Download OpenAPI specification:Download
API documentation for the Calimero Node Server. The server provides endpoints for:
Authentication Modes:
createAuthHeader from the calimero sdk library.
Auth endpoints are provided by an external mero-auth service.Authorization header (e.g., Authorization: Bearer <token>).
Auth endpoints are available at /auth and /admin paths.Installs a new application in the node
| url required | string <uri> URL to download the application |
| hash | string Expected hash of the application (optional) |
| metadata required | Array of integers[ items [ 0 .. 255 ] ] Application metadata as byte array (each element is a byte 0-255) |
| package | string Package name (optional) |
| version | string Version (optional) |
{- "hash": "string",
- "metadata": [
- 255
], - "package": "string",
- "version": "string"
}{- "data": {
- "applicationId": "string"
}
}Installs a development application from local path
| path required | string Local file system path to the application |
| metadata required | Array of integers[ items [ 0 .. 255 ] ] Application metadata as byte array (each element is a byte 0-255) |
| package | string Package name (optional) |
| version | string Version (optional) |
{- "path": "string",
- "metadata": [
- 255
], - "package": "string",
- "version": "string"
}{- "data": {
- "applicationId": "string"
}
}Creates a new context
| protocol required | string |
| applicationId required | string |
| contextSeed | string Optional context seed hash |
| initializationParams required | Array of integers[ items [ 0 .. 255 ] ] Initialization parameters as byte array (each element is a byte 0-255) |
{- "protocol": "string",
- "applicationId": "string",
- "contextSeed": "string",
- "initializationParams": [
- 255
]
}{- "data": {
- "contextId": "string",
- "memberPublicKey": "string"
}
}Invites a user to join a context
| contextId required | string |
| inviterId required | string |
| inviteeId required | string |
{- "contextId": "string",
- "inviterId": "string",
- "inviteeId": "string"
}{- "data": { }
}Creates an open invitation for a context
| contextId required | string |
| inviterId required | string |
| validForBlocks required | integer <int64> |
{- "contextId": "string",
- "inviterId": "string",
- "validForBlocks": 0
}{- "data": { }
}Invites a specialized node (e.g., read-only TEE node) to join a context
| contextId required | string |
| inviterId | string or null Optional inviter identity - defaults to context's default identity if not provided |
{- "contextId": "string",
- "inviterId": "string"
}{- "data": {
- "nonce": "string"
}
}Joins a context using an invitation payload
| invitationPayload required | object Context invitation payload |
{- "invitationPayload": { }
}{- "data": {
- "contextId": "string",
- "memberPublicKey": "string"
}
}Joins a context using an open invitation
| invitation required | object Signed open invitation |
| newMemberPublicKey required | string |
{- "invitation": { },
- "newMemberPublicKey": "string"
}{- "data": {
- "contextId": "string",
- "memberPublicKey": "string"
}
}Updates the application for a context
| context_id required | string |
| applicationId required | string |
| executorPublicKey required | string |
{- "applicationId": "string",
- "executorPublicKey": "string"
}{- "data": { }
}Lists all contexts for a specific application
| application_id required | string |
{- "data": {
- "contexts": [
- {
- "contextId": "string",
- "applicationId": "string",
- "protocol": "string"
}
]
}
}Lists all contexts with executors for a specific application
| application_id required | string |
{- "data": {
- "contexts": [
- {
- "contextId": "string",
- "applicationId": "string",
- "protocol": "string"
}
]
}
}Grants capabilities to a user in a context
| context_id required | string |
| contextId required | string |
| granterId required | string |
| granteeId required | string |
| capability required | string Capability type |
{- "contextId": "string",
- "granterId": "string",
- "granteeId": "string",
- "capability": "string"
}{- "data": { }
}Revokes capabilities from a user in a context
| context_id required | string |
| contextId required | string |
| revokerId required | string |
| revokeeId required | string |
| capability required | string Capability type |
{- "contextId": "string",
- "revokerId": "string",
- "revokeeId": "string",
- "capability": "string"
}{- "data": { }
}Retrieves proposals for a context with pagination
| context_id required | string |
| offset required | integer <int32> |
| limit required | integer <int32> |
{- "offset": 0,
- "limit": 0
}{- "data": [
- { }
]
}Creates a proposal and immediately approves it
| context_id required | string |
| signerId required | string |
| proposal required | object (Proposal) Proposal structure (details depend on implementation) |
{- "signerId": "string",
- "proposal": { }
}{- "data": { }
}Approves an existing proposal
| context_id required | string |
| signerId required | string |
| proposalId required | string |
{- "signerId": "string",
- "proposalId": "string"
}{- "data": { }
}Retrieves a value from context storage by key
| context_id required | string |
| key required | string |
{- "key": "string"
}{- "data": [
- 255
]
}Retrieves context storage entries with pagination
| context_id required | string |
| offset required | integer <int32> |
| limit required | integer <int32> |
{- "offset": 0,
- "limit": 0
}{- "data": [
- { }
]
}Uploads a blob (binary data)
| hash | string Expected hash of the blob for verification |
| context_id | string Context ID to announce the blob to for network discovery |
{- "data": {
- "blob_id": "string",
- "size": 0,
- "hash": "string"
}
}Creates an alias for a context ID
| alias required | string |
| contextId required | string |
{- "alias": "string",
- "contextId": "string"
}{- "data": { }
}Creates an alias for an application ID
| alias required | string |
| applicationId required | string |
{- "alias": "string",
- "applicationId": "string"
}{- "data": { }
}Creates an alias for an identity within a context
| context required | string |
| alias required | string |
| identity required | string |
{- "alias": "string",
- "identity": "string"
}{- "data": { }
}Handles JSON-RPC requests. Supports the execute method for querying and mutating context state.
