Conduit

API Reference

The Conduit REST API lets you manage servers, API keys, billing, and access the public trust registry.

Authentication

API endpoints use two authentication methods:

Session cookie (browser)

Used by the web dashboard. Set automatically after login via Supabase Auth.

API key (CLI / programmatic)

Pass in the Authorization header:

Authorization: Bearer cnd_live_xxxxxxxxxxxxxxxxxxxx

Base URL

https://conduitapi.dev

Servers

POST/api/servers

Register a new MCP server.

Auth:Session cookie or API key
Body:
{
  "name": "My MCP Server",
  "upstream_url": "https://my-server.com/mcp",
  "description": "Optional description"
}
Response:
{
  "id": "uuid",
  "name": "My MCP Server",
  "slug": "my-mcp-server",
  "gateway_endpoint": "https://gateway.conduitapi.dev/s/org/my-mcp-server",
  "status": "active",
  "health_status": "unknown",
  "trust_score": null,
  "created_at": "2026-02-08T..."
}

Returns 409 if a server with the same name already exists.

GET/api/servers

List all servers in your organization.

Auth:Session cookie or API key
Response:
[
  {
    "id": "uuid",
    "name": "My MCP Server",
    "slug": "my-mcp-server",
    "status": "active",
    "health_status": "healthy",
    "trust_score": 92,
    "trust_grade": "A",
    ...
  }
]

API Keys

POST/api/keys

Create a new API key.

Auth:Session cookie or API key
Body:
{
  "name": "Production key"
}
Response:
{
  "id": "uuid",
  "name": "Production key",
  "key": "cnd_live_xxxxxxxxxxxxxxxxxxxx",
  "created_at": "2026-02-08T..."
}

The key field is only returned once at creation. Store it securely.

GET/api/keys

List all API keys for your organization.

Auth:Session cookie or API key
Response:
[
  {
    "id": "uuid",
    "name": "Production key",
    "prefix": "cnd_live_xxxx",
    "last_used_at": "2026-02-08T...",
    "created_at": "2026-02-07T..."
  }
]

Key values are never returned after creation. Only the prefix is shown.

DELETE/api/keys/:id

Revoke an API key. Takes effect immediately.

Auth:Session cookie or API key
Response:
{ "success": true }

Scanning

POST/api/servers/:slug/scan

Trigger a trust scan for a server.

Auth:Session cookie or API key
Response:
{
  "scores": {
    "total": 92,
    "grade": "A",
    "breakdown": {
      "security": 95,
      "compliance": 88,
      "auth": 90,
      "performance": 94,
      "runtime": null
    }
  },
  "findingsCount": 2,
  "error": null
}

Scans typically take 10-30 seconds. The response is synchronous.

Public Registry

Registry endpoints are public — no authentication required.

GET/api/registry

List public servers with optional filters.

Auth:None (public)
Response:
{
  "servers": [...],
  "total": 42,
  "limit": 20,
  "offset": 0
}

Query params: ?grade=A&limit=20&offset=0&sort=score

GET/api/registry/:serverId

Get full trust report for a public server.

Auth:None (public)
Response:
{
  "server": { "id": "...", "name": "...", ... },
  "latestScan": { "total_score": 92, "grade": "A", ... },
  "findings": [...],
  "history": [...]
}
GET/api/registry/search

Search public servers by name or description.

Auth:None (public)
Response:
{
  "servers": [...],
  "total": 5
}

Query params: ?q=search+term

Badges

GET/api/badges/:serverId

Get trust score badge as SVG.

Auth:None (public)
Response:
SVG image (image/svg+xml)

Query params: ?style=standard|compact|detailed. Cached for 1 hour.

Billing

POST/api/billing/checkout

Create a Stripe Checkout session to upgrade your platform plan.

Auth:Session cookie
Body:
{
  "plan": "pro"
}
Response:
{
  "url": "https://checkout.stripe.com/c/pay/..."
}

Redirects the user to Stripe Checkout. Valid plans: pro, team, scale.

POST/api/billing/portal

Create a Stripe Customer Portal session to manage subscription.

Auth:Session cookie
Response:
{
  "url": "https://billing.stripe.com/p/session/..."
}

Vendor Billing

POST/api/vendor/billing/checkout

Create a Stripe Checkout session for a vendor plan.

Auth:Session cookie
Body:
{
  "plan": "vendor_starter"
}
Response:
{
  "url": "https://checkout.stripe.com/c/pay/..."
}

Valid plans: vendor_starter ($99/mo), vendor_professional ($499/mo).

GET/api/vendor/billing/usage

Get current billing period usage for a vendor.

Auth:Session cookie or API key
Response:
{
  "plan": "vendor_starter",
  "included_queries": 5000,
  "used_queries": 2341,
  "overage_queries": 0,
  "overage_cost": 0,
  "billing_period_start": "2026-02-01T...",
  "billing_period_end": "2026-03-01T..."
}
POST/api/vendor/billing/portal

Create a Stripe Customer Portal session for vendor subscription management.

Auth:Session cookie
Response:
{
  "url": "https://billing.stripe.com/p/session/..."
}

CLI Authentication

These endpoints support the CLI login flow.

POST/api/auth/cli-token

Generate a short-lived CLI login token.

Auth:Session cookie
Response:
{ "token": "eyJ..." }

Token expires in 5 minutes. Used for the browser-based CLI login flow.

POST/api/auth/cli-verify

Exchange a CLI token for an API key.

Auth:None
Body:
{ "token": "eyJ..." }
Response:
{
  "api_key": "cnd_live_xxxxxxxxxxxxxxxxxxxx",
  "email": "user@example.com",
  "org_name": "My Org"
}
GET/api/auth/cli-whoami

Get identity of the current API key holder.

Auth:API key
Response:
{
  "email": "user@example.com",
  "org_name": "My Org"
}
GET/api/auth/cli-status

Get account status and usage for the CLI.

Auth:API key
Response:
{
  "email": "user@example.com",
  "org_name": "My Org",
  "plan": "pro",
  "server_count": 3,
  "usage_today": 1234,
  "usage_limit": 50000
}
Python SDKCLI Reference