API overview
The Midcore backend is a FastAPI application for automation, CI, and integrations: agent runs, gates, evidence, tenancy, and the large autonomy module surface.
OpenAPI and interactive docs
Non-production deployments expose machine-readable and browsable API documentation on the same origin as the API (not the Next.js site). Production disables Swagger/ReDoc/OpenAPI JSON to reduce IP exposure. The documentation endpoints are:
- GET /openapi.json — OpenAPI 3 schema
- GET /docs — Swagger UI
- GET /redoc — ReDoc
Example: if your API base is https://api.example.com, open https://api.example.com/docs. From the web app in the browser, API calls are usually proxied via /api/backend/* (see App vs autonomy API).
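A deployment check for the production rule above, as an added example rather than Midcore's own code: it probes the three documentation paths and lists any that still serve docs. The body markers are assumptions about FastAPI's default documentation pages, and the base URL is supplied by the operator.

```python
"""Added example: confirm a deployment no longer serves the API docs routes."""
import sys
import urllib.error
import urllib.request

# Paths from this page, each with a marker expected in the default response
# body (assumption: stock FastAPI pages; customised pages need other markers).
DOC_MARKERS = {
    "/openapi.json": b'"openapi"',
    "/docs": b"swagger",
    "/redoc": b"redoc",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects (e.g. to a login page) instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, path, timeout=5.0):
    """GET base_url + path; return (status, first 64 KiB of the body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, b""  # 3xx/4xx/5xx: the route did not serve docs
    # Connection errors propagate: an unreachable host must fail the check.


def looks_like_docs(path, status, body):
    """A bare 200 is not enough (SPA catch-alls return 200); require the marker."""
    return status == 200 and DOC_MARKERS[path] in body.lower()


def exposed_doc_paths(base_url, fetch=probe):
    """Return the documentation paths that base_url still serves."""
    return [p for p in DOC_MARKERS if looks_like_docs(p, *fetch(base_url, p))]


if __name__ == "__main__":
    exposed = exposed_doc_paths(sys.argv[1])
    for path in exposed:
        print(f"EXPOSED {path}")
    sys.exit(1 if exposed else 0)
```

Run it against the production API origin as a post-deploy step; a non-zero exit means at least one documentation route is still reachable.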
Automation and agent surface
Agent orchestration, studio runs, streaming, smart gates, and reliability helpers live under the /api/v1/autonomy/ prefix on the FastAPI server. Examples (all require auth in normal deployments):
| Method | Path (on API server) | Purpose |
|---|---|---|
| POST | /api/v1/autonomy/run | Full automation run (optional stream, budget_seconds) |
| POST | /api/v1/autonomy/vibe/run | Vibe coding run |
| GET | /api/v1/autonomy/streaming/{session_id}/events | SSE for a run session |
| GET | /api/v1/autonomy/smart-gates | Gate readiness snapshot |
| GET | /api/v1/autonomy/reliability-context | Budget / concurrency hints for the studio |
| GET | /api/v1/autonomy/evidence-pack | Evidence pack snapshot |
| POST | /api/v1/autonomy/voice/transcribe | Voice transcription |
Shorthand in UI copy
POST /autonomy/run as shorthand; the full server path is /api/v1/autonomy/run.
Run vs vibe (security review)
RBAC, streaming, and audit behavior for /autonomy/run vs /autonomy/vibe/run are documented in your internal readiness and parity artifacts. Static HTML report bundles are not published on the public product site — see Readiness report (resources).
When to use the API
- Automating agent runs from scripts or CI/CD
- Integrating with external tools (ticketing, dashboards)
- Running gates and reading evidence from your own services
Authentication
API access uses cookies/session, API keys, or SSO depending on your deployment. Store secrets in environment variables or a secrets manager. See Authentication and Security.
Main use cases
- Triggering agent runs — Start a task remotely; use streaming endpoints for live output.
- Running gates — Same gate set as the CLI (midcore gates run) with pass/fail and evidence.
- Reading evidence — Query the evidence ledger and related autonomy snapshots.
App vs autonomy API · SDK and client libraries · CLI reference · Authentication