LibreFang
中文

API Reference

LibreFang exposes a REST API, WebSocket endpoints, and SSE streaming when the daemon is running. The default listen address is http://127.0.0.1:4545.

All responses include security headers (CSP, X-Frame-Options, X-Content-Type-Options, HSTS) and are protected by a GCRA cost-aware rate limiter with per-IP token bucket tracking and automatic stale entry cleanup. LibreFang implements 16 security systems including Merkle audit trails, taint tracking, WASM dual metering, Ed25519 manifest signing, SSRF protection, subprocess sandboxing, and secret zeroization.

Table of Contents

Agent & Workflow API

Agent Endpoints, Workflow Endpoints, Trigger Endpoints, Schedule Endpoints, Goals Endpoints, Cron Endpoints

System & Configuration API

Template Endpoints, System Endpoints, Config Management, Session Management, Task Queue, Backup & Restore, Migration, Bindings & Commands

Intelligence & Skills API

Memory Endpoints, Skills & Marketplace, ClawHub, Hands, Extensions, Plugins, Media Generation

Provider & Model API

Model Catalog, Provider Configuration

Communication & Network API

Channel Endpoints, MCP & A2A Protocol, Audit & Security, Usage & Analytics, Budget, Webhooks, Integrations, Pairing, OAuth/OIDC, Comms, Approvals, Network & Peers

Real-time API

WebSocket Protocol, SSE Streaming, OpenAI-Compatible API

Authentication

When an API key is configured in config.toml, all endpoints (except /api/health and /) require a Bearer token:

Authorization: Bearer <your-api-key>

Setting the API Key

Add to ~/.librefang/config.toml:

api_key = "your-secret-api-key"

No Authentication

If api_key is empty or not set, the API is accessible without authentication. CORS is restricted to localhost origins in this mode.

Public Endpoints (No Auth Required)

  • GET /api/health
  • GET / (WebChat UI)

Error Responses

All error responses use a consistent JSON format:

{
  "error": "Description of what went wrong"
}

HTTP Status Codes

CodeMeaning
200Success
201Created (spawn agent, create workflow, create trigger, install skill)
400Bad request (invalid UUID, missing required fields, malformed TOML/JSON)
401Unauthorized (missing or invalid Authorization: Bearer header)
404Not found (agent, workflow, trigger, template, model, skill, or KV key does not exist)
429Too many requests (GCRA rate limit exceeded)
500Internal server error (agent loop failure, database error, driver error)

Request IDs

Every response includes an x-request-id header with a UUID for tracing:

x-request-id: 550e8400-e29b-41d4-a716-446655440000

Use this value when reporting issues or correlating requests in logs.

Security Headers

Every response includes security headers:

HeaderValue
Content-Security-Policydefault-src 'self' (with appropriate directives)
X-Frame-OptionsDENY
X-Content-Type-Optionsnosniff
Strict-Transport-Securitymax-age=63072000; includeSubDomains
X-Request-IdUnique UUID per request

Rate Limiting

The GCRA (Generic Cell Rate Algorithm) rate limiter provides cost-aware token bucket rate limiting with per-IP tracking and automatic stale entry cleanup. Different endpoints consume different token costs (e.g., /api/agents/&lbrace;id&rbrace;/message costs more than /api/health). When the limit is exceeded, the server returns 429 Too Many Requests:

HTTP/1.1 429 Too Many Requests
Retry-After: 60

{"error": "Rate limit exceeded"}

The Retry-After header indicates the window duration in seconds.

Endpoint Summary

230+ endpoints total across 35 groups.

