The backend exposes 37 JSON endpoints under /api/v1. Routes are generated
from Go handler annotations in internal/server/handlers.go. The canonical
spec is internal/server/openapi.gen.json. The typed TypeScript client is
frontend/src/shared/api/api.gen.ts. Generated files are not hand-edited.
Route registration
Each handler in internal/server/handlers.go carries a comment marker:
//api:route POST /api/v1/simulation/run
//api:header Remote-User={user}
func (s *Server) RunSimulation(user string, simCtx simulator.SimContext) (*simulator.DecisionResult, error) { ... }
go run ./apigen parses these markers and generates:
| Output | Purpose |
| --- | --- |
| internal/server/routes.gen.go | Gin route registration. |
| internal/server/openapi.gen.json | OpenAPI 3.1 document. |
| frontend/src/shared/api/models.gen.ts | TypeScript types for every Go type used. |
| frontend/src/shared/api/api.gen.ts | Typed fetch wrappers. |
Header-source parameters (Remote-User, etc.) are stripped from the
TypeScript client. The proxy sets them. Trust model: see auth.
Routes
Index and search
| Method | Path | Returns |
| --- | --- | --- |
| GET | /api/v1/index | Full in-memory index snapshot. |
| GET | /api/v1/search?q=... | SearchResult[] across every resource type. |
| GET | /api/v1/segment/{segmentID}/policies | PolicyCoverage[] for one segment. |
| GET | /api/v1/reachability?q=hostname | ReachabilityResult (segments + policies covering the hostname). |
Reports (legacy quick views)
| Method | Path | Returns |
| --- | --- | --- |
| GET | /api/v1/reports/orphans | OrphanReport[] (segments without policy coverage). |
| GET | /api/v1/reports/overlaps | OverlapReport[] (domains in multiple segments). |
Simulator
| Method | Path | Returns |
| --- | --- | --- |
| POST | /api/v1/simulation/run | Runs the FSM, persists when valid, returns DecisionResult. |
| GET | /api/v1/simulation | SimulationRun[] paginated list. |
| GET | /api/v1/simulation/{id} | One historical run. |
| DELETE | /api/v1/simulation/{id} | Removes one run. |
| GET | /api/v1/simulation/count | Total run count. |

| Method | Path | Returns |
| --- | --- | --- |
| GET | /api/v1/me | Identity from Remote-* headers (post-strip). |
| GET | /api/v1/about | Build version, commit, date. |
| POST | /api/v1/telemetry | Browser telemetry batch (page views + errors). |
| GET | /metrics | Prometheus metrics (in-cluster only). |
Flow graph
| Method | Path | Returns |
| --- | --- | --- |
| POST | /api/v1/graph | FlowGraph filtered by the body’s selection. |
| GET | /api/v1/routes | Full RouteMatrix (every reachable user-group to segment path). |
Analytics
| Method | Path | Returns |
| --- | --- | --- |
| GET | /api/v1/analytics/blast-radius?id=...&type=... | BlastRadiusReport |
| GET | /api/v1/analytics/policy-shadows | PolicyShadowReport[] |
| GET | /api/v1/analytics/orphan-clusters | OrphanCluster[] (orphans grouped by segment group) |
| GET | /api/v1/analytics/domain-overlaps | DomainOverlapDetail[] |
| GET | /api/v1/analytics/connector-load | ConnectorLoadEntry[] |
| GET | /api/v1/analytics/scim-reach | ScimReachEntry[] |
Raw ZPA passthrough
Returns the resource list as the SDK delivers it. Use cases: debugging,
custom tooling on top of the index.
| Method | Path |
| --- | --- |
| GET | /api/v1/zpa/segments |
| GET | /api/v1/zpa/segment-groups |
| GET | /api/v1/zpa/access-policies |
| GET | /api/v1/zpa/app-connectors |
| GET | /api/v1/zpa/app-connector-groups |
| GET | /api/v1/zpa/server-groups |
| GET | /api/v1/zpa/scim-groups |
| GET | /api/v1/zpa/scim-attribute-headers |
| GET | /api/v1/zpa/scim-attribute-values?idp_id=...&header_id=... |
| GET | /api/v1/zpa/idp-controllers |
| GET | /api/v1/zpa/trusted-networks |
| GET | /api/v1/zpa/posture-profiles |
| GET | /api/v1/zpa/certificates |
| GET | /api/v1/zpa/client-types |
| GET | /api/v1/zpa/platforms |
OpenAPI
The full spec is internal/server/openapi.gen.json. It is compatible with
Swagger UI, Insomnia, and standard OpenAPI client generators. It is
regenerated on every go run ./apigen and committed.
| Header | Set by | Used by |
| --- | --- | --- |
| X-Request-Id | Server middleware (UUID per request, echoed in response). | Every log line and every response. |
| Remote-User, Remote-Email, Remote-Groups, Remote-Name | Forward-auth proxy (Authelia via Caddy). | RunSimulation, GetMe, access log user field. |
Remote-* headers from untrusted peers are stripped in middleware before
any handler runs.
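
The strip rule above, sketched as an added example (not the project's own middleware): it uses the standard library's net/http instead of Gin so it runs without dependencies. The proxy address and the names trustedProxy, fromTrustedProxy, StripRemoteHeaders and SeenUser are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed allowlist: the only peer allowed to assert identity (the forward-auth proxy).
var trustedProxy = net.ParseIP("10.0.0.5") // constructed address

// fromTrustedProxy checks the TCP peer address, never a client-supplied header.
func fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	return err == nil && net.ParseIP(host).Equal(trustedProxy)
}

// StripRemoteHeaders removes every Remote-* header unless the peer is the proxy.
func StripRemoteHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !fromTrustedProxy(r.RemoteAddr) {
			for name := range r.Header {
				if strings.HasPrefix(strings.ToLower(name), "remote-") {
					delete(r.Header, name)
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}

// SeenUser sends one constructed request through the middleware and returns the Remote-User the handler observes.
func SeenUser(peerAddr, claimedUser string) string {
	var seen string
	h := StripRemoteHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Remote-User")
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/v1/me", nil)
	req.RemoteAddr = peerAddr
	req.Header.Set("Remote-User", claimedUser)
	h.ServeHTTP(httptest.NewRecorder(), req)
	return seen
}
func main() {
	fmt.Printf("via proxy: %q\n", SeenUser("10.0.0.5:41000", "alice"))
	fmt.Printf("direct peer: %q\n", SeenUser("203.0.113.9:41000", "admin"))
}
```

The trust decision rests on the connection's peer address, so the middleware has to be registered ahead of every handler and of any access logging that reads the user field.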