EdgeletAPI v1
The EdgeletAPI is the on-device operator API exposed by the Edgelet daemon. The edgelet CLI is a thin transport client over this API. It does not implement daemon runtime logic.
Remote Controller REST lives at /api/v3/... on your controllerUrl. EdgeletAPI is localhost-only administration under /v1/....
Browse the full OpenAPI spec on this site: API reference.
Base URL and transport
| Transport | URL | Notes |
|---|---|---|
| HTTPS (default) | https://127.0.0.1:54321 | TLS required; trust /etc/edgelet/edgeletapi-ca.crt |
| Unix socket | http+unix:///run/edgelet/edgelet.sock | Same router as HTTPS; preferred for CLI on-node |
| WebSocket | wss://127.0.0.1:54321 | Log stream, exec attach, microservice control channel |
TLS server name (SNI): edgelet.default.svc.bridge.local.
Both HTTPS and Unix socket listeners share the same route table and middleware.
Unauthenticated probes
These routes skip JWT auth (for orchestrators and monitoring):
| Route | Purpose |
|---|---|
GET /health/live | Process liveness |
GET /health/ready | Readiness (daemon modules up) |
GET /metrics | Prometheus metrics |
Authentication
Send the bearer token from /etc/edgelet/edgelet-api:
TOKEN=$(sudo cat /etc/edgelet/edgelet-api)
curl -sk --cacert /etc/edgelet/edgeletapi-ca.crt \
-H "Authorization: Bearer ${TOKEN}" \
https://127.0.0.1:54321/v1/system/status
JWT modes
| Edgelet node state | Token policy |
|---|---|
| Unprovisioned (bootstrap) | Unsigned bootstrap JWT accepted on all EdgeletAPI routes |
| Provisioned | Unsigned JWT rejected; signed Ed25519 JWT required |
| Deprovisioned | Reverts to bootstrap mode |
CLI admin tokens use claim tokenUse: edgeletapi and audience aud: edgelet://edgeletapi/v1.
Service account and microservice workload tokens carry additional claims (for example iofog.org.microservice.uuid for self-scoped routes). Use GET /v1/auth/whoami to inspect the caller identity.
Authorization (RBAC)
Authorization is deny-by-default. Every /v1/... route must be mapped to an RBAC resource and verb; unmapped routes return 403 FORBIDDEN.
| HTTP method | RBAC verb |
|---|---|
GET | get |
POST | create |
PATCH, PUT | update |
DELETE | delete |
Local admin tokens typically carry broad rules such as system:localadmin:*. Microservice self routes (/v1/microservices/config, /v1/microservices/control) bind identity from the JWT claim iofog.org.microservice.uuid.
Response envelope
Successful responses:
{
"success": true,
"data": { }
}
Errors:
{
"success": false,
"error": {
"code": "INVALID_ARGUMENT",
"message": "human-readable detail",
"details": { }
}
}
Long-running applies (ControlPlane, RuntimeClass, some image pulls) may return HTTP 202 with an operationId. Poll status endpoints (for example GET /v1/deploy/controlplane:apply/{operationId}). Terminal failure on a known operation still returns HTTP 200 with success=true and data.status=failed plus nested data.error.
Error codes
| Code | Meaning |
|---|---|
INVALID_ARGUMENT | Malformed payload, unsupported field/value, validation error |
UNAUTHORIZED | Missing or invalid authentication token |
FORBIDDEN | Authenticated but RBAC denied |
NOT_FOUND | Requested resource does not exist |
CONFLICT | State conflict prevents the operation |
NOT_IMPLEMENTED | Endpoint or operation not implemented |
EXEC_START_TIMEOUT | Local exec shell did not start within 15s (HTTP 504) |
INTERNAL | Unexpected server-side failure |
| Error code | CLI exit code |
|---|---|
INVALID_ARGUMENT | 2 |
UNAUTHORIZED, FORBIDDEN | 3 |
NOT_FOUND | 4 |
CONFLICT | 5 |
NOT_IMPLEMENTED | 6 |
| All others | 1 |
Daemon unreachable (connection failure) uses exit code 10 (not an API error code).
RuntimeClass endpoints require full linux build flavor and containerEngine=edgelet. Other combinations return HTTP 400 with INVALID_ARGUMENT.
Route groups
/v1/system/*
Daemon administration: status, info, version, provision/deprovision, config get/patch/switch, reload, stop, prune, GPS, controller certificate upload, controller connection status, ControlPlane get/restart/delete, daemon logs (HTTP and :stream WebSocket).
Notable behaviors:
POST /v1/system/reload- SIGHUP-style config reload; rejected changes do not mutate on-disk configPOST /v1/system/provision/DELETE /v1/system/provision- Edgelet node lifecycle; affects JWT modeGET /v1/system/controlplane- local Controller deployment status (see Control plane on node)POST /v1/system/controlplane/restart- bounce the controller container; optional?pull=true