MethodPathDescription
System
GET/WebChat UI
GET/api/healthHealth check (no auth, redacted)
GET/api/health/detailFull health check (auth required)
GET/api/statusKernel status
GET/api/versionVersion info
POST/api/shutdownGraceful shutdown
GET/api/profilesList agent profiles
GET/api/profiles/{name}Get a specific profile
GET/api/toolsList available tools
GET/api/tools/{name}Get tool details
GET/api/metricsPrometheus metrics
GET/api/versionsAPI version discovery
GET/api/openapi.jsonOpenAPI specification
Config
GET/api/configConfiguration (secrets redacted)
GET/api/config/schemaConfig JSON Schema
POST/api/config/setSet a config value at runtime
POST/api/config/reloadReload config from disk
Agents
GET/api/agentsList agents
POST/api/agentsSpawn agent
POST/api/agents/bulkBulk create agents
DELETE/api/agents/bulkBulk delete agents
POST/api/agents/bulk/startBulk start agents
POST/api/agents/bulk/stopBulk stop agents
GET/api/agents/{id}Get agent details
DELETE/api/agents/{id}Kill agent
PATCH/api/agents/{id}Partial update agent
PUT/api/agents/{id}/updateFull update agent config
PUT/api/agents/{id}/modeSet agent mode (Stable/Normal)
PATCH/api/agents/{id}/identityUpdate agent identity
PATCH/api/agents/{id}/configPatch agent config
POST/api/agents/{id}/cloneClone agent
POST/api/agents/{id}/messageSend message (blocking)
POST/api/agents/{id}/message/streamSend message (SSE stream)
GET/api/agents/{id}/sessionGet current conversation history
GET/api/agents/{id}/sessionsList all agent sessions
POST/api/agents/{id}/sessionsCreate new session
POST/api/agents/{id}/sessions/{session_id}/switchSwitch active session
GET/api/agents/{id}/sessions/by-label/{label}Find session by label
DELETE/api/agents/{id}/historyClear conversation history
POST/api/agents/{id}/session/resetReset session
POST/api/agents/{id}/session/compactLLM-based compaction
POST/api/agents/{id}/stopCancel current run
PUT/api/agents/{id}/modelSwitch model
GET/api/agents/{id}/toolsGet agent tools
PUT/api/agents/{id}/toolsSet agent tools
GET/api/agents/{id}/skillsGet agent skills
PUT/api/agents/{id}/skillsSet agent skills
GET/api/agents/{id}/mcp_serversGet agent MCP servers
PUT/api/agents/{id}/mcp_serversSet agent MCP servers
GET/api/agents/{id}/tracesExecution traces
GET/api/agents/{id}/metricsAgent metrics
GET/api/agents/{id}/logsAgent log lines
GET/api/agents/{id}/deliveriesInbound deliveries
GET/api/agents/{id}/filesList workspace files
GET/api/agents/{id}/files/{filename}Get workspace file
PUT/api/agents/{id}/files/{filename}Set workspace file
DELETE/api/agents/{id}/files/{filename}Delete workspace file
POST/api/agents/{id}/uploadUpload file (multipart)
GET/api/uploads/{file_id}Retrieve uploaded file
GET/api/agents/{id}/wsWebSocket chat
GET/api/agents/{id}/memory/exportExport KV memory
POST/api/agents/{id}/memory/importImport KV memory
Workflows
GET/api/workflowsList workflows
POST/api/workflowsCreate workflow
GET/api/workflows/{id}Get workflow
PUT/api/workflows/{id}Update workflow
DELETE/api/workflows/{id}Delete workflow
POST/api/workflows/{id}/runRun workflow
GET/api/workflows/{id}/runsList workflow runs
Triggers
GET/api/triggersList triggers (optional ?agent_id=)
POST/api/triggersCreate trigger
GET/api/triggers/{id}Get trigger detail
PATCH/api/triggers/{id}Partially update trigger
DELETE/api/triggers/{id}Delete trigger
Schedules
GET/api/schedulesList schedules
POST/api/schedulesCreate schedule
