All endpoints are served from the control plane on port 3001 (HTTP) and 3002 (gRPC).
Fabric also provides a GraphQL API at /graphql — see GraphQL API below.
Method Path Description GET /healthzHealth check GET /readyzReadiness check GET /openapi.jsonOpenAPI specification
Method Path Description POST /v1/auth/signupSign up with email/password POST /v1/auth/loginLog in with email/password POST /v1/auth/logoutLog out (revoke current token) POST /v1/auth/logout-allInvalidate all sessions POST /v1/auth/token/refreshRefresh access token (single-use rotation) POST /v1/auth/social-loginConsumer-driven social login GET /v1/auth/verifyVerify email address POST /v1/auth/resend-verificationResend verification email POST /v1/auth/forgot-passwordSend password reset email POST /v1/auth/reset-passwordReset password with token POST /v1/auth/change-passwordChange password (requires auth) GET /v1/auth/social/{provider}Initiate server-side social login GET /v1/auth/callbackSocial login OAuth callback
Method Path Description GET /v1/meCurrent principal GET /v1/me/organizationsMy organizations GET /v1/me/teamsMy teams GET /v1/me/permissionsEffective permissions GET /v1/me/social-connectionsConnected social providers DELETE /v1/me/social-connections/{provider}Disconnect a social provider
Method Path Description GET /v1/admin/usersList all users GET /v1/admin/users/{id}Get user details DELETE /v1/admin/users/{id}Soft-delete a user POST /v1/admin/users/{id}/unlockUnlock locked account POST /v1/admin/users/{id}/verifyForce-verify email POST /v1/admin/users/{id}/logout-allInvalidate all sessions for user
Method Path Description POST /v1/organizationsCreate organization GET /v1/organizations/{id}Get organization GET /v1/organizations/{id}/teamsList teams GET /v1/organizations/{id}/membersList members POST /v1/teamsCreate team (RBAC enforced) GET /v1/teams/{id}Get team
Method Path Description POST /v1/invitationsCreate invitation (Admin+, duplicate/rate-limit guarded) GET /v1/invitationsList invitations for org (?organization_id=) GET /v1/invitations/{id}Get invitation by ID GET /v1/invitations/{id}/acceptAccept invitation (token verified, creates membership) POST /v1/invitations/{id}/revokeRevoke invitation
Method Path Description GET /v1/organizations/{id}/settingsGet org settings (branding, rate limits) PUT /v1/organizations/{id}/settingsUpdate org settings (Owner only)
Method Path Description POST /v1/authz/checkSingle permission check POST /v1/authz/check-batchBatch permission check
Method Path Description POST /v1/jobsSubmit a job (with idempotency key, cost estimate) GET /v1/jobs/{id}Get job by canonical job_id GET /v1/jobsList jobs GET /v1/jobs/{id}/usageJob cost/usage roll-up GET /v1/jobs/{id}/eventsPer-job event stream (SSE)
Method Path Description POST /v1/workflow-definitionsCreate definition (supports NodeDefinition schema) GET /v1/workflow-definitionsList definitions POST /v1/workflow-runsCreate run (with idempotency key) GET /v1/workflow-runs/{id}Get run status POST /v1/workflow-runs/{id}/startStart execution POST /v1/workflow-runs/{id}/cancelCancel run GET /v1/workflow-runs/{id}/eventsPer-run event stream (SSE)
POST /v1/workflows/runs accepts request bodies in JSON, YAML, or TOML ,
selected by the Content-Type header (plan 077). JSON is the default
when the header is missing or unrecognised, so existing clients are
unaffected.
Header Parser application/json (default)serde_jsonapplication/yaml / text/yaml / application/x-yamlserde_yaml_ngapplication/toml / text/toml / application/x-tomltoml
Response bodies remain JSON. See the
Submitting Jobs guide
for usage examples.
