay progress for a route
POST /traffic-replay/{route}/start Start recording requests
POST /traffic-replay/{route}/stop Stop recording requests
POST /traffic-replay/{route}/replay Trigger replay (JSON body: target, concurrency, rate_per_sec)
POST /traffic-replay/{route}/cancel Cancel active replay
DELETE /traffic-replay/{route}/recordings Clear recorded requests
GET /cluster/nodes Connected DP fleet status (CP only)
GET /api/v1/config Current config YAML (CP only)
POST /api/v1/config Push new config YAML to cluster (CP only)
GET /api/v1/config/hash Config version, hash, timestamp (CP only)
GET /cluster/status DP cluster connection status (DP only)

Example: Querying Feature Endpoints

# Check overall stats
curl http://localhost:8081/stats

# Check backend health
curl http://localhost:8081/backends

# Check circuit breaker states
curl http://localhost:8081/circuit-breakers

# Check cache hit rates
curl http://localhost:8081/cache

# Check rate limiter modes and algorithms
curl http://localhost:8081/rate-limits

Dashboard

GET /dashboard

Aggregated view of all feature statistics in a single response. Includes uptime, circuit breakers, cache, retries, traffic splits, upstreams, WAF, tracing, and TCP/UDP route stats.

curl http://localhost:8081/dashboard

Prometheus Metrics

GET /metrics

Prometheus scrape endpoint (only available when admin.metrics.enabled: true). The path is configurable via admin.metrics.path.

curl http://localhost:8081/metrics

pprof Profiling

GET /debug/pprof/*

Go runtime profiling endpoints (only available when admin.pprof: true). Exposes the standard net/http/pprof handlers for CPU profiling, heap analysis, goroutine dumps, and more.

# Interactive pprof index
curl http://localhost:8081/debug/pprof/

# CPU profile (30-second default)
go tool pprof http://localhost:8081/debug/pprof/profile?seconds=30

# Heap profile
go tool pprof http://localhost:8081/debug/pprof/heap

# Goroutine dump
curl http://localhost:8081/debug/pprof/goroutine?debug=2

# Allocs profile
go tool pprof http://localhost:8081/debug/pprof/allocs

# Block profile
go tool pprof http://localhost:8081/debug/pprof/block

# Mutex profile
go tool pprof http://localhost:8081/debug/pprof/mutex

# Execution trace (5-second)
curl -o trace.out http://localhost:8081/debug/pprof/trace?seconds=5
go tool trace trace.out

Available profiles: profile (CPU), heap, goroutine, allocs, block, mutex, threadcreate, trace, cmdline, symbol.

Admin UI

GET /ui/*

Serves the admin UI single-page application (only available when admin.ui.enabled: true). All paths under /ui/ serve the embedded React SPA with client-side routing fallback — unknown paths return index.html.

admin:
  enabled: true
  port: 8081
  ui:
    enabled: true

Once enabled, open http://localhost:8081/ui/ in a browser.

Configuration Reload

POST /reload

Trigger a hot configuration reload from disk. Equivalent to sending SIGHUP.

curl -X POST http://localhost:8081/reload

Response:

{
  "Success": true,
  "Timestamp": "2026-01-15T10:30:00Z",
  "Changes": ["route:api-v2 added", "route:old-api removed"]
}

On failure:

{
  "Success": false,
  "Timestamp": "2026-01-15T10:30:00Z",
  "Error": "validation error: route 'bad' missing backends"
}

Returns 405 Method Not Allowed for non-POST requests.

GET /reload/status

Returns the last 50 reload results (most recent first).

curl http://localhost:8081/reload/status

API Key Management

/admin/keys

Only available when API key authentication is configured. Allows runtime management of API keys without config reload.

List Keys

curl http://localhost:8081/admin/keys

Returns a map of masked keys to their metadata. Keys are partially masked (first 4 and last 4 characters visible):

{
  "abc1****xyz9": {
    "client_id": "client-1",
    "name": "Production Client",
    "roles": ["admin"]
  }
}

Create Key

curl -X POST http://localhost:8081/admin/keys \
  -H "Content-Type: application/json" \
  -d '{
    "key": "new-secret-key-value",
    "client_id": "client-3",
    "name": "New Client",
    "expires_at": "2027-01-01T00:00:00Z",
    "roles": ["read"]
  }'

Response (201 Created):

{"status": "created"}

The key and client_id fields are required. name, expires_at (RFC3339), and roles are optional.

Revoke Key

curl -X DELETE http://localhost:8081/admin/keys \
  -H "Content-Type: application/json" \
  -d '{"key": "new-secret-key-value"}'

Response:

{"status": "deleted"}

Managed Key Operations

When API key management is enabled, additional endpoints are available:

Generate Key

curl -X POST http://localhost:8081/api-keys/generate \
  -H "Content-Type: application/json" \
  -d '{"client_id": "partner-1", "name": "Partner API Key", "roles": ["read"], "ttl": "720h"}'

Response (201):

{"key": "gw_a1b2c3d4e5f6..."}

The raw key is returned only once. Store it securely.

