Conduit

Admin API

REST, GraphQL, and WebSocket admin surface on core — auth, scope, and MCP relationship.

The Admin API runs on core (default ADMIN_BASE_URL → port 3030). It powers the Conduit Admin Panel, CI provisioning scripts, and the MCP server. Application code must not call it from user-facing paths.

For AI agents

Apps use the Client API on the router (:3000) with user bearer tokens. See Client vs Admin API.

Comparison

| | Admin API | Client API |
|---|---|---|
| Host | Core (:3030) | Router module (:3000) |
| Consumers | Admin panel, MCP, operators, CI | Web/mobile apps, user-scoped server routes |
| Auth | masterkey header, admin JWT (Bearer), or cdt_ API tokens | User tokens from authentication module |
| Database | Schema/endpoint/index admin, extensions | /database/{Schema}, /database/function/{name} |
| Response shape | Paginated lists, admin metadata, detailed errors | Streamlined payloads for app consumption |
| MCP | Subset exposed as MCP tools | Not exposed through MCP |

Response formats are not interchangeable between Admin and Client APIs.

Authentication

| Method | Usage |
|---|---|
| masterkey | Header on trusted bootstrap/ops scripts |
| Admin JWT | Authorization: Bearer <token> after admin login |
| cdt_ API tokens | Long-lived tokens for automation and MCP clients |

Never embed admin credentials in application code, browser env vars, or client bundles.

Surfaces

Core exposes Admin API over:

  • REST — module routes registered via RoutingManager (e.g. /database/schemas, /config/{module})
  • GraphQL — admin schema aggregation
  • WebSockets — admin realtime where modules register handlers

Interactive reference: Admin API Swagger (available on a running instance). MCP also exposes conduit://docs/admin-api/swagger as a resource when connected.

MCP relationship

The MCP server at {ADMIN_BASE_URL}/mcp wraps a subset of Admin API operations as tools. Authentication is handled by the MCP connection — tools run with admin privileges.

  • Call list_modules to see loaded modules
  • Enable more tools via /mcp?modules=authentication,database,storage
  • Tool naming: HTTP method + path with / → _ (see MCP tools)

MCP is for development and deploy-time provisioning only. Do not substitute MCP calls for Client API calls in application runtime.

When to use Admin API

| Task | Surface |
|---|---|
| Create or patch schemas, indexes, custom endpoints | Admin API or MCP |
| Patch module config (auth providers, storage buckets, email templates) | Admin API or MCP |
| Manage admin users, API tokens, teams (operator workflows) | Admin API or MCP |
| Export/import platform state (GitOps) | GET /state/export, POST /state/import — GitOps guide |
| End-user login, CRUD, permission checks | Client API only |
| Application file upload/download | Client API with user token |

Rules

  1. Never call Admin API from user-facing request paths.
  2. Never expose masterkey, admin JWTs, or cdt_ tokens to browsers.
  3. Provision schemas, endpoints, and config at dev/deploy time — not on app startup or per user action.
  4. For filtered or authorization-sensitive queries in apps, provision custom endpoints and call them on the Client API.
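
A deploy-time check for rules 1 and 2, as an added example (not part of Conduit or its docs): it scans built client output and env files for cdt_ tokens, the masterkey header name, and references to the default Admin API port. The token body pattern, the browser-exposed env prefixes (Next.js, Vite, Create React App conventions), the env var names, and all sample inputs are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the Conduit docs): the body after "cdt_" is 16+ URL-safe
# characters, and these prefixes mark env vars that get inlined into browser
# bundles (Next.js, Vite, Create React App conventions).
PUBLIC_ENV_PREFIXES = ("NEXT_PUBLIC_", "VITE_", "REACT_APP_")
RULES = [
    ("cdt-token", re.compile(r"\bcdt_[A-Za-z0-9_-]{16,}")),
    ("masterkey-header", re.compile(r"masterkey", re.IGNORECASE)),
    ("admin-port", re.compile(r":3030\b")),  # default Admin API port on core
]

# Constructed sample inputs (not real credentials or real build output).
SAMPLE_BUNDLE = """\
fetch("http://localhost:3000/database/Post", {headers: {Authorization: "Bearer " + userToken}})
fetch("http://localhost:3030/database/schemas", {headers: {masterkey: k}})
const t = "cdt_EXAMPLEEXAMPLEEXAMPLE0000";
"""
SAMPLE_ENV = """\
NEXT_PUBLIC_API_URL=http://localhost:3000
NEXT_PUBLIC_ADMIN_TOKEN=cdt_EXAMPLEEXAMPLEEXAMPLE0000
CONDUIT_MASTER_KEY=server-side-only
"""


def scan_bundle(name, text):
    """Return (file, line_no, rule) for each admin artifact in client-side text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((name, line_no, rule))
    return findings


def scan_env(name, text):
    """Flag browser-exposed env vars whose name or value carries admin material."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        key, sep, value = line.strip().partition("=")
        if not sep or not key.startswith(PUBLIC_ENV_PREFIXES):
            continue  # comments, blanks, and server-only variables are skipped
        hits = [rule for rule, pattern in RULES if pattern.search(key) or pattern.search(value)]
        findings.extend((name, line_no, rule) for rule in hits)
    return findings


if __name__ == "__main__":
    for finding in scan_bundle("bundle.js", SAMPLE_BUNDLE) + scan_env(".env", SAMPLE_ENV):
        print(finding)
```

Run against real build output in CI and fail the job on any finding; a match on the admin port alone can be a false positive and is worth reviewing by hand.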
