Skip to main content

REST API reference

Every concept in the framework — sign in, run a query, fetch a screen, trigger a job, talk to the assistant — is reachable through the REST surface. The frontend uses the same endpoints external integrations would, and the OpenAPI document at /docs (live, generated from the FastAPI route signatures) is browsable as a developer reference.

This page is a domain-by-domain map of the endpoints, with the required permission, the request shape and the response shape for each. The interactive variant is at http://${HOST}:${PORT}/docs — the framework's bundled Swagger UI is the canonical reference for request / response schemas.

Conventions

  • Base path — the framework serves the API at the root of the bound origin: https://liberty.example.com/api/... and https://liberty.example.com/admin/....
  • Authentication — every endpoint requires a Bearer token in the Authorization header, except POST /auth/login, POST /auth/refresh, the OIDC pair and GET /api/healthz.
  • Content type — JSON in / JSON out unless stated. Errors carry a { "detail": "..." } body with a non-2xx status.
  • LanguageX-Liberty-Lang: fr overrides the response's labels for endpoints that include them (screens, dictionary, menus, errors).
  • Permission codes are the same ones documented under Roles & permissions. * is wildcard; sql:billing:* matches any query of the billing connector.

Health

MethodPathPermissionResponse
GET/api/healthznone (public){ "ok": true, "version": "0.42.0" }

Useful for liveness probes. Doesn't touch the database.

Auth

MethodPathPermissionBodyResponse
POST/auth/loginpublic{ "username", "password" }{ "access_token", "refresh_token", "token_type": "Bearer", "expires_in": 900 }
POST/auth/refreshpublic (cookie / body){ "refresh_token" }Same as /auth/login.
POST/auth/logoutauthenticated{ "ok": true }. Invalidates the refresh token.
GET/auth/meauthenticated{ "username", "display_name", "roles", "permissions": [...] }.
GET/auth/oidc/loginpublic302 to the IdP.
GET/auth/oidc/callbackpublicquery302 to /. Sets the local session.

See Authentication for the OIDC flow.

Connectors & data

SQL connectors

MethodPathPermissionDescription
GET/api/connectorsconnectors:readList every connector with type + status.
GET/api/connectors/{name}connectors:readConnector definition + discovered schema.
POST/api/sql/{pool}/_schemaconnectors:readIntrospect the schema of one pool (table list, column list).
GET/api/sql/{connector}/{query}sql:{connector}:{query}Execute a read query. Query params bind to the connector's params.
POST/api/sql/{connector}/{query}sameSame as GET but with a JSON body for complex param maps.
POST/api/sql/{connector}/{query}:writesql:{connector}:{query}:writeExecute a write query. Body is the param map.

HTTP / API connectors

MethodPathPermissionDescription
POST/api/http/{connector}/{endpoint}api:{connector}:{endpoint}Call a named endpoint. Body carries the param map.

Excel export

MethodPathPermissionDescription
POST/api/screens/{app}/{screen_id}/exportscreen:{app}:{id}Export the screen's current view as XLSX. Body accepts the active filters. Response is application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.

Screens

MethodPathPermissionDescription
GET/api/screensscreens:readList every screen across every app.
GET/api/screens/{app}screens:readScreens for one app.
GET/api/screens/{app}/{screen_id}screen:{app}:{id}Screen definition + grid columns + dialog fields.
POST/api/screens/{app}/{screen_id}/lockscreen:{app}:{id}Acquire a record lock — { "key": {...} }.
DELETE/api/screens/{app}/{screen_id}/locksameRelease the record lock.

Dashboards & charts

MethodPathPermissionDescription
GET/api/dashboardsdashboards:readList every dashboard.
GET/api/dashboards/{id}dashboard:{id}Dashboard layout + per-panel chart references.
GET/api/chartscharts:readList every chart.
GET/api/charts/{id}chart:{id}Chart definition + bound data (when called with ?include_data=true).
POST/api/charts/{id}/datachart:{id}Refresh a chart's data with a parameter map.
MethodPathPermissionDescription
GET/api/menusauthenticatedEvery menu tree the caller can see, pruned per permission.
GET/api/menus/{app}authenticatedOne app's menu tree.

Dictionary

MethodPathPermissionDescription
GET/api/dictionaryauthenticatedEvery column, lookup and label, localised per X-Liberty-Lang.
GET/api/dictionary/lookups/{name}authenticatedA single lookup's value set.

i18n

MethodPathPermissionDescription
GET/api/i18n/{lang}authenticatedBundled language pack for lang. Includes common + per-app overrides.
GET/api/i18n/_revisionsauthenticatedThe revision string of each loaded pack. The frontend uses it as a cache key.

