plexd

Appearance

API Types

All request/response types for the 17 control plane API endpoints, organized by endpoint group. All types use JSON struct tags matching the API specification.

Registration

POST /v1/register

RegisterRequest

FieldTypeJSON TagDescription
Tokenstring"token"Bootstrap authentication token
PublicKeystring"public_key"Node's WireGuard public key
Hostnamestring"hostname"Node hostname
Metadatamap[string]string"metadata,omitempty"Optional key-value metadata
Capabilities*CapabilitiesPayload"capabilities,omitempty"Optional initial capabilities

RegisterResponse

FieldTypeJSON TagDescription
NodeIDstring"node_id"Assigned node identifier
MeshIPstring"mesh_ip"Assigned mesh IP address
SigningPublicKeystring"signing_public_key"Control plane signing public key
NodeSecretKeystring"node_secret_key"Node identity secret key
Peers[]Peer"peers"Initial peer list

Peer

FieldTypeJSON TagDescription
IDstring"id"Peer node ID
PublicKeystring"public_key"WireGuard public key
MeshIPstring"mesh_ip"Mesh IP address
Endpointstring"endpoint"WireGuard endpoint
AllowedIPs[]string"allowed_ips"Allowed IP ranges
PSKstring"psk"Pre-shared key

Heartbeat

POST /v1/nodes/{node_id}/heartbeat

HeartbeatRequest

FieldTypeJSON TagDescription
NodeIDstring"node_id"Node identifier
Timestamptime.Time"timestamp"Heartbeat timestamp
Statusstring"status"Node status
Uptimestring"uptime"Node uptime
BinaryChecksumstring"binary_checksum"Running binary checksum
Mesh*MeshInfo"mesh,omitempty"Optional mesh status
NAT*NATInfo"nat,omitempty"Optional NAT information
Bridge*BridgeInfo"bridge,omitempty"Optional bridge status
UserAccess*UserAccessInfo"user_access,omitempty"Optional user access status
Ingress*IngressInfo"ingress,omitempty"Optional ingress status
SiteToSite*SiteToSiteInfo"site_to_site,omitempty"Optional site-to-site status

MeshInfo

FieldTypeJSON TagDescription
Interfacestring"interface"WireGuard interface
PeerCountint"peer_count"Connected peer count
ListenPortint"listen_port"WireGuard listen port

NATInfo

FieldTypeJSON TagDescription
PublicEndpointstring"public_endpoint"Public endpoint
Typestring"type"NAT type

HeartbeatResponse

FieldTypeJSON TagDescription
Reconcilebool"reconcile"Whether to trigger reconciliation
RotateKeysbool"rotate_keys"Whether to rotate keys

State

GET /v1/nodes/{node_id}/state

StateResponse

FieldTypeJSON TagDescription
Peers[]Peer"peers"Desired peer list
Policies[]Policy"policies"Network policies
SigningKeys*SigningKeys"signing_keys,omitempty"Signing key material
Metadatamap[string]string"metadata,omitempty"Node metadata
BridgeConfig*BridgeConfig"bridge_config,omitempty"Bridge configuration
RelayConfig*RelayConfig"relay_config,omitempty"Relay configuration
UserAccessConfig*UserAccessConfig"user_access_config,omitempty"User access configuration
IngressConfig*IngressConfig"ingress_config,omitempty"Ingress configuration
SiteToSiteConfig*SiteToSiteConfig"site_to_site_config,omitempty"Site-to-site VPN configuration
Data[]DataEntry"data"Arbitrary data entries
SecretRefs[]SecretRef"secret_refs"Secret references

Policy

FieldTypeJSON TagDescription
IDstring"id"Policy ID
Rules[]PolicyRule"rules"Policy rules

PolicyRule

FieldTypeJSON TagDescription
Srcstring"src"Source CIDR/ID
Dststring"dst"Destination CIDR/ID
Portint"port"Port number
Protocolstring"protocol"Protocol (tcp/udp)
Actionstring"action"allow/deny

SigningKeys

FieldTypeJSON TagDescription
Currentstring"current"Current signing public key
Previousstring"previous,omitempty"Previous key (during rotation)
TransitionExpires*time.Time"transition_expires,omitempty"When previous key expires

