| title | Admin API Reference |
|---|---|
| sidebar_position | 1 |
The admin API runs on a separate port (default 8081) and exposes health checks, feature status, metrics, and configuration management endpoints.
admin:
enabled: true
port: 8081
metrics:
enabled: true
path: "/metrics"
readiness:
min_healthy_backends: 1
require_redis: falseReturns gateway health status with dependency checks.
curl http://localhost:8081/healthResponse (200 OK):
{
"status": "ok",
"timestamp": "2026-01-15T10:30:00Z",
"uptime": "24h15m30s",
"checks": {
"backends": {
"status": "ok",
"total_routes": 5,
"healthy_routes": 5
},
"redis": {
"status": "ok"
},
"tracing": {
"status": "ok"
},
"tls_certificates": {
"status": "ok",
"listeners": {
"https": {
"days_remaining": 65
}
}
}
}
}Returns 503 with "status": "degraded" when any check fails (e.g., all backends unhealthy). The redis check is only included when Redis is configured, tracing only when tracing is enabled, and tls_certificates only when at least one listener has TLS enabled. The tls_certificates check reports "ok" when all certificates have more than 7 days until expiry and "degraded" when any certificate has 7 or fewer days remaining.
Returns readiness status based on configured thresholds.
curl http://localhost:8081/readyResponse (200 OK):
{
"status": "ready",
"routes": 5,
"healthy_routes": 5,
"listeners": 2
}Returns 503 with a reasons array when not ready:
{
"status": "not_ready",
"routes": 5,
"healthy_routes": 0,
"listeners": 2,
"reasons": ["need 1 healthy routes, have 0"]
}Readiness fails when healthy routes are below min_healthy_backends (default 1), or when require_redis: true and Redis is unreachable.
All feature endpoints return JSON with per-route status and metrics.
| Endpoint | Description |
|---|---|
GET /stats |
Overall gateway statistics (route/backend/listener counts) |
GET /listeners |
Active listeners with protocol, address, HTTP/3 status, and acme boolean indicating ACME certificate management |
GET /certificates |
Per-listener TLS certificate status (mode acme or manual, domains, expiry, issuer) |
GET /routes |
All routes with matchers (path, methods, domains, headers, query). Echo routes include "echo": true. |
GET /registry |
Configured registry type |
GET /backends |
Backend health status with latency, last check time, and health check config |
GET /circuit-breakers |
Circuit breaker state per route (closed/open/half-open). Includes mode field (local or distributed). |
POST /circuit-breakers/{route}/open |
Force circuit breaker open (reject all requests) |
POST /circuit-breakers/{route}/close |
Force circuit breaker closed (allow all requests) |
POST /circuit-breakers/{route}/reset |
Reset to automatic state management |
GET /cache |
Cache statistics (hits, misses, size, evictions). For distributed mode, size is Redis key count; hits/misses are local per-instance counters. |
GET /retries |
Retry metrics per route (attempts, budget exhaustion, hedged requests) |
GET /rules |
Rules engine status (global + per-route rules and metrics) |
GET /protocol-translators |
Protocol translator statistics (http_to_grpc, http_to_thrift, grpc_to_rest) |
GET /traffic-shaping |
Throttle, bandwidth, priority, fault injection, and adaptive concurrency stats |
GET /adaptive-concurrency |
Adaptive concurrency limiter stats (limit, in-flight, EWMA, rejections) |
GET /mirrors |
Mirror metrics (counts, latencies, comparisons) |
GET /mirrors/{route}/mismatches |
Detailed mismatch entries for a route (requires detailed_diff) |
DELETE /mirrors/{route}/mismatches |
Clear stored mismatches for a route |
GET /traffic-splits |
Traffic split distribution per route |
GET /rate-limits |
Rate limiter mode and algorithm per route |
GET /tracing |
Tracing/OTEL status |
GET /waf |
WAF statistics (blocks, detections) |
GET /graphql |
GraphQL parser statistics (depth/complexity checks, APQ cache, batch metrics) |
GET /deprecation |
Per-route deprecation status (request counts, blocked counts, sunset status) |
GET /slo |
Per-route SLO stats (target, error rate, budget remaining, shed count) |
GET /coalesce |
Request coalescing stats (groups, coalesced requests, timeouts) |
GET /load-balancers |
Load balancer info (algorithm, backend states) |
GET /canary |
Canary deployment status per route |
POST /canary/{route}/{action} |
Control canary (start, pause, resume, promote, rollback) |
GET /ab-tests |
A/B test metrics per route (per-group requests, error rate, p99 latency) |
POST /ab-tests/{route}/reset |
Reset accumulated A/B test metrics and restart timer |
GET /request-queues |
Request queue metrics per route (depth, enqueued, timed out, avg wait) |
GET /ext-auth |
External auth metrics (total, allowed, denied, errors, cache hits, latencies) |
GET /versioning |
API versioning stats per route (source, default version, per-version request counts, deprecation info) |
GET /access-log |
Per-route access log config status (enabled, format, body capture, conditions) |
GET /openapi |
OpenAPI validation stats per route (spec, operation, request/response validation, metrics) |
GET /timeouts |
Per-route timeout policy config and metrics (request/backend/idle/header timeouts, timeout counts) |
GET /upstreams |
Named upstream pool definitions (backends, LB algorithm, health check config) |
GET /transport |
Transport pool configuration (default settings, per-upstream overrides) |
GET /error-pages |
Custom error page configuration per route (configured pages, render metrics) |
GET /decompression |
Request decompression stats per route (total, decompressed, errors, per-algorithm counts) |
GET /response-limits |
Response size limit stats per route (total responses, limited count, total bytes, max size, action) |
GET /security-headers |
Security response headers stats per route (total requests, header count, header names) |
GET /maintenance |
Maintenance mode status per route (enabled, blocked/bypassed counts) |
POST /maintenance/{route}/enable |
Enable maintenance mode for a route at runtime |
POST /maintenance/{route}/disable |
Disable maintenance mode for a route at runtime |
GET /drain |
Connection drain status (draining, drain_start, drain_duration) |
POST /drain |
Initiate drain mode — readiness checks return 503 |
