API Reference
Developer Reference
This page covers internal implementation details. It is not included in the User Guide.
Escher exposes two internal REST APIs. There is no public-facing API for end users — all interaction goes through the desktop app UI or the ADK CLI.
Services
| Service | Base URL | Purpose |
|---|---|---|
| Context Engine | http://context-engine:8001 | Server-side knowledge resolution — skills, agents, tools, guardrails |
| Analysis Agent | http://analysis-agent:8081 | Infrastructure Q&A over estate context, streamed via SSE |
Who calls what
| Caller | API | When |
|---|---|---|
ADK (adk register) | Context Engine /register/* | At agent package registration time |
| Platform Framework (Gateway) | Context Engine /resolve/* | On every request, at Phase 2C |
| Platform Framework (Agents) | Analysis Agent POST /analyze | When target = "H" |
| Health checks / monitoring | Both /health | Deployment health monitoring |
Authentication
Both APIs use internal network isolation as the security boundary — no service-to-service bearer tokens. In production (ECS), services communicate over a private VPC subnet via AWS Cloud Map DNS (*.escher.internal). Access is controlled at the ECS task security group level.
For end-user authentication, the ALB Cognito listener rule validates JWT tokens before traffic reaches Gateway. See Authentication for full details.
No public API
Escher does not expose a public REST API for end users. All user-facing operations are:
- Through the desktop app UI (Tauri)
- Through the ADK CLI for agent authors
Next steps
- Context Engine API — Full endpoint reference
- Analysis Agent API — Q&A endpoint reference