API reference
kynetradb speaks JSON over HTTP. Every endpoint, auth requirement, and payload
shape is listed below. The same spec is served live at
/openapi.json
on any running instance.
Base URL
http://localhost:8080 # local
https://your-deploy.fly.dev # production Authentication
Send your JWT as a bearer token on every request except /v1/auth/signup,
/v1/auth/login, the health endpoints, and connector webhooks:
Authorization: Bearer eyJhbGciOi... Content type
JSON requests use Content-Type: application/json. File uploads use multipart/form-data.
Errors
Non-2xx responses return a JSON envelope:
{
"error": "validation_failed",
"message": "field 'title' is required",
"status": 400
} Rate limits
No rate limit is enforced by default. Per-tenant quotas + per-IP throttles
are configurable via KYNETRA_RATE_LIMIT_* env vars at boot.
Health & metrics
Unauthenticated probes for orchestrators. Use these in liveness/readiness checks.
/healthz public Liveness probe. Returns 200 if the process is up.
200 OK
{ "status": "ok" } /readyz public Readiness. Returns 200 only after WAL replay completes.
200 OK
{ "ready": true, "log_seq": 1234 } /metrics public Prometheus metrics: per-route p50/p95/p99, write tput, SLO breaches.
/openapi.json public Full OpenAPI 3.1 spec generated from the route table.
Auth
Bcrypt-hashed passwords (cost 12) + stateless HS256 JWT, 7-day TTL.
/v1/auth/signup public Create a user. The first signup becomes Admin; subsequent users are Editor.
{
"email": "you@example.com",
"password": "strong-pw",
"display_name": "You"
} 201 Created
{ "id": "01K3...", "role": "admin" } curl -X POST $BASE/v1/auth/signup \
-H 'Content-Type: application/json' \
-d '{"email":"you@example.com","password":"strong-pw","display_name":"You"}' /v1/auth/login public Exchange credentials for a JWT.
{ "email": "you@example.com", "password": "strong-pw" } 200 OK
{ "token": "eyJhbGciOi...", "user": { "id": "...", "role": "admin" } } curl -X POST $BASE/v1/auth/login \
-H 'Content-Type: application/json' \
-d '{"email":"you@example.com","password":"strong-pw"}' /v1/auth/me jwt Return the authenticated user.
200 OK
{ "id": "...", "email": "...", "role": "admin", "display_name": "..." } /v1/auth/users admin List all users. Admin only.
/v1/auth/users admin Create a user with an explicit role. Admin only.
{ "email": "...", "password": "...", "role": "editor", "display_name": "..." } /v1/auth/users/:id admin Delete a user. Admin only.
Entities
Lowest-level write API. Schema-free JSON keyed by a free-form kind tag.
/v1/entities jwt Upsert an entity. Omit id to auto-assign a ULID.
{
"id": "01K3...", // optional
"kind": "product",
"attrs": {
"title": "Aurora Espresso",
"price": 2200,
"tags": ["coffee", "espresso"]
}
} 200 OK
{ "id": "01K3...", "log_seq": 42 } curl -X POST $BASE/v1/entities \
-H "Authorization: Bearer $TOKEN" \
-H 'Content-Type: application/json' \
-d '{"kind":"product","attrs":{"title":"Aurora Espresso","price":2200}}' /v1/entities/:id jwt Fetch a single entity by id.
200 OK
{ "id": "...", "kind": "product", "attrs": {...}, "updated_at": 1717... } /v1/entities/:id jwt Tombstone delete. Entity is removed from all indexes; tombstone persists in WAL.
/v1/filter jwt JSON predicate filter over attrs.
{
"kind": "product",
"where": {
"and": [
{ "field": "price", "op": "lt", "value": 5000 },
{ "field": "vendor", "op": "eq", "value": "Aurora" }
]
},
"limit": 50
} Ops: eq, neq, gt, gte, lt, lte, in, nin, contains, starts_with. Logical: and, or, not.
Search & vector
BM25 full-text + HNSW vector ANN. Both read the same entity state as KV.
/v1/search jwt BM25 full-text search over indexed text fields in attrs.
{
"q": "espresso colombian",
"top_k": 10,
"kind": "product" // optional filter
} 200 OK
{
"hits": [
{ "id": "01K3...", "score": 4.21, "kind": "product", "attrs": {...} },
...
]
} /v1/vector jwt Cosine ANN search over attrs.vector embeddings.
{
"vector": [0.012, -0.34, ...],
"top_k": 10,
"kind": "product"
} Dimensionality is fixed by the first vector inserted; mismatched dims are rejected.
Products (ecommerce shortcut)
Convenience routes for the ecommerce shape — they wrap /v1/entities with kind="product".
/v1/products jwt Upsert a product entity.
/v1/products/:id jwt Fetch a product by id.
/v1/products/search jwt BM25 search constrained to kind="product".
Collections
Typed schemas with field validation and per-operation role rules.
/v1/collections jwt List all collections.
/v1/collections admin Create or update a collection definition.
{
"name": "posts",
"fields": [
{ "name": "title", "type": "text", "required": true },
{ "name": "body", "type": "long_text" },
{ "name": "tags", "type": "json" }
],
"rules": {
"list": ["admin", "editor"],
"view": ["admin", "editor"],
"create": ["admin", "editor"],
"update": ["admin", "editor"],
"delete": ["admin"]
}
} /v1/collections/:name jwt Fetch one collection definition.
/v1/collections/:name admin Delete a collection and all its records.
/v1/collections/:name/records jwt List records (rule-gated by `list`).
/v1/collections/:name/records jwt Create a record. Rule-gated by `create`.
/v1/collections/:name/records/:id jwt Fetch a record. Rule-gated by `view`.
