HTTP/JSON
Primary command and query surface for native deployments. The server exposes generated OpenAPI and supports request body limits, timeouts, CORS, metrics, and auth middleware.
HTTP, WebSocket, and Cap'n Proto share the same authentication configuration. The server speaks plain HTTP/WebSocket/TCP, so production deployments should terminate TLS upstream.
Primary command and query surface for native deployments. The server exposes generated OpenAPI and supports request body limits, timeouts, CORS, metrics, and auth middleware.
Subscription transport for live geofence events. Clients authenticate with the same auth model and subscribe to channels with collection-scoped subscription permissions.
Async RPC transport for command/query flows and native replication. Enable it with capnp_enabled and expose capnp_listen_addr when RPC or followers need network access.
jwt_secret.jwt_public_key_pem.jwks_url.
Exactly one JWT verification source may be configured. For production, prefer JWT or JWKS, set require_auth = true, and disable the static bearer token.
{
"sub": "user-123",
"iss": "https://id.example.com",
"aud": "latlng",
"exp": 4102444800,
"latlng_permissions": [
{
"collections": ["fleet-eu"],
"actions": ["collections:list", "objects:read", "queries:read"]
}
]
} | Name | Description |
|---|---|
collections:list | List collections visible to the principal. The /collections response is filtered by this permission. |
collections:create | Create new collections in the instance. |
collections:delete | Delete collections and their stored objects. |
collections:inspect | Read collection metadata and inspection endpoints. |
objects:read | Fetch objects and object data from permitted collections. |
objects:write | Create, replace, or update objects in permitted collections. |
objects:delete | Remove objects from permitted collections. |
queries:read | Run spatial and text query routes. This is separate from live subscriptions. |
subscriptions:read | Subscribe to live collection events over WebSocket subscribe and psubscribe flows. |
hooks:manage | Create, list, update, and delete webhook hooks. List responses are filtered to manageable resources. |
channels:manage | Create, list, update, and delete event channels. List responses are filtered to manageable resources. |
metrics:read | Read the Prometheus metrics endpoint without granting broader admin access. |
admin:* | Use operational and administrative routes. |