Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/agent0ai/space-agent/llms.txt

Use this file to discover all available pages before exploring further.

The Space Agent server exposes a structured REST-style API under /api/<endpoint>. Nearly every endpoint accepts a JSON body via POST and requires a valid session cookie. This page explains how the API is organised, how authentication works, and which endpoint families you can explore in the rest of this section.

Base URL and Request Format

All API endpoints live at /api/<endpoint> on the same origin as the Space Agent app. Endpoints accept POST with a JSON body unless a specific entry below notes otherwise. Endpoint names use snake_case and map directly to filenames under server/api/.
curl -s https://your-space-agent.example/api/health

Authentication

All endpoints except /api/health, /api/login, /api/login_challenge, /api/login_check, and /api/guest_create require a valid space_session cookie.
Cookie attributeValue
Namespace_session
HttpOnly
SameSiteStrict
Path/
Max age30 days
The cookie is set by a successful call to /api/login or /api/login_challenge + /api/login. It acts as a bearer token; the server stores only a signed verifier in L2/<username>/meta/logins.json and never the raw secret. Unsigned or expired records are rejected.
Single-user mode — When the server is started with SINGLE_USER_APP=true, every request automatically resolves to the implicit user principal and no cookie is required. This mode is used by packaged desktop distributions. The login endpoints return 403 in this mode.

Logout

GET /logout clears the space_session cookie and redirects the browser to /login. No request body is needed.

The Outbound Fetch Proxy

Authenticated browser code can route external HTTP requests through the server instead of making them directly from the browser. Send a POST to /api/proxy:
{
  "url": "https://api.example.com/data",
  "method": "GET",
  "headers": { "Authorization": "Bearer <token>" },
  "body": null
}
The method, headers, and body fields are optional. The server executes the request server-side and streams the response back. This is useful when the target origin does not permit cross-origin requests from browsers.

Health Check

GET /api/health is the only fully anonymous endpoint. It returns a small status object that includes the server name and the resolved browser app URL.
curl -s https://your-space-agent.example/api/health
{
  "ok": true,
  "name": "space-agent-server",
  "browserAppUrl": "https://your-space-agent.example",
  "user": null
}
Use /api/health in readiness probes and load-balancer health checks. It never requires a session and never reads user data.

Endpoint Groups

File Operations

Read, write, list, delete, move, copy, and download files and folders across all app layers.

Module Operations

Install, remove, list, and inspect modules from Git repos or local sources.

Auth and Identity

Log in, check sessions, retrieve identity information, and manage passwords.

Git History

Browse commit history, diff files, preview rollbacks, and revert or travel in time.

File endpoints

EndpointMethodDescription
/api/file_readGET, POSTRead one or multiple files
/api/file_writePOSTWrite or mutate a file
/api/file_listGET, POSTList directory contents
/api/file_deletePOSTDelete a file or folder
/api/file_movePOSTMove or rename a path
/api/file_copyPOSTCopy a file or folder
/api/file_infoGET, POSTGet metadata for a path
/api/file_pathsGET, POSTResolve glob patterns across layers
/api/folder_downloadGETDownload a folder as a ZIP attachment

Module endpoints

EndpointMethodDescription
/api/module_listGETList installed modules
/api/module_installPOSTInstall a module from a Git URL
/api/module_removePOSTRemove an installed module
/api/module_infoGETGet info for a specific module
/api/extensions_loadPOSTResolve HTML or JS extension anchors

Auth endpoints

EndpointMethodDescription
/api/login_challengePOSTStart a SCRAM login challenge
/api/loginPOSTComplete login, set session cookie
/api/login_checkGETCheck if current session is valid
/api/user_self_infoGETReturn identity and crypto state
/api/password_changePOSTChange password and clear sessions
/api/guest_createPOSTCreate a guest account
/api/user_crypto_bootstrapPOSTBootstrap or recover browser crypto state
/api/user_crypto_session_keyGETDerive session-scoped wrapping key
/api/password_generatePOSTSeal a password into a backend verifier envelope
/logoutGETClear cookie and redirect to /login

Git history endpoints

EndpointMethodDescription
/api/git_history_listGET, POSTList commits for a layer path
/api/git_history_diffGET, POSTGet a file diff for a commit
/api/git_history_previewGET, POSTPreview a rollback or revert
/api/git_history_rollbackPOSTHard-reset HEAD to a past commit
/api/git_history_revertPOSTCreate an inverse commit

Share endpoints

EndpointMethodDescription
/api/cloud_share_createPOSTUpload a space ZIP to the hosted receiver
/api/cloud_share_infoGETGet metadata for a hosted share
/api/cloud_share_downloadGETDownload stored share ZIP bytes
/api/cloud_share_clonePOSTClone a share into a new guest account
/api/space_importPOSTImport a space ZIP (authenticated)

Error Handling

Every endpoint throws errors with an explicit statusCode for expected failures. The router maps those codes directly to HTTP response statuses. Routine 4xx errors (missing files, permission denials) do not produce backend console.error output. Unexpected 5xx errors log one diagnostic line server-side but return a redacted "Internal server error" body to the browser.
{ "error": "File not found.", "status": 404 }

Build docs developers (and LLMs) love