DataEntry

FieldTypeJSON TagDescription
Keystring"key"Entry key
ContentTypestring"content_type"MIME content type
Payloadjson.RawMessage"payload"Arbitrary JSON payload
Versionint"version"Entry version
UpdatedAttime.Time"updated_at"Last update timestamp

SecretRef

FieldTypeJSON TagDescription
Keystring"key"Secret key name
Versionint"version"Secret version

Secrets

GET /v1/nodes/{node_id}/secrets/{key}

SecretResponse

FieldTypeJSON TagDescription
Keystring"key"Secret key name
Ciphertextstring"ciphertext"Encrypted secret value
Noncestring"nonce"Encryption nonce
Versionint"version"Secret version

Drift

POST /v1/nodes/{node_id}/drift

DriftReport

FieldTypeJSON TagDescription
Timestamptime.Time"timestamp"Report timestamp
Corrections[]DriftCorrection"corrections"Applied corrections

DriftCorrection

FieldTypeJSON TagDescription
Typestring"type"Correction type
Detailstring"detail"Correction details

Reports

POST /v1/nodes/{node_id}/report

ReportSyncRequest

FieldTypeJSON TagDescription
Entries[]ReportEntry"entries"Report entries to sync
Deleted[]string"deleted"Deleted entry keys

ReportEntry

FieldTypeJSON TagDescription
Keystring"key"Entry key
ContentTypestring"content_type"MIME content type
Payloadjson.RawMessage"payload"Arbitrary JSON payload
Versionint"version"Entry version
UpdatedAttime.Time"updated_at"Last update timestamp

Executions

POST /v1/nodes/{node_id}/executions/{execution_id}/ack

ExecutionAck

FieldTypeJSON TagDescription
ExecutionIDstring"execution_id"Execution identifier
Statusstring"status"Acknowledgement status
Reasonstring"reason"Status reason

POST /v1/nodes/{node_id}/executions/{execution_id}/result

ExecutionResult

FieldTypeJSON TagDescription
ExecutionIDstring"execution_id"Execution identifier
Statusstring"status"Final status
ExitCodeint"exit_code"Process exit code
Stdoutstring"stdout"Standard output
Stderrstring"stderr"Standard error
Durationstring"duration"Execution duration
FinishedAttime.Time"finished_at"Completion timestamp
TriggeredBy*TriggeredBy"triggered_by,omitempty"Who triggered it

TriggeredBy

FieldTypeJSON TagDescription
Typestring"type"Trigger type
SessionIDstring"session_id"Session ID
UserIDstring"user_id"User ID
Emailstring"email"User email

Observability

POST /v1/nodes/{node_id}/metrics

MetricBatch — type alias for []MetricPoint

MetricPoint

FieldTypeJSON TagDescription
Timestamptime.Time"timestamp"Measurement time
Groupstring"group"Metric group name
PeerIDstring"peer_id,omitempty"Optional peer ID
Datajson.RawMessage"data"Metric data payload

POST /v1/nodes/{node_id}/logs

LogBatch — type alias for []LogEntry

LogEntry

FieldTypeJSON TagDescription
Timestamptime.Time"timestamp"Log timestamp
Sourcestring"source"Log source
Unitstring"unit"Systemd unit
Messagestring"message"Log message
Severitystring"severity"Log level
Hostnamestring"hostname"Origin hostname

POST /v1/nodes/{node_id}/audit

AuditBatch — type alias for []AuditEntry

AuditEntry

FieldTypeJSON TagDescription
Timestamptime.Time"timestamp"Event timestamp
Sourcestring"source"Audit source
EventTypestring"event_type"Audit event type
Subjectjson.RawMessage"subject"Who performed it
Objectjson.RawMessage"object"What was affected
Actionstring"action"Action performed
Resultstring"result"Action result
Hostnamestring"hostname"Origin hostname
Rawstring"raw"Raw audit record

Capabilities

PUT /v1/nodes/{node_id}/capabilities

CapabilitiesPayload

FieldTypeJSON TagDescription
Binary*BinaryInfo"binary,omitempty"Binary version info
BuiltinActions[]ActionInfo"builtin_actions"Built-in actions
Hooks[]HookInfo"hooks"Registered hooks