GET /trusted-proxies |
Trusted proxy configuration and extraction metrics |
GET /https-redirect |
HTTPS redirect statistics (enabled, port, redirects) |
GET /allowed-hosts |
Allowed hosts config and rejection count |
GET /claims-propagation |
Per-route claims propagation stats |
GET /token-revocation |
Token revocation stats (checked, revoked, store size) |
POST /token-revocation/revoke |
Add token/JTI to revocation blocklist |
POST /token-revocation/unrevoke |
Remove token/JTI from revocation blocklist |
GET /backend-auth |
Per-route OAuth2 client_credentials refresh stats |
GET /status-mapping |
Per-route status code remapping stats |
GET /static-files |
Per-route static file serving stats |
GET /fastcgi |
Per-route FastCGI proxy stats |
GET /service-rate-limit |
Global service-level rate limit stats |
GET /spike-arrest |
Per-route spike arrest stats |
GET /content-replacer |
Per-route content replacer stats |
GET /follow-redirects |
Per-route redirect following stats |
GET /body-generator |
Per-route request body generator stats |
GET /sequential |
Per-route sequential proxy stats |
GET /quotas |
Per-route quota enforcement stats |
GET /tenants |
Multi-tenancy stats: per-tenant allowed/rejected/rate-limited/quota-exceeded counts + usage analytics |
GET /tenants/{id} |
Get specific tenant config |
POST /tenants/{id} |
Create a new tenant at runtime (JSON body) |
PUT /tenants/{id} |
Update an existing tenant at runtime (JSON body) |
DELETE /tenants/{id} |
Remove a tenant at runtime |
GET /aggregate |
Per-route response aggregation stats |
GET /response-body-generator |
Per-route response body generator stats |
GET /param-forwarding |
Per-route parameter forwarding stats |
GET /content-negotiation |
Per-route content negotiation format stats |
GET /cdn-cache-headers |
Per-route CDN cache header injection stats |
GET /backend-encoding |
Per-route backend encoding stats |
GET /bot-detection |
Per-route bot detection block counts |
GET /ai-crawl-control |
Per-route AI crawler detection and policy stats |
GET /client-mtls |
Per-route client mTLS verification stats |
GET /proxy-rate-limits |
Per-route backend-facing rate limit stats |
GET /mock-responses |
Per-route mock response served count |
GET /etag |
Per-route ETag generation stats |
GET /streaming |
Per-route response streaming config status |
GET /opa |
Per-route OPA policy evaluation stats |
GET /response-signing |
Per-route response signing stats |
GET /request-cost |
Per-route request cost tracking stats |
GET /consumer-groups |
Consumer group configuration and resolution stats |
GET /graphql-subscriptions |
Per-route GraphQL subscription connection stats |
GET /connect |
Per-route HTTP CONNECT tunnel stats |
GET /sse |
Per-route SSE proxy connection and event stats (includes fan-out metrics when enabled) |
GET /grpc-proxy |
Per-route gRPC proxy stats (deadline propagation, metadata transforms, message size limits) |
GET /grpc-reflection |
Per-route gRPC reflection proxy stats (backends, cached services, cache TTL) |
GET /graphql-federation |
Per-route GraphQL federation stats (sources, requests, errors, introspections) |
GET /catalog |
API catalog JSON (routes, specs, metadata) — requires admin.catalog.enabled |
GET /catalog/ui |
HTML catalog UI — requires admin.catalog.enabled |
POST /cache/purge |
Purge cached entries by route, key, or all (see Caching) |
GET /load-shedding |
Load shedding status and system metrics (CPU, memory, goroutines, rejected/allowed counts) |
GET /baggage |
Per-route baggage propagation configuration and tag definitions |
GET /backpressure |
Per-route backend backpressure status and backed-off backends |
GET /audit-log |
Per-route audit logging configuration, delivery metrics, and buffer status |
GET /jmespath |
Per-route JMESPath query stats (applied count, wrap_collections) |
GET /field-replacer |
Per-route field replacer stats (operations count, processed count) |
GET /modifiers |
Per-route modifier chain stats (modifier count, applied count) |
GET /error-handling |
Per-route error handling stats (mode, total, reformatted count) |
GET /lua |
Per-route Lua script execution stats (requests run, responses run, errors) |
GET /lambda |
Per-route AWS Lambda invocation stats (function name, requests, errors, invokes) |
GET /amqp |
Per-route AMQP stats (url, requests, errors, published, consumed) |
GET /pubsub |
Per-route Pub/Sub stats (urls, requests, errors, published, consumed) |
GET /session-affinity |
Per-route session affinity status (cookie name, TTL) |
GET /traffic-replay |
Per-route traffic replay stats (recording state, buffer usage) |
GET /traffic-replay/{route}/status |
Recording state + replay progress for a route |
POST /traffic-replay/{route}/start |
Start recording requests |
POST /traffic-replay/{route}/stop |
Stop recording requests |
POST /traffic-replay/{route}/replay |
Trigger replay (JSON body: target, concurrency, rate_per_sec) |
POST /traffic-replay/{route}/cancel |
Cancel active replay |
DELETE /traffic-replay/{route}/recordings |
Clear recorded requests |
GET /cluster/nodes |
Connected DP fleet status (CP only) |
GET /api/v1/config |
Current config YAML (CP only) |
POST /api/v1/config |
Push new config YAML to cluster (CP only) |
GET /api/v1/config/hash |
Config version, hash, timestamp (CP only) |
GET /cluster/status |
DP cluster connection status (DP only) |
# Check overall stats
curl http://localhost:8081/stats
# Check backend health
curl http://localhost:8081/backends
# Check circuit breaker states
curl http://localhost:8081/circuit-breakers
# Check cache hit rates
curl http://localhost:8081/cache
# Check rate limiter modes and algorithms
curl http://localhost:8081/rate-limitsAggregated view of all feature statistics in a single response. Includes uptime, circuit breakers, cache, retries, traffic splits, upstreams, WAF, tracing, and TCP/UDP route stats.
curl http://localhost:8081/dashboardPrometheus scrape endpoint (only available when admin.metrics.enabled: true). The path is configurable via admin.metrics.path.
curl http://localhost:8081/metricsGo runtime profiling endpoints (only available when admin.pprof: true). Exposes the standard net/http/pprof handlers for CPU profiling, heap analysis, goroutine dumps, and more.