Method Path Description GET /v1/providersList available providers and capabilities POST /v1/providers/executeExecute a provider request POST /v1/providers/execute/streamExecute with SSE token streaming POST /v1/providers/estimateCost estimation
Method Path Description POST /v1/api-keysCreate key (returns raw key once) GET /v1/api-keysList keys GET /v1/api-keys/{id}Get key metadata DELETE /v1/api-keys/{id}Revoke key POST /v1/api-keys/{id}/disableDisable key
Method Path Description POST /v1/assetsUpload asset GET /v1/assets/{id}Download asset
Method Path Description GET /v1/organizations/{id}/usageUsage summary with breakdowns GET /v1/organizations/{id}/usage/recordsDetailed usage records
Method Path Description GET /v1/organizations/{id}/audit-logsOrg audit trail GET /v1/audit-logsGlobal audit logs
Method Path Description GET /v1/events/streamAll events (SSE) GET /v1/events/wsAll events (WebSocket) GET /v1/jobs/{id}/eventsPer-job events (SSE) GET /v1/workflow-runs/{id}/eventsPer-run events (SSE)
Fabric provides a full GraphQL API alongside REST, enabled with --features graphql. All GraphQL operations enforce the same authentication, RBAC, ACL, rate limiting, and audit logging as the REST API.
Method Path Description POST /graphqlQuery and mutation endpoint GET /graphqlGraphiQL playground (dev mode only) GET /graphql/sdlSDL schema export (dev mode only) GET /graphql/wsWebSocket subscriptions (graphql-ws protocol)
Query Description organization(id)Get organization by ID organizations(first, after)List organizations (paginated) team(id)Get team by ID teams(orgId, first, after)List teams in an organization meCurrent authenticated principal myOrganizationsOrganizations the caller belongs to myTeamsTeams accessible to the caller myPermissionsEffective permissions (highest role per scope) apiKey(id)Get API key metadata apiKeys(orgId, first)List API keys for an organization workflows(orgId, first)List registered workflows workflow(name, orgId)Resolve workflow by name workflowRun(id)Get workflow run status workflowRuns(orgId, first)List workflow runs waitingRuns(orgId, first)List runs waiting for signals asset(id)Get asset metadata assets(orgId, first)List assets assetDownloadUrl(id, ttlSeconds)Generate signed download URL webhook(id)Get webhook webhooks(orgId, first)List webhooks webhookDeliveries(webhookId, first)List delivery attempts
Mutation Description createOrganization(name, slug)Create organization (caller becomes Owner) updateOrganization(id, name)Update organization name archiveOrganization(id)Archive organization (soft-delete) createTeam(orgId, name, slug)Create team within organization disableApiKey(id)Disable an API key deleteApiKey(id)Permanently delete an API key submitWorkflowRun(name, orgId, input)Submit a workflow run cancelWorkflowRun(id, reason)Cancel a running workflow pauseWorkflowRun(id, reason)Pause a workflow resumeWorkflowRun(id)Resume a paused workflow signalWorkflowRun(id, signalName, payload)Send signal to a waiting workflow approveWorkflowRun(id, approved, reason)Approve or reject a waiting workflow createWebhook(input)Create webhook subscription deleteWebhook(id)Delete webhook
Subscription Description events(orgId)All events for an organization workflowRunEvents(runId)Events for a specific workflow run
The GraphQL API enforces all the same security controls as REST:
Authentication : JWT or API key via Authorization headerRBAC + ACL : Every resolver checks evaluate_with_acls() (3-layer: deny ACL > allow ACL > role hierarchy)API key scopes : Validated per-resolver when using API key authRate limiting : Same per-tenant + per-org limits as RESTDepth limit : Max 10 levels of nestingComplexity limit : Max cost 200 (list fields multiply by page size)Pagination : All list fields require first (max 100)Query timeout : 30 secondsBatch rejection : Array-batched requests ([{query:...}]) are rejectedCSRF : Rejects non-JSON Content-TypeIntrospection : Disabled in productionAudit : All mutations logged with transport: "graphql"
organizations ( first : 10 ) {
createOrganization ( name : " Acme Corp " ) {
GraphQL uses its own response format (not the REST envelope):
Every response follows the standard envelope format:
"timestamp" : " 2026-03-19T12:00:00Z " ,
"organization_id" : " uuid " ,
Error responses:
"meta" : { "status" : 403 , ... },
"message" : " Insufficient permissions "