Jobs (Nomaflow)

MethodPathPermissionDescription
GET/admin/jobsjobs:readJob catalog + last run status per job.
GET/admin/jobs/{name}job:{name}One job's definition + last 50 runs.
POST/admin/jobs/{name}/runjob:{name}Trigger a manual run. Body accepts params overrides. Returns { "run_id" }.
GET/admin/jobs/runsjobs:readList runs across every job — filterable by job, status, from, to.
GET/admin/jobs/runs/{run_id}job:{name}Full run detail with steps + the latest 1000 log lines.
POST/admin/jobs/runs/{run_id}/abortjob:{name}Abort an in-flight run.
POST/admin/jobs/runs/{run_id}/replayjob:{name}Re-run with the same params.
GET/admin/jobs/runs/{run_id}/logsjob:{name}Stream the log tail. ?follow=true upgrades to Socket.IO.
GET/admin/jobs/cron-preview?expression=...jobs:readParse a cron expression and return the next 5 fire-times.

AI assistant

MethodPathPermissionDescription
GET/ai/toolsai:chatThe tool list the caller would see in chat — useful for permission debugging.
POST/ai/chatai:chatSend a turn. Streams Server-Sent Events by default; ?stream=false returns a single JSON response.
GET/ai/conversationsai:chatList the caller's conversations.
GET/ai/conversations/{id}ai:chatOne conversation with messages, tool calls and results.
DELETE/ai/conversations/{id}ai:chatDelete a conversation.
POST/ai/conversations/{id}/shareai:shareProduce a read-only share link.

Admin config (Settings UI back-end)

Each per-section TOML follows the same shape — <section> is one of: pools, connectors, dictionary, menus, screens, dashboards, charts, jobs.

MethodPathPermissionDescription
GET/admin/config/{section}/parsedsettings:{section}The parsed TOML as JSON.
PUT/admin/config/{section}/parsedsettings:{section}Replace the parsed TOML. The server re-serialises with comment preservation.
GET/admin/config/{section}/rawsettings:rawRaw TOML text.
POST/admin/config/{section}/rawsettings:rawReplace the raw TOML text.
POST/admin/config/connectors/{name}/test-sqlsettings:connectorsExecute one SQL query — body has { "query", "params" }.
POST/admin/config/api/testsettings:connectorsExecute one HTTP endpoint.
POST/admin/config/renamesettings:writeRename an entity across every file. Body: { "scope", "from", "to" }.
POST/admin/reloadsettings:reloadReload the in-memory registries. ?scope=<section> to narrow; defaults to all.

License

MethodPathPermissionDescription
GET/api/licenselicense:readThe current license payload + verification status.
POST/admin/license/reloadlicense:writeRe-read LIBERTY_LICENSE_KEY and re-verify the signature without a full restart.

Users & roles

MethodPathPermissionDescription
GET/admin/usersusers:readList every user.
GET/admin/users/{username}users:readOne user with roles and effective permissions.
POST/admin/usersusers:writeCreate a user.
PUT/admin/users/{username}users:writeUpdate display name, roles, active flag.
POST/admin/users/{username}/passwordusers:writeSet a new password.
POST/admin/users/{username}/revokeusers:writeRevoke every active session.
GET/admin/rolesusers:readList every role.
POST/admin/rolesusers:writeCreate a role.
PUT/admin/roles/{name}users:writeUpdate permissions / inheritance / description.
DELETE/admin/roles/{name}users:writeDelete a role (refused when members exist).

Socket.IO

The framework also exposes a Socket.IO endpoint at /socket.io for live updates. It is not a REST endpoint but plays the same role:

EventDirectionPurpose
config.reloadedserver → clientBroadcast after a hot-reload — clients re-fetch the affected catalog.
lock.acquired / lock.releasedserver → clientRecord locks on screens (visible on the Technical dashboard).
job.run.transitionedserver → clientA job run changed status (runningsucceeded / failed / aborted).
job.run.logserver → clientOne log line from an in-flight run. Filtered per run_id.
pool.statsserver → clientPeriodic pool snapshot for the Technical dashboard.
ai.chat.deltaserver → clientA token chunk during an AI chat turn.

Authentication is the same Bearer token as REST, passed in the auth payload of the Socket.IO handshake.

OpenAPI

The full OpenAPI document is served at:

  • /docs — interactive Swagger UI.
  • /redoc — static Redoc view.
  • /openapi.json — the raw OpenAPI 3.1 JSON, suitable for code generation.

Every endpoint is documented there with the exact request / response shape generated from the route's Pydantic models — this page is the conceptual map; the OpenAPI doc is the precise contract.

Tips & best practices

  • Use /openapi.json to generate clients. Tools like openapi-typescript or openapi-python-client produce typed SDKs in one command.
  • Always pass X-Liberty-Lang when displaying responses to a user. The default is en — labels in your locale require the header.
  • Prefer the named-endpoint REST over raw SQL. GET /api/sql/billing/invoices-for-period is auditable and permission-checked; building SQL in the client and POSTing it is neither (the framework refuses anyway — there is no "run arbitrary SQL" endpoint).
  • Pin the Authorization header on every call. The frontend has cookie fallback for the refresh token but the API surface itself requires the explicit header — easier to debug.
  • POST /admin/reload from CI after deploying configuration. A git pull on liberty-apps doesn't reach the running framework until the registry is rebuilt.

What's next