API Documentation

This document provides comprehensive details of the Konarr REST API. The API serves both the web UI and external integrations, with separate authentication for users and agents.

API Implementation: The REST API is implemented using the Rocket framework. All API routes are defined in the server/src/api directory.

Base URL and Versioning

Base URL: http://<konarr-host>:9000/api

Current Version: The API is currently unversioned. Future versions will include version paths.

Content Type: All endpoints expect and return application/json unless otherwise specified.

Authentication

Konarr supports two authentication methods: Agent tokens for automated tools and Session-based authentication for web users.

Agent Authentication

Agents authenticate using a Bearer token in the Authorization header:

curl -H "Authorization: Bearer <AGENT_TOKEN>" \
  http://localhost:9000/api/projects

The agent token is generated by the server and stored as agent.key in the ServerSettings table. You can retrieve it from the admin panel (Settings page) or by querying the database directly.

Key Points:

Agent tokens grant access to specific endpoints for uploading snapshots and creating projects
Token validation checks a cached value first, then falls back to database lookup (implemented in authentication guards)
Agents are identified as the konarr-agent user internally

Session Authentication

Web UI users authenticate via session cookies. Sessions are managed automatically by the frontend and use HTTP-only cookies (x-konarr-token) for security.

Authentication Endpoints (implementation):

Login: POST /api/auth/login
Logout: POST /api/auth/logout
Registration: POST /api/auth/register

Sessions are validated on each request and cached in memory for performance. Users can be assigned Admin or User roles (user model).

Admin Authentication

Admin-only endpoints require both:

Valid session authentication
User role must be Admin

The first registered user automatically receives the Admin role.

Quick Reference

Endpoint Summary

Base & Health Endpoints

Endpoint	Method	Authentication	Description
`/api/`	GET	Optional	Server status and statistics
`/api/health`	GET	None	Health check

Authentication Endpoints

Endpoint	Method	Authentication	Description
`/api/auth/login`	POST	None	User login
`/api/auth/logout`	POST	Session	User logout
`/api/auth/register`	POST	None	User registration

Project Endpoints

(implementation)

Endpoint	Method	Authentication	Description
`/api/projects`	GET	Session/Agent	List projects
`/api/projects`	POST	Session/Agent	Create project
`/api/projects/{id}`	GET	Session	Get project details
`/api/projects/{id}`	PATCH	Session	Update project
`/api/projects/{id}`	DELETE	Admin	Archive project

Snapshot Endpoints

(implementation)

Endpoint	Method	Authentication	Description
`/api/snapshots`	GET	Session	List snapshots
`/api/snapshots`	POST	Session	Create snapshot
`/api/snapshots/{id}`	GET	Session	Get snapshot details
`/api/snapshots/{id}/bom`	POST	Session	Upload SBOM
`/api/snapshots/{id}/metadata`	PATCH	Session	Update metadata
`/api/snapshots/{id}/dependencies`	GET	Session	List snapshot dependencies
`/api/snapshots/{id}/alerts`	GET	Session	List snapshot alerts

Dependency Endpoints

(implementation)

Endpoint	Method	Authentication	Description
`/api/dependencies`	GET	Session	List dependencies
`/api/dependencies/{id}`	GET	Session	Get dependency details

Security Alert Endpoints

(implementation)

Endpoint	Method	Authentication	Description
`/api/security`	GET	Session	List security alerts
`/api/security/{id}`	GET	Session	Get alert details

User Management Endpoints

(implementation)

Endpoint	Method	Authentication	Description
`/api/user/whoami`	GET	Session	Get current user
`/api/user/password`	PATCH	Session	Update password
`/api/user/sessions`	GET	Session	List user sessions
`/api/user/sessions/{id}`	DELETE	Session	Revoke session

Admin Endpoints

(implementation)

Endpoint	Method	Authentication	Description
`/api/admin`	GET	Admin	Get admin settings
`/api/admin`	PATCH	Admin	Update settings
`/api/admin/users`	GET	Admin	List all users
`/api/admin/users/{id}`	PATCH	Admin	Update user

WebSocket Endpoint

(implementation)

Endpoint	Method	Authentication	Description
`/api/ws?agent`	GET (WebSocket)	Session	Agent status monitoring

