Server API Overview

The Toolshed API server is built with Hono and deployed to Vercel. All endpoints are under the /api base path.

Authentication

All routes require a Bearer token in the Authorization header, validated against the TOOLSHED_API_SECRET environment variable.

Authorization: Bearer <TOOLSHED_API_SECRET>

Exceptions (no auth required):

Group	Path prefix	Description	Status
Auth	`/api/auth`	OAuth2 login, callback, disconnect, list connections	Implemented
Tokens	`/api/tokens`	Vend short-lived access tokens for plugins	Implemented
Registry	`/api/registry`	Tool catalog, source registration, search	Implemented
Policy	`/api/policy`	Role management and access resolution	Stub
Audit	`/api/audit`	Audit trail for tool invocations	Stub
Elicitation	`/api/elicitation`	Pending approval storage and resolution	Stub

GET /api/health
→ { "ok": true }