API Reference

Mezite exposes two API surfaces for programmatic access to the SSH platform.

gRPC API (Auth Service)

The auth service listens on port 3025 and exposes a gRPC API defined in proto/v1/auth.proto. This is the primary API used by all Mezite components (agents, CLI tools, and the web UI) to authenticate, manage resources, and emit audit events.

See the gRPC API reference for the full list of RPCs.

Web / REST API (Proxy Service)

The proxy service listens on port 3080 (HTTPS) and provides a REST-style JSON API under /v1/webapi/. This API powers the web UI and can be used for lightweight integrations that do not require a gRPC client.

See the Web API reference for available endpoints.

Authentication

Both APIs are session-based. Call AuthenticateLocal over gRPC, or POST /v1/webapi/login over HTTPS, to exchange a username and password for a session ID. The web endpoint also sets a mezite_session cookie used by the browser SPA; CLI clients pass the same session ID in an Authorization: Bearer <session_id> header. Once authenticated, call IssueUserCerts over gRPC to receive short-lived SSH certificates for subsequent SSH connections.

Agents authenticate to gRPC via mTLS with certificates issued by the host CA at registration time; admin clients use a session bearer token. gRPC transport TLS is required in production (TLS 1.3 minimum) and the auth interceptor enforces per-RPC role checks — see server/auth/grpc_auth.go for the unauthenticated and admin-only method lists.