Core Endpoints

Base Information

GET /api/ (implementation)

Description: Server status, configuration, and summary statistics
Authentication: Optional (returns more data when authenticated)
Response: Server version, commit, configuration, and statistics

Response Fields:

Field	Type	Description
`version`	string	Konarr version number
`commit`	string	Git commit SHA of the build
`config.initialised`	boolean	Whether the server has been initialized
`config.registration`	boolean	Whether new user registration is enabled
`user`	object	Current user details (authenticated only)
`projects`	object	Project statistics summary (authenticated only)
`dependencies`	object	Dependency statistics summary (authenticated only)
`security`	object	Security alerts summary (authenticated only)
`agent`	object	Agent configuration (agent authentication only)

# Unauthenticated request
curl http://localhost:9000/api/

# Authenticated request with session
curl -H "Cookie: x-konarr-token=<token>" http://localhost:9000/api/

Health Check

GET /api/health (implementation)

Description: Simple health check endpoint
Authentication: None required
Response: Basic status message and database connectivity check

curl http://localhost:9000/api/health

Response:

{
  "status": "ok",
  "message": "Konarr is running"
}

Projects

GET /api/projects

Description: List all active (non-archived) projects
Authentication: Session or Agent
Query Parameters:

Parameter	Type	Description	Default
`page`	integer	Page number for pagination (min 1)	0
`limit`	integer	Results per page (min 1, max 100)	25
`search`	string	Search projects by title	-
`type`	string	Filter by project type (or "all" for all types)	-
`top`	boolean	Fetch only top-level projects (no parent)	false
`parents`	boolean	Fetch only parent projects	false

Response: Array of project objects with metadata

POST /api/projects

Description: Create a new project
Authentication: Session or Agent
Request Body:

Field	Type	Required	Description
`name`	string	Yes	Project name (used as identifier)
`type`	string	Yes	Project type (container, server, etc.)
`description`	string	No	Optional project description
`parent`	integer	No	Parent project ID (for nested projects)

GET /api/projects/{id}

Description: Get specific project details with latest snapshot and children
Authentication: Session
Response: Project details including children, latest snapshot, and security summary

PATCH /api/projects/{id}

Description: Update project details
Authentication: Session
Request Body (all fields optional):

Field	Type	Description
`title`	string	Display title for the project
`type`	string	Project type
`description`	string	Project description (empty string to clear)
`parent`	integer	Parent project ID

DELETE /api/projects/{id}

Description: Archive a project (soft delete)
Authentication: Admin session required
Response: Archived project details

Snapshots

GET /api/snapshots

Description: List all snapshots with pagination
Authentication: Session
Query Parameters:

Parameter	Type	Description	Default
`page`	integer	Page number for pagination	0
`limit`	integer	Results per page	25

GET /api/snapshots/{id}

Description: Get specific snapshot details including metadata
Authentication: Session
Response: Snapshot metadata, dependencies count, and security summary

POST /api/snapshots

Description: Create a new empty snapshot
Authentication: Session
Request Body:

Field	Type	Required	Description
`project_id`	integer	Yes	Project ID to associate snapshot with

POST /api/snapshots/{id}/bom

Description: Upload SBOM data to an existing snapshot
Authentication: Session
Content-Type: application/json (CycloneDX format)
Max Size: 10 MB
Response: Updated snapshot details
Note: Automatically triggers SBOM processing task

PATCH /api/snapshots/{id}/metadata

Description: Update snapshot metadata
Authentication: Session
Request Body: JSON object with key-value pairs of metadata to update
Note: Empty values are ignored; valid keys must match SnapshotMetadataKey enum

GET /api/snapshots/{id}/dependencies

Description: List dependencies for a specific snapshot
Authentication: Session
Query Parameters:

Parameter	Type	Description
`search`	string	Search term for component names
`page`	integer	Page number for pagination
`limit`	integer	Results per page

GET /api/snapshots/{id}/alerts

Description: List security alerts for a specific snapshot
Authentication: Session
Query Parameters:

Parameter	Type	Description
`search`	string	Search term for alert names or CVE IDs
`severity`	string	Filter by severity (critical, high, medium, low, etc.)
`page`	integer	Page number for pagination
`limit`	integer	Results per page