Rotate Key

curl -X POST http://localhost:8081/api-keys/gw_a1b2c/rotate \
  -H "Content-Type: application/json" \
  -d '{"grace_period": "24h"}'

Response:

{"key": "gw_f7e8d9c0b1a2..."}

Both old and new keys work during the grace period.

Revoke/Unrevoke Key

curl -X POST http://localhost:8081/api-keys/gw_a1b2c/revoke
curl -X POST http://localhost:8081/api-keys/gw_a1b2c/unrevoke

Revoked keys return 403 (Forbidden), not 401. This distinction tells clients the key is known but blocked.

Delete Managed Key

curl -X DELETE http://localhost:8081/api-keys/gw_a1b2c/delete

Management Stats

curl http://localhost:8081/api-keys/stats

Response:

{"total_keys": 5, "generated": 10, "rotated": 3, "revoked": 1, "rate_limited": 42}

Error Pages

GET /error-pages

Returns custom error page configuration and render metrics per route.

curl http://localhost:8081/error-pages

Response:

{
  "my-api": {
    "pages": ["404", "5xx", "default"],
    "metrics": {
      "total_rendered": 15
    }
  }
}

Nonces (Replay Prevention)

GET /nonces

Returns nonce checker configuration and metrics per route.

curl http://localhost:8081/nonces

Response:

{
  "payments": {
    "header": "X-Nonce",
    "mode": "local",
    "scope": "per_client",
    "ttl": "5m0s",
    "required": true,
    "metrics": {
      "total_checked": 1500,
      "rejected": 3,
      "missing_nonce": 12,
      "stale_timestamp": 0,
      "store_size": 847
    }
  }
}

CSRF Protection

GET /csrf

Returns per-route CSRF protection status and metrics.

curl http://localhost:8081/csrf

Response:

{
  "web-app": {
    "cookie_name": "_csrf",
    "header_name": "X-CSRF-Token",
    "token_ttl": "1h0m0s",
    "shadow_mode": false,
    "inject_token": true,
    "total_requests": 5000,
    "token_generated": 2000,
    "validation_success": 2900,
    "validation_failed": 100,
    "origin_check_failed": 5,
    "missing_token": 80,
    "expired_token": 10,
    "invalid_signature": 5
  }
}

Outlier Detection

GET /outlier-detection

Returns per-route outlier detection status including per-backend stats, ejected backends, and aggregate counters.

curl http://localhost:8081/outlier-detection

Response:

{
  "api": {
    "route_id": "api",
    "backend_stats": {
      "http://backend-1:8080": {
        "total_requests": 150,
        "total_errors": 2,
        "error_rate": 0.013,
        "p50": "5ms",
        "p99": "45ms"
      },
      "http://backend-2:8080": {
        "total_requests": 148,
        "total_errors": 75,
        "error_rate": 0.507,
        "p50": "120ms",
        "p99": "500ms"
      }
    },
    "ejected_backends": {
      "http://backend-2:8080": {
        "ejected_at": "2025-01-15T10:30:00Z",
        "duration": "30s",
        "count": 1,
        "reason": "error_rate"
      }
    },
    "total_ejections": 3,
    "total_recoveries": 2
  }
}

Geo Filtering

GET /geo

Returns per-route geo filtering status including configured allow/deny lists and metrics.

curl http://localhost:8081/geo

Response:

{
  "api": {
    "route_id": "api",
    "enabled": true,
    "allow_countries": ["US", "CA"],
    "deny_countries": [],
    "order": "deny_first",
    "shadow_mode": false,
    "inject_headers": true,
    "metrics": {
      "total_requests": 500,
      "allowed": 480,
      "denied": 15,
      "lookup_errors": 5
    }
  }
}

Idempotency

GET /idempotency

Returns per-route idempotency key statistics including cache hit rates and in-flight deduplication counts.

curl http://localhost:8081/idempotency

Response:

{
  "payments": {
    "header_name": "Idempotency-Key",
    "ttl": "24h0m0s",
    "enforce": true,
    "key_scope": "per_client",
    "mode": "local",
    "total_requests": 1500,
    "cache_hits": 45,
    "cache_misses": 1455,
    "in_flight_waits": 3,
    "enforced": 12,
    "invalid_key": 0,
    "store_errors": 0,
    "responses_stored": 1455
  }
}

Backend Signing

GET /signing

Returns per-route backend request signing statistics.

curl http://localhost:8081/signing

Response:

{
  "payments": {
    "route_id": "payments",
    "algorithm": "hmac-sha256",
    "key_id": "runway-key-1",
    "header_prefix": "X-Runway-",
    "include_body": true,
    "total_requests": 5000,
    "signed": 5000,
    "errors": 0,
    "body_hashed": 4200
  }
}

Compression

GET /compression

Returns per-route compression statistics with per-algorithm metrics (bytes in/out, request count).

curl http://localhost:8081/compression

Response:

{
  "api": {
    "algorithms": {
      "br": {
        "bytes_in": 524288,
        "bytes_out": 98304,
        "count": 150
      },
      "gzip": {
        "bytes_in": 262144,
        "bytes_out": 65536,
        "count": 80
      },
      "zstd": {
        "bytes_in": 131072,
        "bytes_out": 32768,
        "count": 40
      }
    }
  }
}

Request Decompression

GET /decompression

Returns per-route request decompression statistics including per-algorithm counts.

