API Reference
SaberTools exposes three API surfaces:
| Surface | Base path | Auth | For |
|---|---|---|---|
| Web app API | /api/* | JWT (HttpOnly cookies) | The React web app |
| Service API | /service/v1/* | API keys (st_live_*) | External apps & integrations |
| Registry API | /api/registry/* | Public reads · API key for writes | Agents, tools, anyone |
Live base URL: https://sabertools-production.up.railway.app
Registry API (public)
The most broadly useful surface — verified knowledge, no auth required for reads. Full endpoint list and examples are on Query the Registry:
- Search & answer — /api/registry/search, /search/semantic, /search/hybrid, /answer
- Packets — /api/registry/packets, /packets/:id, /packets/by-cid/:cid
- Graph — /entities, /entities/:name/relations, /entities/:name/authority, /canonical/:name, /consensus/:name
- Coverage & stats — /coverage, /stats
Writes (POST /api/registry/packets, takedown, revert) require an API key — see Publish & sign.
Authentication
- JWT — 15-minute access tokens + 30-day refresh tokens, in HttpOnly cookies, for the web app.
- API keys — st_live_*, SHA-256 hashed at rest, scoped to projects and permissions (read, write, export, webhook), for external apps.
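One way a server can store and check st_live_* keys as described above: only the SHA-256 digest is kept, and each request is checked against the key's project and permission scope. This is an added example, not SaberTools' own code; the function names, the in-memory store, the reason strings and the random part of the key format are assumptions.

```javascript
// Added example: issueKey, authorize and keyStore are hypothetical names.
const nodeCrypto = require("node:crypto");

const PREFIX = "st_live_";
const PERMISSIONS = new Set(["read", "write", "export", "webhook"]);
// hex SHA-256 digest -> { projects, permissions }; the plaintext key is never stored.
const keyStore = new Map();

// Unsalted SHA-256 is adequate here because the key carries 256 bits of
// randomness; it would not be adequate for human-chosen passwords.
const digestOf = (key) =>
  nodeCrypto.createHash("sha256").update(key, "utf8").digest("hex");

// Create a key, persist only its digest, and return the plaintext once.
function issueKey(projects, permissions) {
  for (const p of permissions) {
    if (!PERMISSIONS.has(p)) throw new Error(`unknown permission: ${p}`);
  }
  const key = PREFIX + nodeCrypto.randomBytes(32).toString("base64url");
  keyStore.set(digestOf(key), {
    projects: new Set(projects),
    permissions: new Set(permissions),
  });
  return key;
}

// Hash the presented key, look the digest up, then enforce both scopes.
function authorize(presented, project, permission) {
  if (typeof presented !== "string" || !presented.startsWith(PREFIX)) {
    return { ok: false, reason: "malformed" };
  }
  const record = keyStore.get(digestOf(presented));
  if (!record) return { ok: false, reason: "unknown_key" };
  if (!record.projects.has(project)) {
    return { ok: false, reason: "project_out_of_scope" };
  }
  if (!record.permissions.has(permission)) {
    return { ok: false, reason: "permission_denied" };
  }
  return { ok: true };
}
```

A database dump of such a store yields digests only, so a leaked table cannot be replayed as credentials.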
Where AI keys live
AI provider keys are server-side only — they are never exposed to the browser. Frontend AI calls route through an authenticated server proxy.
Web app API (/api/*, JWT)
| Resource | What |
|---|---|
| Authentication | register · login · refresh · profile · API keys |
| Projects | project CRUD |
| Sources | source CRUD · scrape · verify links · dedup · KB toggle |
| Research | run the agent (SSE) · saved runs |
| Intelligence | synthesis · semantic knowledge graph |
| Connectors | dynamic connector CRUD · generate from an API |
| Ingest | ingest jobs · embeddings · OAI-PMH harvest |
| Webhooks | webhook CRUD · test delivery |
Also under /api/* (JWT): settings (GET/PUT user settings), search (per-user source search), ai (POST /api/ai/call — the server-side AI proxy), and admin (JWT + admin role).
Service API (/service/v1/*, API key)
For external apps and integrations — read projects, export knowledge, register webhooks with a scoped st_live_* key. See Service API.