API reference

kynetradb speaks JSON over HTTP. Every endpoint, auth requirement, and payload shape is listed below. The same spec is served live at /openapi.json on any running instance.

Base URL

http://localhost:8080      # local
https://your-deploy.fly.dev # production

Authentication

Send your JWT as a bearer token on every request except /v1/auth/signup, /v1/auth/login, the health endpoints, and connector webhooks:

Authorization: Bearer eyJhbGciOi...

Content type

JSON requests use Content-Type: application/json. File uploads use multipart/form-data.

Errors

Non-2xx responses return a JSON envelope:

{
  "error": "validation_failed",
  "message": "field 'title' is required",
  "status": 400
}

Rate limits

No rate limit is enforced by default. Per-tenant quotas + per-IP throttles are configurable via KYNETRA_RATE_LIMIT_* env vars at boot.

Health & metrics

Unauthenticated probes for orchestrators. Use these in liveness/readiness checks.

GET /healthz public

Liveness probe. Returns 200 if the process is up.

Response
200 OK
{ "status": "ok" }
GET /readyz public

Readiness. Returns 200 only after WAL replay completes.

Response
200 OK
{ "ready": true, "log_seq": 1234 }
GET /metrics public

Prometheus metrics: per-route p50/p95/p99, write tput, SLO breaches.

GET /openapi.json public

Full OpenAPI 3.1 spec generated from the route table.

Auth

Bcrypt-hashed passwords (cost 12) + stateless HS256 JWT, 7-day TTL.

POST /v1/auth/signup public

Create a user. The first signup becomes Admin; subsequent users are Editor.

Request
{
  "email": "you@example.com",
  "password": "strong-pw",
  "display_name": "You"
}
Response
201 Created
{ "id": "01K3...", "role": "admin" }
curl
curl -X POST $BASE/v1/auth/signup \
  -H 'Content-Type: application/json' \
  -d '{"email":"you@example.com","password":"strong-pw","display_name":"You"}'
POST /v1/auth/login public

Exchange credentials for a JWT.

Request
{ "email": "you@example.com", "password": "strong-pw" }
Response
200 OK
{ "token": "eyJhbGciOi...", "user": { "id": "...", "role": "admin" } }
curl
curl -X POST $BASE/v1/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"you@example.com","password":"strong-pw"}'
GET /v1/auth/me jwt

Return the authenticated user.

Response
200 OK
{ "id": "...", "email": "...", "role": "admin", "display_name": "..." }
GET /v1/auth/users admin

List all users. Admin only.

POST /v1/auth/users admin

Create a user with an explicit role. Admin only.

Request
{ "email": "...", "password": "...", "role": "editor", "display_name": "..." }
DELETE /v1/auth/users/:id admin

Delete a user. Admin only.

Entities

Lowest-level write API. Schema-free JSON keyed by a free-form kind tag.

POST /v1/entities jwt

Upsert an entity. Omit id to auto-assign a ULID.

Request
{
  "id": "01K3...",            // optional
  "kind": "product",
  "attrs": {
    "title": "Aurora Espresso",
    "price": 2200,
    "tags": ["coffee", "espresso"]
  }
}
Response
200 OK
{ "id": "01K3...", "log_seq": 42 }
curl
curl -X POST $BASE/v1/entities \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"kind":"product","attrs":{"title":"Aurora Espresso","price":2200}}'
GET /v1/entities/:id jwt

Fetch a single entity by id.

Response
200 OK
{ "id": "...", "kind": "product", "attrs": {...}, "updated_at": 1717... }
DELETE /v1/entities/:id jwt

Tombstone delete. Entity is removed from all indexes; tombstone persists in WAL.

POST /v1/filter jwt

JSON predicate filter over attrs.