/v1/collections/:name/records/:id jwt Partial update. Rule-gated by `update`.
/v1/collections/:name/records/:id jwt Delete a record. Rule-gated by `delete`.
Files
Content-addressable storage. Local FS or any S3-compatible backend.
/v1/files jwt List files visible to the caller.
/v1/files jwt Multipart upload. Returns file id + sha256.
curl -X POST $BASE/v1/files \
-H "Authorization: Bearer $TOKEN" \
-F file=@image.png /v1/files/:id jwt Download raw file bytes.
/v1/files/:id/meta jwt Fetch file metadata: name, size, sha256, content type, uploader.
/v1/files/:id jwt Delete file (gated by ownership or admin role).
Realtime (SSE)
Server-Sent Events stream of every write matching the filter.
/v1/realtime jwt Subscribe to live writes. Filter by topics and kinds via query params.
Query params:
topics=entities,files,collections (comma-sep)
kinds=product,article (comma-sep)
Event format:
event: change
data: { "op":"put", "kind":"product", "id":"01K...", "log_seq":42 } curl -N -H "Authorization: Bearer $TOKEN" \
"$BASE/v1/realtime?topics=entities&kinds=product" Uses tokio::broadcast under the hood. Slow consumers see dropped-message SSE comments rather than blocking writers.
LLM runtime
Unified completion API in front of Ollama, Anthropic, and OpenAI.
/v1/llm/providers jwt List configured LLM providers and their models.
/v1/llm/complete jwt Provider-agnostic completion. Cost tracked per call.
{
"provider": "anthropic",
"model": "claude-opus-4-7",
"messages": [{ "role": "user", "content": "Hello" }],
"max_tokens": 256,
"temperature": 0.2
} 200 OK
{
"content": "...",
"input_tokens": 12,
"output_tokens": 34,
"cost_usd": 0.00021
} GDPR
Right-to-export and right-to-be-forgotten endpoints.
/v1/gdpr/export jwt Stream every entity, record, and file owned by the authenticated user as JSON.
/v1/gdpr/user/:id admin Hard-erase a user and tombstone everything they ever wrote. Append-only audit entry remains.
Stats & connectors
Engine introspection and inbound webhook receivers.
/v1/stats jwt High-level engine stats: entity count, log_seq, index sizes, uptime.
/v1/connectors jwt List configured inbound connectors (Shopify, Stripe, etc.).
/v1/connectors/:name/webhook public Receive a webhook payload. HMAC-verified per-connector secret.
Public route — auth is via per-connector webhook secret, not JWT.
Admin — Database
Cloudflare D1-style admin surface. All routes require Admin role.
/admin/db/overview admin Stat cards: entity count, write rate, storage on disk.
/admin/db/metrics admin 24h rolling read/write counters for the live dashboard.
/admin/db/console/execute admin Run a typed admin query from the embedded REPL.
/admin/db/time-travel admin List snapshot points for point-in-time restore.
/admin/db/restore admin Restore to a snapshot. Creates a backup of current state first.
/admin/db/restore-backups admin List backups produced by prior restores.
/admin/db/restore-undo admin Roll back the most recent restore using its safety backup.
/admin/db/delete-all admin Wipe everything. Irreversible; requires explicit confirmation token.
/admin/db/settings admin Boot-time settings snapshot.
/admin/db/slo admin Per-route p50/p95/p99 SLO tracker.
/admin/db/collections admin Per-collection row counts + write rate.
/admin/db/cost-per-write admin Estimated $/MM writes by storage + sink fanout.
Admin — Agents
Author, run, schedule, and approve LLM tool-use agents.
/admin/actions admin List the 10 typed actions agents can call.
/admin/agents admin List all agents.
/admin/agents admin Create or update an agent definition.
/admin/agents/:id/run admin Run an agent synchronously and return the full transcript.
/admin/agents/:id/run/stream admin Run an agent with SSE streaming of tokens + tool calls.
/admin/agents/:id/runs admin List historical runs for one agent.
/admin/runs admin Global run log across all agents.
/admin/agents/runs/summary admin Aggregate token + cost totals.
/admin/agents/schedules admin Schedule an agent to run on a cron expression.
/admin/agents/schedules admin List schedules.
/admin/agents/schedules/:id admin Delete a schedule.
/admin/agents/approvals admin Pending approval requests from agent runs.
/admin/agents/approvals/:id/approve admin Approve a paused action; agent resumes.
/admin/agents/approvals/:id/reject admin Reject; agent terminates with reason.
Admin — Sinks, providers, integrations
Outbound DB mirroring, multi-cloud control plane, and inbound integrations.
/admin/sinks admin List configured outbound DB sinks.
/admin/sinks/ping admin Smoke-test every sink concurrently.
/admin/providers admin List cloud providers configured for deploys.
/admin/providers admin Add a provider (credentials AES-256-GCM encrypted in the WAL).
/admin/providers/catalog admin List the 10 supported providers + required fields.
/admin/providers/:id admin Fetch one provider.
/admin/providers/:id admin Remove a provider.
/admin/providers/:id/test admin Verify credentials by calling the provider's health/list API.
/admin/providers/:id/instances admin List deployed instances under this provider.
/admin/providers/:id/deploy admin Provision a new kynetradb instance on this provider.
/admin/providers/:id/instances/:instance_id admin Destroy an instance.
/admin/connect/options admin Snippets for the 12 frameworks shown in the Connect tab.
/admin/connect/agent-prompt admin Copy-ready system prompt for connecting an LLM agent.
/admin/connect/connection-string admin Canonical kynetra:// connection string.
/admin/integrations admin List inbound integrations (Shopify, Stripe, etc.).
/admin/integrations/:name/test admin Verify an integration's credentials.