API Reference
REST API overview, authentication, and rate limiting
Pramiti exposes a comprehensive REST API with 121+ endpoints across 59 routers, organized by domain. The API supports three deployment modes with different endpoint sets.
API Entry Points
| Entry Point | File | Endpoints | Use Case |
|---|---|---|---|
| Combined | main.py | All routers | Full platform deployment |
| Aegis Only | aegis_main.py | Aegis + platform routers | Action validation only |
| Epistom Only | epistom_main.py | Epistom + platform routers | Semantic intelligence only |
Authentication
The API supports multiple authentication modes:
| Mode | When | How |
|---|---|---|
| demo | Local development | X-Demo-User header |
| production | Production deployment | JWT tokens via epistom_token cookie or Authorization: Bearer header |
| disabled | Testing | EPISTOM_AUTH_DISABLED=true (no auth check) |
API keys (ek_* prefix) are supported for programmatic access with per-key rate limit buckets.
Rate Limiting
Rate limiting is applied per key. The bucket key is chosen with the following priority:
- Demo user header (demo mode only)
- API key hash (SHA-256 prefix)
- X-Forwarded-For header
- Remote IP address
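The bucket-key priority above, written out as an added Python example (not Pramiti's own code). It assumes the auth layer has already extracted the API key and passes it in; the `trust_forwarded_for` flag is an added caveat, since X-Forwarded-For is client-controlled and should only be honoured behind a proxy that rewrites it.

```python
import hashlib
from typing import Optional


def api_key_hash_prefix(api_key: str, length: int = 16) -> str:
    """Bucket on a SHA-256 prefix so the raw key never lands in rate-limit storage or logs."""
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()[:length]


def rate_limit_bucket(
    headers: dict,
    remote_ip: str,
    auth_mode: str,
    api_key: Optional[str] = None,
    trust_forwarded_for: bool = True,
) -> str:
    """Return the rate-limit bucket key for a request, following the documented priority.

    Hypothetical helper: header names (X-Demo-User, X-Forwarded-For) and the ek_ key
    prefix come from the reference above; the function shape is an assumption.
    """
    # Header lookup is case-insensitive in HTTP, so normalise once.
    h = {k.lower(): v for k, v in headers.items()}

    # 1. Demo user header, honoured only in demo mode so it cannot be abused in production.
    demo_user = h.get("x-demo-user")
    if auth_mode == "demo" and demo_user:
        return f"demo:{demo_user}"

    # 2. API key (ek_* prefix), bucketed by hash prefix rather than the secret itself.
    if api_key and api_key.startswith("ek_"):
        return f"key:{api_key_hash_prefix(api_key)}"

    # 3. X-Forwarded-For: the first entry is the originating client as reported by the
    #    proxy chain. Only trust it when a proxy you control sets or rewrites the header.
    xff = h.get("x-forwarded-for")
    if trust_forwarded_for and xff:
        client = xff.split(",")[0].strip()
        if client:
            return f"ip:{client}"

    # 4. Fall back to the socket peer address.
    return f"ip:{remote_ip}"
```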
CSRF Protection
CSRF middleware is active when auth_mode != "demo". Frontend clients send X-Epistom-CSRF: 1 on state-mutating methods (POST, PUT, DELETE, PATCH).