# Interactive pprof index
curl http://localhost:8081/debug/pprof/
# CPU profile (30-second default)
go tool pprof http://localhost:8081/debug/pprof/profile?seconds=30
# Heap profile
go tool pprof http://localhost:8081/debug/pprof/heap
# Goroutine dump
curl http://localhost:8081/debug/pprof/goroutine?debug=2
# Allocs profile
go tool pprof http://localhost:8081/debug/pprof/allocs
# Block profile
go tool pprof http://localhost:8081/debug/pprof/block
# Mutex profile
go tool pprof http://localhost:8081/debug/pprof/mutex
# Execution trace (5-second)
curl -o trace.out http://localhost:8081/debug/pprof/trace?seconds=5
go tool trace trace.outAvailable profiles: profile (CPU), heap, goroutine, allocs, block, mutex, threadcreate, trace, cmdline, symbol.
Serves the admin UI single-page application (only available when admin.ui.enabled: true). All paths under /ui/ serve the embedded React SPA with client-side routing fallback — unknown paths return index.html.
admin:
enabled: true
port: 8081
ui:
enabled: trueOnce enabled, open http://localhost:8081/ui/ in a browser.
Trigger a hot configuration reload from disk. Equivalent to sending SIGHUP.
curl -X POST http://localhost:8081/reloadResponse:
{
"Success": true,
"Timestamp": "2026-01-15T10:30:00Z",
"Changes": ["route:api-v2 added", "route:old-api removed"]
}On failure:
{
"Success": false,
"Timestamp": "2026-01-15T10:30:00Z",
"Error": "validation error: route 'bad' missing backends"
}Returns 405 Method Not Allowed for non-POST requests.
Returns the last 50 reload results (most recent first).
curl http://localhost:8081/reload/statusOnly available when API key authentication is configured. Allows runtime management of API keys without config reload.
curl http://localhost:8081/admin/keysReturns a map of masked keys to their metadata. Keys are partially masked (first 4 and last 4 characters visible):
{
"abc1****xyz9": {
"client_id": "client-1",
"name": "Production Client",
"roles": ["admin"]
}
}curl -X POST http://localhost:8081/admin/keys \
-H "Content-Type: application/json" \
-d '{
"key": "new-secret-key-value",
"client_id": "client-3",
"name": "New Client",
"expires_at": "2027-01-01T00:00:00Z",
"roles": ["read"]
}'Response (201 Created):
{"status": "created"}The key and client_id fields are required. name, expires_at (RFC3339), and roles are optional.
curl -X DELETE http://localhost:8081/admin/keys \
-H "Content-Type: application/json" \
-d '{"key": "new-secret-key-value"}'Response:
{"status": "deleted"}When API key management is enabled, additional endpoints are available:
curl -X POST http://localhost:8081/api-keys/generate \
-H "Content-Type: application/json" \
-d '{"client_id": "partner-1", "name": "Partner API Key", "roles": ["read"], "ttl": "720h"}'Response (201):
{"key": "gw_a1b2c3d4e5f6..."}The raw key is returned only once. Store it securely.
curl -X POST http://localhost:8081/api-keys/gw_a1b2c/rotate \
-H "Content-Type: application/json" \
-d '{"grace_period": "24h"}'Response:
{"key": "gw_f7e8d9c0b1a2..."}Both old and new keys work during the grace period.
curl -X POST http://localhost:8081/api-keys/gw_a1b2c/revoke
curl -X POST http://localhost:8081/api-keys/gw_a1b2c/unrevokeRevoked keys return 403 (Forbidden), not 401. This distinction tells clients the key is known but blocked.
curl -X DELETE http://localhost:8081/api-keys/gw_a1b2c/deletecurl http://localhost:8081/api-keys/statsResponse:
{"total_keys": 5, "generated": 10, "rotated": 3, "revoked": 1, "rate_limited": 42}Returns custom error page configuration and render metrics per route.
curl http://localhost:8081/error-pagesResponse:
{
"my-api": {
"pages": ["404", "5xx", "default"],
"metrics": {
"total_rendered": 15
}
}
}Returns nonce checker configuration and metrics per route.
curl http://localhost:8081/noncesResponse:
{
"payments": {
"header": "X-Nonce",
"mode": "local",
"scope": "per_client",
"ttl": "5m0s",
"required": true,
"metrics": {
"total_checked": 1500,
"rejected": 3,
"missing_nonce": 12,
"stale_timestamp": 0,
"store_size": 847
}
}
}Returns per-route CSRF protection status and metrics.
curl http://localhost:8081/csrfResponse:
{
"web-app": {
"cookie_name": "_csrf",
"header_name": "X-CSRF-Token",
"token_ttl": "1h0m0s",
"shadow_mode": false,
"inject_token": true,
"total_requests": 5000,
"token_generated": 2000,
"validation_success": 2900,
"validation_failed": 100,
"origin_check_failed": 5,
"missing_token": 80,
"expired_token": 10,
"invalid_signature": 5
}
}Returns per-route outlier detection status including per-backend stats, ejected backends, and aggregate counters.
