Run a published automation
The product’s single callable endpoint per automation (docs/10 §7.3): POST /v1/run/:flow where :flow is the automation’s name. The handler, in order: (1) an optional pre-auth, IP-scoped rate limit; (2) bearer auth resolves the key’s org; (3) a per-org rate limit (every response carries X-RateLimit-*); (4) org ownership — the org must own a non-draft automation named :flow, AND the key’s scope (if scoped) must allow it — an out-of-scope call gets the SAME 403 forbidden as a missing/draft automation, so scope can’t be probed by response shape; (5) resolves the live digest via the org’s active rest deploy and the FlowSpec by that digest; (6) the test/live boundary — a jbt_test_* key is REJECTED with 403 test_key_forbidden if the automation declares ANY secret-typed input, even if that input isn’t supplied; (7) validates { inputs } against the published input contract (400 invalid_inputs); (8) dispatches — SYNC mode runs inline and returns the completed result; QUEUE mode (JT_RUN_DISPATCH=queue) enqueues and returns {status:"queued"} immediately, pollable via GET /api/runs/:id.
承認
An org-scoped API key, format jbt_live_<rand> or jbt_test_<rand> (packages/service/src/auth.ts's issueApiKey). Minted via POST /api/keys; the plaintext is shown exactly once. Two boundaries are enforced on every call: (1) test/live — a jbt_test_* key is rejected with 403 test_key_forbidden on any automation that declares a secret-typed input, even unsupplied; only a jbt_live_* key can exercise production credentials. (2) per-key scope — an optional automation-name allowlist set at mint time; an unscoped key (the default) reaches every published automation in its org. Used ONLY on POST /v1/run/:flow and POST /mcp — every other route uses cookieAuth.
パスパラメータ
The automation's name — the URL-safe slug chosen at creation, e.g. get-order-status.
ボディ
The automation's typed, non-secret inputs, wrapped in { inputs }. An empty/absent body is the no-inputs shorthand. Secret-typed slots are never supplied here — they are resolved server-side from the caller's org secret store.
The automation's typed, non-secret inputs by name.
レスポンス
The run's result — either a completed run (sync dispatch) or a queued acknowledgment (queue dispatch). Both are HTTP 200; discriminate on status.
- Option 1
- Option 2
A synchronous run's result.
The engine Run id.
pending, running, succeeded, failed, canceled The automation's output, or null until/unless the run succeeds.
Present only when status === "failed" — the terminal error projected from the journal's last step_failed entry.