Dependencies

GET /api/dependencies

Description: Search and list all dependencies (components)
Authentication: Session
Query Parameters:

Parameter	Type	Description
`search`	string	Search term for component names
`deptype`	string	Filter by component type (library, application, framework, etc.)
`top`	boolean	Get top dependencies by usage
`page`	integer	Page number for pagination
`limit`	integer	Results per page

GET /api/dependencies/{id}

Description: Get specific dependency details
Authentication: Session
Query Parameters:

Parameter	Type	Description
`snapshot`	integer	Get dependency details for specific snapshot context

Response: Component details, versions across projects, and associated projects (when no snapshot specified)

Security Alerts

GET /api/security

Description: List security alerts and vulnerabilities
Authentication: Session
Query Parameters:

Parameter	Type	Description
`page`	integer	Page number for pagination
`limit`	integer	Number of results per page
`search`	string	Search term for alert names or CVE IDs
`state`	string	Filter by alert state (defaults to state check)
`severity`	string	Filter by severity level (critical, high, medium, low, informational, malware, unmaintained, unknown)

GET /api/security/{id}

Description: Get specific security alert details
Authentication: Session
Response: Alert details including advisory information, affected dependency with full details, and associated snapshot

User Profile

GET /api/user/whoami

Description: Get current authenticated user's profile
Authentication: Session required
Response: User details including username, role, state, creation date, and last login

PATCH /api/user/password

Description: Update current user's password
Authentication: Session required
Request Body:

Field	Type	Required	Description
`current_password`	string	Yes	Current password for verification
`new_password`	string	Yes	New password (min 12 characters)
`new_password_confirm`	string	Yes	Confirmation of new password

GET /api/user/sessions

Description: List active sessions for the current user
Authentication: Session required
Response: Array of session summaries with ID, creation time, last accessed time, and state

DELETE /api/user/sessions/{id}

Description: Revoke a specific session
Authentication: Session required
Note: Can only revoke sessions belonging to the current user

Administration

GET /api/admin

Description: Administrative settings, statistics, and user list
Authentication: Admin session required
Response: Server settings, project statistics, user statistics, and list of all users

Response Fields:

Field	Type	Description
`settings`	object	Key-value pairs of all server settings
`project_stats`	object	Total, inactive, and archived project counts
`user_stats`	object	Total, active, and inactive user counts
`users`	array	List of all users with summary information

PATCH /api/admin

Description: Update server settings
Authentication: Admin session required
Request Body: JSON object with setting names as keys and new values as strings
Note: Only Toggle, Regenerate, and SetString setting types can be updated
Special Actions: Some settings trigger background tasks (e.g., security.rescan, security.advisories.pull)

GET /api/admin/users

Description: List all users
Authentication: Admin session required
Response: Array of user summaries (ID, username, role, state, creation date)

PATCH /api/admin/users/{id}

Description: Update user role or state
Authentication: Admin session required
Request Body (all fields optional):

Field	Type	Description
`role`	string	User role (admin or user)
`state`	string	User state (active or disabled)

Note: Cannot modify user ID 1 (default admin); disabling a user logs them out

WebSocket

GET /api/ws?agent

Description: WebSocket connection for agent status monitoring
Authentication: Session required
Protocol: WebSocket
Purpose: Allows agents to report online/offline status for projects

Message Format:

{
  "project": 123
}

When a client connects and sends a project ID, the snapshot for that project is marked as "online". When the connection closes, it's marked as "offline".

Authentication API Details

POST /api/auth/login

Description: Authenticate a user and create a session
Authentication: None required
Rate Limit: Yes (using RateLimit guard)
Request Body:

Field	Type	Required	Description
`username`	string	Yes	Username
`password`	string	Yes	Password

Response: Login status and reason (if failed)
Side Effect: Sets x-konarr-token private cookie on success

Response:

{
  "status": "success"
}

Or on failure:

{
  "status": "failed",
  "reason": "Invalid credentials"
}

Logout

POST /api/auth/logout

Description: Terminate the current session
Authentication: Session required
Response: Logout status
Side Effect: Removes x-konarr-token cookie and invalidates session

