API Reference

The Exekra Orchestrator exposes a REST API over HTTPS. All endpoints (except those marked Public) require authentication via a JWT token stored in an HTTP-only cookie.

PropertyValue
Base URLhttps://{orchestrator-host}:{port}/api
Content-Typeapplication/json
AuthenticationJWT token in `token` cookie
Rate Limit100 requests per minute per client

Authentication

POST/api/auth/loginPublic

Authenticate a user and receive a session token.

Request
{
  "email": "[email protected]",
  "password": "securepassword"
}
Response 200
{
  "user": {
    "id": "clx1abc2300001",
    "email": "[email protected]",
    "name": "Admin User",
    "role": "ADMIN"
  }
}

Sets cookie: token (HttpOnly, Secure, SameSite=Lax, 7-day expiry). Returns 401 on invalid credentials.

POST/api/auth/registerAuthenticated (ADMIN)

Register a new user. Role defaults to OPERATOR if not specified.

Request
{
  "email": "[email protected]",
  "password": "securepassword",
  "name": "Jane Developer",
  "role": "DEVELOPER"
}
POST/api/auth/logoutAuthenticated

End the current session. Clears the token cookie.

GET/api/auth/meAuthenticated

Get the current authenticated user.

Executions

POST/api/executionsAuthenticated (ADMIN, DEVELOPER, OPERATOR)

Create a new execution (trigger a workflow run). Requires a published version.

Request
{
  "workflowId": "clx1wf0001"
}
Response 200
{
  "execution": {
    "id": "clx1exec001",
    "workflowId": "clx1wf0001",
    "workflow": { "id": "clx1wf0001", "name": "Invoice Processing" },
    "runnerId": null,
    "triggeredBy": "clx1abc2300001",
    "versionId": "clx1ver001",
    "status": "QUEUED",
    "logs": null,
    "startedAt": null,
    "completedAt": null,
    "createdAt": "2025-01-15T10:00:00.000Z"
  }
}
GET/api/executionsAuthenticated

List executions with optional filters.

ParameterTypeDescription
workflowIdstringFilter by workflow
runnerIdstringFilter by runner
statusstringQUEUED, ASSIGNED, RUNNING, COMPLETED, FAILED, STOPPED
pagenumberPage number (default: 1)
limitnumberItems per page (default: 50)
from / tostringISO 8601 date range
GET/api/executions/statsAuthenticated

Get aggregate execution counts (total, queued, running, completed, failed, stopped).

GET/api/executions/:idAuthenticated

Get a single execution by ID.

PATCH/api/executions/:id/statusPublic (Runner)

Update execution status. Called by runners to report progress.

Request
{
  "status": "COMPLETED",
  "logs": "[2025-01-15T10:00:05Z] Starting workflow...\n...",
  "metrics": {
    "cpuAvg": 35.2,
    "cpuPeak": 78.5,
    "memAvgMB": 512,
    "memPeakMB": 1024
  }
}

Runners

POST/api/runners/registerAuthenticated (ADMIN)

Register a new runner. Returns machine credentials (secret shown only once).

Request
{
  "name": "PROD-Runner-01",
  "type": "UNATTENDED"
}
Response 200
{
  "id": "clx1runner01",
  "name": "PROD-Runner-01",
  "machineKey": "FC-a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4",
  "machineSecret": "e5f6a1b2c3d4...64 hex chars...",
  "type": "UNATTENDED"
}
POST/api/runners/authenticatePublic

Authenticate with machine credentials and receive a JWT token (24h expiry).

Request
{
  "machineKey": "FC-a1b2c3d4...",
  "machineSecret": "e5f6a1b2c3d4..."
}
POST/api/runners/heartbeatPublic

Send heartbeat with metrics. Sets runner status to ONLINE. TTL: 120 seconds.

Request
{
  "machineKey": "FC-a1b2c3d4...",
  "machineSecret": "e5f6a1b2c3d4...",
  "ipAddress": "10.0.1.50",
  "metrics": {
    "cpu": 45.2,
    "memTotalMB": 16384,
    "memUsedMB": 8192,
    "memUsage": 50.0
  }
}
POST/api/runners/pollPublic

Poll for assigned work. Returns hasWork: false if no assignment, or the execution with graphJson if work is available.

