Source of truth
The cloud control plane is a FastAPI service. Its OpenAPI document is the canonical reference; this page summarizes the direct FastAPI surface and the BFF routes the dashboard calls.
Traffic model
The CLI talks to FastAPI directly with Authorization: Bearer <api-key>.
The dashboard sits behind Supabase auth and uses two BFF layers: named /api/cloud/* routes for higher-level dashboard actions, and a guarded catch-all /api/[...path] proxy for a narrow allowlist of Cloud read/sync routes.
/openapi.json remains the source of truth for generated clients.
FastAPI route families
| Family | Routes |
|---|---|
| System | /, /healthz, /health, /health/db, /health/r2 |
| Status | GET /api/status, GET /api/status/operational |
| Workspaces | /api/workspaces, /api/workspaces/{workspace_id}, invitations, transfer ownership |
| Projects | /api/projects, /api/projects/{project_id} |
| Sync | POST /api/sync/runs, GET /api/sync/ledger-head, POST /api/sync/ledger-head, artifact initiate/commit/abort |
| Runs | /api/runs, /api/runs/{run_id}, manifest, metrics, log, signature, compliance mapping, artifact download, delete |
| API keys | /api/api-keys, rotate, revoke |
| Shares | /api/shares, revoke, /api/public/shares/{token} |
| Billing | checkout, portal, webhook |
| Usage | reserve, commit, revert |
| Profile / DSAR | /api/me, object, restrict, export, delete, cancel delete |
| Claims | /api/claims, /api/claims/{claim_id} |
| Museum | /api/museum |
| Audit logs | /api/audit/logs |
Full FastAPI route list (alphabetical by path):
- GET /
- GET /api/api-keys
- POST /api/api-keys
- DELETE /api/api-keys/{api_key_id}
- POST /api/api-keys/{api_key_id}/rotate
- GET /api/artifacts/{artifact_id}
- GET /api/audit/logs
- POST /api/billing/checkout
- POST /api/billing/portal
- POST /api/billing/webhook
- GET /api/claims
- GET /api/claims/{claim_id}
- GET /api/me
- PATCH /api/me
- POST /api/me/delete
- POST /api/me/delete/cancel
- GET /api/me/export
- POST /api/me/object
- POST /api/me/restrict
- GET /api/museum
- GET /api/projects
- POST /api/projects
- DELETE /api/projects/{project_id}
- GET /api/projects/{project_id}
- PATCH /api/projects/{project_id}
- DELETE /api/projects/{project_id}/staging-e2e-tree
- POST /api/projects/{project_id}/staging-retention-proof
- GET /api/public/shares/{token}
- GET /api/runs
- DELETE /api/runs/{run_id}
- GET /api/runs/{run_id}
- POST /api/runs/{run_id}/evidence-package
- GET /api/runs/{run_id}/log
- GET /api/runs/{run_id}/manifest
- GET /api/runs/{run_id}/metrics
- GET /api/shares
- POST /api/shares
- POST /api/shares/{share_id}/reliability-consent
- DELETE /api/shares/{share_id}/reliability-consent/{consent_id}
- GET /api/shares/{share_id}/reliability-consent/{consent_id}/export
- POST /api/shares/{share_id}/reliability-consent/{consent_id}/revoke
- POST /api/shares/{share_id}/revoke
- GET /api/status
- GET /api/status/operational
- POST /api/sync/artifacts/abort
- POST /api/sync/artifacts/commit
- POST /api/sync/artifacts/initiate
- GET /api/sync/ledger-head
- POST /api/sync/ledger-head
- POST /api/sync/runs
- POST /api/usage/reserve
- POST /api/usage/commit
- POST /api/usage/revert
- GET /api/workspaces
- POST /api/workspaces
- DELETE /api/workspaces/{workspace_id}
- GET /api/workspaces/{workspace_id}
- PATCH /api/workspaces/{workspace_id}
- GET /api/workspaces/{workspace_id}/invitations
- POST /api/workspaces/{workspace_id}/invitations
- PATCH /api/workspaces/{workspace_id}/transfer-ownership
- GET /health
- GET /health/db
- GET /health/r2
- GET /healthz
BFF routes
These are the dashboard’s own routes. Most are thin proxies that add auth and forward the body to FastAPI.
| Route | FastAPI target | Used by |
|---|---|---|
| GET /api/cloud/me | /api/me | Profile panel |
| PATCH /api/cloud/me | /api/me | Profile opt-ins |
| POST /api/cloud/me | /api/me/... | DSAR actions (export, delete, restrict) |
| GET /api/cloud/workspaces | /api/workspaces | Workspace switcher |
| POST /api/cloud/workspaces | /api/workspaces | Workspace creation |
| GET /api/cloud/projects | /api/projects | Project list |
| POST /api/cloud/projects | /api/projects | Project creation |
| GET /api/cloud/runs | /api/runs | Recent runs table |
| POST /api/cloud/api-keys | /api/api-keys | API key issuance (one-time secret) |
| POST /api/cloud/shares | /api/shares | Create / revoke public share |
| POST /api/cloud/billing/checkout | /api/billing/checkout | Stripe Checkout session |
| POST /api/cloud/billing/portal | /api/billing/portal | Stripe Customer Portal |
| POST /api/cloud/sample-run | /api/runs (synthetic) | Onboarding “upload sample run” |
| POST /api/workspace/selection | local selection state | Workspace switcher |
/api/[...path] is intentionally allowlisted. It forwards only:
- GET /health
- GET /api/status
- GET /api/runs, GET /api/runs/{run_id}, and the run manifest/metrics/log/signature/compliance mapping reads (GET /api/runs/{run_id}/{manifest|metrics|log|signature|compliance_mapping})
- GET /api/artifacts/{artifact_id}
- GET /api/claims, GET /api/claims/{claim_id}
- GET /api/museum
- workspace/project list and creation (GET and POST /api/workspaces, GET and POST /api/projects)
- API-key creation (POST /api/api-keys)
- share list/create/revoke (GET /api/shares, POST /api/shares, POST /api/shares/{uuid}/revoke)
- sync run create and artifact initiate/commit/abort (POST /api/sync/runs, POST /api/sync/artifacts/{initiate|commit|abort})
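The check a guarded catch-all like this one has to make, written out as an added example (not the dashboard's own code): the method/path patterns are copied from the allowlist above, while the placeholder semantics ({id} is one non-empty segment, {uuid} is a UUID, {a|b} is one of the literals) and the decode-before-match handling of dotted or encoded segments are assumptions of this example.

```typescript
// Added example, not the project's own code: allowlist check for the guarded
// /api/[...path] catch-all. {id} matches one non-empty segment, {uuid} one
// UUID, {a|b|c} one listed literal; any (method, path) not listed is denied.
type Method = "GET" | "POST" | "PUT" | "PATCH" | "DELETE";
const ALLOWLIST: ReadonlyArray<[Method, string]> = [
  ["GET", "/health"],
  ["GET", "/api/status"],
  ["GET", "/api/runs"],
  ["GET", "/api/runs/{id}"],
  ["GET", "/api/runs/{id}/{manifest|metrics|log|signature|compliance_mapping}"],
  ["GET", "/api/artifacts/{id}"],
  ["GET", "/api/claims"],
  ["GET", "/api/claims/{id}"],
  ["GET", "/api/museum"],
  ["GET", "/api/workspaces"],
  ["POST", "/api/workspaces"],
  ["GET", "/api/projects"],
  ["POST", "/api/projects"],
  ["POST", "/api/api-keys"],
  ["GET", "/api/shares"],
  ["POST", "/api/shares"],
  ["POST", "/api/shares/{uuid}/revoke"],
  ["POST", "/api/sync/runs"],
  ["POST", "/api/sync/artifacts/{initiate|commit|abort}"],
];

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// One request path segment against one pattern segment.
function segmentMatches(pattern: string, segment: string): boolean {
  if (!pattern.startsWith("{")) return pattern === segment;
  const body = pattern.slice(1, -1);
  if (body.includes("|")) return body.split("|").includes(segment);
  if (body === "uuid") return UUID_RE.test(segment);
  // Generic {id}: exactly one non-empty segment; "." and ".." are never ids.
  return segment.length > 0 && segment !== "." && segment !== "..";
}

// The query string is dropped and the path percent-decoded before matching,
// so an encoded ".." or "/" cannot slip past the per-segment comparison.
function isAllowed(method: string, rawPath: string): boolean {
  let path: string;
  try { path = decodeURIComponent(rawPath.split("?")[0]); } catch { return false; }
  const parts = path.split("/");
  return ALLOWLIST.some(([m, pattern]) => {
    const pp = pattern.split("/");
    return m === method.toUpperCase() && pp.length === parts.length &&
      pp.every((p, i) => segmentMatches(p, parts[i]));
  });
}
```

Note that only the method/path pair is checked here; the proxy still has to attach the caller's auth and forward the body, which this example leaves out.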
Auth routes
| Route | Purpose |
|---|---|
| POST /api/auth/login | Supabase email/password sign-in |
| POST /api/auth/signup | Supabase email/password sign-up |
| POST /api/auth/logout | Supabase sign-out |
| POST /api/auth/reset-password | Supabase reset email request |
| POST /api/auth/session | Current session check |
Public routes
| Route | Purpose |
|---|---|
| GET /api/public/r/[token] | Resolve a public share token to a run snapshot |
| GET /api/public/vla-leaderboard | Return public VLA leaderboard snapshots |
Public share resolution states (the outcomes of resolving a share token):
| State | HTTP status | Code | Cache |
|---|---|---|---|
| Active share | 200 | n/a | private, no-store |
| Token not found or token mismatch | 404 | share_not_found | no-store |
| Revoked | 410 | share_revoked | no-store |
| Expired | 410 | share_expired | no-store |
| Missing password | 401 | share_password_required | no-store |
| Wrong password | 401 | share_wrong_password | no-store |
| Password locked | 429 | share_password_locked | no-store + rate-limit headers |
| Read rate limited | 429 | share_rate_limited | no-store + rate-limit headers |
| Evidence verification failure | 409 | evidence_unverified | no-store |
| Artifact filtered or unavailable | 409 | artifact_filtered | no-store |
| Public payload policy rejected | 409 | public_payload_policy_rejected | no-store |
Full BFF route list:
- DELETE /api/[...path]
- GET /api/[...path]
- PATCH /api/[...path]
- POST /api/[...path]
- PUT /api/[...path]
- POST /api/auth/login
- POST /api/auth/logout
- POST /api/auth/reset-password
- POST /api/auth/session
- POST /api/auth/signup
- DELETE /api/cloud/api-keys
- POST /api/cloud/api-keys
- POST /api/cloud/billing/checkout
- POST /api/cloud/billing/portal
- GET /api/cloud/me
- PATCH /api/cloud/me
- POST /api/cloud/me
- DELETE /api/cloud/projects
- GET /api/cloud/projects
- POST /api/cloud/projects
- POST /api/cloud/projects/[projectId]/staging-retention-proof
- GET /api/cloud/runs
- POST /api/cloud/runs
- POST /api/cloud/sample-run
- GET /api/cloud/shares
- POST /api/cloud/shares
- DELETE /api/cloud/workspaces
- GET /api/cloud/workspaces
- POST /api/cloud/workspaces
- POST /api/e2e/cli-sync
- GET /api/public/r/[token]
- GET /api/public/vla-leaderboard
- POST /api/workspace/selection
Auth header
All /api/cloud/* calls expect a Supabase session cookie when called from the dashboard. The CLI does not call these BFF routes; it sends Authorization: Bearer <wfx_…> directly to FastAPI.
Error shape
The BFF normalizes failures into one shape, and the code field is stable. Common values seen by the dashboard:
| Code | When |
|---|---|
| login_required | Session missing or expired. The dashboard redirects to /login. |
| validation_error | Body shape mismatch. details carries the offending field path. |
| quota_exceeded | Workspace plan cap hit. The Billing panel surfaces an upgrade CTA. |
| not_found | Resource id does not exist or is invisible to this caller. |
| unsupported_action | Method not allowed (e.g. POST /api/cloud/runs without the e2e fixture flag). |
E2E fixtures
When WORLDFLUX_WEB_E2E_FIXTURES=1 is set, the BFF returns deterministic in-memory data instead of proxying to FastAPI. This is what Playwright tests use.
/api/e2e/cli-sync is the synthetic endpoint the test suite hits to seed runs.