Gateway Admin API

Complete reference for the STOA Gateway administrative endpoints. These endpoints are used by the Control Plane to manage routes, policies, and runtime state.

Authentication

All /admin/* endpoints require a Bearer token configured as the gateway's admin API token:

curl -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  "${STOA_GATEWAY_URL}/admin/health"

Response	Meaning
`200 OK`	Authenticated, request processed
`401 Unauthorized`	Missing or invalid admin token
`503 Service Unavailable`	Admin API disabled (no token configured)

Health

GET /admin/health

Returns gateway status and statistics.

curl "${STOA_GATEWAY_URL}/admin/health" \
  -H "Authorization: Bearer ${ADMIN_TOKEN}"

{
  "status": "ok",
  "version": "0.12.0",
  "routes_count": 42,
  "policies_count": 15
}

API Route Management

POST /admin/apis

Create or update an API route (upsert).

curl -X POST "${STOA_GATEWAY_URL}/admin/apis" \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "api-123",
    "name": "payments",
    "tenant_id": "acme",
    "path_prefix": "/apis/acme/payments",
    "backend_url": "https://api.example.com",
    "methods": ["GET", "POST", "PUT"],
    "spec_hash": "abc123def456",
    "activated": true
  }'

Status	Meaning
`201 Created`	New route created
`200 OK`	Existing route updated

GET /admin/apis

List all registered API routes.

[
  {
    "id": "api-123",
    "name": "payments",
    "tenant_id": "acme",
    "path_prefix": "/apis/acme/payments",
    "backend_url": "https://api.example.com",
    "methods": ["GET", "POST"],
    "spec_hash": "abc123",
    "activated": true
  }
]

GET /admin/apis/:id

Get a single API route by ID. Returns 404 Not Found if the route doesn't exist.

DELETE /admin/apis/:id

Remove an API route. Returns 204 No Content on success, 404 Not Found if missing. Delete is idempotent — deleting a non-existent route is safe.

Policy Management

POST /admin/policies

Create or update a policy (upsert). Policies apply rate limits, CORS, and other rules to API routes.

curl -X POST "${STOA_GATEWAY_URL}/admin/policies" \
  -H "Authorization: Bearer ${ADMIN_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "id": "policy-123",
    "name": "rate-limit-gold",
    "policy_type": "rate_limit",
    "config": {
      "limit": 1000,
      "window_secs": 60
    },
    "priority": 1,
    "api_id": "api-123"
  }'

Status	Meaning
`201 Created`	New policy created
`200 OK`	Existing policy updated

GET /admin/policies

List all policies.

DELETE /admin/policies/:id

Remove a policy. Returns 204 No Content or 404 Not Found.

Circuit Breaker Management

The gateway uses circuit breakers to protect against backend failures. When a backend fails repeatedly, the circuit opens and requests are rejected fast instead of waiting for timeouts.

GET /admin/circuit-breaker/stats

Get the main circuit breaker statistics (Control Plane API connection).

{
  "name": "cp-api-breaker",
  "state": "closed",
  "success_count": 1234,
  "failure_count": 5,
  "consecutive_failures": 0,
  "open_count": 2,
  "rejected_count": 0
}

State	Meaning
`closed`	Normal operation — requests flow through
`open`	Backend failing — requests rejected immediately
`half_open`	Testing recovery — limited requests allowed

POST /admin/circuit-breaker/reset

Reset the main circuit breaker to closed state.

{
  "status": "ok",
  "message": "Circuit breaker reset to closed"
}

GET /admin/circuit-breakers

List all per-upstream circuit breakers (one per backend URL).

POST /admin/circuit-breakers/:name/reset

Reset a specific upstream circuit breaker. Returns 404 if the named breaker doesn't exist.

Cache Management

The gateway caches API key validations and tool responses to reduce latency.

GET /admin/cache/stats

{
  "hits": 523,
  "misses": 127,
  "entry_count": 45,
  "hit_rate": 0.804
}

POST /admin/cache/clear

Clear all cached entries. Use after key rotations or policy changes that need immediate effect.

