Workspace Internal API

The Workspace Internal API is the HTTP server running inside each workspace on port 9990. It exposes file operations, search, terminal sessions, and command execution - everything needed to interact with a workspace's runtime programmatically.

This is the same API regardless of how you reach it:

Via the gateway at workspace.oblien.com - authenticates your JWT and routes to the Workspace
Via private IP (10.x.x.x:9990) - workspace-to-workspace calls over the internal network

This is different from the Oblien API at api.oblien.com, which manages workspace lifecycle (create, start, stop, delete). The Internal API operates inside the running workspace itself.

Architecture

┌─────────────────────────────────────────────────────────┐
│  Gateway access                                         │
│                                                         │
│  Your App ──► workspace.oblien.com ──► Workspace:9990   │
│               (gateway, JWT auth)      (internal API)   │
└─────────────────────────────────────────────────────────┘

┌─────────────────────────────────────────────────────────┐
│  Direct access (workspace-to-workspace)                 │
│                                                         │
│  Workspace A ──► 10.x.x.x:9990 ──► Workspace B         │
│                  (private IP, raw token)                 │
└─────────────────────────────────────────────────────────┘

Both paths hit the same HTTP server with the same endpoints. The only difference is authentication:

Access method	Auth	Network requirement	How you get it
Gateway (`workspace.oblien.com`)	Gateway JWT (`Authorization: Bearer`)	`public_access: true` on the target	Enable server on the Oblien API
Direct (private IP)	Raw connection token (`Authorization: Bearer`)	Private link from caller to target	Get raw token on the Oblien API

How it works - end to end

Gateway access

Enable public_access on the target workspace via the Network API - this allows the gateway to reach the Workspace through the firewall
Enable the server on the target workspace via the Oblien API - this starts port 9990 inside the Workspace and returns a signed Gateway JWT
The JWT embeds the Workspace's private IP, port, and workspace ID - you never need to know the IP yourself
Make requests to workspace.oblien.com with Authorization: Bearer <jwt> - the gateway unpacks the JWT and routes to the Workspace
The Internal API handles your request and returns the response

Direct access (workspace-to-workspace)

Enable the server on the target workspace
Add a private link from the calling workspace to the target via the Network API - this whitelists the caller's IP in the target's firewall
Get the raw connection token and private IP of the target workspace
Call http://10.x.x.x:9990/endpoint with Authorization: Bearer <raw_token> directly from the calling workspace
No gateway involved - direct Workspace-to-Workspace over the internal network

Workspaces are network-dark by default. Every Workspace has a firewall that blocks all inbound traffic unless explicitly allowed. No workspace can reach any other workspace until you create a private link - even workspaces in the same account are fully isolated.

Quick start

import { OblienClient } from 'oblien';
import { Workspace } from 'oblien/workspace';

const client = new OblienClient({
  clientId: process.env.OBLIEN_CLIENT_ID!,
  clientSecret: process.env.OBLIEN_CLIENT_SECRET!,
});
const ws = new Workspace(client);

// 1. Enable the internal API server
const access = await ws.apiAccess.enable('ws_a1b2c3d4');

// 2. Use the workspace runtime APIs
const files = await ws.files.list('ws_a1b2c3d4', { dirPath: '/app' });
const content = await ws.files.get('ws_a1b2c3d4', { filePath: '/app/index.js' });
await ws.terminal.create('ws_a1b2c3d4', { shell: '/bin/bash' });

const result = await ws.exec.run('ws_a1b2c3d4', {
  cmd: ['node', '-e', 'console.log("hello")'],
});

Endpoint map

Files

Endpoint	Method	Description
`/files`	`GET`	List directory
`/files/list`	`GET`	List directory (alias)
`/files/stream`	`GET`	Stream directory as NDJSON
`/files/read`	`GET`	Read file content
`/files/write`	`POST/PUT`	Write file
`/files/mkdir`	`POST`	Create directory
`/files/stat`	`GET`	File/directory info
`/files/delete`	`DELETE/POST`	Delete file or directory

Search

Endpoint	Method	Description
`/files/search`	`GET`	Content search (ripgrep)
`/files/search/files`	`GET`	Filename search
`/files/search/init`	`POST`	Install ripgrep
`/files/search/init`	`GET`	Check ripgrep status

Terminal

Endpoint	Method	Description
`/terminals`	`POST`	Create terminal session
`/terminals`	`GET`	List active sessions
`/terminals/:id`	`DELETE`	Close session
`/terminals/:id/scrollback`	`GET`	Get scrollback buffer

Exec

Endpoint	Method	Description
`/exec`	`POST`	Run a command
`/exec`	`GET`	List tasks
`/exec/:id`	`GET`	Get task status
`/exec/:id`	`DELETE`	Kill a running task
`/exec`	`DELETE`	Delete all tasks
`/exec/:id/input`	`POST`	Send stdin input
`/exec/stream`	`GET/POST`	Stream task output (SSE)

File Watcher

Endpoint	Method	Description
`/watchers`	`POST`	Create a file watcher
`/watchers`	`GET`	List active watchers
`/watchers/:id`	`GET`	Get watcher info
`/watchers/:id`	`DELETE`	Stop and remove a watcher

WebSocket

Endpoint	Description
`/ws`	Multiplexed WebSocket for terminal I/O and file watcher events

Health

Endpoint	Method	Description
`/health`	`GET`	Server health check (no auth required)

Oblien API vs Internal API

	Oblien API	Workspace Internal API
Base URL	`api.oblien.com`	`workspace.oblien.com` or `10.x.x.x:9990`
Auth	API Key (`X-Client-ID` + `X-Client-Secret`)	Gateway JWT or raw connection token
Purpose	Workspace lifecycle (create, start, stop)	Runtime operations (files, exec, terminal)
Runs on	Oblien control plane	Inside each Workspace
Scope	All your workspaces	Single workspace
File access	Base64 encoded via API	Direct filesystem (plaintext)
Search	-	Content + filename search
Terminal	Indirect (via Oblien API)	Direct PTY sessions
Latency	Higher (multiple hops)	Lower (gateway → Workspace or Workspace → Workspace)

Next steps

Connection & Auth - Enable the server, get tokens, set up access
Files - List, read, write, stream files
Search - Content and filename search
Terminal - Interactive shell sessions
Exec - Run commands
File Watcher - Watch for file changes in real time
Workspace Networking - Workspace-to-Workspace communication patterns and security model

On this page