curl http://localhost:8081/decompression

Response:

{
  "api": {
    "total_requests": 500,
    "decompressed": 120,
    "errors": 2,
    "algorithm_count": {
      "gzip": 80,
      "br": 30,
      "zstd": 10
    }
  }
}

Response Size Limiting

GET /response-limits

Returns per-route response size limit statistics.

curl http://localhost:8081/response-limits

Response:

{
  "api": {
    "total_responses": 10000,
    "limited": 15,
    "total_bytes": 52428800,
    "max_size": 1048576,
    "action": "reject"
  },
  "uploads": {
    "total_responses": 500,
    "limited": 3,
    "total_bytes": 25000000,
    "max_size": 5242880,
    "action": "truncate"
  }
}

Maintenance Mode

GET /maintenance

Returns per-route maintenance mode status and metrics.

curl http://localhost:8081/maintenance

Response:

{
  "api": {
    "enabled": true,
    "status_code": 503,
    "retry_after": "3600",
    "exclude_paths": ["/health"],
    "total_blocked": 150,
    "total_bypassed": 25
  }
}

POST /maintenance/{route}/enable

Enable maintenance mode for a route at runtime.

curl -X POST http://localhost:8081/maintenance/api/enable

Response:

{"route": "api", "status": "enabled"}

POST /maintenance/{route}/disable

Disable maintenance mode for a route at runtime.

curl -X POST http://localhost:8081/maintenance/api/disable

Response:

{"route": "api", "status": "disabled"}

Trusted Proxies

GET /trusted-proxies

Returns trusted proxy configuration and real IP extraction metrics.

curl http://localhost:8081/trusted-proxies

Response (configured):

{
  "total_requests": 15000,
  "extracted": 14500,
  "trusted_cidrs": 3,
  "headers": ["X-Forwarded-For", "X-Real-IP"],
  "max_hops": 0
}

Response (not configured):

{"enabled": false}

Connection Draining

GET /drain

Returns current drain status.

curl http://localhost:8081/drain

Response (not draining):

{"draining": false}

Response (draining):

{
  "draining": true,
  "drain_start": "2026-01-15T10:30:00Z",
  "drain_duration": "5m30s"
}

POST /drain

Initiate drain mode. Readiness checks (/ready, /readyz) will immediately begin returning 503.

curl -X POST http://localhost:8081/drain

Response:

{"status": "draining", "message": "drain mode activated, readiness checks will return 503"}

Already draining:

{"status": "already_draining", "message": "server is already in drain mode"}

Security Response Headers

GET /security-headers

Returns per-route security headers configuration and request counts.

curl http://localhost:8081/security-headers

Response:

{
  "api": {
    "total_requests": 1500,
    "header_count": 5,
    "headers": [
      "X-Content-Type-Options",
      "Strict-Transport-Security",
      "X-Frame-Options",
      "Referrer-Policy",
      "Permissions-Policy"
    ]
  }
}

Webhooks

GET /webhooks

Returns webhook dispatcher status, queue usage, delivery metrics, and recent events. Returns {"enabled": false} when webhooks are not configured.

curl http://localhost:8081/webhooks

Response:

{
  "enabled": true,
  "endpoints": 2,
  "queue_size": 1000,
  "queue_used": 0,
  "metrics": {
    "total_emitted": 42,
    "total_delivered": 40,
    "total_failed": 1,
    "total_dropped": 0,
    "total_retries": 3
  },
  "recent_events": []
}

GET /https-redirect

Returns HTTPS redirect statistics. Returns {"enabled": false} when not configured.

curl http://localhost:8081/https-redirect

Response:

{
  "enabled": true,
  "port": 443,
  "permanent": true,
  "redirects": 847
}

GET /allowed-hosts

Returns allowed hosts configuration and rejection count. Returns {"enabled": false} when not configured.

curl http://localhost:8081/allowed-hosts

Response:

{
  "enabled": true,
  "hosts": ["api.example.com", "*.internal.example.com"],
  "rejected": 23
}

GET /claims-propagation

Returns per-route claims propagation statistics.

curl http://localhost:8081/claims-propagation

Response:

{
  "route-id": {
    "claims": {"sub": "X-User-ID", "email": "X-User-Email"},
    "propagated": 3200
  }
}

GET /token-revocation

Returns token revocation statistics (checked, revoked, store size). Returns {"enabled": false} when not configured.

curl http://localhost:8081/token-revocation

Response:

{
  "checked": 15000,
  "revoked": 42,
  "store_size": 38
}

POST /token-revocation/revoke

Adds a token or JTI to the revocation blocklist.

curl -X POST http://localhost:8081/token-revocation/revoke \
  -d '{"token":"eyJ...","ttl":"2h"}'
# or
curl -X POST http://localhost:8081/token-revocation/revoke \
  -d '{"jti":"abc-123","ttl":"1h"}'

POST /token-revocation/unrevoke

Removes a token or JTI from the revocation blocklist.

curl -X POST http://localhost:8081/token-revocation/unrevoke \
  -d '{"jti":"abc-123"}'

GET /backend-auth

Returns per-route backend auth (OAuth2 client_credentials) stats including refresh counts and errors.

