Base URL
The API listens on port3000 by default. You can change this by setting HTTP_PORT in your .env file.
localhost:3000 with your domain or internal service address.
Authentication
The API token (api_token) lives in the vault — pnpm run setup generates and seeds it, or set your own with API_TOKEN=... pnpm run seed-vault. Every request (except GET /api/health) must include the token in the Authorization header:
The HTTP channel carries medium trust. It is suited for information queries, scheduling requests, and read-only operations. Actions that require higher trust — such as financial transactions or irreversible operations — must originate from the Signal or CLI channel. If you send a medium-trust request that triggers a high-trust action, Curia will ask you to confirm via a trusted channel before proceeding.
Example authenticated request
Available endpoints
POST /api/messages
Send a message to the Coordinator agent and receive a synchronous response. Supports conversation threading via
conversation_id.GET /api/messages/stream
Open a Server-Sent Events connection to receive agent responses, tool invocations, and tool results in real time.
GET /api/health
Returns the health status of the Curia instance. No authentication required. Use this for uptime monitors and load balancer probes.
GET /api/agents/status
Returns a snapshot of all registered agents and their current state. Requires Bearer token authentication.
Dashboard-only endpoints
The following endpoints are used by the built-in web dashboard. They authenticate via session cookie (set by the/auth exchange) rather than a Bearer token, and require WEB_APP_BOOTSTRAP_SECRET to be configured.
| Endpoint | Description |
|---|---|
GET /api/jobs | List scheduled jobs, with optional status and agent_id filters |
GET /api/jobs/:id | Get a single scheduled job by ID |
POST /api/jobs | Create a new scheduled job |
PATCH /api/jobs/:id | Update or unsuspend a scheduled job |
DELETE /api/jobs/:id | Cancel (soft-delete) a scheduled job |
GET /api/kg/* | Knowledge graph browser — nodes, edges, search, and chat |
GET /api/autonomy | Current autonomy score, band, trend direction, lastSetBy, and scored action count |
PUT /api/autonomy | Set the autonomy score (body: { "score": 85, "reason": "..." }) |
GET /api/autonomy/history | Paginated autonomy score change history (query: limit, offset) |
GET /api/registry/skills | List registered skills with installed/enabled state |
GET /api/registry/agents | List registered agents with installed/enabled state |
POST /api/registry/:kind/:name/install | Install a skill or agent (kind is skills or agents) |
POST /api/registry/:kind/:name/enable | Enable an installed skill or agent |
POST /api/registry/:kind/:name/install-enable | Install and enable in one call |
POST /api/registry/:kind/:name/disable | Disable a skill or agent |
DELETE /api/registry/:kind/:name | Uninstall a skill or agent |
GET /api/vault/* | Manage vault secrets and channel credentials (names only; values are never returned) |
Rate limiting
The API enforces a global limit of 200 requests per minute. Stricter per-route limits apply to authentication endpoints to prevent brute-force attacks. When you exceed the limit, the API returns429 Too Many Requests.
Error responses
All errors follow the same JSON format:| Status | Meaning |
|---|---|
200 | Success |
400 | Bad request — a required field is missing or invalid |
401 | Unauthorized — token missing or incorrect |
413 | Payload too large — message body exceeds the 64 KiB limit |
429 | Rate limited — slow down and retry |
500 | Internal server error — check your Curia logs |
503 | Service degraded — typically a database connectivity issue |
504 | Gateway timeout — the agent did not respond within 120 seconds |