curl http://localhost:8081/outlier-detectionResponse:
{
"api": {
"route_id": "api",
"backend_stats": {
"http://backend-1:8080": {
"total_requests": 150,
"total_errors": 2,
"error_rate": 0.013,
"p50": "5ms",
"p99": "45ms"
},
"http://backend-2:8080": {
"total_requests": 148,
"total_errors": 75,
"error_rate": 0.507,
"p50": "120ms",
"p99": "500ms"
}
},
"ejected_backends": {
"http://backend-2:8080": {
"ejected_at": "2025-01-15T10:30:00Z",
"duration": "30s",
"count": 1,
"reason": "error_rate"
}
},
"total_ejections": 3,
"total_recoveries": 2
}
}Returns per-route geo filtering status including configured allow/deny lists and metrics.
curl http://localhost:8081/geoResponse:
{
"api": {
"route_id": "api",
"enabled": true,
"allow_countries": ["US", "CA"],
"deny_countries": [],
"order": "deny_first",
"shadow_mode": false,
"inject_headers": true,
"metrics": {
"total_requests": 500,
"allowed": 480,
"denied": 15,
"lookup_errors": 5
}
}
}Returns per-route idempotency key statistics including cache hit rates and in-flight deduplication counts.
curl http://localhost:8081/idempotencyResponse:
{
"payments": {
"header_name": "Idempotency-Key",
"ttl": "24h0m0s",
"enforce": true,
"key_scope": "per_client",
"mode": "local",
"total_requests": 1500,
"cache_hits": 45,
"cache_misses": 1455,
"in_flight_waits": 3,
"enforced": 12,
"invalid_key": 0,
"store_errors": 0,
"responses_stored": 1455
}
}Returns per-route backend request signing statistics.
curl http://localhost:8081/signingResponse:
{
"payments": {
"route_id": "payments",
"algorithm": "hmac-sha256",
"key_id": "runway-key-1",
"header_prefix": "X-Runway-",
"include_body": true,
"total_requests": 5000,
"signed": 5000,
"errors": 0,
"body_hashed": 4200
}
}Returns per-route compression statistics with per-algorithm metrics (bytes in/out, request count).
curl http://localhost:8081/compressionResponse:
{
"api": {
"algorithms": {
"br": {
"bytes_in": 524288,
"bytes_out": 98304,
"count": 150
},
"gzip": {
"bytes_in": 262144,
"bytes_out": 65536,
"count": 80
},
"zstd": {
"bytes_in": 131072,
"bytes_out": 32768,
"count": 40
}
}
}
}Returns per-route request decompression statistics including per-algorithm counts.
curl http://localhost:8081/decompressionResponse:
{
"api": {
"total_requests": 500,
"decompressed": 120,
"errors": 2,
"algorithm_count": {
"gzip": 80,
"br": 30,
"zstd": 10
}
}
}Returns per-route response size limit statistics.
curl http://localhost:8081/response-limitsResponse:
{
"api": {
"total_responses": 10000,
"limited": 15,
"total_bytes": 52428800,
"max_size": 1048576,
"action": "reject"
},
"uploads": {
"total_responses": 500,
"limited": 3,
"total_bytes": 25000000,
"max_size": 5242880,
"action": "truncate"
}
}Returns per-route maintenance mode status and metrics.
curl http://localhost:8081/maintenanceResponse:
{
"api": {
"enabled": true,
"status_code": 503,
"retry_after": "3600",
"exclude_paths": ["/health"],
"total_blocked": 150,
"total_bypassed": 25
}
}Enable maintenance mode for a route at runtime.
curl -X POST http://localhost:8081/maintenance/api/enableResponse:
{"route": "api", "status": "enabled"}Disable maintenance mode for a route at runtime.
curl -X POST http://localhost:8081/maintenance/api/disableResponse:
{"route": "api", "status": "disabled"}Returns trusted proxy configuration and real IP extraction metrics.
curl http://localhost:8081/trusted-proxiesResponse (configured):
{
"total_requests": 15000,
"extracted": 14500,
"trusted_cidrs": 3,
"headers": ["X-Forwarded-For", "X-Real-IP"],
"max_hops": 0
}Response (not configured):
{"enabled": false}Returns current drain status.
curl http://localhost:8081/drainResponse (not draining):
{"draining": false}Response (draining):
{
"draining": true,
"drain_start": "2026-01-15T10:30:00Z",
"drain_duration": "5m30s"
}Initiate drain mode. Readiness checks (/ready, /readyz) will immediately begin returning 503.
curl -X POST http://localhost:8081/drainResponse:
{"status": "draining", "message": "drain mode activated, readiness checks will return 503"}Already draining:
{"status": "already_draining", "message": "server is already in drain mode"}Returns per-route security headers configuration and request counts.
curl http://localhost:8081/security-headersResponse:
{
"api": {
"total_requests": 1500,
"header_count": 5,
"headers": [
"X-Content-Type-Options",
"Strict-Transport-Security",
"X-Frame-Options",
"Referrer-Policy",
"Permissions-Policy"
]
}
}Returns webhook dispatcher status, queue usage, delivery metrics, and recent events. Returns {"enabled": false} when webhooks are not configured.
curl http://localhost:8081/webhooksResponse:
{
"enabled": true,
"endpoints": 2,
"queue_size": 1000,
"queue_used": 0,
"metrics": {
"total_emitted": 42,
"total_delivered": 40,
"total_failed": 1,
"total_dropped": 0,
"total_retries": 3
},
"recent_events": []
}Returns HTTPS redirect statistics. Returns {"enabled": false} when not configured.
curl http://localhost:8081/https-redirectResponse:
{
"enabled": true,
"port": 443,
"permanent": true,
"redirects": 847
}Returns allowed hosts configuration and rejection count. Returns {"enabled": false} when not configured.