GET/api/schedules/{id}Get schedule
PUT/api/schedules/{id}Update schedule
DELETE/api/schedules/{id}Delete schedule
POST/api/schedules/{id}/runRun schedule now
Memory (KV)
GET/api/memory/agents/{id}/kvList KV pairs
GET/api/memory/agents/{id}/kv/{key}Get KV value
PUT/api/memory/agents/{id}/kv/{key}Set KV value
DELETE/api/memory/agents/{id}/kv/{key}Delete KV value
Memory (Proactive)
GET/api/memoryList all proactive memories
POST/api/memoryAdd proactive memory
GET/api/memory/searchSearch memories (global)
GET/api/memory/statsMemory aggregate stats
POST/api/memory/cleanupRemove stale memories
POST/api/memory/decayApply time decay
POST/api/memory/bulk-deleteBulk delete memories
PUT/api/memory/items/{memory_id}Update memory entry
DELETE/api/memory/items/{memory_id}Delete memory entry
GET/api/memory/items/{memory_id}/historyMemory edit history
GET/api/memory/user/{user_id}Memories by user
GET/api/memory/agents/{id}Agent proactive memories
DELETE/api/memory/agents/{id}Clear agent memories
GET/api/memory/agents/{id}/searchSearch agent memories
GET/api/memory/agents/{id}/statsAgent memory stats
DELETE/api/memory/agents/{id}/level/{level}Clear memory by level
GET/api/memory/agents/{id}/duplicatesFind duplicate memories
POST/api/memory/agents/{id}/consolidateConsolidate memories
GET/api/memory/agents/{id}/countCount agent memories
GET/api/memory/agents/{id}/relationsQuery relations graph
POST/api/memory/agents/{id}/relationsStore relations
GET/api/memory/agents/{id}/exportExport agent memories
POST/api/memory/agents/{id}/importImport agent memories
Channels
GET/api/channelsList channels (44 adapters)
GET/api/channels/{name}Get channel config
POST/api/channels/{name}/configureConfigure channel
DELETE/api/channels/{name}/configureRemove channel config
POST/api/channels/{name}/testTest channel
POST/api/channels/reloadReload all channels
POST/api/channels/whatsapp/qr/startStart WhatsApp QR session
GET/api/channels/whatsapp/qr/statusWhatsApp QR status
Templates
GET/api/templatesList templates
GET/api/templates/{name}Get template
Sessions
GET/api/sessionsList all sessions
POST/api/sessions/cleanupCleanup orphaned sessions
GET/api/sessions/{id}Get session details
DELETE/api/sessions/{id}Delete session
PUT/api/sessions/{id}/labelLabel a session
Model Catalog
GET/api/modelsFull model catalog (130+ models)
GET/api/models/aliasesList model aliases
POST/api/models/aliasesCreate model alias
DELETE/api/models/aliases/{alias}Delete model alias
POST/api/models/customRegister custom model
DELETE/api/models/custom/{id}Remove custom model
GET/api/models/{id}Model details
GET/api/catalog/statusCatalog version and update info
POST/api/catalog/updateTrigger catalog update
Providers
GET/api/providersProvider list with auth status
GET/api/providers/ollama/detectAuto-detect Ollama
POST/api/providers/github-copilot/oauth/startStart Copilot OAuth
GET/api/providers/github-copilot/oauth/poll/{poll_id}Poll Copilot OAuth
GET/api/providers/{name}Get provider details
POST/api/providers/{name}/keySet provider API key
DELETE/api/providers/{name}/keyRemove provider API key
POST/api/providers/{name}/testTest provider connectivity
PUT/api/providers/{name}/urlOverride provider base URL
Skills & Marketplace
GET/api/skillsList installed skills (60 bundled)
POST/api/skills/installInstall skill
POST/api/skills/uninstallUninstall skill
POST/api/skills/createCreate new skill
GET/api/marketplace/searchSearch FangHub
