Music Hub API Reference for Agents
Current reality for automation against the desktop hub.
Defaults
- Base URL:
http://localhost:38472 - Dev URL:
http://localhost:38473 - Protocol: REST + SSE
- Format: JSON
Trust and auth
Agents must not assume LAN access is anonymous anymore.
- Loopback calls are privileged local calls.
- Remote or proxied calls require either:
- bearer tokens from
/api/auth/pairand/api/auth/refresh, or MUSIC_HUB_API_TOKEN
- bearer tokens from
Public unauthenticated routes are intentionally small:
GET /api/pingGET /api/infoPOST /api/auth/pairPOST /api/auth/refresh- share bootstrap routes
- share heartbeat
Fast start
curl http://localhost:38472/api/ping
curl http://localhost:38472/api/infoIf the hub reports a non-healthy databaseHealth.status, expect most /api/* routes to return 503 database_unavailable.
Pairing flow
1. Arm pairing locally
curl -X POST http://localhost:38472/api/auth/arm \
-H 'Content-Type: application/json' \
-d '{"minutes":30}'2. Exchange pairing code for tokens
curl -X POST http://localhost:38472/api/auth/pair \
-H 'Content-Type: application/json' \
-d '{"pairingCode":"abc123","deviceId":"agent-1","deviceName":"automation"}'3. Use the access token
curl http://localhost:38472/api/tracks?limit=5 \
-H "Authorization: Bearer $ACCESS_TOKEN"4. Refresh when needed
curl -X POST http://localhost:38472/api/auth/refresh \
-H 'Content-Type: application/json' \
-d '{"deviceId":"agent-1","refreshToken":"..."}'Useful read endpoints
GET /api/library/statsGET /api/library/filtersGET /api/tracksGET /api/track/:idGET /api/albumsGET /api/album/:idGET /api/artistsGET /api/artist/:idGET /api/search?q=...GET /api/playlistsGET /api/playlists/:idGET /api/playback/sessionGET /api/search/historyGET /api/savedGET /api/browse
Useful write endpoints
PUT /api/playback/sessionPOST /api/playback/history/backPOST /api/media/sessionPOST /api/playlistsPOST /api/playlists/:id/tracksPUT /api/tracks/:id/metadata/overridesPOST /api/tracks/:id/enrichment/apply
Share-specific public routes
These are safe public entrypoints for browser share pages and bots:
GET /api/share/playlist/:id/bootstrapGET /api/share/artist/:id/bootstrapGET /api/share/album/:id/bootstrapGET /api/share/track/:id/bootstrapPOST /api/share/session/heartbeat
The bootstrap response includes shareSessionId and mediaToken. Treat both as short-lived.
SSE feeds
GET /api/scan/progressGET /api/library/events
Local-only admin routes
Only call these from the desktop host itself:
GET /api/auth/statusPOST /api/auth/armGET /api/connect/qrGET /api/tunnel/qrPOST /api/database/rebuild
Recovery note
If the hub is faulted, prefer:
curl http://localhost:38472/api/info
curl -X POST http://localhost:38472/api/database/rebuildDo not script destructive DB deletion as the first response. The current runtime preserves and archives faulted DBs deliberately.