curl http://localhost:8081/backend-auth

Response:

{
  "protected-api": {
    "refreshes": 12,
    "errors": 0,
    "last_refresh_at": "2026-02-20T08:30:00Z"
  }
}

GET /status-mapping

Returns per-route status code mapping stats including total requests and remapped count.

curl http://localhost:8081/status-mapping

Response:

{
  "api-route": {
    "total": 1000,
    "remapped": 42,
    "mappings": {"404": 200, "500": 503}
  }
}

GET /static-files

Returns per-route static file serving stats including root directory and served count.

curl http://localhost:8081/static-files

Response:

{
  "docs": {
    "root": "/var/www/docs",
    "served": 5200,
    "browse": false
  }
}

GET /service-rate-limit

Returns service-level rate limit stats (global throughput cap).

curl http://localhost:8081/service-rate-limit

Response:

{
  "enabled": true,
  "allowed": 150000,
  "rejected": 42
}

GET /spike-arrest

Returns per-route spike arrest stats.

curl http://localhost:8081/spike-arrest

Response:

{
  "api": {
    "allowed": 5000,
    "rejected": 120,
    "per_ip": true,
    "tracked_ips": 45
  }
}

GET /content-replacer

Returns per-route content replacer stats.

curl http://localhost:8081/content-replacer

Response:

{
  "api": {
    "total": 1000,
    "replaced": 342,
    "rules": 3
  }
}

GET /follow-redirects

Returns per-route follow redirect stats.

curl http://localhost:8081/follow-redirects

Response:

{
  "legacy-api": {
    "redirects_followed": 150,
    "max_exceeded": 2,
    "max_redirects": 5
  }
}

GET /body-generator

Returns per-route body generator stats.

curl http://localhost:8081/body-generator

Response:

{
  "search": {
    "generated": 5000,
    "content_type": "application/json"
  }
}

GET /sequential

Returns per-route sequential proxy stats.

curl http://localhost:8081/sequential

Response:

{
  "user-enriched": {
    "total_requests": 1000,
    "total_errors": 5,
    "steps": [
      {"errors": 2, "total_latency_us": 500000},
      {"errors": 3, "total_latency_us": 1200000}
    ]
  }
}

GET /quotas

Returns per-route quota enforcement stats.

curl http://localhost:8081/quotas

Response:

{
  "api": {
    "limit": 10000,
    "period": "daily",
    "allowed": 8500,
    "rejected": 42,
    "redis": false
  }
}

GET /aggregate

Returns per-route response aggregation stats.

curl http://localhost:8081/aggregate

Response:

{
  "user-profile": {
    "total_requests": 1500,
    "total_errors": 3,
    "fail_strategy": "partial",
    "backends": [
      {"name": "user", "errors": 0, "total_latency_us": 45000},
      {"name": "orders", "errors": 3, "total_latency_us": 120000}
    ]
  }
}

GET /response-body-generator

Returns per-route response body generator stats.

curl http://localhost:8081/response-body-generator

Response:

{
  "api-wrapper": {
    "generated": 1500,
    "content_type": "application/json"
  }
}

GET /param-forwarding

Returns per-route parameter forwarding stats.

curl http://localhost:8081/param-forwarding

Response:

{
  "secure-api": {
    "stripped": 340,
    "allowed_headers": 3,
    "allowed_query": 3,
    "allowed_cookies": 1
  }
}

GET /content-negotiation

Returns per-route content negotiation stats.

curl http://localhost:8081/content-negotiation

Response:

{
  "api-flexible": {
    "json_count": 1200,
    "xml_count": 150,
    "yaml_count": 50,
    "not_acceptable": 5
  }
}

GET /cdn-cache-headers

Returns per-route CDN cache header injection stats.

curl http://localhost:8081/cdn-cache-headers

Response:

{
  "public-api": {
    "applied": 1500,
    "cache_control": "public, max-age=3600, s-maxage=86400",
    "vary": "Accept, Accept-Encoding",
    "surrogate_control": "max-age=86400",
    "override": true
  }
}

GET /backend-encoding

Returns per-route backend encoding stats.

curl http://localhost:8081/backend-encoding

Response:

{
  "legacy-xml-api": {
    "encoding": "xml",
    "encoded": 1500,
    "errors": 3
  }
}

GET /bot-detection

Returns per-route bot detection block counts.

curl http://localhost:8081/bot-detection

Response:

{
  "api": {
    "blocked": 42
  }
}

GET /ai-crawl-control

Returns per-route AI crawler detection statistics including per-crawler metrics.

curl http://localhost:8081/ai-crawl-control

Response:

{
  "api": {
    "total_detected": 150,
    "total_blocked": 100,
    "total_allowed": 30,
    "total_monitored": 20,
    "crawlers": {
      "GPTBot": {
        "requests": 80,
        "blocked": 80,
        "allowed": 0,
        "monitored": 0,
        "last_seen": "2026-02-25T10:30:00Z",
        "action": "block"
      },
      "ClaudeBot": {
        "requests": 30,
        "blocked": 0,
        "allowed": 30,
        "monitored": 0,
        "last_seen": "2026-02-25T10:28:00Z",
        "action": "allow"
      }
    }
  }
}

GET /client-mtls

Returns per-route client mTLS verification and rejection counts.

curl http://localhost:8081/client-mtls

Response:

{
  "payments": {
    "verified": 1500,
    "rejected": 23
  },
  "internal": {
    "verified": 800,
    "rejected": 2
  }
}

GET /proxy-rate-limits

Returns per-route backend-facing rate limit stats.

curl http://localhost:8081/proxy-rate-limits

Response:

{
  "api": {
    "allowed": 5000,
    "rejected": 120
  }
}

GET /mock-responses

Returns per-route mock response served count.

curl http://localhost:8081/mock-responses

Response:

{
  "mock-api": {
    "served": 156
  }
}

GET /retry-budget-pools

Returns stats for all named retry budget pools.