ClawHub
GET/api/clawhub/searchSearch ClawHub
GET/api/clawhub/browseBrowse ClawHub
GET/api/clawhub/skill/{slug}Skill details
GET/api/clawhub/skill/{slug}/codeSkill source code
POST/api/clawhub/installInstall from ClawHub
Hands
GET/api/handsList hand definitions
POST/api/hands/installInstall a hand
GET/api/hands/activeList active hand instances
GET/api/hands/{hand_id}Get hand details
POST/api/hands/{hand_id}/activateActivate hand
POST/api/hands/{hand_id}/check-depsCheck hand dependencies
POST/api/hands/{hand_id}/install-depsInstall hand dependencies
GET/api/hands/{hand_id}/settingsGet hand settings
PUT/api/hands/{hand_id}/settingsUpdate hand settings
POST/api/hands/instances/{id}/pausePause hand instance
POST/api/hands/instances/{id}/resumeResume hand instance
DELETE/api/hands/instances/{id}Deactivate hand instance
GET/api/hands/instances/{id}/statsHand instance stats
GET/api/hands/instances/{id}/browserHand browser state
Extensions
GET/api/extensionsList extensions
GET/api/extensions/{name}Get extension
POST/api/extensions/installInstall extension
POST/api/extensions/uninstallUninstall extension
Plugins
GET/api/plugins/registriesList plugin registries
GET/api/pluginsList plugins
GET/api/plugins/{name}Get plugin
POST/api/plugins/installInstall plugin
POST/api/plugins/uninstallUninstall plugin
POST/api/plugins/scaffoldScaffold plugin
POST/api/plugins/{name}/install-depsInstall plugin deps
MCP (managed)
GET/api/mcp/serversMCP server connections
POST/api/mcp/serversAdd MCP server
GET/api/mcp/servers/{name}Get MCP server
PUT/api/mcp/servers/{name}Update MCP server
DELETE/api/mcp/servers/{name}Delete MCP server
A2A (external)
GET/api/a2a/agentsList external A2A agents
GET/api/a2a/agents/{id}Get external A2A agent
POST/api/a2a/discoverDiscover external A2A agent
POST/api/a2a/sendSend task to external A2A agent
GET/api/a2a/tasks/{id}/statusExternal A2A task status
MCP & A2A Protocol
POST/mcpMCP HTTP transport (JSON-RPC 2.0)
GET/.well-known/agent.jsonA2A agent card
GET/a2a/agentsA2A local agent list
POST/a2a/tasks/sendSend A2A task
GET/a2a/tasks/{id}Get A2A task status
POST/a2a/tasks/{id}/cancelCancel A2A task
Audit & Security
GET/api/audit/recentRecent audit logs
GET/api/audit/verifyVerify Merkle chain integrity
GET/api/securitySecurity status (16 systems)
GET/api/logs/streamSSE live log stream
Usage & Analytics
GET/api/usageUsage statistics
GET/api/usage/summaryUsage summary with quota
GET/api/usage/by-modelUsage by model breakdown
GET/api/usage/dailyDaily usage breakdown
Budget
GET/api/budgetGlobal budget status
PUT/api/budgetUpdate global budget
GET/api/budget/agentsAgent budget ranking
GET/api/budget/agents/{id}Agent budget details
PUT/api/budget/agents/{id}Set agent budget
Goals
GET/api/goalsList goals
POST/api/goalsCreate goal
GET/api/goals/{id}Get goal
PUT/api/goals/{id}Update goal
DELETE/api/goals/{id}Delete goal
GET/api/goals/{id}/childrenList sub-goals
Cron
GET/api/cron/jobsList cron jobs
POST/api/cron/jobsCreate cron job
GET/api/cron/jobs/{id}Get cron job
PUT/api/cron/jobs/{id}Update cron job
DELETE/api/cron/jobs/{id}Delete cron job
PUT/api/cron/jobs/{id}/enableToggle cron job
GET/api/cron/jobs/{id}/statusCron job status
Webhooks
GET/api/webhooks/eventsList event webhook subscriptions
POST/api/webhooks/eventsCreate event webhook
PUT/api/webhooks/events/{id}Update event webhook
DELETE/api/webhooks/events/{id}Delete event webhook
