The Hugin API server exposes a REST API for automation, scripting, and integration with external tools. Every feature accessible through the UI is also accessible via REST.
🔗Base URL and Default Port
http://127.0.0.1:8081/api/
The API port defaults to 8081 and is configurable via --api-port or the config file. An OpenAPI spec is served at /openapi.json.
🔗Authentication
When the API is bound to 127.0.0.1 (the default), authentication is disabled by default. Anything that can reach the port then has the same control over the proxy as the UI, since every UI feature is also a REST route, so before exposing the API on a network interface (0.0.0.0), enable authentication; only GET /api/health is meant to be reachable without it. See Authentication for details.
🔗Endpoint Reference
All endpoints are prefixed with /api/ unless otherwise noted.
🔗Infrastructure
GET /api/health Health check (no auth required)
GET /api/update/check Check for updates
GET /api/ca.pem Download CA certificate
GET /api/proxy/status Proxy status and statistics
🔗Flows
GET /api/flows List flows (query params: method, host, flagged, limit, offset)
POST /api/flows Create/import a flow
GET /api/flows/{id} Get flow details
🔗Repeater
POST /api/repeater/send Replay a request with modifications
POST /api/repeater/batch Send batch requests
GET /api/repeater/history List replay history
GET /api/repeater/queue Queue status
POST /api/repeater/queue Queue a request for later
GET /api/repeater/queue/list List queued requests
DELETE /api/repeater/queue Clear the queue
DELETE /api/repeater/queue/{id} Cancel a queued request
POST /api/repeat Send raw HTTP request
POST /api/flows/{id}/repeat Replay a flow through the proxy
🔗Intercept
GET /api/intercept Intercept status
POST /api/intercept Toggle intercept on/off
GET /api/intercept/pending List pending intercepted requests
GET /api/intercept/pending/{id} Get a pending request
POST /api/intercept/forward/{id} Forward a request
POST /api/intercept/drop/{id} Drop a request
POST /api/intercept/forward-all Forward all pending
POST /api/intercept/drop-all Drop all pending
GET /api/intercept/captured List captured intercepts
POST /api/intercept/captured/clear Clear captured intercepts
Response Intercept:
GET /api/intercept/responses List pending responses
GET /api/intercept/responses/{id} Get a pending response
POST /api/intercept/responses/forward/{id} Forward a response
POST /api/intercept/responses/drop/{id} Drop a response
POST /api/intercept/responses/forward-all Forward all responses
POST /api/intercept/responses/drop-all Drop all responses
🔗Rules
GET /api/rules List intercept rules
POST /api/rules Create a rule
GET /api/rules/{id} Get rule details
PATCH /api/rules/{id} Update a rule
DELETE /api/rules/{id} Delete a rule
GET /api/rules/groups List rule groups
POST /api/rules/groups Create a group
DELETE /api/rules/groups/{id} Delete a group
🔗Scope
GET /api/scope Get scope configuration
POST /api/scope Update scope
POST /api/scope/mode Set scope mode
POST /api/scope/recording Toggle recording
POST /api/scope/pattern Add a scope pattern
DELETE /api/scope/pattern/{p} Remove a scope pattern
🔗Scanner
POST /api/scanner/scan Start a scan
GET /api/scanner/status Scan status
GET /api/scanner/findings List findings
POST /api/scanner/findings Create a manual finding
DELETE /api/scanner/findings Clear all findings
GET /api/scanner/findings/{id} Get finding details
DELETE /api/scanner/findings/{id} Delete a finding
PATCH /api/scanner/findings/{id} Update a finding
GET /api/scanner/findings/{id}/flows List flows for a finding
POST /api/scanner/findings/{id}/flows Add flow to finding
DELETE /api/scanner/findings/{id}/flows/{flow_id} Remove flow from finding
GET /api/scanner/findings/{id}/tags List finding tags
POST /api/scanner/findings/{id}/tags Add tag to finding
DELETE /api/scanner/findings/{id}/tags/{tag} Remove tag
GET /api/scanner/findings/tags List all tags across findings
POST /api/scanner/cancel Cancel active scan
POST /api/scanner/pause Pause scan
POST /api/scanner/resume Resume scan
GET /api/scanner/checks List available checks
GET /api/scanner/scans List scan history
GET /api/scanner/scans/{id} Get scan details
DELETE /api/scanner/scans/{id} Delete a scan
POST /api/scanner/scans/{id}/cancel Cancel specific scan
GET /api/scanner/scans/{scan_id}/audit-items Audit items for a scan
🔗BAC (Pro)
All /api/bac/* routes require Feature::Bac. Community tier gets 402 Payment Required on every route. Trial, Pro, and Dev-bypass builds have full access.
GET /api/bac/findings List scored BAC findings (kind/min_severity/limit)
DELETE /api/bac/findings Purge findings (project_id)
GET /api/bac/signals List passive BAC observations (kind/identity_id/limit)
DELETE /api/bac/signals Purge signals (project_id)
GET /api/bac/corpus List classified ID corpus (id_kind/identity_id/limit)
DELETE /api/bac/corpus Purge corpus (project_id)
GET /api/bac/shapes Response shape groupings (requires endpoint)
POST /api/bac/audit Start an audit; body matches bac_audit audit params; returns audit_id
POST /api/bac/audit/progress Read live counters for a running audit; body {audit_id}
POST /api/bac/audit/cancel Flip cancel flag; body {audit_id}
POST /api/bac/export Render findings (markdown|sarif|html|csv|summary|json)
audit_id from POST /api/bac/audit is shared with the MCP bac_audit tool and the UI progress registry — a UI-initiated audit is observable from a curl progress poll and cancellable from an MCP bac_audit cancel.
See the BAC pipeline doc for the full surface and check reference.
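The start / poll / cancel / export sequence described above, written out as an added example; this is not Hugin's own code. It assumes a `post(path, json_body)` callable that returns `(http_status, decoded_json)` (any HTTP library can be wrapped that way). The `running` flag in the progress counters, the `{"format": ...}` export body and the sample audit params are assumptions, because the page names the endpoints but not their payload fields; `FakeHugin` is a constructed stand-in so the sequence can be exercised offline.

```python
import time


class BacNotLicensed(RuntimeError):
    """402 from /api/bac/*: Community tier, Feature::Bac not available."""


class AuditTimeout(RuntimeError):
    """Deadline hit; the audit was cancelled via /api/bac/audit/cancel first."""


def run_bac_audit(post, audit_params, export_format="sarif", poll_interval=2.0,
                  deadline_s=600.0, sleep=time.sleep, clock=time.monotonic):
    """Start a BAC audit, poll its counters until it stops, then render findings.

    `post(path, json_body)` must return (http_status, decoded_json). Injecting
    it (plus sleep/clock) lets the whole flow run without a server.
    """
    status, body = post("/api/bac/audit", audit_params)
    if status == 402:
        raise BacNotLicensed("BAC routes need Feature::Bac (Trial, Pro or Dev-bypass build)")
    if status != 200:
        raise RuntimeError(f"audit start failed: HTTP {status} {body!r}")
    audit_id = body["audit_id"]  # same id the MCP bac_audit tool and the UI registry use

    started = clock()
    while True:
        status, progress = post("/api/bac/audit/progress", {"audit_id": audit_id})
        if status != 200:
            raise RuntimeError(f"progress poll failed: HTTP {status} {progress!r}")
        # ASSUMPTION: the live counters include a boolean `running`; the page
        # documents the endpoint but not its field names.
        if not progress.get("running", True):
            break
        if clock() - started > deadline_s:
            # Flip the cancel flag before giving up so the server stops sending requests.
            post("/api/bac/audit/cancel", {"audit_id": audit_id})
            raise AuditTimeout(f"audit {audit_id} cancelled after {deadline_s:.0f}s")
        sleep(poll_interval)

    # ASSUMPTION: export takes {"format": ...}; the format names are the ones the page lists.
    status, report = post("/api/bac/export", {"format": export_format})
    if status != 200:
        raise RuntimeError(f"export failed: HTTP {status} {report!r}")
    return audit_id, progress, report


class FakeHugin:
    """Constructed offline stand-in for the BAC routes (not the real server).
    Reports running=False after `polls_until_done` progress polls and answers
    402 on every route when `licensed` is False, mirroring the Community tier."""

    def __init__(self, polls_until_done=3, licensed=True):
        self.polls_until_done, self.licensed = polls_until_done, licensed
        self.polls, self.calls = 0, []

    def __call__(self, path, body):
        self.calls.append((path, body))
        if not self.licensed:
            return 402, {"error": "Payment Required"}
        if path == "/api/bac/audit":
            return 200, {"audit_id": "audit-1"}
        if path == "/api/bac/audit/progress":
            self.polls += 1
            return 200, {"audit_id": body["audit_id"], "requests_sent": self.polls * 10,
                         "running": self.polls < self.polls_until_done}
        if path == "/api/bac/audit/cancel":
            return 200, {"cancelled": True}
        if path == "/api/bac/export":
            return 200, {"format": body["format"], "findings": []}
        return 404, {"error": "not found"}
```

Against a live server, pass a real `post` wrapper and leave `sleep`/`clock` at their defaults; the deadline path is worth keeping in automation, since an audit that is never cancelled keeps the singleton busy for the UI and MCP callers that share the same audit_id.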
🔗Live Audit (Scanner Continuous Mode)
POST /api/live_audit/start Begin continuous scanning (body: profile|config)
POST /api/live_audit/stop Halt continuous scanning
GET /api/live_audit/status flows_seen/flows_scanned/flows_skipped/findings_count/config
These three routes drive the same singleton as the live_audit MCP tool and the Scanner view's Continuous toggle. While it is on, every flow captured through the proxy is auto-scanned against the configured check set, deduplicated by (method, host, path-pattern) with numeric, UUID and hex path segments normalised, and known CDN / static-asset hosts are skipped.
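The dedup key just described, as an added example rather than Hugin's own implementation: path segments that are purely numeric, a UUID, or a long hex string collapse to placeholders, the host is lowercased, and flows on static-asset hosts are dropped before they reach the scanner. The placeholder spellings, the 8-character minimum for hex, the CDN suffix list and the choice to count deduplicated flows as "skipped" are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Segment classes the page says are normalised. The placeholder spellings, the
# 8-char minimum for hex (so short words like "cafe" survive) and the CDN suffix
# list are assumptions of this example, not Hugin's own values.
_NUM_RE = re.compile(r"[0-9]+")
_UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
_HEX_RE = re.compile(r"[0-9a-f]{8,}", re.I)
STATIC_HOST_SUFFIXES = ("cloudfront.net", "akamaihd.net", "fastly.net",
                        "cdnjs.cloudflare.com", "gstatic.com")


def classify_segment(seg):
    """Order matters: an 8+ digit number is {int}, not {hex}; UUIDs contain '-'."""
    if _NUM_RE.fullmatch(seg):
        return "{int}"
    if _UUID_RE.fullmatch(seg):
        return "{uuid}"
    if _HEX_RE.fullmatch(seg):
        return "{hex}"
    return seg


def path_pattern(path):
    """Collapse IDs so /users/42 and /users/43 map to the same pattern."""
    segments = [s for s in path.split("/") if s]
    return "/" + "/".join(classify_segment(s) for s in segments)


def is_static_host(host):
    host = host.lower().split(":")[0]
    return any(host == suf or host.endswith("." + suf) for suf in STATIC_HOST_SUFFIXES)


def dedup_key(method, url):
    """(method, host, path-pattern): query strings are deliberately not part of the key."""
    parts = urlsplit(url)
    return (method.upper(), parts.netloc.lower(), path_pattern(parts.path))


class LiveAuditDedup:
    """Decides which captured flows reach the scanner. The counters mirror the
    flows_seen / flows_scanned / flows_skipped fields of GET /api/live_audit/status;
    counting a deduplicated flow as skipped is this example's choice."""

    def __init__(self):
        self.seen = set()
        self.flows_seen = self.flows_scanned = self.flows_skipped = 0

    def should_scan(self, method, url):
        self.flows_seen += 1
        if is_static_host(urlsplit(url).netloc):
            self.flows_skipped += 1
            return False
        key = dedup_key(method, url)
        if key in self.seen:
            self.flows_skipped += 1
            return False
        self.seen.add(key)
        self.flows_scanned += 1
        return True

    def status(self):
        return {"flows_seen": self.flows_seen, "flows_scanned": self.flows_scanned,
                "flows_skipped": self.flows_skipped}
```

The trade-off to be aware of when tuning this kind of key: a pattern that is too aggressive (for example, also collapsing short hex-looking words) merges distinct endpoints and hides findings, while one that is too loose re-scans every object ID and burns scanner time, which is why the hex rule is given a minimum length.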
🔗Session
GET /api/session/tokens List tracked tokens
GET /api/session/status Session status
GET /api/session/macro List macros
POST /api/session/macro Create a macro
GET /api/session/macro/{id} Get macro details
DELETE /api/session/macro/{id} Delete a macro
POST /api/session/macro/{id}/execute Execute a macro
POST /api/session/refresh Refresh all sessions
🔗WebSocket
GET /api/websocket/connections List WS connections
GET /api/websocket/connections/{id} Get connection details
DELETE /api/websocket/connections/{id} Close a connection
GET /api/websocket/connections/{id}/messages Get messages
POST /api/websocket/connections/{id}/send Send a message
GET /api/websocket/stream/messages SSE stream of WS messages
GET /api/websocket/stream/connections SSE stream of WS connections
WebSocket Intercept:
GET /api/websocket/intercept Intercept status
POST /api/websocket/intercept Toggle WS intercept
GET /api/websocket/intercept/pending List pending
GET /api/websocket/intercept/pending/{id} Get pending message
POST /api/websocket/intercept/forward/{id} Forward message
POST /api/websocket/intercept/drop/{id} Drop message
POST /api/websocket/intercept/forward-all Forward all
POST /api/websocket/intercept/drop-all Drop all
🔗Projects
GET /api/projects List projects
POST /api/projects Create project
GET /api/projects/{id} Get project
PUT /api/projects/{id} Update project
DELETE /api/projects/{id} Delete project
POST /api/projects/{id}/archive Archive/unarchive
POST /api/projects/{id}/activate Set as active project
GET /api/projects/{id}/stats Project statistics
GET /api/projects/{id}/scope Get project scope
PUT /api/projects/{id}/scope Update project scope
POST /api/projects/{id}/assign-flows Assign flows to project
POST /api/projects/{id}/scope/snapshots Create scope snapshot
GET /api/projects/{id}/scope/snapshots List scope snapshots
GET /api/projects/{id}/scope/snapshots/{sid} Get snapshot
GET /api/projects/{id}/export Export project
POST /api/projects/import Import project
POST /api/projects/deactivate Deactivate project context
Legacy project API (file-based):
POST /api/project/save Save project to file
POST /api/project/load Load project from file
GET /api/project/recent List recent projects
🔗Site Map
GET /api/hosts List all hosts
GET /api/sitemap/hosts List hosts with stats
GET /api/sitemap/hosts/{host} Host details
GET /api/sitemap/hosts/{host}/paths Paths for a host
GET /api/sitemap/hosts/{host}/flows Flows for a host
GET /api/sitemap/paths/{host}/{path} Path details
GET /api/sitemap/search Search URLs
GET /api/sitemap/stats Aggregated stats
GET /api/sitemap/tree Hierarchical tree
GET /api/sitemap/export Export site map
🔗Sequencer
GET /api/sequencer/captures List capture sessions
POST /api/sequencer/capture Start a token capture
DELETE /api/sequencer/capture/{id} Delete session
GET /api/sequencer/capture/{id}/status Session status
GET /api/sequencer/capture/{id}/tokens Get captured tokens
POST /api/sequencer/capture/{id}/stop Stop capture
GET /api/sequencer/capture/{id}/export Export session
POST /api/sequencer/analyze Analyze tokens
POST /api/sequencer/compare Compare token sets
🔗Crawler
POST /api/crawler/start Start a crawl
POST /api/crawler/stop Stop crawl
POST /api/crawler/pause Pause crawl
POST /api/crawler/resume Resume crawl
GET /api/crawler/status Crawl status
GET /api/crawler/urls Discovered URLs
GET /api/crawler/export Export URLs
🔗Browser
POST /api/browser/launch Launch a browser session
POST /api/browser/sweep Full sweep (launch + crawl)
POST /api/browser/close Close browser
GET /api/browser/status Browser status
POST /api/browser/navigate Navigate to URL
POST /api/browser/exec_js Execute JavaScript
POST /api/browser/screenshot Take screenshot
GET /api/browser/list List active browser sessions
🔗Tunnel Mode
GET /api/tunnel/domains List tunnel domains
POST /api/tunnel/domains/add Add a domain to tunnel mode
POST /api/tunnel/domains/remove Remove a domain from tunnel mode
🔗Oastify (Native OOB Server)
POST /api/oastify-native/start Start OOB server
POST /api/oastify-native/stop Stop OOB server
GET /api/oastify-native/status Server status
GET /api/oastify-native/domain Get callback domain
GET /api/oastify-native/stats Statistics
GET /api/oastify-native/payloads List payloads
POST /api/oastify-native/payloads Generate a payload
POST /api/oastify-native/payloads/batch Generate batch payloads
POST /api/oastify-native/payloads/all All protocol payloads
GET /api/oastify-native/payloads/{id} Get payload details
GET /api/oastify-native/interactions List interactions
GET /api/oastify-native/interactions/{id} Get interaction
DELETE /api/oastify-native/interactions/{id} Delete interaction
POST /api/oastify-native/interactions/{id}/acknowledge Acknowledge
POST /api/oastify-native/interactions/acknowledge-bulk Bulk acknowledge
GET /api/oastify-native/interactions/correlation/{id} By correlation ID
GET /api/oastify-native/poll Poll for new interactions
GET /api/oastify-native/stream SSE stream of interactions
🔗Oastify (Remote Tracker)
GET /api/oastify/status Connection status
POST /api/oastify/connect Connect to remote server
POST /api/oastify/disconnect Disconnect
GET /api/oastify/stats Statistics
POST /api/oastify/generate Generate tracked payload
GET /api/oastify/payloads List tracked payloads
GET /api/oastify/interactions List interactions
POST /api/oastify/sync Sync callbacks
POST /api/oastify/register_batch Register batch payloads
🔗Dashboard
GET /api/dashboard/events Event log (query: limit, since_id)
GET /api/dashboard/tasks Active tasks
GET /api/dashboard/stats Aggregated statistics
🔗Events
GET /api/events List events (query: category, level, search, since, until)
DELETE /api/events Clear all events
GET /api/events/recent Recent events from memory cache
GET /api/events/stats Event statistics
GET /api/events/stream SSE stream of events
DELETE /api/events/before Delete events before timestamp
🔗RatRace
POST /api/ratrace/test Run race condition test
POST /api/ratrace/detect Detect race conditions
POST /api/ratrace/quick Quick race test
POST /api/ratrace/limit Rate limit test
POST /api/ratrace/batch Batch race test
GET /api/ratrace/sessions List sessions
GET /api/ratrace/sessions/{id} Get session
DELETE /api/ratrace/sessions/{id} Delete session
POST /api/ratrace/sessions/{id}/cancel Cancel session
GET /api/ratrace/results/{id} Get results
POST /api/ratrace/discover Discover endpoints
POST /api/ratrace/param-hunt Hunt for race-prone params
GET /api/ratrace/endpoints List discovered endpoints
POST /api/ratrace/scan Full race scan
GET /api/ratrace/scan/findings Scan findings
POST /api/ratrace/ws WebSocket race test
POST /api/ratrace/microservice Microservice race test
POST /api/ratrace/cache-race Cache race test
POST /api/ratrace/state-fuzz State fuzzing
POST /api/ratrace/orchestrate Multi-step orchestration
GET /api/ratrace/report/{id} Generate report
POST /api/ratrace/graphql-subscription GraphQL subscription race
POST /api/ratrace/oidc-logout OIDC logout race
🔗Intruder
GET /api/intruder/attacks List attacks
POST /api/intruder/attacks Start an attack
GET /api/intruder/attacks/{id} Get attack details
DELETE /api/intruder/attacks/{id} Delete attack
GET /api/intruder/attacks/{id}/status Attack status
POST /api/intruder/attacks/{id}/pause Pause
POST /api/intruder/attacks/{id}/resume Resume
POST /api/intruder/attacks/{id}/cancel Cancel
GET /api/intruder/attacks/{id}/results Get results
GET /api/intruder/generators List payload generators
GET /api/intruder/processors List processing rules
🔗Comparer
POST /api/comparer/compare Compare two responses
POST /api/comparer/blind-detect Blind vulnerability detection
GET /api/comparer/similarity Calculate similarity score
🔗Extensions
GET /api/extensions List extensions
GET /api/extensions/stats Statistics
GET /api/extensions/{id} Get extension details
POST /api/extensions/{id}/load Load
POST /api/extensions/{id}/unload Unload
POST /api/extensions/{id}/enable Enable
POST /api/extensions/{id}/disable Disable
POST /api/extensions/{id}/reload Reload
POST /api/extensions/test-hook Test a hook
🔗Settings
GET /api/settings/upstream-proxy Get upstream proxy config
POST /api/settings/upstream-proxy Set upstream proxy
DELETE /api/settings/upstream-proxy Clear upstream proxy
GET /api/settings/upstream-proxy/rules List proxy rules
POST /api/settings/upstream-proxy/rules Add proxy rule
PUT /api/settings/upstream-proxy/rules Replace all rules
DELETE /api/settings/upstream-proxy/rules/{id} Remove rule
POST /api/settings/upstream-proxy/test Test proxy connection
POST /api/settings/upstream-proxy/preset Apply preset (tor, burp, mullvad, etc.)
GET /api/settings/http2 Get HTTP/2 config
POST /api/settings/http2 Set HTTP/2 config
🔗Decoder
POST /api/decoder/encode Encode data
POST /api/decoder/decode Decode data
POST /api/decoder/chain Chain encode/decode operations
POST /api/decoder/analyze Analyze encoding layers
POST /api/decoder/reencode Re-encode detected layers
POST /api/decoder/jwt/decode Decode JWT
POST /api/decoder/jwt/forge Forge JWT
POST /api/decoder/polyglot Generate polyglot payloads
GET /api/decoder/polyglot/contexts List polyglot contexts
GET /api/decoder/operations List available operations
🔗Assets
GET /api/assets List assets
POST /api/assets Create asset
GET /api/assets/stats Statistics
GET /api/assets/coverage Pipeline coverage
POST /api/assets/ingest/subflow Ingest SubFlow results
POST /api/assets/ingest/xmass Ingest XMass results
POST /api/assets/ingest/vmap Ingest vmap results
POST /api/assets/crawl-seeds Generate crawl seeds from assets
GET /api/assets/cluster/jarm/{hash} Cluster by JARM hash
GET /api/assets/cluster/favicon/{mmh3} Cluster by favicon hash
GET /api/assets/{id} Get asset
DELETE /api/assets/{id} Delete asset
PATCH /api/assets/{id} Update asset
GET /api/assets/{id}/ports List ports
GET /api/assets/{id}/events List events
🔗Intelligence
GET /api/intelligence/params List discovered params
GET /api/intelligence/params/search Search params by name
GET /api/intelligence/params/stats Param statistics
GET /api/intelligence/params/endpoint Params for endpoint
GET /api/intelligence/routes List routes
GET /api/intelligence/routes/detail Route details
GET /api/intelligence/reflections List reflected params
GET /api/intelligence/reflections/candidates XSS candidates
GET /api/intelligence/reflections/stats Reflection stats
GET /api/intelligence/endpoints List endpoints
GET /api/intelligence/endpoints/detail Endpoint details
GET /api/intelligence/endpoints/stats Endpoint stats
GET /api/intelligence/rollups Security rollups
GET /api/intelligence/rollups/summary Rollup summary
GET /api/intelligence/rollups/host/{host} Host posture
POST /api/intelligence/analyze Analyze existing flows
🔗Nerve (Parameter Analysis)
POST /api/nerve/analyze Analyze parameters
POST /api/nerve/analyze-flows Analyze params from flows
GET /api/nerve/categories List categories
GET /api/nerve/categories/{short} Category details
GET /api/nerve/stats Statistics
🔗Collaboration (Pro)
POST /api/collab/share Create shared session
POST /api/collab/join Join via invite code
GET /api/collab/status Session status
POST /api/collab/leave Leave session
POST /api/collab/publish Publish annotation to partner
🔗Access Tokens
GET /api/tokens List tokens
POST /api/tokens/create Create token
DELETE /api/tokens/{token} Revoke token (the token value travels in the URL path here, so keep these calls out of shared shell history and upstream proxy logs)
🔗License
GET /api/license/status License status
POST /api/license/account Set account ID
🔗External Tools
GET /api/tools List registered tools
GET /api/tools/health Health check all tools
GET /api/tools/{name} Get tool info
GET /api/tools/{name}/health Health check one tool
POST /api/tools/{name}/execute Execute tool command
🔗Scheduler
GET /api/scheduler/jobs List jobs
POST /api/scheduler/jobs Create job
GET /api/scheduler/jobs/{id} Get job
PATCH /api/scheduler/jobs/{id} Update job
DELETE /api/scheduler/jobs/{id} Delete job
POST /api/scheduler/jobs/{id}/run Trigger job
GET /api/scheduler/jobs/{id}/runs List run history
🔗Workflows
GET /api/workflows List all workflows
GET /api/workflows/{id} Fetch one workflow
POST /api/workflows/{id}/validate Validate graph (nodes, edges, trigger/action presence)
POST /api/workflows/{id}/run Manual one-shot run (body: {"flow_id": "uuid"})
GET /api/workflows/{id}/runs Execution history (?limit=N&offset=N)
The passive engine auto-runs workflows against live flows – these REST routes are for manual invocation and history inspection. The run response includes triggers_matched so you can tell whether the passive engine would have selected this flow. Run records persist in SQLite (workflow_runs table). See the Workflows chapter for the full data model.
🔗GraphQL
GET /graphql GraphQL Playground (HTML)
POST /graphql GraphQL query/mutation endpoint
🔗Real-time
GET /ws WebSocket endpoint for real-time flow updates
🔗Response Format
All API responses are JSON. Successful responses typically return the data directly rather than wrapping it in an envelope. Errors are signalled by HTTP status code:
200 – Success
400 – Bad request (invalid parameters)
401 – Unauthorized (authentication required)
402 – Payment Required (Pro-only route, such as /api/bac/*, on the Community tier)
404 – Not found
500 – Internal server error
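An added example (not Hugin's code) of a small client that turns the status codes above into exceptions and pages through GET /api/flows using the limit/offset query parameters from the Flows section. The Bearer-style Authorization header is an assumption, since this page does not document the token scheme; that /api/flows returns a JSON array is also assumed, and `make_fake_transport` is a constructed stand-in for the server so the client can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Documented status codes and what a caller should do about them.
STATUS_HINTS = {
    400: "bad request: check query parameters or body",
    401: "unauthorized: auth is enabled, supply an access token",
    402: "payment required: Pro-only route (e.g. /api/bac/*) on Community tier",
    404: "not found",
    500: "internal server error",
}


class HuginApiError(Exception):
    def __init__(self, status, path, body):
        hint = STATUS_HINTS.get(status, "unexpected status")
        super().__init__(f"HTTP {status} on {path}: {hint}; body={body!r}")
        self.status, self.path, self.body = status, path, body


def urllib_transport(method, url, headers, data):
    """Real transport: returns (status, raw_body) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class HuginClient:
    def __init__(self, base_url="http://127.0.0.1:8081", token=None, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.transport = transport  # injectable so the client can be exercised offline

    def request(self, method, path, params=None, body=None):
        url = self.base_url + path
        if params:
            url += "?" + urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
        headers = {"Accept": "application/json"}
        data = None
        if body is not None:
            data = json.dumps(body).encode()
            headers["Content-Type"] = "application/json"
        if self.token:
            # ASSUMPTION: bearer-style header; this page does not document the token scheme.
            headers["Authorization"] = f"Bearer {self.token}"
        status, raw = self.transport(method, url, headers, data)
        try:
            parsed = json.loads(raw) if raw else None
        except ValueError:  # e.g. an HTML error page on a 500
            parsed = raw.decode(errors="replace")
        if status >= 400:
            raise HuginApiError(status, path, parsed)
        return parsed

    def get(self, path, **params):
        return self.request("GET", path, params=params)

    def iter_flows(self, page_size=100, **filters):
        """Page through /api/flows with limit/offset, passing method/host/flagged filters."""
        offset = 0
        while True:
            page = self.get("/api/flows", limit=page_size, offset=offset, **filters)
            # ASSUMPTION: the endpoint returns a JSON array; a short page means we are done.
            if not page:
                return
            yield from page
            if len(page) < page_size:
                return
            offset += page_size


def make_fake_transport(flows):
    """Constructed offline stand-in for a Hugin server (not the real API):
    /api/health is open, everything else needs an Authorization header,
    and /api/flows honours limit/offset/host like the documented endpoint."""
    def transport(method, url, headers, data):
        parts = urllib.parse.urlsplit(url)
        query = dict(urllib.parse.parse_qsl(parts.query))
        if parts.path == "/api/health":
            return 200, b'{"status":"ok"}'
        if "Authorization" not in headers:
            return 401, b'{"error":"unauthorized"}'
        if parts.path == "/api/flows":
            matching = [f for f in flows if query.get("host") in (None, f["host"])]
            lo = int(query.get("offset", 0))
            hi = lo + int(query.get("limit", 50))
            return 200, json.dumps(matching[lo:hi]).encode()
        return 404, b'{"error":"not found"}'
    return transport
```

Keeping the transport separate from the client logic is what makes the 401 and 402 branches testable without a licensed or network-exposed instance; against a real server, construct `HuginClient()` with the default transport and, when auth is enabled, the token from POST /api/tokens/create.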
🔗CORS
The API enables permissive CORS (all origins, all methods, all headers) so that browser-based tooling can connect from any domain. Keep in mind what that permissiveness means: the browser's same-origin policy will not stop any other page open in the same browser from calling the API and reading the responses, and on the loopback default authentication is off, so enable authentication when untrusted sites share that browser.