curl http://localhost:8081/allowed-hostsResponse:
{
"enabled": true,
"hosts": ["api.example.com", "*.internal.example.com"],
"rejected": 23
}Returns per-route claims propagation statistics.
curl http://localhost:8081/claims-propagationResponse:
{
"route-id": {
"claims": {"sub": "X-User-ID", "email": "X-User-Email"},
"propagated": 3200
}
}Returns token revocation statistics (checked, revoked, store size). Returns {"enabled": false} when not configured.
curl http://localhost:8081/token-revocationResponse:
{
"checked": 15000,
"revoked": 42,
"store_size": 38
}Adds a token or JTI to the revocation blocklist.
curl -X POST http://localhost:8081/token-revocation/revoke \
-d '{"token":"eyJ...","ttl":"2h"}'
# or
curl -X POST http://localhost:8081/token-revocation/revoke \
-d '{"jti":"abc-123","ttl":"1h"}'Removes a token or JTI from the revocation blocklist.
curl -X POST http://localhost:8081/token-revocation/unrevoke \
-d '{"jti":"abc-123"}'Returns per-route backend auth (OAuth2 client_credentials) stats including refresh counts and errors.
curl http://localhost:8081/backend-authResponse:
{
"protected-api": {
"refreshes": 12,
"errors": 0,
"last_refresh_at": "2026-02-20T08:30:00Z"
}
}Returns per-route status code mapping stats including total requests and remapped count.
curl http://localhost:8081/status-mappingResponse:
{
"api-route": {
"total": 1000,
"remapped": 42,
"mappings": {"404": 200, "500": 503}
}
}Returns per-route static file serving stats including root directory and served count.
curl http://localhost:8081/static-filesResponse:
{
"docs": {
"root": "/var/www/docs",
"served": 5200,
"browse": false
}
}Returns service-level rate limit stats (global throughput cap).
curl http://localhost:8081/service-rate-limitResponse:
{
"enabled": true,
"allowed": 150000,
"rejected": 42
}Returns per-route spike arrest stats.
curl http://localhost:8081/spike-arrestResponse:
{
"api": {
"allowed": 5000,
"rejected": 120,
"per_ip": true,
"tracked_ips": 45
}
}Returns per-route content replacer stats.
curl http://localhost:8081/content-replacerResponse:
{
"api": {
"total": 1000,
"replaced": 342,
"rules": 3
}
}Returns per-route follow redirect stats.
curl http://localhost:8081/follow-redirectsResponse:
{
"legacy-api": {
"redirects_followed": 150,
"max_exceeded": 2,
"max_redirects": 5
}
}Returns per-route body generator stats.
curl http://localhost:8081/body-generatorResponse:
{
"search": {
"generated": 5000,
"content_type": "application/json"
}
}Returns per-route sequential proxy stats.
curl http://localhost:8081/sequentialResponse:
{
"user-enriched": {
"total_requests": 1000,
"total_errors": 5,
"steps": [
{"errors": 2, "total_latency_us": 500000},
{"errors": 3, "total_latency_us": 1200000}
]
}
}Returns per-route quota enforcement stats.
curl http://localhost:8081/quotasResponse:
{
"api": {
"limit": 10000,
"period": "daily",
"allowed": 8500,
"rejected": 42,
"redis": false
}
}Returns per-route response aggregation stats.
curl http://localhost:8081/aggregateResponse:
{
"user-profile": {
"total_requests": 1500,
"total_errors": 3,
"fail_strategy": "partial",
"backends": [
{"name": "user", "errors": 0, "total_latency_us": 45000},
{"name": "orders", "errors": 3, "total_latency_us": 120000}
]
}
}Returns per-route response body generator stats.
curl http://localhost:8081/response-body-generatorResponse:
{
"api-wrapper": {
"generated": 1500,
"content_type": "application/json"
}
}Returns per-route parameter forwarding stats.
curl http://localhost:8081/param-forwardingResponse:
{
"secure-api": {
"stripped": 340,
"allowed_headers": 3,
"allowed_query": 3,
"allowed_cookies": 1
}
}Returns per-route content negotiation stats.
curl http://localhost:8081/content-negotiationResponse:
{
"api-flexible": {
"json_count": 1200,
"xml_count": 150,
"yaml_count": 50,
"not_acceptable": 5
}
}Returns per-route CDN cache header injection stats.
curl http://localhost:8081/cdn-cache-headersResponse:
{
"public-api": {
"applied": 1500,
"cache_control": "public, max-age=3600, s-maxage=86400",
"vary": "Accept, Accept-Encoding",
"surrogate_control": "max-age=86400",
"override": true
}
}Returns per-route backend encoding stats.
curl http://localhost:8081/backend-encodingResponse:
{
"legacy-xml-api": {
"encoding": "xml",
"encoded": 1500,
"errors": 3
}
}Returns per-route bot detection block counts.
curl http://localhost:8081/bot-detectionResponse:
{
"api": {
"blocked": 42
}
}Returns per-route AI crawler detection statistics including per-crawler metrics.
curl http://localhost:8081/ai-crawl-controlResponse:
{
"api": {
"total_detected": 150,
"total_blocked": 100,
"total_allowed": 30,
"total_monitored": 20,
"crawlers": {
"GPTBot": {
"requests": 80,
"blocked": 80,
"allowed": 0,
"monitored": 0,
"last_seen": "2026-02-25T10:30:00Z",
"action": "block"
},
"ClaudeBot": {
"requests": 30,
"blocked": 0,
"allowed": 30,
"monitored": 0,
"last_seen": "2026-02-25T10:28:00Z",
"action": "allow"
}
}
}
}Returns per-route client mTLS verification and rejection counts.
curl http://localhost:8081/client-mtlsResponse:
{
"payments": {
"verified": 1500,
"rejected": 23
},
"internal": {
"verified": 800,
"rejected": 2
}
}Returns per-route backend-facing rate limit stats.
curl http://localhost:8081/proxy-rate-limitsResponse:
{
"api": {
"allowed": 5000,
"rejected": 120
}
}Returns per-route mock response served count.
curl http://localhost:8081/mock-responsesResponse:
{
"mock-api": {
"served": 156
}
}Returns stats for all named retry budget pools.