{
  "critical_pool": {
    "ratio": 0.2,
    "min_retries": 10,
    "window": "10s",
    "total_reqs": 5000,
    "total_retries": 120,
    "utilization": 0.024
  }
}

GET /inbound-signing

Returns per-route inbound signature verification status.

{
  "api-route": {
    "route_id": "api-route",
    "algorithm": "hmac-sha256",
    "key_id": "key-1",
    "header_prefix": "X-Runway-",
    "include_body": true,
    "max_age": "5m0s",
    "shadow_mode": false,
    "total_requests": 1000,
    "verified": 995,
    "rejected": 3,
    "expired": 2,
    "errors": 0
  }
}

GET /pii-redaction

Returns per-route PII redaction metrics.

{
  "api-route": {
    "total": 500,
    "redacted": 42,
    "patterns": 3,
    "scope": "response"
  }
}

GET /field-encryption

Returns per-route field encryption metrics.

{
  "api-route": {
    "total": 1000,
    "encrypted": 450,
    "decrypted": 550,
    "errors": 0,
    "encrypt_fields": 2,
    "decrypt_fields": 1
  }
}

GET /blue-green

Returns per-route blue-green deployment status.

{
  "api-route": {
    "route_id": "api-route",
    "state": "active",
    "active_group": "blue",
    "inactive_group": "green",
    "error_threshold": 0.05,
    "rollback_on_error": true,
    "groups": {
      "green": {
        "requests": 5000,
        "errors": 12,
        "error_rate": 0.0024,
        "avg_latency_ms": 45.2
      }
    }
  }
}

POST /blue-green/{route}/promote

Triggers promotion of the inactive group to active. Returns 409 if state does not allow promotion.

POST /blue-green/{route}/rollback

Triggers rollback to original weights. Returns 409 if state does not allow rollback.

GET /blue-green/{route}/status

Returns detailed snapshot for a specific route's blue-green deployment.


A/B Testing

GET /ab-tests

Returns per-route A/B test metrics including per-group request counts, error rates, and p99 latency.

curl http://localhost:8081/ab-tests

POST /ab-tests/{route}/reset

Resets accumulated metrics for a running A/B test experiment and restarts the timer.

curl -X POST http://localhost:8081/ab-tests/homepage/reset

Session Affinity

GET /session-affinity

Returns per-route session affinity configuration (cookie name, TTL) for all routes with session affinity enabled.

curl http://localhost:8081/session-affinity

Traffic Replay

GET /traffic-replay

Returns per-route traffic replay stats (recording state, buffer size/usage, replay progress).

curl http://localhost:8081/traffic-replay

GET /traffic-replay/{route}/status

Returns detailed recording and replay state for a specific route.

curl http://localhost:8081/traffic-replay/api/status

POST /traffic-replay/{route}/start

Start recording incoming requests on this route.

curl -X POST http://localhost:8081/traffic-replay/api/start

POST /traffic-replay/{route}/stop

Stop recording incoming requests.

curl -X POST http://localhost:8081/traffic-replay/api/stop

POST /traffic-replay/{route}/replay

Replay recorded requests against a target backend.

curl -X POST http://localhost:8081/traffic-replay/api/replay \
  -H "Content-Type: application/json" \
  -d '{"target": "http://new-backend:8080", "concurrency": 10, "rate_per_sec": 50}'

POST /traffic-replay/{route}/cancel

Cancel an active replay operation.

curl -X POST http://localhost:8081/traffic-replay/api/cancel

DELETE /traffic-replay/{route}/recordings

Clear all recorded requests from the ring buffer.

curl -X DELETE http://localhost:8081/traffic-replay/api/recordings

See Traffic Replay for full documentation.


Request Queuing

GET /request-queues

Returns per-route request queue metrics including current depth, enqueued/dequeued counts, timeouts, and average wait time.

curl http://localhost:8081/request-queues

SSRF Protection

GET /ssrf-protection

Returns SSRF protection status and blocked request count.

curl http://localhost:8081/ssrf-protection

Response (200 OK):

{
  "enabled": true,
  "blocked_ranges": 9,
  "allowed_ranges": 2,
  "blocked_requests": 15
}

Request Deduplication

GET /request-dedup

Returns dedup configuration and status for all routes.

curl http://localhost:8081/request-dedup

Response (200 OK):

{
  "webhook-receiver": {
    "enabled": true,
    "mode": "local",
    "ttl": "1m0s",
    "include_headers": ["X-Webhook-ID"],
    "include_body": true,
    "max_body_size": 1048576
  }
}