Note: When embedded auth mode is enabled, all JSON-RPC requests require authentication
via JWT tokens in the Authorization header.
| jsonrpc required | string Value: "2.0" |
required | (string or null) or (integer or null) |
| method | string Value: "execute" |
object (ExecutionRequest) |
{- "jsonrpc": "2.0",
- "id": "string",
- "method": "execute",
- "params": {
- "contextId": "string",
- "method": "string",
- "argsJson": { },
- "executorPublicKey": "string",
- "substitute": [ ]
}
}{- "jsonrpc": "2.0",
- "id": "string",
- "result": {
- "output": { }
}, - "error": {
- "type": "string",
- "data": "string"
}
}Establishes a WebSocket connection for real-time event subscriptions.
Note: When embedded auth mode is enabled, WebSocket connections require authentication
via JWT tokens in the Authorization header during the initial handshake.
Important: WebSocket connections are unidirectional for events - the server
pushes events to subscribed clients. For executing transactions (mutate) or
reading state (query), clients must use the separate JSON-RPC endpoint.
Message Format:
{"id": 1, "method": "subscribe", "params": {"contextIds": ["context_1"]}}{"id": 2, "method": "unsubscribe", "params": {"contextIds": ["context_1"]}}| upgrade required | string Default: websocket |
{- "error": "string"
}Opens a long-lived HTTP connection for receiving server-sent events.
Note: When embedded auth mode is enabled, SSE connections require authentication
via JWT tokens in the Authorization header when opening the connection.
The very first message received is a connect event containing a session_id.
This session_id must be used for subsequent subscription requests.
Reconnection: Clients can reconnect using the Last-Event-ID header with format {session_id}-{event_number}.
| Last-Event-ID | string Session ID and event number for reconnection (format: {session_id}-{event_number}) |
{- "error": "string"
}Subscribes or unsubscribes the active SSE connection to one or more contexts.
Request Format:
{"id": "session_id", "method": "subscribe", "params": {"contextIds": ["context_1"]}}{"id": "session_id", "method": "unsubscribe", "params": {"contextIds": ["context_1"]}}The id field must be the session_id received from the initial connect event.
| id required | string Session ID received from the initial connect event |
| method required | string Enum: "subscribe" "unsubscribe" |
required | object (SseContextIds) |
{- "id": "string",
- "method": "subscribe",
- "params": {
- "contextIds": [
- "string"
]
}
}{- "body": {
- "result": {
- "status": "subscribed",
- "contexts": [
- "string"
], - "requested": [
- "string"
]
}, - "error": { }
}
}Gets information about an SSE session
| session_id required | string |
{- "body": {
- "result": {
- "sessionId": "string",
- "subscriptions": [
- "string"
], - "eventCounter": 0,
- "status": "active"
}, - "error": { }
}
}Generates a TEE attestation quote
| nonce required | string Client-provided nonce for freshness (32 bytes as hex string) |
| applicationId | string or null Optional application ID to include in attestation |
{- "nonce": "string",
- "applicationId": "string"
}{- "data": {
- "quoteB64": "string",
- "quote": {
- "header": {
- "version": 0,
- "attestationKeyType": 0,
- "teeType": 0,
- "qeVendorId": "string",
- "userData": "string"
}, - "body": {
- "tdxVersion": "string",
- "teeTcbSvn": "string",
- "mrseam": "string",
- "mrsignerseam": "string",
- "seamattributes": "string",
- "tdattributes": "string",
- "xfam": "string",
- "mrtd": "string",
- "mrconfigid": "string",
- "mrowner": "string",
- "mrownerconfig": "string",
- "rtmr0": "string",
- "rtmr1": "string",
- "rtmr2": "string",
- "rtmr3": "string",
- "reportdata": "string",
- "teeTcbSvn2": "string",
- "mrservicetd": "string"
}, - "signature": "string",
- "attestationKey": "string",
- "certificationData": "string"
}
}
}Verifies a TEE attestation quote
| quoteB64 required | string Base64-encoded TDX quote to verify |
| nonce required | string Client-provided nonce that should match report_data[0..32] (64 hex chars = 32 bytes) |
| expectedApplicationHash | string or null Optional expected application hash that should match report_data[32..64] (64 hex chars = 32 bytes) |
{- "quoteB64": "string",
- "nonce": "string",
- "expectedApplicationHash": "string"
}{- "data": {
- "quoteVerified": true,
- "nonceVerified": true,
- "applicationHashVerified": true,
- "quote": {
- "header": {
- "version": 0,
- "attestationKeyType": 0,
- "teeType": 0,
- "qeVendorId": "string",
- "userData": "string"
}, - "body": {
- "tdxVersion": "string",
- "teeTcbSvn": "string",
- "mrseam": "string",
- "mrsignerseam": "string",
- "seamattributes": "string",
- "tdattributes": "string",
- "xfam": "string",
- "mrtd": "string",
- "mrconfigid": "string",
- "mrowner": "string",
- "mrownerconfig": "string",
- "rtmr0": "string",
- "rtmr1": "string",
- "rtmr2": "string",
- "rtmr3": "string",
- "reportdata": "string",
- "teeTcbSvn2": "string",
- "mrservicetd": "string"
}, - "signature": "string",
- "attestationKey": "string",
- "certificationData": "string"
}
}
}Public authentication endpoints (no authentication required). Available when embedded auth mode is enabled.