BinaryInfo

FieldTypeJSON TagDescription
Versionstring"version"Binary version
Checksumstring"checksum"Binary checksum

ActionInfo

FieldTypeJSON TagDescription
Namestring"name"Action name
Descriptionstring"description"Action description
Parameters[]ActionParam"parameters"Action parameters

ActionParam

FieldTypeJSON TagDescription
Namestring"name"Parameter name
Typestring"type"Parameter type
Requiredbool"required"Whether required
Descriptionstring"description"Parameter description

HookInfo

FieldTypeJSON TagDescription
Namestring"name"Hook name
Descriptionstring"description"Hook description
Sourcestring"source"Hook source path
Checksumstring"checksum"Source checksum
Parameters[]ActionParam"parameters"Hook parameters
Timeoutstring"timeout"Execution timeout
Sandboxstring"sandbox"Sandbox type

NAT Endpoint

PUT /v1/nodes/{node_id}/endpoint

EndpointReport

FieldTypeJSON TagDescription
PublicEndpointstring"public_endpoint"Public endpoint
NATTypestring"nat_type"NAT type

EndpointResponse

FieldTypeJSON TagDescription
PeerEndpoints[]PeerEndpoint"peer_endpoints"Updated peer endpoints

PeerEndpoint

FieldTypeJSON TagDescription
PeerIDstring"peer_id"Peer node ID
Endpointstring"endpoint"Peer endpoint

Key Rotation

POST /v1/keys/rotate

KeyRotateRequest

FieldTypeJSON TagDescription
NodeIDstring"node_id"Node identifier
NewPublicKeystring"new_public_key"New WireGuard key

KeyRotateResponse

FieldTypeJSON TagDescription
UpdatedPeers[]Peer"updated_peers"Peers with updated keys

Artifacts

GET /v1/artifacts/plexd/{version}/{os}/{arch}

Returns io.ReadCloser with the binary stream. No request/response struct — path parameters only.

SSE Events

GET /v1/nodes/{node_id}/events

Returns text/event-stream with signed event envelopes.

SignedEnvelope

FieldTypeJSON TagDescription
EventTypestring"event_type"Event type constant
EventIDstring"event_id"Unique event identifier
IssuedAttime.Time"issued_at"Event timestamp
Noncestring"nonce"Replay protection nonce
Payloadjson.RawMessage"payload"Event-specific JSON payload
Signaturestring"signature"Ed25519 signature

Event Types

ConstantValueDescription
EventPeerAddedpeer_addedNew peer joined mesh
EventPeerRemovedpeer_removedPeer left mesh
EventPeerKeyRotatedpeer_key_rotatedPeer rotated WireGuard key
EventPeerEndpointChangedpeer_endpoint_changedPeer endpoint updated
EventPolicyUpdatedpolicy_updatedNetwork policy changed
EventActionRequestaction_requestRemote action requested
EventSessionRevokedsession_revokedSession revoked
EventSSHSessionSetupssh_session_setupSSH session initiated
EventRotateKeysrotate_keysKey rotation requested
EventSigningKeyRotatedsigning_key_rotatedSigning key rotated
EventNodeStateUpdatednode_state_updatedNode state changed
EventNodeSecretsUpdatednode_secrets_updatedNode secrets changed
EventBridgeConfigUpdatedbridge_config_updatedBridge configuration changed
EventRelaySessionAssignedrelay_session_assignedRelay session assigned
EventRelaySessionRevokedrelay_session_revokedRelay session revoked
EventUserAccessConfigUpdateduser_access_config_updatedUser access config changed
EventUserAccessPeerAssigneduser_access_peer_assignedUser access peer assigned
EventUserAccessPeerRevokeduser_access_peer_revokedUser access peer revoked
EventIngressConfigUpdatedingress_config_updatedIngress config changed
EventIngressRuleAssignedingress_rule_assignedIngress rule assigned
EventIngressRuleRevokedingress_rule_revokedIngress rule revoked
EventSiteToSiteConfigUpdatedsite_to_site_config_updatedSite-to-site config changed
EventSiteToSiteTunnelAssignedsite_to_site_tunnel_assignedSite-to-site tunnel assigned
EventSiteToSiteTunnelRevokedsite_to_site_tunnel_revokedSite-to-site tunnel revoked