API Overview
ADP exposes three API domains over HTTP: Debug (stored debug entries), Inspector (live application state), and Ingestion (external data intake).
Base URLs
| Domain | Base Path | Purpose |
|---|---|---|
| Debug | /debug/api | Access stored debug entries and SSE stream |
| Inspector | /inspect/api | Query live application state (routes, config, database, files) |
| Ingestion | /debug/api/ingest | Accept debug data from external applications |
Response Format
All responses (except SSE and MCP) are wrapped in a standard envelope:
json
{
"id": "debug-entry-id",
"data": { ... },
"error": null,
"success": true
}On error, success is false, error contains the error message, and data is null.
Middleware Chain
Every API request passes through:
- CorsMiddleware
AppDevPanel\Api\Middleware\CorsMiddlewareCors HTTP middleware. -- adds permissive CORS headers - IpFilterMiddleware
AppDevPanel\Api\Middleware\IpFilterMiddlewareIp Filter HTTP middleware. -- validates request IP against allowed IPs (default:127.0.0.1,::1) - TokenAuthMiddleware
AppDevPanel\Api\Debug\Middleware\TokenAuthMiddlewareToken Auth HTTP middleware. -- optional token-based authentication - ResponseDataWrapper
AppDevPanel\Api\Debug\Middleware\ResponseDataWrapperClass ResponseDataWrapper. -- wraps responses in the standard envelope
Inspector endpoints additionally pass through:
- InspectorProxyMiddleware
AppDevPanel\Api\Inspector\Middleware\InspectorProxyMiddlewareInspector Proxy HTTP middleware. -- routes?service=<name>requests to registered external services
Authentication
By default, the API is restricted to localhost via IP filtering. An optional auth_token can be configured for additional security.