Skip to content

HTTP API

octo serve exposes one REST + WebSocket API; the embedded Web UI is just its first client. All routes below are prefixed /api and require the access key on any non-loopback bind. GET /api/health and GET /api/version are the two unauthenticated routes.

This API is Best-effort (see Compatibility): scripting it with curl is documented, supported behavior, but routes and fields may change in a minor release, called out in the release notes — there’s no versioned /api/v1 yet.

Route Purpose
POST /api/chat create a chat
POST /api/chat/{id}/turn send a turn
GET /ws WebSocket — live session/task/workflow events for the Web UI
Route Purpose
GET/POST /api/sessions list / create
GET /api/sessions/{id} fetch one, or /messages, /artifacts
DELETE, PATCH /api/sessions/{id} delete, or update (model, reasoning effort, show-reasoning, permission mode, working dir)
GET/PUT/DELETE /api/sessions/{id}/goal read, set, or clear the session’s goal
Route Purpose
GET /api/tools list available tools
GET /api/skills, PATCH /api/skills/{name}/toggle, DELETE, POST /api/skills/import, GET .../export manage skills
GET /api/workflows list workflows
GET/POST/PATCH/DELETE /api/mcp/servers manage MCP servers
Route Purpose
GET /api/channels, /available list configured / connectable platforms
GET/POST/DELETE /api/channels/{platform} read, save, or remove a platform’s config
POST /api/channels/{platform}/test send a test message
POST /api/channels/{platform}/send, /send-file send from the API
POST/GET/DELETE /api/channels/weixin/login WeChat QR login flow
Route Purpose
GET/POST /api/tasks list / create a scheduled cron task
DELETE, PATCH /api/tasks/{id} delete, or edit any subset of fields (this is also how you enable/disable)
POST /api/tasks/{id}/run trigger an out-of-schedule run now
GET /api/profile/soul, /api/profile/user read soul.md / user.md
GET /api/memories read the memory index
GET /api/trash, POST .../empty, POST .../{id}/restore, DELETE /api/trash/{id} the recoverable-delete trash panel
Route Purpose
GET/POST /api/onboard/status, /complete first-run onboarding state
GET /api/providers, GET /api/config available providers; effective config
POST /api/config/test verify a provider/model/key combination
POST/PATCH/DELETE /api/config/models{,/{id}} manage model entries; /default, /lite set the two special slots
Route Purpose
GET /api/browser/status, POST /api/browser/verify CDP connection state
GET/PUT/DELETE /api/browser/recordings{,/{name}} manage record/replay recordings
POST /api/upload, GET /api/uploads/{name} file upload used by chat attachments
Route Purpose
POST /api/restart request a restart; returns 202 immediately, drains in-flight turns in the background

Next: the security model covers exactly what the access key protects and what doesn’t need it (loopback).