IP Blocklist

GET /ip-blocklist

Returns IP blocklist status for all routes.

curl http://localhost:8081/ip-blocklist

Response (200 OK):

{
  "api": {
    "enabled": true,
    "action": "block",
    "static_entries": 3,
    "feed_count": 2,
    "total_blocked_ips": 1250,
    "blocked_requests": 42
  }
}

POST /ip-blocklist/refresh

Forces an immediate refresh of all threat feeds (global and per-route).

curl -X POST http://localhost:8081/ip-blocklist/refresh

Response (200 OK):

{
  "status": "ok",
  "refreshed": 3
}

SSE Proxy

GET /sse

Returns per-route SSE proxy statistics. When fan-out mode is enabled, includes hub and client metrics.

curl http://localhost:8081/sse

Response (standard mode):

{
  "events-api": {
    "active_connections": 5,
    "total_connections": 142,
    "total_events": 8923,
    "heartbeats_sent": 456
  }
}

Response (fan-out mode):

{
  "live-feed": {
    "active_connections": 150,
    "total_connections": 500,
    "total_events": 0,
    "heartbeats_sent": 0,
    "fanout": {
      "hub_connected": true,
      "clients": 150,
      "buffer_used": 256,
      "reconnects": 2,
      "dropped_events": 15,
      "last_event_id": "evt-12000"
    }
  }
}

gRPC Proxy

GET /grpc-proxy

Returns per-route gRPC proxy configuration and statistics.

curl http://localhost:8081/grpc-proxy

Response:

{
  "grpc-api": {
    "enabled": true,
    "deadline_propagation": true,
    "requests": 15000,
    "deadlines_set": 12000,
    "max_recv_msg_size": 4194304,
    "max_send_msg_size": 4194304,
    "authority": "grpc-backend.svc",
    "health_check": true
  }
}

gRPC Reflection

GET /grpc-reflection

Returns per-route gRPC reflection proxy statistics.

curl http://localhost:8081/grpc-reflection

Response:

{
  "grpc-api": {
    "backends": 2,
    "services": 5,
    "cache_ttl": "5m0s",
    "requests": 150,
    "errors": 0
  }
}

See gRPC Proxy — Reflection for configuration.


GraphQL Federation

GET /graphql-federation

Returns per-route GraphQL federation statistics.

curl http://localhost:8081/graphql-federation

Response:

{
  "unified-graphql": {
    "sources": 2,
    "requests": 5000,
    "errors": 12,
    "introspections": 45,
    "refresh_interval": "5m0s",
    "fields": 5
  }
}

See GraphQL Federation for configuration.


API Deprecation

GET /deprecation

Returns per-route deprecation status including request counts, blocked counts, and sunset status.

curl http://localhost:8081/deprecation

Response:

{
  "legacy-api": {
    "requests_total": 5000,
    "blocked": 120,
    "message": "Use /api/v2 instead",
    "sunset_date": "2025-06-01T00:00:00Z",
    "past_sunset": true
  }
}

See API Deprecation Lifecycle for configuration.


SLI/SLO Enforcement

GET /slo

Returns per-route SLO stats including target, total requests, errors, error rate, budget remaining, and shed count.

curl http://localhost:8081/slo

Response:

{
  "critical-api": {
    "target": 0.999,
    "total": 100000,
    "errors": 50,
    "error_rate": 0.0005,
    "budget_remaining": 0.5,
    "shed_count": 0
  }
}

See SLI/SLO Enforcement for configuration.


API Catalog

GET /catalog

Returns the full API catalog as JSON. Requires admin.catalog.enabled: true.

curl http://localhost:8081/catalog

Response:

{
  "title": "API Gateway",
  "stats": {
    "total_routes": 3,
    "total_specs": 1,
    "total_backends": 5
  },
  "entries": [
    {
      "id": "users-api",
      "path": "/api/users/*",
      "methods": ["GET", "POST"],
      "description": "User management API",
      "tags": ["Auth Required"],
      "backends": 2,
      "spec_id": "specs-users-yaml",
      "auth": true
    }
  ],
  "specs": [
    {
      "id": "specs-users-yaml",
      "title": "Users API",
      "version": "1.0.0",
      "route_id": "users-api"
    }
  ]
}

GET /catalog/specs

Lists all discovered OpenAPI specs as a JSON array.

curl http://localhost:8081/catalog/specs

GET /catalog/specs/{id}

Returns the raw OpenAPI spec JSON for a specific spec ID. Returns 404 if not found.

curl http://localhost:8081/catalog/specs/specs-users-yaml

GET /catalog/ui

Serves an HTML page listing all APIs with links to Redoc documentation viewers.

GET /catalog/ui/{specID}

Serves a Redoc-powered documentation viewer for the specified OpenAPI spec. Returns 404 if not found.

See Developer Portal for full documentation.


Cache Purge

POST /cache/purge

Purge cached entries by route, by specific cache key, or globally across all routes.

