API Server 
The API Server is the REST API gateway for k8shell. It is the single entry point for the k8shell CLI, the browser-based Console, and any external automation or integration. Incoming requests are authenticated, authorized, and routed to the appropriate backend service — Identity, Provisioner, Session, or k8shelld — over gRPC or NATS.
The diagram below shows the API Server's position in the overall platform architecture and its integration points.
The following outlines the key interaction patterns the API Server is involved in:
- CLI and Console access. The k8shell CLI and the browser-based Console communicate exclusively through the API Server for all platform operations.
- User onboarding. When a user is not yet known, the API Server initiates an OAuth web flow via Identity to onboard the user and create their account.
- Session storage. After authentication, the API Server retrieves the user's JWT from Identity and creates session memory in the NATS KV store for subsequent requests.
- Authorization. The API Server delegates policy evaluation to the Authz service to enforce access controls on every incoming request.
- Workspace provisioning. The API Server looks up available workspaces and forwards provisioning requests to the Provisioner, which creates or tears down workspace pods in Kubernetes.
- Session management. The API Server records active user sessions and retrieves previous sessions from the Session service for audit and resume workflows.
- Workspace connectivity. The API Server establishes a connection to the workspace's k8shelld daemon, translates WebSocket traffic from the downstream web app into k8shelld gRPC calls, and acts as a reverse proxy for HTTP access to apps running inside the workspace.
- In-workspace API calls. Processes running inside a workspace call the API Server directly for platform-aware operations, such as retrieving the user's previous sessions or invoking credential helper backends.
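The authenticate, authorize, then route order described above, as an added Go sketch that is not k8shell's own code. The `Sessions` map stands in for the session memory in the NATS KV store and the `Authz` function for the Authz service. Assumptions not taken from the page: the `X-Session` header, every type and function name, the status codes, and the choice to deny the request when Authz returns no decision.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Sessions and Authz are hypothetical stand-ins for the NATS KV session memory and the Authz service.
type Sessions map[string]string // session ID -> subject
type Authz func(subject, method, path string) (bool, error)

// Policy and Down are constructed: one rule for alice, and an unreachable Authz service.
func Policy(sub, method, path string) (bool, error) {
	return sub == "alice" && method == "GET" && path == "/workspaces", nil
}
func Down(string, string, string) (bool, error) { return false, fmt.Errorf("authz unavailable") }

// Gate authenticates, then authorizes, every request before it reaches a backend.
func Gate(s Sessions, authz Authz, backend http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sub, known := s[r.Header.Get("X-Session")] // hypothetical header name
		if !known {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		switch ok, err := authz(sub, r.Method, r.URL.Path); {
		case err != nil: // assumption: fail closed, no decision means no access
			http.Error(w, "authz unavailable", http.StatusServiceUnavailable)
		case !ok:
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			backend.ServeHTTP(w, r)
		}
	})
}

// Status sends one constructed request through the gate and returns the HTTP status.
func Status(authz Authz, session, path string) int {
	req := httptest.NewRequest("GET", path, nil)
	req.Header.Set("X-Session", session)
	rec := httptest.NewRecorder()
	backend := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // replies 200
	Gate(Sessions{"s1": "alice"}, authz, backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(Status(Policy, "s1", "/workspaces"), Status(Down, "s1", "/workspaces"))
}
```

Because the gate wraps the backend handler, a request with a valid session still gets no access when the policy check fails or cannot be completed.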