GET/api/webhooksList outbound webhooks
POST/api/webhooksCreate outbound webhook
GET/api/webhooks/{id}Get outbound webhook
PUT/api/webhooks/{id}Update outbound webhook
DELETE/api/webhooks/{id}Delete outbound webhook
POST/api/webhooks/{id}/testTest outbound webhook
POST/api/hooks/wakeWake trigger (unversioned)
POST/api/hooks/agentAgent trigger (unversioned)
Backup & Restore
POST/api/backupCreate backup
GET/api/backupsList backups
DELETE/api/backups/{filename}Delete backup
POST/api/restoreRestore from backup
MCP servers
GET/api/mcp/serversList configured MCP servers
POST/api/mcp/serversAdd a server (body: {template_id, credentials} or raw spec)
GET/api/mcp/servers/{id}Get one server
PUT/api/mcp/servers/{id}Update a server
DELETE/api/mcp/servers/{id}Remove a server
POST/api/mcp/servers/{id}/reconnectReconnect
GET/api/mcp/catalogList installable catalog entries
GET/api/mcp/catalog/{id}Get catalog entry detail
GET/api/mcp/healthAggregate health across servers
POST/api/mcp/reloadHot-reload MCP catalog + reconnect
Pairing
POST/api/pairing/requestInitiate pairing
POST/api/pairing/completeComplete pairing
POST/api/pairing/notifyNotify paired devices
GET/api/pairing/devicesList paired devices
DELETE/api/pairing/devices/{id}Remove paired device
OAuth / OIDC
GET/api/auth/providersList OAuth providers
GET/api/auth/loginRedirect to default OAuth login
GET/api/auth/login/{provider}Redirect to specific OAuth login
GET/api/auth/callbackOAuth callback (GET)
POST/api/auth/callbackOAuth callback (POST)
GET/api/auth/userinfoOIDC user info
POST/api/auth/introspectToken introspection
Task Queue
GET/api/tasks/statusTask queue summary
GET/api/tasks/listList queued tasks
DELETE/api/tasks/{id}Cancel queued task
POST/api/tasks/{id}/retryRetry failed task
GET/api/queue/statusQueue depth and throughput
Comms
GET/api/comms/topologyCommunication topology
GET/api/comms/eventsRecent comms events
GET/api/comms/events/streamSSE comms event stream
POST/api/comms/sendSend via comms layer
POST/api/comms/taskDispatch comms task
Approvals
GET/api/approvalsList approval requests
POST/api/approvalsCreate approval request
GET/api/approvals/{id}Get approval request
POST/api/approvals/{id}/approveApprove request (body: {totp_code?})
POST/api/approvals/{id}/rejectReject request
POST/api/approvals/totp/setupGenerate TOTP secret for enrollment
POST/api/approvals/totp/confirmConfirm TOTP enrollment with code
GET/api/approvals/totp/statusCheck TOTP enrollment status
POST/api/approvals/totp/revokeRevoke TOTP enrollment
Bindings & Commands
GET/api/bindingsList UI bindings
POST/api/bindingsAdd binding
DELETE/api/bindings/{index}Remove binding
GET/api/commandsList slash commands
GET/api/commands/{name}Get slash command
Media Generation
POST/api/media/imageGenerate images from text
POST/api/media/speechText-to-speech synthesis
POST/api/media/videoSubmit video generation task
GET/api/media/video/{task_id}Poll video task status
POST/api/media/musicGenerate music from prompt/lyrics
GET/api/media/providersList media providers & capabilities
Network & Peers
GET/api/peersList OFP peers
GET/api/peers/{id}Get OFP peer
GET/api/network/statusOFP network status
Migration
GET/api/migrate/detectDetect migration sources
POST/api/migrate/scanScan for importable data
POST/api/migrateRun migration
OpenAI Compatible
POST/v1/chat/completionsOpenAI-compatible chat
GET/v1/modelsOpenAI-compatible model list
Plugins (lifecycle & introspection)