# Purge all entries for a route
curl -X POST http://localhost:8081/cache/purge \
  -H "Content-Type: application/json" \
  -d '{"route": "my-route"}'

# Purge a specific cache key
curl -X POST http://localhost:8081/cache/purge \
  -H "Content-Type: application/json" \
  -d '{"route": "my-route", "key": "/api/products?category=shoes"}'

# Purge all caches globally
curl -X POST http://localhost:8081/cache/purge \
  -H "Content-Type: application/json" \
  -d '{"all": true}'

Response (200 OK):

{
  "purged": true,
  "entries_removed": 42
}

Returns 400 if the request body is invalid or missing required fields. Returns 404 if the specified route does not have caching enabled.

See Caching for full documentation.


Load Shedding

GET /load-shedding

Returns load shedding status and current system metrics.

curl http://localhost:8081/load-shedding

Response (200 OK):

{
  "enabled": true,
  "shedding": false,
  "rejected": 1250,
  "allowed": 458000,
  "cpu_percent": 72.5,
  "memory_percent": 61.3,
  "goroutine_count": 1842
}

Response (not configured):

{
  "enabled": false
}

See Load Shedding for configuration and behavior details.


Baggage Propagation

GET /baggage

Returns per-route baggage propagation configuration.

curl http://localhost:8081/baggage

Response (200 OK):

{
  "my-api": {
    "enabled": true,
    "tags": [
      {"name": "X-Tenant-ID", "source": "jwt_claim:tenant_id"},
      {"name": "X-Request-Source", "source": "header:X-Source"},
      {"name": "X-Environment", "source": "static:production"}
    ]
  }
}

See Baggage Propagation for configuration and source types.


Backend Backpressure

GET /backpressure

Returns per-route backpressure status including currently backed-off backends.

curl http://localhost:8081/backpressure

Response (200 OK):

{
  "my-api": {
    "enabled": true,
    "status_codes": [429, 503],
    "max_retry_after": "1m0s",
    "default_delay": "5s",
    "backed_off_backends": {
      "http://backend-2:9000": {
        "until": "2026-02-20T10:35:30Z",
        "remaining": "25s",
        "reason": 429
      }
    },
    "total_backoffs": 12,
    "active_backoffs": 1
  }
}

See Backend Backpressure for configuration and behavior details.


Audit Logging

GET /audit-log

Returns per-route audit logging configuration and delivery metrics.

curl http://localhost:8081/audit-log

Response (200 OK):

{
  "payments": {
    "enabled": true,
    "webhook_url": "https://audit.example.com/events",
    "sample_rate": 1.0,
    "include_body": true,
    "max_body_size": 16384,
    "buffer_size": 1000,
    "batch_size": 10,
    "flush_interval": "5s",
    "methods": [],
    "status_codes": [],
    "events_captured": 5200,
    "events_delivered": 5180,
    "events_dropped": 0,
    "delivery_errors": 2
  }
}

See Audit Logging for configuration, webhook payload format, and examples.


JMESPath Query

GET /jmespath

Returns per-route JMESPath query stats.

curl http://localhost:8081/jmespath

Response (200 OK):

{
  "api": {
    "applied": 1500,
    "wrap_collections": false
  }
}

See Data Manipulation for configuration.


Field Replacer

GET /field-replacer

Returns per-route field-level content replacer stats.

curl http://localhost:8081/field-replacer

Response (200 OK):

{
  "api": {
    "operations": 4,
    "processed": 850
  }
}

See Data Manipulation for configuration.


Modifiers

GET /modifiers

Returns per-route Martian-style modifier chain stats.

curl http://localhost:8081/modifiers

Response (200 OK):

{
  "api": {
    "modifier_count": 6,
    "applied": 2500
  }
}

See Data Manipulation for configuration.


Error Handling

GET /error-handling

Returns per-route error handling mode and stats.

curl http://localhost:8081/error-handling

Response (200 OK):

{
  "api": {
    "mode": "pass_status",
    "total": 5000,
    "reformatted": 42
  }
}

See Data Manipulation for configuration.


Lua Scripting

GET /lua

Returns per-route Lua script execution stats.

curl http://localhost:8081/lua

Response (200 OK):

{
  "api": {
    "requests_run": 5000,
    "responses_run": 5000,
    "errors": 2
  }
}

See Data Manipulation for configuration.


AWS Lambda

GET /lambda

Returns per-route AWS Lambda invocation stats.

curl http://localhost:8081/lambda

Response (200 OK):

{
  "serverless-api": {
    "function_name": "my-api-handler",
    "total_requests": 5000,
    "total_errors": 12,
    "total_invokes": 5000
  }
}

See AWS Lambda Backend for configuration.


AMQP/RabbitMQ

GET /amqp

Returns per-route AMQP handler stats.

curl http://localhost:8081/amqp

Response (200 OK):

{
  "message-publisher": {
    "url": "amqp://guest:guest@rabbitmq:5672/",
    "total_requests": 3000,
    "total_errors": 5,
    "published": 2995,
    "consumed": 0
  }
}

See AMQP/RabbitMQ Backend for configuration.


Pub/Sub

GET /pubsub

Returns per-route Pub/Sub handler stats.

curl http://localhost:8081/pubsub

Response (200 OK):

{
  "events-publish": {
    "publish_url": "gcppubsub://my-project/my-topic",
    "subscription_url": "",
    "total_requests": 2000,
    "total_errors": 3,
    "published": 1997,
    "consumed": 0
  }
}

See Go CDK Pub/Sub Backend for configuration.


