The Space Agent server exposes a structured REST-style API underDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/agent0ai/space-agent/llms.txt
Use this file to discover all available pages before exploring further.
/api/<endpoint>. Nearly every endpoint accepts a JSON body via POST and requires a valid session cookie. This page explains how the API is organised, how authentication works, and which endpoint families you can explore in the rest of this section.
Base URL and Request Format
All API endpoints live at/api/<endpoint> on the same origin as the Space Agent app. Endpoints accept POST with a JSON body unless a specific entry below notes otherwise. Endpoint names use snake_case and map directly to filenames under server/api/.
Authentication
All endpoints except/api/health, /api/login, /api/login_challenge, /api/login_check, and /api/guest_create require a valid space_session cookie.
| Cookie attribute | Value |
|---|---|
| Name | space_session |
HttpOnly | ✅ |
SameSite | Strict |
| Path | / |
| Max age | 30 days |
/api/login or /api/login_challenge + /api/login. It acts as a bearer token; the server stores only a signed verifier in L2/<username>/meta/logins.json and never the raw secret. Unsigned or expired records are rejected.
Single-user mode — When the server is started with
SINGLE_USER_APP=true, every request automatically resolves to the implicit user principal and no cookie is required. This mode is used by packaged desktop distributions. The login endpoints return 403 in this mode.Logout
GET /logout clears the space_session cookie and redirects the browser to /login. No request body is needed.
The Outbound Fetch Proxy
Authenticated browser code can route external HTTP requests through the server instead of making them directly from the browser. Send aPOST to /api/proxy:
method, headers, and body fields are optional. The server executes the request server-side and streams the response back. This is useful when the target origin does not permit cross-origin requests from browsers.
Health Check
GET /api/health is the only fully anonymous endpoint. It returns a small status object that includes the server name and the resolved browser app URL.
Endpoint Groups
File Operations
Read, write, list, delete, move, copy, and download files and folders across all app layers.
Module Operations
Install, remove, list, and inspect modules from Git repos or local sources.
Auth and Identity
Log in, check sessions, retrieve identity information, and manage passwords.
Git History
Browse commit history, diff files, preview rollbacks, and revert or travel in time.
File endpoints
| Endpoint | Method | Description |
|---|---|---|
/api/file_read | GET, POST | Read one or multiple files |
/api/file_write | POST | Write or mutate a file |
/api/file_list | GET, POST | List directory contents |
/api/file_delete | POST | Delete a file or folder |
/api/file_move | POST | Move or rename a path |
/api/file_copy | POST | Copy a file or folder |
/api/file_info | GET, POST | Get metadata for a path |
/api/file_paths | GET, POST | Resolve glob patterns across layers |
/api/folder_download | GET | Download a folder as a ZIP attachment |
Module endpoints
| Endpoint | Method | Description |
|---|---|---|
/api/module_list | GET | List installed modules |
/api/module_install | POST | Install a module from a Git URL |
/api/module_remove | POST | Remove an installed module |
/api/module_info | GET | Get info for a specific module |
/api/extensions_load | POST | Resolve HTML or JS extension anchors |
Auth endpoints
| Endpoint | Method | Description |
|---|---|---|
/api/login_challenge | POST | Start a SCRAM login challenge |
/api/login | POST | Complete login, set session cookie |
/api/login_check | GET | Check if current session is valid |
/api/user_self_info | GET | Return identity and crypto state |
/api/password_change | POST | Change password and clear sessions |
/api/guest_create | POST | Create a guest account |
/api/user_crypto_bootstrap | POST | Bootstrap or recover browser crypto state |
/api/user_crypto_session_key | GET | Derive session-scoped wrapping key |
/api/password_generate | POST | Seal a password into a backend verifier envelope |
/logout | GET | Clear cookie and redirect to /login |
Git history endpoints
| Endpoint | Method | Description |
|---|---|---|
/api/git_history_list | GET, POST | List commits for a layer path |
/api/git_history_diff | GET, POST | Get a file diff for a commit |
/api/git_history_preview | GET, POST | Preview a rollback or revert |
/api/git_history_rollback | POST | Hard-reset HEAD to a past commit |
/api/git_history_revert | POST | Create an inverse commit |
Share endpoints
| Endpoint | Method | Description |
|---|---|---|
/api/cloud_share_create | POST | Upload a space ZIP to the hosted receiver |
/api/cloud_share_info | GET | Get metadata for a hosted share |
/api/cloud_share_download | GET | Download stored share ZIP bytes |
/api/cloud_share_clone | POST | Clone a share into a new guest account |
/api/space_import | POST | Import a space ZIP (authenticated) |
Error Handling
Every endpoint throws errors with an explicitstatusCode for expected failures. The router maps those codes directly to HTTP response statuses. Routine 4xx errors (missing files, permission denials) do not produce backend console.error output. Unexpected 5xx errors log one diagnostic line server-side but return a redacted "Internal server error" body to the browser.