Developers
Build on G8.
Every flow you can run in the workspace, you can run from code. A Bearer-authenticated REST API, an MCP endpoint for agents, and HMAC-signed webhooks for everything that happens.
API-key auth
Authenticate with Authorization: Bearer g8_live_…. Keys are scoped and shown once at creation. A missing or invalid key returns 401.
REST API
JSON over /api/v1: list flows, trigger runs, and read executions with per-step status and timing.
MCP endpoint
POST /api/mcp speaks tools/list and tools/call so agents can operate G8 directly.
Outbound webhooks
Subscribe to events and verify each delivery with the x-g8-signature HMAC-SHA256 header.
01 / REST API
The REST API
The API lives under /api/v1 and is scoped to the workspace that owns the key. Every response is JSON, wrapped in a data field.
List flows — GET /api/v1/flows
Requires the flows:read scope.
curl https://your-g8-domain.com/api/v1/flows \
-H "Authorization: Bearer g8_live_xxxxxxxxxxxxxxxxxxxxxxxx"
Trigger a run — POST /api/v1/flows/{flowId}/runs
Requires flows:run. Returns 202 with the new executionId. Pass an Idempotency-Key header to make a retried trigger safe, or {"mode":"simulation"} to dry-run.
curl -X POST https://your-g8-domain.com/api/v1/flows/FLOW_ID/runs \
-H "Authorization: Bearer g8_live_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{"payload":"hello"}'
Get an execution — GET /api/v1/executions/{id}
Requires executions:read. Returns the run’s status, mode, trigger, and an array of steps with status, duration, and any error.
curl https://your-g8-domain.com/api/v1/executions/EXECUTION_ID \
-H "Authorization: Bearer g8_live_xxxxxxxxxxxxxxxxxxxxxxxx"
02 / MCP
The MCP endpoint
POST /api/mcp exposes G8’s core nouns as MCP-style tools, so an agent can discover and call them. It requires the mcp scope.
List the available tools
curl -X POST https://your-g8-domain.com/api/mcp \
-H "Authorization: Bearer g8_live_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{"method":"tools/list"}'
Call a tool
curl -X POST https://your-g8-domain.com/api/mcp \
-H "Authorization: Bearer g8_live_xxxxxxxxxxxxxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{"method":"tools/call","name":"trigger_run","arguments":{"flowId":"FLOW_ID"}}'
The catalog:
- list_flows — flows in the workspace with status and mode.
- get_flow — a flow’s blueprint summary, compiled steps, and latest execution.
- trigger_run — start a live run; returns the execution id and status.
- get_execution — one execution with per-step status, output, and timing.
03 / Webhooks
Outbound webhooks
Register an endpoint and G8 will POST a JSON envelope when subscribed events fire. Available events are run.completed, run.failed, and approval.needed.
Every delivery includes an x-g8-signature header — the hex HMAC-SHA256 digest of the raw request body, keyed by your per-endpoint secret. Verify it before trusting the payload:
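import crypto from "node:crypto";
// rawBody is the exact bytes G8 POSTed; secret is your endpoint secret.
function verify(rawBody, signatureHeader, secret) {
  // Reject a delivery that carries no signature header at all.
  if (typeof signatureHeader !== "string") return false;
  const expected = Buffer.from(
    crypto.createHmac("sha256", secret).update(rawBody).digest("hex"),
  );
  const given = Buffer.from(signatureHeader);
  // timingSafeEqual throws when the lengths differ, so check length first.
  return (
    given.length === expected.length &&
    crypto.timingSafeEqual(given, expected)
  );
}
// Express handler:
// verify(req.rawBody, req.headers["x-g8-signature"], secret)
// Express does not set req.rawBody by default; capture the raw bytes in your body parser.
Manage endpoints, rotate secrets, and send a test delivery from your developer console.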
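A receiver built around the verification step above, as an added example that is not G8's own code: it buffers the exact bytes of the request, checks x-g8-signature over them, and parses JSON only afterwards. The "event" field name in the envelope, the response status codes, the 1 MiB body cap, and the sample secret and payload are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");
const http = require("node:http");

const EVENTS = new Set(["run.completed", "run.failed", "approval.needed"]);
const MAX_BODY = 1024 * 1024; // assumed cap; the page states no size limit

function signatureOk(rawBody, header, secret) {
  if (typeof header !== "string") return false; // header absent
  const expected = Buffer.from(
    crypto.createHmac("sha256", secret).update(rawBody).digest("hex"));
  const given = Buffer.from(header);
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Decide the HTTP status for one delivery. JSON is parsed only after the MAC
// over the untouched request bytes has checked out.
function handleDelivery(rawBody, headers, secret) {
  if (!signatureOk(rawBody, headers["x-g8-signature"], secret)) return { status: 401 };
  let envelope;
  try { envelope = JSON.parse(rawBody.toString("utf8")); } catch { return { status: 400 }; }
  // Assumption: the envelope names its event in an "event" field.
  if (envelope === null || !EVENTS.has(envelope.event)) return { status: 422 };
  return { status: 204, event: envelope.event };
}

// Receiver that buffers the bytes as sent, never a re-serialized object.
function createReceiver(secret) {
  return http.createServer((req, res) => {
    const chunks = [];
    let size = 0;
    req.on("data", (c) => {
      size += c.length;
      if (size > MAX_BODY) return req.destroy(); // drop oversized bodies
      chunks.push(c);
    });
    req.on("end", () => {
      const { status } = handleDelivery(Buffer.concat(chunks), req.headers, secret);
      res.writeHead(status).end();
    });
  });
}

// Constructed sample delivery (not captured G8 traffic).
const SECRET = "constructed-endpoint-secret";
const SAMPLE = Buffer.from('{"event":"run.completed","executionId":"EXECUTION_ID"}');
const SAMPLE_SIG = crypto.createHmac("sha256", SECRET).update(SAMPLE).digest("hex");
```

Start it with createReceiver(secret).listen(port). A body that was parsed and re-serialized before hashing no longer matches the signature, which is why the handler works on the buffered bytes.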
Get a key and make your first call.
Create a scoped API key in the developer console, then list your flows in one curl.
Open the developer console