This page documents the current operator-facing control-plane endpoints and their intended use.
Scope
The control API is a privileged admin surface. It should be treated as operator-only infrastructure, not as a public application endpoint.
Current endpoint family:
- health
- readiness
- runtime snapshot
- certificate reload
- full config reload
- restart request
Protocol
The control API uses HTTP/1.1 over TLS. HTTP/2 is not supported.
When using curl, pass --http1.1 explicitly — curl negotiates h2 by default when connecting to a TLS endpoint and the server will reject the connection:
curl -k --http1.1 https://<address>:<port>/...
The -k flag skips certificate verification for self-signed certs.
Security Expectations
- bind to loopback or a strongly isolated admin network whenever possible
- require a strong bearer token for privileged endpoints
- avoid broad public exposure even when authentication is enabled
Authentication
Privileged endpoints use bearer-token authentication via:
Authorization: Bearer <token>
The token is configured with observability.control_api.auth_token.
Endpoints
GET /health
Purpose:
- liveness check
- watchdog state visibility
Expected use:
- load balancer or platform liveness probe
- operator sanity check
GET /ready
Purpose:
- readiness state for serving traffic
Expected use:
- deployment orchestration
- maintenance and rollout checks
GET /admin/runtime
Purpose:
- runtime snapshot for operators
Typical contents include:
- worker and runtime state
- key counters
- admission state
- backend health summary
Expected use:
- debugging
- rollout validation
- incident response
POST /admin/runtime/reload
Purpose:
- reload the full config from disk and apply changes to upstreams, backends, policies, and timeouts
Important scope note:
- listener bind addresses, control API bind, and metrics bind cannot change without a restart
- in-flight requests on the old config complete normally; new requests use the new config immediately
Expected use:
- adding or removing backends
- changing load balancing, timeouts, resilience, or routing policy at runtime
Example:
curl -k --http1.1 -X POST https://127.0.0.1:9890/admin/runtime/reload \
-H "Authorization: Bearer <token>"
POST /admin/runtime/reload-certs
Purpose:
- reload listener certificate and related trust material for new handshakes
Important scope note:
- this is not full config hot reload
- existing sessions keep their already-negotiated certificate and auth state
Expected use:
- listener certificate rotation
- listener trust-material refresh
POST /admin/runtime/restart
Purpose:
- request a controlled restart/drain workflow through the watchdog coordinator
Expected use:
- operational restart requests
- orchestrated maintenance flow
Operator Notes
- use cert reload for cert-only changes
- use full config reload for backend, policy, timeout, or routing changes that don't require rebinding listeners
- use drain-and-restart when listener addresses or control API/metrics bind must change
- keep rollback available before using restart-triggering control-plane actions in production
- all curl invocations must use
--http1.1— the control API does not support HTTP/2