HTTP API Overview

Monibuca V6 provides APIs through a built-in shared HTTP server. All plugin HTTP endpoints are registered on the same server and differentiated by route prefixes.

Server Address

The default listening address is :8080, which can be changed via configuration:

http:
  listen: ":8080"
  cors: true

Route Prefix Categories

All APIs are organized by functional modules with different route prefixes:

Core API

Prefix	Module	Description
`/api/`	Engine Core	Stream management, system info, plugin management
`/config/`	Configuration	Config read/write, schema query, hot reload

Protocol API

Prefix	Plugin	Description
`/rtmp/`	RTMP	RTMP connection management
`/rtsp/`	RTSP	RTSP session management
`/flv/`	HTTP-FLV	FLV streaming endpoint
`/hls/`	HLS	HLS playlist and segments
`/webrtc/`	WebRTC	WHIP/WHEP signaling endpoint
`/srt/`	SRT	SRT connection management
`/webtransport/`	WebTransport	WebTransport sessions
`/gb28181/`	GB28181	Device management and control

Utility API

Prefix	Plugin	Description
`/mp4/`	MP4 Recording	Recording control and VOD
`/snap/`	Snapshot Service	Snapshots and MJPEG
`/transcode/api/`	Audio Transcoding	Transcoding task management
`/cluster/`	Cluster	Cluster status and node management

Room API

Prefix	Service/Plugin	Description
`/room/`	Room Service	Room management
`/room_report/`	Room Reporting	Room statistics data
`/live/`	Live Plugin	Live room management
`/meeting/api/`	Meeting Plugin	Meeting room REST (rooms, reservations, templates, …)

Meeting REST

This section documents the Meeting plugin HTTP API and is kept in sync with section 14.2 Meeting in the repository root docs/http-api.md. When routes change, update both places so this page and the repo-side doc stay aligned.

Like other plugins, Meeting REST is mounted under {plugin}/api, i.e. /meeting/api. After the engine registers the meeting/api prefix, the handler sees sub-paths such as /rooms, /reservations, etc. (same pattern as gb28181/api, /users/api, …).

Route prefix

Prefix	Purpose	Handler
`/meeting/api`	Meeting room REST	MeetingApiHandler

Full paths (client requests)

Method	Path	Description
GET	`/meeting/api/rooms`	List meeting rooms
POST	`/meeting/api/rooms`	Create room (JSON body: `room_id`)
GET	`/meeting/api/rooms/{room_id}`	Room summary; legacy alias `GET /meeting/api/room/{room_id}`
DELETE	`/meeting/api/rooms/{room_id}`	Delete room
GET	`/meeting/api/rooms/{room_id}/users`	Users in room
POST	`/meeting/api/rooms/{room_id}/lock`	Lock room
POST	`/meeting/api/rooms/{room_id}/unlock`	Unlock room
POST	`/meeting/api/control/mute`	Chat mute (JSON: `room_id`, `user_id`)
POST	`/meeting/api/control/unmute`	Remove chat mute
POST	`/meeting/api/control/kick`	Remove user from room
GET	`/meeting/api/stats`	Meeting statistics
GET	`/meeting/api/features`	Registered feature metadata
GET	`/meeting/api/reservations`	List reservations
POST	`/meeting/api/reservations`	Create reservation
GET	`/meeting/api/templates`	List templates
POST	`/meeting/api/templates`	Create template
PUT	`/meeting/api/templates/{id}`	Update template
DELETE	`/meeting/api/templates/{id}`	Delete template
GET	`/meeting/api/recordings`	Recording catalog (may be empty until persistence is wired)
GET	`/meeting/api/recordings/{id}/play`	Play URL (404 if not found)
GET	`/meeting/api/recordings/{id}/download`	Download
DELETE	`/meeting/api/recordings/{id}`	Delete recording

Note: Agenda, transcription, and in-session control are primarily WebSocket (/room/{room_id}?type=meeting). Do not use the legacy /room/meeting/... prefix for Meeting REST. For concepts and signaling, see the Meeting Room plugin page.

Common Request Conventions

Request Format

Content-Type: application/json (for POST/PUT requests)
Character encoding: UTF-8
URL encoding: Special characters in paths use standard URL encoding

Common Response Format

Most APIs return a unified JSON structure:

{
  "code": 0,
  "message": "success",
  "data": { ... }
}

Field	Type	Description
`code`	int	Status code, `0` indicates success
`message`	string	Status description
`data`	object	Response data (optional)

HTTP Status Codes

Status Code	Description
`200`	Request successful
`400`	Invalid request parameters
`401`	Unauthorized (authentication required)
`403`	Forbidden
`404`	Resource not found
`500`	Internal server error
`501`	Not implemented
`503`	Service unavailable

Authentication

Monibuca V6 supports API authentication via JWT (JSON Web Token).

Enable Authentication

auth:
  enabled: true
  secret: "your-jwt-secret-key"
  expire: 86400              # Token validity period (seconds)
  exclude:                   # Paths exempt from authentication
    - "/api/login"
    - "/flv/"
    - "/hls/"

Obtain Token

POST /api/login
Content-Type: application/json

{
  "username": "admin",
  "password": "password"
}

Response:

{
  "code": 0,
  "token": "eyJhbGciOiJIUzI1NiIs..."
}

Use Token

Include the token in subsequent request headers:

GET /api/streams
Authorization: Bearer eyJhbGciOiJIUzI1NiIs...

Auth Secret API

Generates v5-compatible stream auth signatures (secret + expire):

GET /api/secret/{publish|subscribe}/{streamPath...}?expire=<hex>&plugin=<pluginName>

type: publish or subscribe
streamPath: stream path (URL-encoded supported)
expire: optional hex Unix timestamp; defaults to now + 30 minutes
plugin: optional plugin name; default global

Response example:

{
  "code": 0,
  "message": "success",
  "data": {
    "type": "publish",
    "plugin": "rtmp",
    "streamPath": "live/test",
    "expire": "6610f4a0",
    "secret": "0123456789abcdef0123456789abcdef"
  }
}

CORS Support

CORS is enabled by default, allowing cross-origin access. It can be configured:

http:
  cors: true
  cors_origins:
    - "http://localhost:3000"
    - "https://your-domain.com"

Meeting REST — Full Meeting plugin route table (aligned with docs/http-api.md §14.2)
Stream Management API — Stream listing, details, and control
Configuration Management API — Configuration read/write and hot reload
GB28181 API — GB/T 28181 device management and control
Advanced: Stream Authentication — algorithm, custom handler, and signing endpoint