Skip to content

Backend API

HomeHarbor.Api serves JSON APIs, WebDAV, and the release frontend static files. In development it also exposes OpenAPI.

Startup and Middleware

API startup:

  1. Reads HomeHarbor:* configuration.
  2. Optionally listens on a Unix socket from HomeHarbor:Api:UnixSocketPath.
  3. Configures Valkey-backed distributed cache, with an in-memory fallback only in Development when the configured Unix socket is unavailable.
  4. Registers the EF Core Npgsql HomeHarborDbContext.
  5. Configures JWT bearer auth, Basic Auth, and the authorization fallback policy.
  6. Registers CORS, controllers, OpenAPI, and core services.
  7. Creates the data root.
  8. Enables default files, static files, exception-to-JSON handling, CORS, the pre-storage request gate, auth, controllers, and SPA fallback.

Database migrations and automation-token generation are handled by the explicit migration command:

bash
dotnet run --project src/HomeHarbor.Api/HomeHarbor.Api.csproj -- database-migrate

Configuration Sections

SettingDefaultPurpose
HomeHarbor:Api:UnixSocketPathemptyOptional API Unix socket listener
HomeHarbor:Api:HttpUpstream127.0.0.1:5181TCP upstream used when no Unix socket is configured
HomeHarbor:Storage:DataRoot/homeharbor-dataFamily data root
HomeHarbor:Storage:MaxUploadBytes21474836480WebDAV upload limit
HomeHarbor:Database:ConnectionStringUnix socket PostgreSQLAPI database
HomeHarbor:Cache:UnixSocketPath/run/valkey/homeharbor.sockValkey Unix socket for distributed cache
HomeHarbor:Cache:InstanceNamehomeharbor:Distributed cache key prefix
HomeHarbor:Cache:OverviewTtlSeconds30Dashboard overview cache TTL
HomeHarbor:Jwt:IssuerHomeHarborJWT issuer
HomeHarbor:Jwt:AudienceHomeHarbor.FrontendJWT audience
HomeHarbor:Jwt:SigningKeyPath/var/lib/homeharbor/jwt-signing.keyLocal JWT signing key
HomeHarbor:Jwt:AccessTokenDays30User token lifetime
HomeHarbor:Automation:TokenPath/run/homeharbor/automation.jwtAutomation token output
HomeHarbor:Automation:TokenDays365Automation token lifetime
HomeHarbor:Runtime:RequestDirectory/run/homeharborRuntime request directory
HomeHarbor:Runtime:SmbCredentialDirectory/run/homeharbor/smb-credentialsSMB credential material
HomeHarbor:Runtime:DataUnlockMetadataPath/var/lib/homeharbor/security/data-unlock.jsonStorage unlock metadata
HomeHarbor:StorageOobe:StateDirectory/var/lib/homeharbor/storageStorage OOBE state directory
HomeHarbor:StorageOobe:OneShotPassphrasePath/run/homeharbor/storage-apply.passphraseOne-shot storage apply passphrase
HomeHarbor:StorageOobe:RequestPath/run/homeharbor/storage-apply.requestAgent storage apply request
HomeHarbor:StorageOobe:MinimumInstallableBytes34359738368Minimum installable storage target size
HomeHarbor:Frontend:AllowedOriginslocal Vite originsCORS origins for the frontend dev server

Development settings override the data root, database connection string, cache socket/key prefix, JWT key path, automation token path, and runtime directories to relative locations. In Development, if the configured Valkey socket is absent, the API logs a warning and uses in-memory distributed cache.

Before storage OOBE is ready, the pre-storage gate allows only /api/setup* and /api/system/health. Other /api and /dav requests return 503 with a setup hint.

Identity

POST /api/identity/login is anonymous. On success it returns a bearer token, expiration time, member, and family.

User token validation has two layers:

  • JWT issuer, audience, signature, and lifetime validation.
  • Database member session lookup, where the JWT jti hash must match the stored session token hash and the session must not be expired.

POST /api/identity/logout deletes the current session. GET /api/identity/session returns the current session.

Setup

Setup endpoints are anonymous because a first-boot device has no user yet:

  • GET /api/setup: initialization state, pairing information, and storage OOBE status.
  • GET /api/setup/pairing: create or read a pairing ticket.
  • GET /api/setup/pairing.svg: pairing QR SVG.
  • POST /api/setup: create the family, owner, device, initial WebDAV token, and recovery code after encrypted storage is ready.
  • GET /api/setup/storage/inventory: enumerate disks, mounts, explicit OOBE storage targets, and filesystem capabilities.
  • POST /api/setup/storage/recommendation: recommend a layout from the family usage profile.
  • POST /api/setup/storage/plan: generate a destructive storage plan with target kinds, filesystem, RAID mode/backend, resolved profile/layout metadata, warnings, and unlock mode.
  • POST /api/setup/storage/apply: confirm and apply a storage plan with a one-shot recovery passphrase.
  • GET /api/setup/storage/status: read apply status.

User Control APIs

After login, the frontend mainly uses these resources:

  • /api/home/overview
  • /api/family/members
  • /api/devices
  • /api/backups/*
  • /api/media/*
  • /api/remote/wireguard/*
  • /api/vault/items
  • /api/webdav-tokens
  • /api/smb/*
  • /api/apps/*
  • /api/containers
  • /api/networking/*
  • /api/ota/*
  • /api/security/policy
  • /api/storage/health
  • /api/sync/states

See API Routes for the complete route table.

Automation APIs

Automation endpoints only accept automation tokens. They are for appliance-internal services and should not be reused as ordinary user flows. The automation token is written by the database-migrate command to HomeHarbor:Automation:TokenPath.

EndpointConsumerPurpose
GET /api/networking/proxy/caddyfileHomeHarbor.Agent render-caddyfileRender a Caddyfile from reverse proxy routes
GET /api/smb/config/smb.confHomeHarbor.Agent apply-smbRender Samba configuration
GET /api/smb/reconcile/desiredSMB reconcileRead share/credential desired state
POST /api/smb/reconcile/resultSMB reconcileWrite runtime state back
GET /api/containers/reconcile/desiredcontainer reconcileRead desired containers
POST /api/containers/reconcile/resultcontainer reconcileWrite runtime state back
GET /api/apps/reconcile/desiredsystem app reconcileRead signed system app desired state
POST /api/apps/reconcile/resultsystem app reconcileWrite download/activation state back
POST /api/storage/health/checkstorage timer/serviceExecute a storage health check

WebDAV

WebDAV paths use:

text
/dav/{area}/{*path}

area maps to StorageArea: files, photos, or backups. Paths are validated for percent-encoding, normalized away from backslashes, rejected for ./.. and NUL bytes, and resolved with physical path containment checks.

WebDAV uses Basic Auth. Usernames and tokens come from setup or /api/webdav-tokens; token scope determines access.

Error Handling

Path-related InvalidOperationException becomes 400 JSON. UnauthorizedAccessException becomes 403 JSON. Authentication and authorization failures are handled by ASP.NET Core and return 401 or 403.

HomeHarbor appliance control plane documentation.