The HTTP Transport Layer in Palyra provides the primary surface for the Web Console, administrative operations, and sandboxed Canvas interactions. Built on the axum framework, it manages three distinct API namespaces, implements critical security middleware (CSRF, Rate Limiting, Session Management), and serves the compiled React frontend.

Core Router Architecture

The central entry point for the HTTP server is the build_router function. It organizes the system into hierarchical route groups, each with specialized middleware stacks.
| API Surface | Path Prefix | Purpose |
| --- | --- | --- |
| Admin | /admin/v1 | Low-level system diagnostics, journal inspection, and manual run management. |
| Console | /console/v1 | Backend for the React Web Console (Sessions, Agents, Auth, Settings). |
| Canvas | /canvas/v1 | Sandboxed environment for agent-generated UI components (A2UI). |
| Health | /healthz | Liveness and readiness probes. |
| Web UI | / | Static file serving for the React dashboard. |

Diagram: HTTP Request Flow and Routing

Sources: crates/palyra-daemon/src/transport/http/router.rs#17-300, crates/palyra-daemon/src/transport/http/middleware.rs#28-107

API Surface Areas

1. Admin API (/admin/v1)

The Admin API is designed for operators and automated scripts. It provides access to the JournalStore and orchestration state.

2. Console API (/console/v1)

The Console API powers the React-based management interface. It relies heavily on session-based authentication and CSRF protection.

3. Canvas API (/canvas/v1)

The Canvas API provides the backend for the “Agent-to-User Interface” (A2UI). It serves assets and state to sandboxed iframes.

Sources: crates/palyra-daemon/src/transport/http/router.rs#18-240, crates/palyra-daemon/src/transport/http/handlers/console/mod.rs#1-28

Security Middleware and Authentication

The HTTP layer enforces security through a multi-layered middleware approach.
| Middleware | File Reference | Functionality |
| --- | --- | --- |
| CSRF Protection | middleware.rs | Enforced via console_session_cookie_refresh_middleware, which validates and rotates session tokens (crates/palyra-daemon/src/transport/http/middleware.rs#87-107). |
| Rate Limiting | middleware.rs | admin_rate_limit_middleware tracks IP buckets using Instant to enforce request quotas (crates/palyra-daemon/src/transport/http/middleware.rs#172-204). |
| Security Headers | middleware.rs | apply_admin_console_security_headers injects no-store, nosniff, and frame-ancestors 'none' (crates/palyra-daemon/src/transport/http/middleware.rs#37-52). |
| Observability | middleware.rs | console_observability_middleware records all mutations (POST/PUT/DELETE) into the ObservabilityState (crates/palyra-daemon/src/transport/http/middleware.rs#54-85). |

Diagram: Authentication and Session Issuance

Sources: crates/palyra-daemon/src/transport/http/handlers/console/auth.rs#19-111, crates/palyra-daemon/src/transport/http/middleware.rs#99-107
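
The per-IP bucket approach from the Rate Limiting row, written out as an added example; it is not Palyra's own admin_rate_limit_middleware. The IpRateLimiter type, the fixed-window policy and the cap on tracked addresses are assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::net::IpAddr;
use std::time::{Duration, Instant};

// Hypothetical types for illustration; not Palyra's admin_rate_limit_middleware.
struct Bucket { window_start: Instant, hits: u32 }

pub struct IpRateLimiter {
    max_hits: u32,      // quota per window, per client IP
    window: Duration,
    max_buckets: usize, // cap on tracked IPs (assumed policy)
    buckets: HashMap<IpAddr, Bucket>,
}

impl IpRateLimiter {
    pub fn new(max_hits: u32, window: Duration, max_buckets: usize) -> Self {
        Self { max_hits, window, max_buckets, buckets: HashMap::new() }
    }
    pub fn tracked(&self) -> usize { self.buckets.len() }
    /// True when the request may proceed; false maps to HTTP 429.
    /// `now` is a parameter so the window logic is testable without sleeping.
    pub fn check(&mut self, ip: IpAddr, now: Instant) -> bool {
        let window = self.window;
        // Evict expired buckets before admitting a new key, so a flood of
        // distinct source addresses cannot grow the map without limit.
        if !self.buckets.contains_key(&ip) && self.buckets.len() >= self.max_buckets {
            self.buckets.retain(|_, b| now.saturating_duration_since(b.window_start) < window);
            if self.buckets.len() >= self.max_buckets {
                return false; // table still full: refuse rather than track more
            }
        }
        let b = self.buckets.entry(ip).or_insert(Bucket { window_start: now, hits: 0 });
        if now.saturating_duration_since(b.window_start) >= window {
            *b = Bucket { window_start: now, hits: 0 }; // window elapsed: reset
        }
        if b.hits >= self.max_hits {
            return false; // quota exhausted for this IP
        }
        b.hits += 1;
        true
    }
}

fn main() {
    let mut rl = IpRateLimiter::new(2, Duration::from_secs(1), 1024);
    let (ip, t0) = (IpAddr::from([203, 0, 113, 7]), Instant::now()); // constructed address
    let verdicts: Vec<bool> = (0..3).map(|_| rl.check(ip, t0)).collect();
    println!("{:?} tracked={}", verdicts, rl.tracked());
}
```

When the server sits behind a reverse proxy, the bucket key has to be the real client address taken from a trusted source; otherwise every client shares the proxy's bucket.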

Web UI Serving

The web_ui_entry_handler is responsible for serving the React application. It supports multiple resolution strategies to find the dashboard assets, prioritized as follows:
  1. PALYRA_WEB_DIST_DIR environment variable (crates/palyra-daemon/src/transport/http/handlers/web_ui.rs#13-13).
  2. Colocated web/ directory relative to the executable (crates/palyra-daemon/src/transport/http/handlers/web_ui.rs#135-135).
  3. Development path apps/web/dist within the repository structure (crates/palyra-daemon/src/transport/http/handlers/web_ui.rs#138-138).

The handler implements a “Single Page Application” (SPA) fallback: if a requested path does not exist as a file and lacks a file extension, it serves index.html to allow client-side routing (crates/palyra-daemon/src/transport/http/handlers/web_ui.rs#187-192).

Sources: crates/palyra-daemon/src/transport/http/handlers/web_ui.rs#16-34, crates/palyra-daemon/src/transport/http/handlers/web_ui.rs#125-148