Register

POST /api/auth/register

Description: Register a new user account
Authentication: None required (registration must be enabled)
Rate Limit: Yes (using RateLimit guard)
Request Body:

Field	Type	Required	Description
`username`	string	Yes	Desired username
`password`	string	Yes	Password
`password_confirm`	string	Yes	Password confirmation (must match)

Response: Registration status and reason (if failed)
Note: First registered user becomes Admin; subsequent users are regular Users

Data Models

Project Object

{
  "id": 1,
  "name": "my-application",
  "title": "my-application",
  "type": "container",
  "description": "Production web application",
  "status": true,
  "parent": null,
  "createdAt": "2024-01-01T00:00:00Z",
  "snapshot": {
    "id": 15,
    "status": "completed",
    "createdAt": "2024-01-15T12:00:00Z",
    "dependencies": 245,
    "security": {
      "total": 12,
      "critical": 2,
      "high": 5,
      "medium": 3,
      "low": 2
    }
  },
  "snapshots": 15,
  "security": {
    "total": 12,
    "critical": 2,
    "high": 5,
    "medium": 3,
    "low": 2
  },
  "children": []
}

Fields:

Field	Type	Description
`id`	integer	Unique project identifier
`name`	string	Project name (identifier)
`title`	string	Display title for project
`type`	string	Project type (container, server, etc.)
`description`	string	Optional project description
`status`	boolean	Online/offline status from latest snapshot metadata
`parent`	integer	Parent project ID (null for top-level)
`createdAt`	string	ISO 8601 timestamp of creation
`snapshot`	object	Latest snapshot summary
`snapshots`	integer	Total snapshot count
`security`	object	Security summary from latest snapshot
`children`	array	Child projects (nested structure)

Snapshot Object

{
  "id": 1,
  "status": "completed",
  "error": null,
  "createdAt": "2024-01-01T00:00:00Z",
  "updatedAt": "2024-01-01T00:05:00Z",
  "dependencies": 245,
  "security": {
    "total": 12,
    "critical": 2,
    "high": 5,
    "medium": 3,
    "low": 2,
    "informational": 0,
    "unmaintained": 0,
    "malware": 0,
    "unknown": 0
  },
  "metadata": {
    "image": "nginx:1.21",
    "version": "1.21.0",
    "status": "online"
  }
}

Fields:

Field	Type	Description
`id`	integer	Unique snapshot identifier
`status`	string	Processing status (pending, processing, completed, failed)
`error`	string	Error message if processing failed
`createdAt`	string	ISO 8601 timestamp of creation
`updatedAt`	string	ISO 8601 timestamp of last update
`dependencies`	integer	Count of dependencies in snapshot
`security`	object	Security summary with severity breakdown
`metadata`	object	Key-value pairs of snapshot metadata

Dependency Object

{
  "id": 1,
  "type": "library",
  "manager": "npm",
  "name": "@types/node",
  "namespace": "@types",
  "version": "18.15.0",
  "purl": "pkg:npm/%40types/node@18.15.0",
  "versions": ["18.15.0", "18.14.0"],
  "projects": [
    {
      "id": 1,
      "name": "my-application",
      "title": "my-application"
    }
  ]
}

Fields:

Field	Type	Description
`id`	integer	Unique component identifier
`type`	string	Component type (library, application, framework, etc.)
`manager`	string	Package manager (npm, cargo, deb, etc.)
`name`	string	Component name
`namespace`	string	Optional namespace (e.g., @types for npm)
`version`	string	Specific version (context-dependent)
`purl`	string	Package URL (PURL) identifier
`versions`	array	All versions found across projects
`projects`	array	Associated projects (omitted in snapshot context)

Alert Object

{
  "id": 1,
  "name": "CVE-2024-1234",
  "severity": "high",
  "description": "Buffer overflow vulnerability...",
  "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1234",
  "dependency": {
    "id": 42,
    "type": "library",
    "manager": "npm",
    "name": "vulnerable-package",
    "version": "1.0.0"
  }
}

Fields:

Field	Type	Description
`id`	integer	Unique alert identifier
`name`	string	Alert name (often CVE ID)
`severity`	string	Severity level (critical, high, medium, low, informational, unmaintained, malware, unknown)
`description`	string	Detailed description of the vulnerability
`url`	string	Reference URL for more information
`dependency`	object	Affected dependency details

SBOM Upload Format

Konarr accepts SBOMs in CycloneDX format (version 1.5 or 1.6). Upload SBOMs to the POST /api/snapshots/{id}/bom endpoint.