{
"critical_pool": {
"ratio": 0.2,
"min_retries": 10,
"window": "10s",
"total_reqs": 5000,
"total_retries": 120,
"utilization": 0.024
}
}Returns per-route inbound signature verification status.
{
"api-route": {
"route_id": "api-route",
"algorithm": "hmac-sha256",
"key_id": "key-1",
"header_prefix": "X-Runway-",
"include_body": true,
"max_age": "5m0s",
"shadow_mode": false,
"total_requests": 1000,
"verified": 995,
"rejected": 3,
"expired": 2,
"errors": 0
}
}Returns per-route PII redaction metrics.
{
"api-route": {
"total": 500,
"redacted": 42,
"patterns": 3,
"scope": "response"
}
}Returns per-route field encryption metrics.
{
"api-route": {
"total": 1000,
"encrypted": 450,
"decrypted": 550,
"errors": 0,
"encrypt_fields": 2,
"decrypt_fields": 1
}
}Returns per-route blue-green deployment status.
{
"api-route": {
"route_id": "api-route",
"state": "active",
"active_group": "blue",
"inactive_group": "green",
"error_threshold": 0.05,
"rollback_on_error": true,
"groups": {
"green": {
"requests": 5000,
"errors": 12,
"error_rate": 0.0024,
"avg_latency_ms": 45.2
}
}
}
}Triggers promotion of the inactive group to active. Returns 409 if state does not allow promotion.
Triggers rollback to original weights. Returns 409 if state does not allow rollback.
Returns detailed snapshot for a specific route's blue-green deployment.
Returns per-route A/B test metrics including per-group request counts, error rates, and p99 latency.
curl http://localhost:8081/ab-testsResets accumulated metrics for a running A/B test experiment and restarts the timer.
curl -X POST http://localhost:8081/ab-tests/homepage/resetReturns per-route session affinity configuration (cookie name, TTL) for all routes with session affinity enabled.
curl http://localhost:8081/session-affinityReturns per-route traffic replay stats (recording state, buffer size/usage, replay progress).
curl http://localhost:8081/traffic-replayReturns detailed recording and replay state for a specific route.
curl http://localhost:8081/traffic-replay/api/statusStart recording incoming requests on this route.
curl -X POST http://localhost:8081/traffic-replay/api/startStop recording incoming requests.
curl -X POST http://localhost:8081/traffic-replay/api/stopReplay recorded requests against a target backend.
curl -X POST http://localhost:8081/traffic-replay/api/replay \
-H "Content-Type: application/json" \
-d '{"target": "http://new-backend:8080", "concurrency": 10, "rate_per_sec": 50}'Cancel an active replay operation.
curl -X POST http://localhost:8081/traffic-replay/api/cancelClear all recorded requests from the ring buffer.
curl -X DELETE http://localhost:8081/traffic-replay/api/recordingsSee Traffic Replay for full documentation.
Returns per-route request queue metrics including current depth, enqueued/dequeued counts, timeouts, and average wait time.
curl http://localhost:8081/request-queuesReturns SSRF protection status and blocked request count.
curl http://localhost:8081/ssrf-protectionResponse (200 OK):
{
"enabled": true,
"blocked_ranges": 9,
"allowed_ranges": 2,
"blocked_requests": 15
}Returns dedup configuration and status for all routes.
curl http://localhost:8081/request-dedupResponse (200 OK):
{
"webhook-receiver": {
"enabled": true,
"mode": "local",
"ttl": "1m0s",
"include_headers": ["X-Webhook-ID"],
"include_body": true,
"max_body_size": 1048576
}
}Returns IP blocklist status for all routes.
curl http://localhost:8081/ip-blocklistResponse (200 OK):
{
"api": {
"enabled": true,
"action": "block",
"static_entries": 3,
"feed_count": 2,
"total_blocked_ips": 1250,
"blocked_requests": 42
}
}Forces an immediate refresh of all threat feeds (global and per-route).
curl -X POST http://localhost:8081/ip-blocklist/refreshResponse (200 OK):
{
"status": "ok",
"refreshed": 3
}Returns per-route SSE proxy statistics. When fan-out mode is enabled, includes hub and client metrics.
curl http://localhost:8081/sseResponse (standard mode):
{
"events-api": {
"active_connections": 5,
"total_connections": 142,
"total_events": 8923,
"heartbeats_sent": 456
}
}Response (fan-out mode):
{
"live-feed": {
"active_connections": 150,
"total_connections": 500,
"total_events": 0,
"heartbeats_sent": 0,
"fanout": {
"hub_connected": true,
"clients": 150,
"buffer_used": 256,
"reconnects": 2,
"dropped_events": 15,
"last_event_id": "evt-12000"
}
}
}Returns per-route gRPC proxy configuration and statistics.
curl http://localhost:8081/grpc-proxyResponse:
{
"grpc-api": {
"enabled": true,
"deadline_propagation": true,
"requests": 15000,
"deadlines_set": 12000,
"max_recv_msg_size": 4194304,
"max_send_msg_size": 4194304,
"authority": "grpc-backend.svc",
"health_check": true
}
}Returns per-route gRPC reflection proxy statistics.
curl http://localhost:8081/grpc-reflectionResponse:
{
"grpc-api": {
"backends": 2,
"services": 5,
"cache_ttl": "5m0s",
"requests": 150,
"errors": 0
}
}See gRPC Proxy — Reflection for configuration.
