Skip to main content

REST API

Plain HTTP with an x-bossmode-token header. Every surface BossMode offers — context, directives, approvals, reports, packs, devices, revenue events, guardian, AvatarCzar — is reachable over standard HTTPS and rate-limited per workspace. Reach for the REST API when your caller is your own Node or Python pipeline, a CI runner shipping without Node installed, or any integration where adding an MCP host or the CLI would be overkill. The same x-bossmode-token used by the CLI and the MCP server works here — one token, three surfaces.

Base URL

https://bossmode.ing

Authentication

All Pro API routes require the x-bossmode-token header:
curl -H "x-bossmode-token: YOUR_TOKEN_HERE" \
  https://bossmode.ing/api/pro/context
Obtain your token from the workspace settings page at bossmode.ing/app/<workspace>/settings/api. Unauthenticated requests to Pro routes return 401 Unauthorized. Admin routes (/api/admin/*) use a separate admin session cookie — not the Pro token.

Rate limits

Rate limits are applied per IP per route. Limits are sourced from lib/api-rate-limit.ts.
RouteLimitWindow
/api/pro/context60 req60 s
/api/pro/profile20 req60 s
/api/pro/bootstrap20 req60 s
/api/pro/feed30 req60 s
/api/pro/metrics30 req60 s
/api/pro/revenue-events30 req60 s
/api/pro/ack30 req60 s
/api/pro/approvals30 req60 s
/api/pro/work-packets20 req60 s
/api/pro/audit-feed30 req60 s
/api/pro/standing-orders30 req60 s
/api/pro/skill-packs30 req60 s
/api/pro/directive20 req60 s
/api/pro/family/comment30 req60 s
/api/pro/guardian/checkpoint30 req60 s
/api/pro/guardian/killswitch30 req60 s
/api/pro/guardian/preflight60 req60 s
/api/pro/guardian/revert20 req60 s
/api/pro/consigliere/chat30 req60 s
/api/pro/engines30 req60 s
/api/pro/avatarczar/avatar5 req60 s
/api/pro/avatarczar/intelligence5 req60 s
/api/pro/avatarczar/induction60 req60 s
/api/pro/avatarczar/webhooks5 req60 s
/api/pro/escalations/decide20 req60 s
/api/pro/subscription/verify60 req60 min
/api/local/hydrate5 req60 min
When a limit is exceeded the response is 429 Too Many Requests with headers:
Retry-After: <seconds>
X-RateLimit-Limit: <limit>
X-RateLimit-Remaining: 0

OpenAPI spec

An OpenAPI spec is not currently served at /openapi.json. The route table below is maintained from lib/api-rate-limit.ts, which is the source of truth.

Common routes

RouteMethodDescription
/api/pro/contextGETFull consigliere brief (signals, packets, standing orders, metrics, audit, guardian, AvatarCzar persona)
/api/pro/profileGETOperator profile — autonomy settings, installed packs, tier, device list
/api/pro/feedGETActivity feed
/api/pro/metricsGETRevenue and performance metrics
/api/pro/revenue-eventsPOSTLog a revenue event
/api/pro/ackPOSTAcknowledge a signal
/api/pro/directivePOSTSubmit a boss directive
/api/pro/approvalsGET / POSTList pending approvals / approve or reject
/api/pro/work-packetsGETList work packets
/api/pro/audit-feedGETAgent action log
/api/pro/standing-ordersGETActive standing orders
/api/pro/guardian/killswitchPOSTTrigger the guardian kill switch
/api/pro/guardian/revertPOSTRestore after a kill switch
/api/pro/consigliere/chatPOSTSend a message to the local consigliere

Error shape

{
  "error": "unauthorized",
  "reason": "invalid_token",
  "requestId": "..."
}
Always include requestId when filing a support ticket.

Idempotency

Mutation endpoints accept Idempotency-Key headers. Replaying a request with the same key returns the original result without double-executing. Keys are good for 24 hours.

Timestamps

All timestamps are Unix milliseconds (Date.now() in JavaScript). Same shape in Convex and in the API.

Example: pull the full brief

curl -sS -H "x-bossmode-token: $BOSSMODE_TOKEN" \
  https://bossmode.ing/api/pro/context | jq .
Response includes signals, work packets, standing orders, metrics, audit feed, guardian state, and the AvatarCzar persona payload — everything the consigliere reads to decide what to do next.

Example: queue a directive

curl -sS -X POST -H "x-bossmode-token: $BOSSMODE_TOKEN" \
  -H "Content-Type: application/json" \
  -H "Idempotency-Key: $(uuidgen)" \
  -d '{"text":"draft the weekly brief for Tuesday"}' \
  https://bossmode.ing/api/pro/directive
The response returns { directiveId, approvalId, status: "pending_approval" }. Approve via /api/pro/approvals or the CLI.