{
  "status": "ok",
  "message": "Cache cleared"
}

Session Management

SSE sessions for MCP protocol connections are tracked by the gateway.

GET /admin/sessions/stats

{
  "active_sessions": 42,
  "zombie_count": 2,
  "tracked_sessions": 44
}

Field	Description
`active_sessions`	Sessions with recent activity
`zombie_count`	Sessions past TTL, pending cleanup
`tracked_sessions`	Total sessions in memory

mTLS Configuration

GET /admin/mtls/config

Get current mTLS configuration.

{
  "enabled": true,
  "require_client_cert": true,
  "trusted_proxies": "[redacted]"
}

GET /admin/mtls/stats

Get mTLS validation statistics.

{
  "total_requests": 1000,
  "cert_validated": 950,
  "cert_missing": 30,
  "cert_invalid": 20
}

Quota Management

GET /admin/quotas

List quota statistics for all consumers.

[
  {
    "consumer_id": "user-123",
    "daily_count": 450,
    "daily_limit": 1000,
    "monthly_count": 12500,
    "monthly_limit": 50000,
    "daily_remaining": 550,
    "monthly_remaining": 37500
  }
]

GET /admin/quotas/:consumer_id

Get quota statistics for a specific consumer. Returns 404 if the consumer has no quota data.

POST /admin/quotas/:consumer_id/reset

Reset quota counters for a consumer (daily and monthly counts reset to zero).

{
  "status": "ok",
  "message": "Quota reset for consumer 'user-123'"
}

Health Probes

These endpoints are for Kubernetes liveness and readiness probes (no authentication required):

Endpoint	Purpose
`GET /health/ready`	Readiness probe — gateway can serve traffic
`GET /health/live`	Liveness probe — gateway process is alive

Endpoint Summary

Endpoint	Method	Description
`/admin/health`	GET	Gateway health + statistics
`/admin/apis`	POST	Create/update API route
`/admin/apis`	GET	List all API routes
`/admin/apis/:id`	GET	Get single API route
`/admin/apis/:id`	DELETE	Remove API route
`/admin/policies`	POST	Create/update policy
`/admin/policies`	GET	List all policies
`/admin/policies/:id`	DELETE	Remove policy
`/admin/circuit-breaker/stats`	GET	Main CB statistics
`/admin/circuit-breaker/reset`	POST	Reset main CB
`/admin/circuit-breakers`	GET	List per-upstream CBs
`/admin/circuit-breakers/:name/reset`	POST	Reset specific CB
`/admin/cache/stats`	GET	Cache statistics
`/admin/cache/clear`	POST	Clear all cache
`/admin/sessions/stats`	GET	SSE session statistics
`/admin/mtls/config`	GET	mTLS configuration
`/admin/mtls/stats`	GET	mTLS statistics
`/admin/quotas`	GET	List consumer quotas
`/admin/quotas/:consumer_id`	GET	Get consumer quota
`/admin/quotas/:consumer_id/reset`	POST	Reset consumer quota
`/health/ready`	GET	K8s readiness probe
`/health/live`	GET	K8s liveness probe

MCP Gateway API — MCP protocol endpoints
Control Plane API — Management API
Quota Enforcement — Quota model and enforcement
RBAC Permissions — Access control

Authentication​

Health​

GET /admin/health​

API Route Management​

POST /admin/apis​

GET /admin/apis​

GET /admin/apis/:id​

DELETE /admin/apis/:id​

Policy Management​

POST /admin/policies​

GET /admin/policies​

DELETE /admin/policies/:id​

Circuit Breaker Management​

GET /admin/circuit-breaker/stats​

POST /admin/circuit-breaker/reset​

GET /admin/circuit-breakers​

POST /admin/circuit-breakers/:name/reset​

Cache Management​

GET /admin/cache/stats​

POST /admin/cache/clear​

Session Management​

GET /admin/sessions/stats​

mTLS Configuration​

GET /admin/mtls/config​

GET /admin/mtls/stats​

Quota Management​

GET /admin/quotas​

GET /admin/quotas/:consumer_id​

POST /admin/quotas/:consumer_id/reset​

Health Probes​

Endpoint Summary​

Related​