Request
{
  "kind": "product",
  "where": {
    "and": [
      { "field": "price", "op": "lt",  "value": 5000 },
      { "field": "vendor", "op": "eq", "value": "Aurora" }
    ]
  },
  "limit": 50
}

Ops: eq, neq, gt, gte, lt, lte, in, nin, contains, starts_with. Logical: and, or, not.

Products (ecommerce shortcut)

Convenience routes for the ecommerce shape — they wrap /v1/entities with kind="product".

POST /v1/products jwt

Upsert a product entity.

GET /v1/products/:id jwt

Fetch a product by id.

POST /v1/products/search jwt

BM25 search constrained to kind="product".

Collections

Typed schemas with field validation and per-operation role rules.

GET /v1/collections jwt

List all collections.

POST /v1/collections admin

Create or update a collection definition.

Request
{
  "name": "posts",
  "fields": [
    { "name": "title", "type": "text", "required": true },
    { "name": "body",  "type": "long_text" },
    { "name": "tags",  "type": "json" }
  ],
  "rules": {
    "list":   ["admin", "editor"],
    "view":   ["admin", "editor"],
    "create": ["admin", "editor"],
    "update": ["admin", "editor"],
    "delete": ["admin"]
  }
}
GET /v1/collections/:name jwt

Fetch one collection definition.

DELETE /v1/collections/:name admin

Delete a collection and all its records.

GET /v1/collections/:name/records jwt

List records (rule-gated by `list`).

POST /v1/collections/:name/records jwt

Create a record. Rule-gated by `create`.

GET /v1/collections/:name/records/:id jwt

Fetch a record. Rule-gated by `view`.

PATCH /v1/collections/:name/records/:id jwt

Partial update. Rule-gated by `update`.

DELETE /v1/collections/:name/records/:id jwt

Delete a record. Rule-gated by `delete`.

Files

Content-addressable storage. Local FS or any S3-compatible backend.

GET /v1/files jwt

List files visible to the caller.

POST /v1/files jwt

Multipart upload. Returns file id + sha256.

curl
curl -X POST $BASE/v1/files \
  -H "Authorization: Bearer $TOKEN" \
  -F file=@image.png
GET /v1/files/:id jwt

Download raw file bytes.

GET /v1/files/:id/meta jwt

Fetch file metadata: name, size, sha256, content type, uploader.

DELETE /v1/files/:id jwt

Delete file (gated by ownership or admin role).

Realtime (SSE)

Server-Sent Events stream of every write matching the filter.

GET /v1/realtime jwt

Subscribe to live writes. Filter by topics and kinds via query params.

Request
Query params:
  topics=entities,files,collections     (comma-sep)
  kinds=product,article                 (comma-sep)

Event format:
  event: change
  data:  { "op":"put", "kind":"product", "id":"01K...", "log_seq":42 }
curl
curl -N -H "Authorization: Bearer $TOKEN" \
  "$BASE/v1/realtime?topics=entities&kinds=product"

Uses tokio::broadcast under the hood. Slow consumers see dropped-message SSE comments rather than blocking writers.

LLM runtime

Unified completion API in front of Ollama, Anthropic, and OpenAI.

GET /v1/llm/providers jwt

List configured LLM providers and their models.

POST /v1/llm/complete jwt

Provider-agnostic completion. Cost tracked per call.

Request
{
  "provider": "anthropic",
  "model": "claude-opus-4-7",
  "messages": [{ "role": "user", "content": "Hello" }],
  "max_tokens": 256,
  "temperature": 0.2
}
Response
200 OK
{
  "content": "...",
  "input_tokens": 12,
  "output_tokens": 34,
  "cost_usd": 0.00021
}

GDPR

Right-to-export and right-to-be-forgotten endpoints.

POST /v1/gdpr/export jwt

Stream every entity, record, and file owned by the authenticated user as JSON.

DELETE /v1/gdpr/user/:id admin

Hard-erase a user and tombstone everything they ever wrote. Append-only audit entry remains.

Stats & connectors

Engine introspection and inbound webhook receivers.

