Skip to Content
DocsAPIOverview

API Reference

TL;DR

This page describes the REST API surface for the control plane: managing sessions, machines, commands, files, schedules, and webhooks over a Bearer-authenticated JSON API. It is the target shape, not a complete live contract — the agent plane ships today over gRPC (via the SDKs and CLI), and the current REST surface is narrower (machines, fleets, schedules, tunnels, auth). Requests go to the per-customer domain your cmdop.com account provisions (on the cmdop.dev domain), or to a relay you self-host. Prefer the official SDKs and CLI over raw API calls.

What is the base URL?

Use the per-customer domain your cmdop.com account provisions:

https://your-server.cmdop.dev/api/v1

The base URL is your account’s per-customer domain on cmdop.dev. If you self-host the relay, point requests at your own host instead. See Pricing & editions.

How do I authenticate?

All requests require an API key as a Bearer token. CMDOP API keys are issued in the form cmdop_apikey_<random>:

# Include the API key as a Bearer token in the Authorization header curl https://your-server.cmdop.dev/api/v1/sessions \ -H "Authorization: Bearer cmdop_apikey_..."

Create an API key with the CLI (cmdop auth create-key) or from your control plane’s API-keys settings.

What is the response format?

All responses are JSON:

{ "data": { ... }, "meta": { "request_id": "req_abc123", "timestamp": "2026-02-14T10:30:00Z" } }

What does a success response look like?

{ "data": { "session_id": "sess_abc123", "status": "CONNECTED" } }

What does an error response look like?

{ "error": { "code": "session_not_found", "message": "Session not found", "details": { "session_id": "sess_invalid" } } }

What HTTP status codes does the API return?

CodeDescription
200Success
201Created
204No Content
400Bad Request — Invalid parameters
401Unauthorized — Invalid or missing API key
403Forbidden — No permission
404Not Found — Resource doesn’t exist
409Conflict — Resource already exists
422Unprocessable — Validation failed
429Rate Limited — Too many requests
500Server Error — Internal error
503Service Unavailable — Temporary outage

What are the rate limits?

Per-tier rate limits are part of the hosted billing tiers that are being finalized and not yet enforced. A self-hosted relay imposes no enforced API rate caps. The numbers below describe the intended tiers, not a live product. See Pricing & editions.

Intended managed-cloud limits (planned, not live):

Tier (planned)Requests/minute
Free100
Pro1,000
Enterprise10,000

When rate limiting is in effect, responses carry headers:

X-RateLimit-Limit: 1000 # Max requests per window X-RateLimit-Remaining: 999 # Requests remaining X-RateLimit-Reset: 1707903600 # Unix timestamp when limit resets

When rate limited (429):

{ "error": { "code": "rate_limited", "message": "Rate limit exceeded", "details": { "retry_after": 60 } } }

How does pagination work?

List endpoints support pagination:

# Paginate with limit (page size) and offset (skip count) curl "https://your-server.cmdop.dev/api/v1/sessions?limit=10&offset=0"

Parameters:

ParameterDefaultMax
limit20100
offset0

Response:

{ "data": [...], "meta": { "total": 45, "limit": 10, "offset": 0, "has_more": true } }

How do I filter results?

Many endpoints support filtering:

# Filter by status curl "https://your-server.cmdop.dev/api/v1/sessions?status=CONNECTED" # Filter by machine curl "https://your-server.cmdop.dev/api/v1/sessions?machine_hostname=prod-server" # Multiple filters curl "https://your-server.cmdop.dev/api/v1/sessions?status=CONNECTED&machine_hostname=prod-server"

How do I sort results?

# Sort by created date (descending) curl "https://your-server.cmdop.dev/api/v1/sessions?sort=-created_at" # Sort by hostname (ascending) curl "https://your-server.cmdop.dev/api/v1/machines?sort=hostname"

What endpoints are available?

The endpoint catalog below describes the planned hosted REST API surface, not a live contract. Today the shipping agent plane is reached over gRPC (via the SDKs and CLI), and the relay’s own REST surface covers a narrower set — primarily machines, fleets, schedules, tunnels, and auth. Endpoints such as session attach/detach, a generic /commands runner, /files, and /webhooks are part of the intended managed/REST offering and are not all available yet. Treat this page as the target shape; use the SDKs and CLI for what ships today.

Sessions

MethodEndpointDescription
GET/sessionsList sessions
GET/sessions/:idGet session
POST/sessions/:id/attachAttach to session
POST/sessions/:id/detachDetach from session

Machines

MethodEndpointDescription
GET/machinesList machines
GET/machines/:idGet machine
DELETE/machines/:idRemove machine

Commands

MethodEndpointDescription
POST/commandsExecute command
GET/commands/:idGet command result

Files

MethodEndpointDescription
GET/filesList files
GET/files/contentRead file
PUT/files/contentWrite file
DELETE/filesDelete file

Webhooks

MethodEndpointDescription
GET/webhooksList webhooks
POST/webhooksCreate webhook
DELETE/webhooks/:idDelete webhook

Are there official SDKs available?

We recommend using official SDKs instead of raw API:

  • Python SDK — Full-featured async SDK
  • CLI — Command-line access

How do I use real-time streaming?

For real-time streaming, use the gRPC API via SDK.