API endpoints

The canonical contract lives in apigw-go/openapi.yaml. That file is what Yandex API Gateway loads at deploy time and what the wizard generates code against. This page is the human-readable version of the most-used endpoints.

All authenticated requests carry a naasson_session cookie set by the OAuth callback. JWT is HS256, 24-hour TTL, signed with a Lockbox secret.

Auth

Method	Path	Purpose
GET	`/auth/providers`	List configured OAuth providers
GET	`/auth/yandex/authorize`	Begin Yandex OAuth
GET	`/auth/google/authorize`	Begin Google OAuth
GET	`/auth/github/authorize`	Begin GitHub OAuth
GET	`/auth/me`	Return the authenticated user’s record
POST	`/auth/logout`	Clear the session cookie
GET	`/auth/me/oauth-accounts`	List linked OAuth accounts
POST	`/auth/link/confirm`	Attach a pending provider link
POST	`/auth/unlink`	Detach a provider
GET	`/auth/edge-handoff?next=…`	Cross-domain SSO — mint 30s JWT, 302 to edge

Workspaces

Method	Path	Purpose
GET	`/workspaces`	List the caller’s workspaces
POST	`/workspaces`	Create a workspace (`label`, `adapter_kind`)
GET	`/workspaces/{id}`	Fetch one workspace (owner only)

Tunnel routes

Method	Path	Purpose
POST	`/tunnel-agents`	Mint a one-time agent token for a workspace
GET	`/tunnel-routes`	List the caller’s active routes
POST	`/tunnel-routes`	Create a route `fqdn → (agent, target_port)`
DELETE	`/tunnel-routes/{fqdn}`	Revoke a route

Routes enforce dual ownership as of 2026-05-16: both the workspace and the agent must belong to the caller. See Security model.

Products

Method	Path	Purpose
GET	`/products/catalog`	Read-mostly catalog (YDB-backed)
GET	`/products/search?q=`	Substring search across the catalog
GET	`/products/tags`	Tag list with counts (drives sidebar chips)
GET	`/products/{id}/wizard-config`	Per-product wizard schema

Drafts

Method	Path	Purpose
GET	`/drafts/{slug}`	Read a wizard draft
PUT	`/drafts/{slug}`	Save / overwrite a draft

Deployments

Method	Path	Purpose
POST	`/deploys`	Enqueue a deployment (writes YMQ)
GET	`/deploys`	List the caller’s deployments
GET	`/deploys/{id}/status`	Stream-friendly status snapshot
DELETE	`/deploys/{id}`	Cancel + cleanup

Payments

Method	Path	Purpose
POST	`/payments/init`	Begin a YooKassa top-up
POST	`/payments/webhook`	YooKassa webhook (signature-verified)

Mesh, Rental, Batch

The dispatched api-mesh, api-rental, and api-batch fat-functions cover Modes 2-5. See the OpenAPI spec for the full list — these are in production but their UI is rolled out gradually. Notable shapes:

POST /mesh/invites/{code}/redeem — peer joins your mesh
POST /rental/listings — register idle compute for rent
POST /rental/bookings — book someone’s listing
POST /batch/submit — push a sharded WASM job
GET /batch/{id}/status — poll job status

How to use this from code

A minimal authenticated probe (after you’ve signed in once):

JWT=$(open https://cloud.naasson.com  # sign in, then copy
                                      # the naasson_session cookie
                                      # value from DevTools)
curl -sS https://api.cloud.naasson.com/auth/me \
     -H "Cookie: naasson_session=$JWT" | jq

The full smoke test that exercises the registration flow lives in the repo at scripts/smoke-registration-flow.sh.