Example CycloneDX SBOM:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "timestamp": "2024-01-01T00:00:00Z",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
        "version": "v0.96.0"
      }
    ],
    "component": {
      "type": "container",
      "name": "nginx",
      "version": "1.21"
    }
  },
  "components": [
    {
      "type": "library",
      "name": "openssl",
      "version": "1.1.1",
      "purl": "pkg:deb/debian/openssl@1.1.1"
    }
  ]
}

Supported Fields:

bomFormat: Must be "CycloneDX"
specVersion: "1.5" or "1.6"
metadata.component: Main component (container image, application, etc.)
components: Array of dependency components with PURL identifiers

After uploading, Konarr automatically processes the SBOM to extract dependencies and match them against security advisories.

Error Responses

API errors return consistent JSON responses with HTTP status codes:

{
  "message": "Project with ID 999 not found",
  "details": "Additional context about the error",
  "status": 404
}

HTTP Status Codes:

Status Code	Description
`401 Unauthorized`	Missing or invalid authentication token/session
`404 Not Found`	Requested resource doesn't exist
`429 Too Many Requests`	Rate limit exceeded
`500 Internal Server Error`	Server-side error occurred

Common Error Scenarios:

Authentication Errors: Returned when Authorization header or session cookie is missing/invalid
Not Found: Returned when accessing non-existent projects, snapshots, or other resources
Unauthorized (Admin): Returned when non-admin users attempt admin-only operations
Validation Errors: Returned via KonarrError when request data is invalid

Rate Limiting

Rate limiting is applied to authentication endpoints to prevent abuse:

Login endpoint: Rate limited (specific limit configured via RocketGovernor)
Registration endpoint: Rate limited (specific limit configured via RocketGovernor)
Other endpoints: No explicit rate limiting (protected by authentication)

Rate limiting uses the rocket-governor crate with a custom RateLimit guard.

Integration Examples

Using the API with curl

Creating a snapshot and uploading an SBOM:

# 1. Login and get session cookie
curl -c cookies.txt -X POST http://localhost:9000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "yourpassword"}'

# 2. Create a snapshot for a project
curl -b cookies.txt -X POST http://localhost:9000/api/snapshots \
  -H "Content-Type: application/json" \
  -d '{"project_id": 1}'

# 3. Upload SBOM to the snapshot
curl -b cookies.txt -X POST http://localhost:9000/api/snapshots/123/bom \
  -H "Content-Type: application/json" \
  -d @sbom.json

Agent authentication:

# Get agent token from admin panel, then use it
export AGENT_TOKEN="your-agent-token-here"

# List projects as agent
curl -H "Authorization: Bearer $AGENT_TOKEN" \
  http://localhost:9000/api/projects

# Upload SBOM as agent
curl -H "Authorization: Bearer $AGENT_TOKEN" \
  -X POST http://localhost:9000/api/snapshots/123/bom \
  -H "Content-Type: application/json" \
  -d @sbom.json

Python Example

import requests

class KonarrClient:
    def __init__(self, base_url, agent_token=None):
        self.base_url = base_url
        self.session = requests.Session()
        if agent_token:
            self.session.headers['Authorization'] = f'Bearer {agent_token}'
    
    def login(self, username, password):
        response = self.session.post(
            f'{self.base_url}/api/auth/login',
            json={'username': username, 'password': password}
        )
        return response.json()
    
    def get_projects(self):
        response = self.session.get(f'{self.base_url}/api/projects')
        return response.json()
    
    def upload_sbom(self, snapshot_id, sbom_data):
        response = self.session.post(
            f'{self.base_url}/api/snapshots/{snapshot_id}/bom',
            json=sbom_data
        )
        return response.json()

# Usage
client = KonarrClient('http://localhost:9000')
client.login('admin', 'password')
projects = client.get_projects()

For CLI-based interaction with Konarr, see the Agent Configuration documentation.

Konarr Documentation