Rensei docs
API ReferenceWorker Protocol

List daemon mutation history for a host

List daemon mutation history for a host - Rensei REST API operation reference.

GET
/api/daemon/mutations

Authorization

rsk_Bearer
AuthorizationBearer <token>

Rensei API key. Format: rsk_live_<random>. Generated in Settings or via POST /api/org/{orgId}/keys. Used by CLI (af), daemon, and programmatic integrations.

In: header

Query Parameters

workerHostId*string

Worker host ID (must belong to the caller's org).

limit?integer
Default100
Range1 <= value <= 500

Response Body

application/json

application/json

application/json

application/json

curl -X GET "https://example.com/api/daemon/mutations?workerHostId=string"
{
  "mutations": [
    {
      "id": "string",
      "orgId": "string",
      "workerHostId": "string",
      "op": "project.add",
      "params": {},
      "status": "pending",
      "requestedBy": "string",
      "deliveredAt": "2019-08-24T14:15:22Z",
      "cancelledAt": "2019-08-24T14:15:22Z",
      "createdAt": "2019-08-24T14:15:22Z"
    }
  ]
}
{
  "error": "Session not found"
}
{
  "error": "Session not found"
}
{
  "error": "Session not found"
}

Trigger credential rotation fan-out

Called by the operator (CLI or admin UI) after rotating an upstream credential (Vault, 1Password, encrypted DB row, …). Re-resolves the `(orgId, kind)` tuple via the credential provider registry and fans the fresh value out to every live `rotate-stream` SSE subscriber for that org. Zero live subscribers is not an error. Auth: `Bearer rsk_*` via `getCliOrSessionAuth`. The `orgId` in the body must match the authenticated org. For `session` / `user_token` auth the caller must have `admin` or `owner` role; for `api_key` auth the cross-tenant guard is sufficient. The audit write is deferred (`after()`) and failures are non-fatal - the fan-out already fired.

Enqueue a daemon-config mutation

Enqueues a configuration mutation for delivery to a specific daemon host on its next heartbeat. Supported ops: - `project.add` - add project to daemon allowlist - `project.remove` - remove project from allowlist - `pool.deleted` - notify daemon of a deleted resource pool - `modelAccess.set` - write a machine-scoped model-access policy - `modelAccess.clear` - clear a workload-specific access policy Requires org admin/owner role. The cancel window closes as soon as the daemon's next heartbeat stamps `deliveredAt`.