GET /v1/stats jwt

High-level engine stats: entity count, log_seq, index sizes, uptime.

GET /v1/connectors jwt

List configured inbound connectors (Shopify, Stripe, etc.).

POST /v1/connectors/:name/webhook public

Receive a webhook payload. HMAC-verified per-connector secret.

Public route — auth is via per-connector webhook secret, not JWT.

Admin — Database

Cloudflare D1-style admin surface. All routes require Admin role.

GET /admin/db/overview admin

Stat cards: entity count, write rate, storage on disk.

GET /admin/db/metrics admin

24h rolling read/write counters for the live dashboard.

POST /admin/db/console/execute admin

Run a typed admin query from the embedded REPL.

GET /admin/db/time-travel admin

List snapshot points for point-in-time restore.

POST /admin/db/restore admin

Restore to a snapshot. Creates a backup of current state first.

GET /admin/db/restore-backups admin

List backups produced by prior restores.

POST /admin/db/restore-undo admin

Roll back the most recent restore using its safety backup.

POST /admin/db/delete-all admin

Wipe everything. Irreversible; requires explicit confirmation token.

GET /admin/db/settings admin

Boot-time settings snapshot.

GET /admin/db/slo admin

Per-route p50/p95/p99 SLO tracker.

GET /admin/db/collections admin

Per-collection row counts + write rate.

GET /admin/db/cost-per-write admin

Estimated $/MM writes by storage + sink fanout.

Admin — Agents

Author, run, schedule, and approve LLM tool-use agents.

GET /admin/actions admin

List the 10 typed actions agents can call.

GET /admin/agents admin

List all agents.

POST /admin/agents admin

Create or update an agent definition.

POST /admin/agents/:id/run admin

Run an agent synchronously and return the full transcript.

POST /admin/agents/:id/run/stream admin

Run an agent with SSE streaming of tokens + tool calls.

GET /admin/agents/:id/runs admin

List historical runs for one agent.

GET /admin/runs admin

Global run log across all agents.

GET /admin/agents/runs/summary admin

Aggregate token + cost totals.

POST /admin/agents/schedules admin

Schedule an agent to run on a cron expression.

GET /admin/agents/schedules admin

List schedules.

DELETE /admin/agents/schedules/:id admin

Delete a schedule.

GET /admin/agents/approvals admin

Pending approval requests from agent runs.

POST /admin/agents/approvals/:id/approve admin

Approve a paused action; agent resumes.

POST /admin/agents/approvals/:id/reject admin

Reject; agent terminates with reason.

Admin — Sinks, providers, integrations

Outbound DB mirroring, multi-cloud control plane, and inbound integrations.

GET /admin/sinks admin

List configured outbound DB sinks.

POST /admin/sinks/ping admin

Smoke-test every sink concurrently.

GET /admin/providers admin

List cloud providers configured for deploys.

POST /admin/providers admin

Add a provider (credentials AES-256-GCM encrypted in the WAL).

GET /admin/providers/catalog admin

List the 10 supported providers + required fields.

GET /admin/providers/:id admin

Fetch one provider.

DELETE /admin/providers/:id admin

Remove a provider.

POST /admin/providers/:id/test admin

Verify credentials by calling the provider's health/list API.

GET /admin/providers/:id/instances admin

List deployed instances under this provider.

POST /admin/providers/:id/deploy admin

Provision a new kynetradb instance on this provider.

DELETE /admin/providers/:id/instances/:instance_id admin

Destroy an instance.

GET /admin/connect/options admin

Snippets for the 12 frameworks shown in the Connect tab.

GET /admin/connect/agent-prompt admin

Copy-ready system prompt for connecting an LLM agent.

GET /admin/connect/connection-string admin

Canonical kynetra:// connection string.

GET /admin/integrations admin

List inbound integrations (Shopify, Stripe, etc.).

POST /admin/integrations/:name/test admin

Verify an integration's credentials.