Returns per-route GraphQL federation statistics.
curl http://localhost:8081/graphql-federationResponse:
{
"unified-graphql": {
"sources": 2,
"requests": 5000,
"errors": 12,
"introspections": 45,
"refresh_interval": "5m0s",
"fields": 5
}
}See GraphQL Federation for configuration.
Returns per-route deprecation status including request counts, blocked counts, and sunset status.
curl http://localhost:8081/deprecationResponse:
{
"legacy-api": {
"requests_total": 5000,
"blocked": 120,
"message": "Use /api/v2 instead",
"sunset_date": "2025-06-01T00:00:00Z",
"past_sunset": true
}
}See API Deprecation Lifecycle for configuration.
Returns per-route SLO stats including target, total requests, errors, error rate, budget remaining, and shed count.
curl http://localhost:8081/sloResponse:
{
"critical-api": {
"target": 0.999,
"total": 100000,
"errors": 50,
"error_rate": 0.0005,
"budget_remaining": 0.5,
"shed_count": 0
}
}See SLI/SLO Enforcement for configuration.
Returns the full API catalog as JSON. Requires admin.catalog.enabled: true.
curl http://localhost:8081/catalogResponse:
{
"title": "API Gateway",
"stats": {
"total_routes": 3,
"total_specs": 1,
"total_backends": 5
},
"entries": [
{
"id": "users-api",
"path": "/api/users/*",
"methods": ["GET", "POST"],
"description": "User management API",
"tags": ["Auth Required"],
"backends": 2,
"spec_id": "specs-users-yaml",
"auth": true
}
],
"specs": [
{
"id": "specs-users-yaml",
"title": "Users API",
"version": "1.0.0",
"route_id": "users-api"
}
]
}Lists all discovered OpenAPI specs as a JSON array.
curl http://localhost:8081/catalog/specsReturns the raw OpenAPI spec JSON for a specific spec ID. Returns 404 if not found.
curl http://localhost:8081/catalog/specs/specs-users-yamlServes an HTML page listing all APIs with links to Redoc documentation viewers.
Serves a Redoc-powered documentation viewer for the specified OpenAPI spec. Returns 404 if not found.
See Developer Portal for full documentation.
Purge cached entries by route, by specific cache key, or globally across all routes.
# Purge all entries for a route
curl -X POST http://localhost:8081/cache/purge \
-H "Content-Type: application/json" \
-d '{"route": "my-route"}'
# Purge a specific cache key
curl -X POST http://localhost:8081/cache/purge \
-H "Content-Type: application/json" \
-d '{"route": "my-route", "key": "/api/products?category=shoes"}'
# Purge all caches globally
curl -X POST http://localhost:8081/cache/purge \
-H "Content-Type: application/json" \
-d '{"all": true}'Response (200 OK):
{
"purged": true,
"entries_removed": 42
}Returns 400 if the request body is invalid or missing required fields. Returns 404 if the specified route does not have caching enabled.
See Caching for full documentation.
Returns load shedding status and current system metrics.
curl http://localhost:8081/load-sheddingResponse (200 OK):
{
"enabled": true,
"shedding": false,
"rejected": 1250,
"allowed": 458000,
"cpu_percent": 72.5,
"memory_percent": 61.3,
"goroutine_count": 1842
}Response (not configured):
{
"enabled": false
}See Load Shedding for configuration and behavior details.
Returns per-route baggage propagation configuration.
curl http://localhost:8081/baggageResponse (200 OK):
{
"my-api": {
"enabled": true,
"tags": [
{"name": "X-Tenant-ID", "source": "jwt_claim:tenant_id"},
{"name": "X-Request-Source", "source": "header:X-Source"},
{"name": "X-Environment", "source": "static:production"}
]
}
}See Baggage Propagation for configuration and source types.
Returns per-route backpressure status including currently backed-off backends.
curl http://localhost:8081/backpressureResponse (200 OK):
{
"my-api": {
"enabled": true,
"status_codes": [429, 503],
"max_retry_after": "1m0s",
"default_delay": "5s",
"backed_off_backends": {
"http://backend-2:9000": {
"until": "2026-02-20T10:35:30Z",
"remaining": "25s",
"reason": 429
}
},
"total_backoffs": 12,
"active_backoffs": 1
}
}See Backend Backpressure for configuration and behavior details.
Returns per-route audit logging configuration and delivery metrics.
curl http://localhost:8081/audit-logResponse (200 OK):
{
"payments": {
"enabled": true,
"webhook_url": "https://audit.example.com/events",
"sample_rate": 1.0,
"include_body": true,
"max_body_size": 16384,
"buffer_size": 1000,
"batch_size": 10,
"flush_interval": "5s",
"methods": [],
"status_codes": [],
"events_captured": 5200,
"events_delivered": 5180,
"events_dropped": 0,
"delivery_errors": 2
}
}See Audit Logging for configuration, webhook payload format, and examples.
Returns per-route JMESPath query stats.
curl http://localhost:8081/jmespathResponse (200 OK):
{
"api": {
"applied": 1500,
"wrap_collections": false
}
}See Data Manipulation for configuration.
Returns per-route field-level content replacer stats.
curl http://localhost:8081/field-replacerResponse (200 OK):
{
"api": {
"operations": 4,
"processed": 850
}
}See Data Manipulation for configuration.
Returns per-route Martian-style modifier chain stats.
curl http://localhost:8081/modifiersResponse (200 OK):
{
"api": {
"modifier_count": 6,
"applied": 2500
}
}See Data Manipulation for configuration.
Returns per-route error handling mode and stats.
curl http://localhost:8081/error-handlingResponse (200 OK):
{
"api": {
"mode": "pass_status",
"total": 5000,
"reformatted": 42
}
}See Data Manipulation for configuration.