Response (work available)
{
  "hasWork": true,
  "execution": {
    "id": "clx1exec001",
    "workflowId": "clx1wf0001",
    "workflowName": "Invoice Processing",
    "graphJson": "{\"nodes\":[...],\"edges\":[...]}"
  }
}
POST/api/runners/executionsPublic

Create execution directly from an attended runner. Execution created with status RUNNING (bypasses queue).

POST/api/runners/processesPublic

Get all published workflows available for execution on this runner.

GET/api/runnersAuthenticated

List all runners. Filter by status (ONLINE, OFFLINE, BUSY) or type (ATTENDED, UNATTENDED).

POST/api/runners/:id/regenerate-secretAuthenticated (ADMIN)

Generate a new machine secret. Invalidates the previous secret immediately.

DELETE/api/runners/:idAuthenticated (ADMIN)

Delete a runner registration.

Workflows

POST/api/workflowsAuthenticated (ADMIN, DEVELOPER)

Create a new workflow.

Request
{
  "name": "Invoice Processing",
  "description": "Processes incoming invoices from the shared mailbox"
}
GET/api/workflowsAuthenticated

List all workflows. Supports page and limit query parameters.

GET/api/workflows/:idAuthenticated

Get a single workflow with its versions, triggers, and execution count.

PUT/api/workflows/:idAuthenticated (ADMIN, DEVELOPER)

Update workflow name or description.

DELETE/api/workflows/:idAuthenticated (ADMIN)

Delete a workflow and all its versions (cascade).

POST/api/workflows/:id/draftAuthenticated (ADMIN, DEVELOPER)

Save a draft version. Each save creates a new version with auto-incremented number.

Request
{
  "graphJson": "{\"nodes\":[...],\"edges\":[...]}",
  "metadata": "Added browser opening step"
}
POST/api/workflows/:id/publishAuthenticated (ADMIN, DEVELOPER)

Publish the latest draft. Supersedes any previously published version. Returns 400 if no draft exists.

GET/api/workflows/:id/versionsAuthenticated

List all versions of a workflow (drafts and published).

GET/api/workflows/:id/versions/latestAuthenticated

Get the latest version (may be a draft).

Triggers

POST/api/triggersAuthenticated (ADMIN, DEVELOPER)

Create a trigger for a workflow.

Request (Schedule)
{
  "workflowId": "clx1wf0001",
  "type": "SCHEDULE",
  "config": "{\"cron\": \"0 9 * * 1-5\"}",
  "enabled": true
}
Request (Webhook)
{
  "workflowId": "clx1wf0001",
  "type": "WEBHOOK",
  "config": "{}",
  "enabled": true
}
GET/api/triggersAuthenticated

List all triggers. Supports page and limit query parameters.

PUT/api/triggers/:idAuthenticated (ADMIN, DEVELOPER)

Update trigger config or enabled status. Schedule triggers are rescheduled automatically.

DELETE/api/triggers/:idAuthenticated (ADMIN)

Delete a trigger. Stops the cron job if it is a schedule trigger.

POST/api/triggers/webhook/:idPublic

Invoke a webhook trigger. Validates the trigger exists, is type WEBHOOK, and is enabled.

Response 200
{
  "success": true,
  "executionId": "clx1exec003"
}

System

GET/api/statusPublic

Check system state: UNACTIVATED, ACTIVATED, BOOTSTRAPPED, or OPERATIONAL.

GET/api/healthPublic

Health check. Returns status: ok with a timestamp.

POST/api/license/activatePublic

Activate the platform license. Requires system state UNACTIVATED.

GET/api/license/statusAuthenticated

Get license status: activated flag, status (ACTIVE/GRACE_PERIOD/EXPIRED/INVALID), limits, and days remaining.

POST/api/license/validateAuthenticated (ADMIN)

Force revalidation of the current license.

GET/api/usersAuthenticated (ADMIN)

List all registered users. Supports page and limit query parameters.

GET/api/analytics/process-performanceAuthenticated

Get per-workflow performance metrics including execution counts, success/failure rates, CPU/memory averages, and duration.