GET/api/plugins/doctorDiagnose plugin issues across all installed plugins
GET/api/plugins/{name}/statusPlugin runtime status
GET/api/plugins/{name}/healthPlugin health probe
GET/api/plugins/{name}/envPlugin environment variables (redacted)
GET/api/plugins/{name}/exportExport plugin definition
GET/api/plugins/{name}/lintLint plugin manifest
POST/api/plugins/{name}/enableEnable / activate plugin
POST/api/plugins/{name}/reloadHot-reload plugin
POST/api/plugins/{name}/signSign plugin manifest (Ed25519)
POST/api/plugins/prewarmPre-warm plugin instances at boot
Skills (registry & runtime)
GET/api/skills/{name}Get individual skill detail
GET/api/skills/{name}/fileRetrieve a skill's supporting file (references/, templates/, scripts/, assets/)
GET/api/skills/registryList skill marketplace registry
POST/api/skills/reloadHot-reload installed skills
Tools (direct invocation)
POST/api/tools/{name}/invokeDirect tool call from a REST client (gated by [tool_invoke] allowlist)
Terminal
GET/api/terminal/healthTerminal service health check
GET/api/terminal/wsTerminal WebSocket session
A2A (extended task API)
GET/api/a2a/tasks/{id}Get external A2A task by ID
POST/api/a2a/tasks/sendSubmit a new task to an external A2A agent
MCP (HTTP transport)
POST/api/mcpMCP HTTP transport (JSON-RPC 2.0) — alternative to the unauthenticated /mcp mount
Config & Registry
GET/api/config/exportExport full effective config
GET/api/registry/schemaConfig JSON schema for editor tooling
GET/api/models/{*id}Wildcard model lookup (handles slash-bearing model IDs like vendor/model-name)
GET/api/templates/{name}/tomlRaw agent-template TOML (for editor use)
Goals & Inbox
GET/api/goals/templatesList goal templates
GET/api/inbox/statusInbox summary (pending counts by source)
GET/api/sessions/searchSearch sessions with filters
Approvals (extended)
GET/api/approvals/auditAudit trail of approval decisions
GET/api/approvals/countCount of pending approvals
POST/api/approvals/batchResolve multiple approvals atomically
Auto-Dream
GET/api/auto-dream/statusAuto-dream automation status
Hands (extended)
DELETE/api/hands/{hand_id}Uninstall a hand
POST/api/hands/reloadHot-reload hand definitions from disk
Media (extended)
POST/api/media/transcribeTranscribe audio to text
ClawHub CN mirror
GET/api/clawhub-cn/browseBrowse ClawHub China mirror catalog
GET/api/clawhub-cn/searchSearch ClawHub China mirror
Init
POST/api/initQuick-init wizard (called by librefang setup --quick)
Dashboard auth
POST/auth/logoutClear the dashboard session cookie
Prompt versioning & A/B testing (when [prompt_intelligence] enabled = true)
GET/agents/{agent_id}/prompts/versionsList prompt versions for an agent
POST/agents/{agent_id}/prompts/versionsSave a new prompt version
GET/prompts/versions/{id}Get a single prompt version
DELETE/prompts/versions/{id}Delete a prompt version
POST/prompts/versions/{id}/activateActivate this version for the agent
GET/agents/{agent_id}/prompts/experimentsList A/B experiments for an agent
POST/agents/{agent_id}/prompts/experimentsCreate an A/B experiment
GET/prompts/experiments/{id}Get experiment detail
POST/prompts/experiments/{id}/startStart the experiment (begin sampling)
POST/prompts/experiments/{id}/pausePause the experiment
POST/prompts/experiments/{id}/completeComplete the experiment + record winner
GET/prompts/experiments/{id}/metricsPer-arm metrics (impressions / wins / cost / latency)