Returns per-route Lua script execution stats.
curl http://localhost:8081/luaResponse (200 OK):
{
"api": {
"requests_run": 5000,
"responses_run": 5000,
"errors": 2
}
}See Data Manipulation for configuration.
Returns per-route AWS Lambda invocation stats.
curl http://localhost:8081/lambdaResponse (200 OK):
{
"serverless-api": {
"function_name": "my-api-handler",
"total_requests": 5000,
"total_errors": 12,
"total_invokes": 5000
}
}See AWS Lambda Backend for configuration.
Returns per-route AMQP handler stats.
curl http://localhost:8081/amqpResponse (200 OK):
{
"message-publisher": {
"url": "amqp://guest:guest@rabbitmq:5672/",
"total_requests": 3000,
"total_errors": 5,
"published": 2995,
"consumed": 0
}
}See AMQP/RabbitMQ Backend for configuration.
Returns per-route Pub/Sub handler stats.
curl http://localhost:8081/pubsubResponse (200 OK):
{
"events-publish": {
"publish_url": "gcppubsub://my-project/my-topic",
"subscription_url": "",
"total_requests": 2000,
"total_errors": 3,
"published": 1997,
"consumed": 0
}
}See Go CDK Pub/Sub Backend for configuration.
GET /wasm-plugins
Returns per-route WASM plugin chain statistics including invocation counts, errors, timeouts, latency, and pool usage.
Response (200 OK):
{
"my-api": [
{
"name": "auth-enricher",
"phase": "request",
"request_invocations": 15000,
"response_invocations": 0,
"errors": 2,
"timeouts": 0,
"total_latency_ns": 45000000,
"pool": {
"borrows": 15000,
"returns": 15000,
"pool_misses": 3,
"pool_size": 10
}
}
]
}See WASM Plugins for configuration.
Returns all schema compatibility reports.
curl http://localhost:8081/schema-evolutionResponse:
{
"specs/users.yaml": {
"spec_id": "specs/users.yaml",
"old_version": "1.0.0",
"new_version": "1.1.0",
"compatible": false,
"breaking_changes": [
{
"type": "required_param_added",
"path": "/users",
"method": "GET",
"description": "Required parameter added: X-Tenant-ID"
}
],
"checked_at": "2026-01-15T10:30:00Z"
}
}Returns the compatibility report for a specific spec.
curl http://localhost:8081/schema-evolution/specs-users-yamlReturns 404 if no report exists.
See Schema Evolution for configuration.
| Field | Type | Description |
|---|---|---|
admin.enabled |
bool | Enable admin API |
admin.port |
int | Admin API port (default 8081) |
admin.metrics.enabled |
bool | Enable Prometheus metrics |
admin.metrics.path |
string | Metrics endpoint path (default /metrics) |
admin.readiness.min_healthy_backends |
int | Min healthy backends for ready (default 1) |
admin.readiness.require_redis |
bool | Require Redis for ready |
See Configuration Reference for all fields.
Returns per-route AI gateway statistics.
Response:
{
"route-1": {
"provider": "openai",
"model": "gpt-4o",
"total_requests": 1523,
"streaming_requests": 1200,
"non_streaming_requests": 323,
"total_tokens_in": 450000,
"total_tokens_out": 230000,
"total_errors": 12,
"latency_sum_ms": 1282366
}
}Compute average latency as latency_sum_ms / total_requests.
See AI Gateway for full documentation.
Cluster endpoints are role-dependent. They only appear when cluster.role is set to control_plane or data_plane.
Returns the connected data plane fleet. Each entry includes the node's identity, config version, heartbeat status, and runtime status.
curl http://localhost:8081/cluster/nodesResponse (200 OK):
[
{
"node_id": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
"hostname": "dp-pod-1",
"version": "1.4.0",
"config_version": 3,
"config_hash": 12345678901234567,
"last_heartbeat": "2026-02-25T10:30:05Z",
"status": "connected",
"node_status": {
"runway_version": "1.4.0",
"last_reload_error": "",
"last_successful_version": 3
}
}
]The status field is "connected" when heartbeats are arriving on time, or "stale" when no heartbeat has been received within 3x the heartbeat interval (default 30s).
Returns the current config YAML that the CP distributes to DPs. The response body is raw YAML (the cluster block is stripped from the distributed copy).
curl http://localhost:8081/api/v1/configPush a new config. The CP validates it, applies it locally, and pushes it to all connected DPs. The request body must be valid gateway YAML. Maximum body size is 10MB.
curl -X POST http://localhost:8081/api/v1/config \
-H "Content-Type: application/yaml" \
--data-binary @runway.yamlResponse (200 OK):
{
"Success": true,
"Timestamp": "2026-02-25T10:35:00Z",
"Changes": ["route:api-v2 added"]
}Returns 400 for parse/validation errors, 422 when the config is valid but the reload fails.
Returns the current config version metadata without the full YAML body.
curl http://localhost:8081/api/v1/config/hashResponse (200 OK):
{
"version": 3,
"hash": 12345678901234567,
"timestamp": "2026-02-25T10:28:00Z",
"source": "file"
}The source field indicates how the config was last set: "file" (disk reload), "admin-api" (POST /api/v1/config), or "init" (startup).
Returns this data plane's cluster connection status.
curl http://localhost:8081/cluster/statusResponse (200 OK):
{
"role": "data_plane",
"cp_address": "cp.example.com:9443",
"connected": true,
"config_version": 3,
"config_hash": 12345678901234567,
"node_id": "a1b2c3d4-5678-90ab-cdef-1234567890ab",
"has_config": true
}When connected is false, the DP is running from its cached config. When has_config is false, the DP has not yet received or loaded any config.
Returns 403 Forbidden when the gateway is running as a data plane. Config changes must go through the control plane.
curl -X POST http://localhost:8081/reload
# 403 Forbidden: config changes must go through control planeSee Cluster Mode for full documentation.