Exchanges a signed challenge for a root key JWT token. The client must sign the challenge
received from /auth/challenge and include the signature in the request.
| auth_method required | string Enum: "near_wallet" "user_password" "eth_wallet" "starknet_wallet" "icp_wallet" Authentication method to use |
| public_key required | string Public key of the authenticating user |
| client_name required | string Name of the client application |
| timestamp required | integer <int64> Timestamp of the request |
| provider_data required | object Provider-specific authentication data (signature, wallet address, etc.) |
| permissions | Array of strings Requested permissions (optional) |
{- "auth_method": "near_wallet",
- "public_key": "string",
- "client_name": "string",
- "timestamp": 0,
- "provider_data": { },
- "permissions": [
- "string"
]
}{- "data": {
- "access_token": "string",
- "refresh_token": "string",
- "expires_in": 0
}
}Refreshes an expired access token using a refresh token.
| access_token required | string The expired access token |
| refresh_token required | string Refresh token to exchange for new access token |
{- "access_token": "string",
- "refresh_token": "string"
}{- "data": {
- "access_token": "string",
- "refresh_token": "string",
- "expires_in": 0
}
}Validates a JWT token. Designed for auth proxy use. Returns empty string on success (200 OK). Auth info in headers: X-Auth-User, X-Auth-Permissions. If response is not 401, the token is valid.
| Authorization required | string Bearer token to validate |
{- "error": "string"
}Validates a JWT token. Designed for auth proxy use. Returns empty string on success (200 OK). Auth info in headers: X-Auth-User, X-Auth-Permissions. If response is not 401, the token is valid.
| token required | string JWT token to validate |
{- "token": "string"
}{- "error": "string"
}Protected authentication endpoints (require JWT token). Available when embedded auth mode is enabled.
Lists all root keys associated with the authenticated user.
{- "data": [
- {
- "key_id": "string",
- "public_key": "string",
- "client_name": "string",
- "created_at": "2019-08-24T14:15:22Z",
- "permissions": [
- "string"
]
}
]
}Creates a new root key.
| public_key required | string Public key for the root key |
| client_name required | string Name of the client |
| permissions | Array of strings Permissions for the root key |
{- "public_key": "string",
- "client_name": "string",
- "permissions": [
- "string"
]
}{- "data": {
- "key_id": "string",
- "public_key": "string",
- "client_name": "string",
- "created_at": "2019-08-24T14:15:22Z",
- "permissions": [
- "string"
]
}
}{- "data": [
- {
- "key_id": "string",
- "root_key_id": "string",
- "context_id": "string",
- "context_identity": "string",
- "permissions": [
- "string"
], - "created_at": "2019-08-24T14:15:22Z"
}
]
}Generates a new client key with specified permissions and context associations.
| context_id required | string Context ID to associate with the client key |
| context_identity required | string Context identity for the client key |
| permissions required | Array of strings Permissions for the client key |
{- "context_id": "string",
- "context_identity": "string",
- "permissions": [
- "string"
]
}{- "data": {
- "key_id": "string",
- "root_key_id": "string",
- "context_id": "string",
- "context_identity": "string",
- "permissions": [
- "string"
], - "created_at": "2019-08-24T14:15:22Z"
}
}Updates the permissions for a specific key.
| key_id required | string |
| permissions required | Array of strings New permissions to set |
{- "permissions": [
- "string"
]
}{- "data": [
- "string"
]
}