WASM Plugins

GET /wasm-plugins

Returns per-route WASM plugin chain statistics including invocation counts, errors, timeouts, latency, and pool usage.

Response (200 OK):

{
  "my-api": [
    {
      "name": "auth-enricher",
      "phase": "request",
      "request_invocations": 15000,
      "response_invocations": 0,
      "errors": 2,
      "timeouts": 0,
      "total_latency_ns": 45000000,
      "pool": {
        "borrows": 15000,
        "returns": 15000,
        "pool_misses": 3,
        "pool_size": 10
      }
    }
  ]
}

See WASM Plugins for configuration.


Schema Evolution

GET /schema-evolution

Returns all schema compatibility reports.

curl http://localhost:8081/schema-evolution

Response:

{
  "specs/users.yaml": {
    "spec_id": "specs/users.yaml",
    "old_version": "1.0.0",
    "new_version": "1.1.0",
    "compatible": false,
    "breaking_changes": [
      {
        "type": "required_param_added",
        "path": "/users",
        "method": "GET",
        "description": "Required parameter added: X-Tenant-ID"
      }
    ],
    "checked_at": "2026-01-15T10:30:00Z"
  }
}

GET /schema-evolution/{specID}

Returns the compatibility report for a specific spec.

curl http://localhost:8081/schema-evolution/specs-users-yaml

Returns 404 if no report exists.

See Schema Evolution for configuration.


Key Config Fields

Field Type Description
admin.enabled bool Enable admin API
admin.port int Admin API port (default 8081)
admin.metrics.enabled bool Enable Prometheus metrics
admin.metrics.path string Metrics endpoint path (default /metrics)
admin.readiness.min_healthy_backends int Min healthy backends for ready (default 1)
admin.readiness.require_redis bool Require Redis for ready

See Configuration Reference for all fields.


AI Gateway

GET /admin/ai

Returns per-route AI gateway statistics.

Response:

{
  "route-1": {
    "provider": "openai",
    "model": "gpt-4o",
    "total_requests": 1523,
    "streaming_requests": 1200,
    "non_streaming_requests": 323,
    "total_tokens_in": 450000,
    "total_tokens_out": 230000,
    "total_errors": 12,
    "latency_sum_ms": 1282366
  }
}

Compute average latency as latency_sum_ms / total_requests.

See AI Gateway for full documentation.


Cluster Mode

Cluster endpoints are role-dependent. They only appear when cluster.role is set to control_plane or data_plane.

Control Plane Endpoints

GET /cluster/nodes

Returns the connected data plane fleet. Each entry includes the node's identity, config version, heartbeat status, and runtime status.

curl http://localhost:8081/cluster/nodes

Response (200 OK):

[
  {
    "node_id": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
    "hostname": "dp-pod-1",
    "version": "1.4.0",
    "config_version": 3,
    "config_hash": 12345678901234567,
    "last_heartbeat": "2026-02-25T10:30:05Z",
    "status": "connected",
    "node_status": {
      "runway_version": "1.4.0",
      "last_reload_error": "",
      "last_successful_version": 3
    }
  }
]

The status field is "connected" when heartbeats are arriving on time, or "stale" when no heartbeat has been received within 3x the heartbeat interval (default 30s).

GET /api/v1/config

Returns the current config YAML that the CP distributes to DPs. The response body is raw YAML (the cluster block is stripped from the distributed copy).

curl http://localhost:8081/api/v1/config

POST /api/v1/config

Push a new config. The CP validates it, applies it locally, and pushes it to all connected DPs. The request body must be valid gateway YAML. Maximum body size is 10MB.

curl -X POST http://localhost:8081/api/v1/config \
  -H "Content-Type: application/yaml" \
  --data-binary @runway.yaml

Response (200 OK):

{
  "Success": true,
  "Timestamp": "2026-02-25T10:35:00Z",
  "Changes": ["route:api-v2 added"]
}

Returns 400 for parse/validation errors, 422 when the config is valid but the reload fails.

GET /api/v1/config/hash

Returns the current config version metadata without the full YAML body.

curl http://localhost:8081/api/v1/config/hash

Response (200 OK):

{
  "version": 3,
  "hash": 12345678901234567,
  "timestamp": "2026-02-25T10:28:00Z",
  "source": "file"
}

The source field indicates how the config was last set: "file" (disk reload), "admin-api" (POST /api/v1/config), or "init" (startup).

Data Plane Endpoints

GET /cluster/status

Returns this data plane's cluster connection status.

curl http://localhost:8081/cluster/status

Response (200 OK):

{
  "role": "data_plane",
  "cp_address": "cp.example.com:9443",
  "connected": true,
  "config_version": 3,
  "config_hash": 12345678901234567,
  "node_id": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
  "has_config": true
}

When connected is false, the DP is running from its cached config. When has_config is false, the DP has not yet received or loaded any config.

Data Plane Restrictions

POST /reload

Returns 403 Forbidden when the gateway is running as a data plane. Config changes must go through the control plane.

curl -X POST http://localhost:8081/reload
# 403 Forbidden: config changes must go through control plane

See Cluster Mode for full documentation.