API reference
The Restura server exposes these HTTP endpoints. The same Hono app runs in the Cloudflare Worker (api.restura.dev) and in the Node / Docker self-hosted process.
Endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | /health | Liveness check. Returns 200 + { status: 'ok' }. |
| GET | /ready | Readiness check. |
| POST | /api/proxy | HTTP upstream proxy. SSRF-guarded, body normalisation, auth signing. |
| POST | /api/grpc | gRPC unary + streaming via Connect protocol. |
| POST | /api/grpc/reflection | gRPC reflection requests. |
| POST | /api/mcp | MCP server proxy (HTTP-SSE and streamable-HTTP). |
| POST | /api/telemetry/error | Renderer error reports (when enabled). |
| GET | /api/feature-flags | Feature flag values. |
| POST | /api/ws-ticket | Mint a short-lived ticket for the WebSocket proxy. |
| GET | /api/ws | WebSocket proxy endpoint. |
Authentication
Production requires one of:
- X-Worker-Token: <WORKER_PROXY_TOKEN> header on each request, or
- A valid Cf-Access-Authenticated-User-Email header from a trusted reverse proxy (when REQUIRE_CF_ACCESS=true).
Local dev bypasses auth when running under Miniflare or when DEV_BYPASS_AUTH=true is set in .dev.vars.
Rate limiting
Cloudflare deployment: rate-limiting binding in the Worker.
Self-hosted: per-replica in-memory token bucket. For multi-replica setups, put a rate limiter in your reverse proxy.
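Why a per-replica in-memory bucket needs a shared limiter in front of it in multi-replica setups, as an added example (not Restura's code): each replica keeps its own bucket per client, so a burst spread across N replicas is admitted N times over. The class names, the capacity of 5, the refill rate and the round-robin distribution are assumptions made for the illustration.

```javascript
// Added illustration; class and function names are hypothetical, not Restura's code.
class TokenBucket {
  constructor(capacity, refillPerSec, now = 0) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.tokens = capacity;
    this.last = now;
  }
  // Refill for the elapsed time (ms), then spend one token if available.
  take(now) {
    const elapsed = Math.max(0, now - this.last) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.refillPerSec);
    this.last = now;
    if (this.tokens < 1) return false;
    this.tokens -= 1;
    return true;
  }
}

// One replica: its own Map of client key -> bucket, invisible to other replicas.
class Replica {
  constructor(capacity, refillPerSec) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.buckets = new Map();
  }
  allow(clientKey, now) {
    let bucket = this.buckets.get(clientKey);
    if (!bucket) {
      bucket = new TokenBucket(this.capacity, this.refillPerSec, now);
      this.buckets.set(clientKey, bucket);
    }
    return bucket.take(now);
  }
}

// Send `requests` from one client at the same instant, round-robin across replicas
// (constructed scenario standing in for a load balancer with no limiter of its own).
function admittedBurst(replicaCount, capacity, requests) {
  const replicas = Array.from({ length: replicaCount }, () => new Replica(capacity, 1));
  let admitted = 0;
  for (let i = 0; i < requests; i++) {
    if (replicas[i % replicaCount].allow("client-a", 0)) admitted++;
  }
  return admitted;
}

console.log("1 replica admits:", admittedBurst(1, 5, 30));
console.log("3 replicas admit:", admittedBurst(3, 5, 30));
```

The admitted burst scales with the replica count, which is the gap a limiter at the reverse proxy closes.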
Related
- Architecture / Shared protocol layer — how these endpoints map to the protocol cores.
- Security model — auth gate, SSRF guard.