HTTP API — overview
Status: stub. Day 3 deliverable.
The control plane exposes a Hono-based JSON API at
https://api.worker-os.com.
- Authentication: Bearer key in `Authorization` header. Key minted via `POST /api/v1/signup`. The raw key is returned exactly once — the database stores only `SHA-256(key)`.
- Edge defense: every metered route passes through the L−1 plane (R1–R6 — see /architecture/edge-defense). Anonymous traffic is clamped to zero on metered routes.
- Glass-Box: every successful decision result is persisted verbatim to the audit log. The full trace (every fact, every evaluated rule) is reconstructible from the row alone.
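The hash-only key storage described in the Authentication item, as an added sketch (not the project's own code): a key is minted, only its SHA-256 digest is kept, and a presented `Authorization` header is checked by hashing the token and looking the digest up. The names `mintKey`, `authenticate` and `keyTable`, the in-memory map standing in for the database, and the 32-byte base64url key format are assumptions.

```javascript
// Added example. mintKey, authenticate, keyTable and the key format are
// hypothetical; the page only states that the database stores SHA-256(key).
const { createHash, randomBytes } = require("node:crypto");

const sha256Hex = (s) => createHash("sha256").update(s, "utf8").digest("hex");

// Stand-in for the keys table: digest -> account row. No raw key is ever stored.
const keyTable = new Map();

// Mint a key with 256 bits of randomness. An unsalted, fast hash is acceptable
// here only because the input is a high-entropy random value, not a password.
function mintKey(accountId) {
  const rawKey = randomBytes(32).toString("base64url");
  keyTable.set(sha256Hex(rawKey), { accountId, createdAt: Date.now() });
  return rawKey; // returned to the caller once; it cannot be recovered later
}

// Resolve an Authorization header to an account id, or null.
function authenticate(authorizationHeader) {
  if (typeof authorizationHeader !== "string") return null;
  // Accept exactly "Bearer <token>" with a base64url token; reject anything else
  // before hashing so malformed input never reaches the lookup.
  const m = /^Bearer +([A-Za-z0-9_-]+)$/i.exec(authorizationHeader.trim());
  if (!m) return null;
  // The lookup is keyed by digest, so the comparison operates on hashes of the
  // presented token rather than on the secret itself.
  const row = keyTable.get(sha256Hex(m[1]));
  return row ? row.accountId : null;
}

// Constructed demo: mint once, then authenticate with the header a client would send.
const demoKey = mintKey("acct_demo");
console.log(authenticate(`Bearer ${demoKey}`));   // account id for the valid key
console.log(authenticate(`Bearer ${demoKey}x`));  // null: digest not in the table
console.log([...keyTable.keys()][0].length);      // stored value is a 64-char hex digest
```

A leaked copy of such a table yields digests only, and a lost key has to be replaced by minting a new one.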
Endpoint catalogue
| Method | Path | Auth |
|---|---|---|
| POST | /api/v1/signup | none |
| POST | /api/v1/lint | none |
| POST | /api/v1/policies | bearer |
| GET | /api/v1/policies/:policy_id | bearer |
| POST | /api/v1/policies/:policy_id/decide | bearer |
| POST | /api/v1/decide | bearer |
| GET | /api/v1/audit/logs | bearer |
| GET | /api/v1/audit/policy-commits | bearer |
| GET | /api/v1/audit/l4-overrides | bearer |
| POST | /api/v1/stripe/webhook | Stripe signature |
| GET | /health | none |