Skip to main content

API overview

The Midcore backend is a FastAPI application for automation, CI, and integrations: agent runs, gates, evidence, tenancy, and the large autonomy module surface.

OpenAPI and interactive docs

Non-production deployments expose machine-readable and browsable API documentation on the same origin as the API (not the Next.js site). Production disables Swagger/ReDoc/OpenAPI JSON to reduce IP exposure:

  • GET /openapi.json — OpenAPI 3 schema
  • GET /docs — Swagger UI
  • GET /redoc — ReDoc

Example: if your API base is https://api.example.com, open https://api.example.com/docs. From the web app in the browser, API calls are usually proxied via /api/backend/* (see App vs autonomy API).

Automation and agent surface

Agent orchestration, studio runs, streaming, smart gates, and reliability helpers live under the /api/v1/autonomy/ prefix on the FastAPI server. Examples (all require auth in normal deployments):

MethodPath (on API server)Purpose
POST/api/v1/autonomy/runFull automation run (optional stream, budget_seconds)
POST/api/v1/autonomy/vibe/runVibe coding run
GET/api/v1/autonomy/streaming/{session_id}/eventsSSE for a run session
GET/api/v1/autonomy/smart-gatesGate readiness snapshot
GET/api/v1/autonomy/reliability-contextBudget / concurrency hints for the studio
GET/api/v1/autonomy/evidence-packEvidence pack snapshot
POST/api/v1/autonomy/voice/transcribeVoice transcription

Shorthand in UI copy

In-product text may show POST /autonomy/run as shorthand; the full server path is /api/v1/autonomy/run.

Run vs vibe (security review)

RBAC, streaming, and audit behavior for /autonomy/run vs /autonomy/vibe/run are documented in your internal readiness and parity artifacts. Static HTML report bundles are not published on the public product site — see Readiness report (resources).

When to use the API

  • Automating agent runs from scripts or CI/CD
  • Integrating with external tools (ticketing, dashboards)
  • Running gates and reading evidence from your own services

Authentication

API access uses cookies/session, API keys, or SSO depending on your deployment. Store secrets in environment variables or a secrets manager. See Authentication and Security.

Main use cases

  • Triggering agent runs — Start a task remotely; use streaming endpoints for live output.
  • Running gates — Same gate set as the CLI (midcore gates run) with pass/fail and evidence.
  • Reading evidence — Query the evidence ledger and related autonomy snapshots.

App vs autonomy API · SDK and client libraries · CLI reference · Authentication