REST API

The OpenACP daemon exposes a local HTTP API used by the CLI and the web dashboard.

Base URL: http://127.0.0.1:21420 (configurable via api.host and api.port)

Auth: Bearer token from ~/.openacp/api-secret

TOKEN=$(cat ~/.openacp/api-secret)
curl -H "Authorization: Bearer $TOKEN" http://localhost:21420/api/sessions

The secret file is created automatically with mode 0600 on first start. Protect it like an SSH private key.

Exempt from auth: GET /api/health, GET /api/version, GET /api/events (SSE uses query param ?token=).

Body size limit: 1 MB.

Health & System

GET /api/health

Returns daemon health. No auth required.

Response

{
  "status": "ok",
  "uptime": 123456,
  "version": "0.6.7",
  "memory": {
    "rss": 52428800,
    "heapUsed": 30000000,
    "heapTotal": 45000000
  },
  "sessions": {
    "active": 2,
    "total": 5
  },
  "adapters": ["telegram"],
  "tunnel": { "enabled": true, "url": "https://abc.trycloudflare.com" }
}

uptime is milliseconds since daemon start. sessions.active counts sessions with status active or initializing.

GET /api/version

Returns daemon version string. No auth required.

Response

POST /api/restart

Sends a restart signal to the daemon. The daemon exits cleanly and the process manager (or openacp start) restarts it.

Response

Returns 501 if restart is not available in the current run mode.

GET /api/adapters

Lists registered channel adapters.

Response

Sessions

GET /api/sessions

Lists all sessions (active, finished, cancelled, error).

Response

Session status values: initializing, active, finished, cancelled, error.

GET /api/sessions/:id

Returns details for a single session.

Response

Returns 404 if not found.

POST /api/sessions

Creates a new session.

Request body (all fields optional)

agent defaults to defaultAgent from config. workspace defaults to workspace.baseDir.

Response

Returns 429 if maxConcurrentSessions is reached.

Permissions are auto-approved for sessions created via the API when no channel adapter is attached.

DELETE /api/sessions/:id

Cancels a session.

Response

Returns 404 if not found.

POST /api/sessions/:id/prompt

Enqueues a prompt for a session. The session processes prompts serially; queueDepth indicates how many are waiting.

Request body

Response

Returns 400 if the session is cancelled, finished, or error. Returns 404 if not found.

PATCH /api/sessions/:id/dangerous

Enables or disables dangerous mode for a session.

Request body

Response

POST /api/sessions/:id/permission

Resolves a pending permission request for a session.

Request body

Response

Returns 400 if there is no matching pending request.

POST /api/sessions/:id/summary

Requests the agent to generate a summary name for the session.

Response

POST /api/sessions/:id/archive

Archives a session.

Response

POST /api/sessions/adopt

Adopts an existing external agent session and surfaces it as a messaging thread.

Request body

agent and agentSessionId are required. cwd defaults to the daemon's working directory. channel defaults to the first registered adapter.

Response

status is "existing" if the session was already active (topic is pinged instead of created). Returns 429 on session limit, 400 for unsupported agent.

Agents

GET /api/agents

Lists agents configured in the daemon.

Response

Configuration

GET /api/config

Returns the full runtime config. Sensitive fields (botToken, token, apiKey, secret, password, webhookSecret) are redacted to "***".

Response

PATCH /api/config

Updates a single config value by dot-notation path. Only fields marked as safe in the config registry can be modified via the API.

Request body

value can be any JSON type. String values that parse as JSON are used as-is.

Response

needsRestart: true means the change requires a daemon restart to take effect. Returns 403 for fields not in the safe-fields scope.

GET /api/config/editable

Returns metadata about editable config fields (used by the web dashboard). Includes path, displayName, group, type, options, value, and hotReload.

Topics

Topics represent channel adapter threads (Telegram forum topics, Discord threads, etc.).

GET /api/topics

Lists all topics. Optionally filter by status.

Query params

Response

Returns 501 if topic management is not available (no adapter with topic support).

DELETE /api/topics/:sessionId

Deletes the topic for a session. Returns 409 if the session is active and --force is not set. Returns 403 for system topics.

Query params

Response

POST /api/topics/cleanup

Deletes all topics matching the given statuses. Returns counts of deleted and failed topics.

Request body (optional)

Response

Tunnel

GET /api/tunnel

Returns tunnel status for the primary tunnel service.

Response (when enabled)

Response (when disabled)

GET /api/tunnel/list

Lists all active user tunnels.

Response

POST /api/tunnel

Creates a new tunnel to a local port.

Request body

port is required. label and sessionId are optional.

Response

Returns 400 if the tunnel service is not enabled.

DELETE /api/tunnel/:port

Stops the tunnel for a specific local port.

Response

DELETE /api/tunnel

Stops all user tunnels.

Response

Notifications

POST /api/notify

Sends a notification message to all registered channel adapters (e.g. to the Notifications topic in Telegram).

Request body

Response

Server-Sent Events

GET /api/events

SSE stream of real-time daemon events. Auth via query parameter (EventSource cannot set headers).

Returns a persistent SSE connection. Events include session lifecycle changes, agent output, and health pings.