HTTP API server
The HTTP API for working with a SeqLens project from external tools.
NOTE
The HTTP API is an Experimental feature. Endpoints, response shapes, and behavior may change in future releases without notice.
SeqLens includes a local HTTP API server for working with a project from external tools. Besides reading sequence information and frame metadata, you can also call write operations such as rescanning, exporting, and job actions. You can use it from shell scripts, job-management tools, CI, and applications like Houdini / Nuke.
It is off by default. Turn it on from Preferences → Server, or from Server → Enable Server.
Settings
| Item | Description |
|---|---|
| Enable Server | Toggles the server on and off. |
| Address | The listen port. The default is 5397 (a nod to SEQL). |
| Allowed IPs | The list of IPs allowed to connect. By default only connections from the same machine are allowed. |
| Require token | Enables Bearer token authentication. |
| Token | A read-only token generated automatically when enabled. Use the Copy / Regenerate buttons. |
When Require token is on, you supply the token on each request with an Authorization: Bearer <token> header. You don’t type the token yourself; it is generated automatically when you turn the option on. If you suspect it has leaked, you can recreate it with Regenerate.
While the server is running, the port, allowed IPs, and token cannot be changed (the settings are locked). To change them, stop the server first.
The server status is shown on the settings tab and in the Server menu. While running it shows the address, for example Status: Running (127.0.0.1:5397); other states are Status: Starting… / Status: Failed / Status: Stopped.
Endpoints
The following is a selection of the main endpoints. For the full list and details (parameters, response shapes, request bodies for write operations, and so on), see the built-in API reference (/docs).
Operations that target a project live under /api/v1/projects/current, which points at the currently open project.
| Path | Purpose |
|---|---|
GET /api/health |
Health check (no auth required; returns the app version, API version, whether a project is open, and the open project’s key) |
GET /api/v1/projects/current |
Metadata for the currently open project |
GET /api/v1/projects/current/sequences |
The list of sequences |
GET /api/v1/projects/current/sequences/{key} |
Identifying information for a single sequence |
GET /api/v1/projects/current/sequences/{key}/scan |
The latest scan state (missing frames, total size, mtime, and so on) |
GET /api/v1/projects/current/sequences/{key}/frames |
Per-frame metadata |
POST /api/v1/projects/current/rescan |
Rescan the project |
GET /api/v1/projects/current/exports/... |
Exports such as CSV / JSON / MHL / OpenTimelineIO / MP4 / ZIP |
GET /api/v1/projects/current/raw-keys |
The list of keypaths available under raw |
The sequence list (/sequences) supports query parameters: paging (offset / limit) plus filtering, sorting, and include (extra information such as scan / anomaly). See /docs for the list of accepted values.
Docs and logs
While the server is running, an OpenAPI 3.1 document is published at http://<host>:<port>/openapi.json, and the API reference UI (Scalar) is available at http://<host>:<port>/docs. Opening http://<host>:<port>/ redirects to /docs. You can open it in the browser immediately from the Server → Open API Docs menu.
Server-specific logs are written to userData/logs/api-server.log and can be opened from the Server → Show Server Logs menu.
Security notes
WARNING
The default “same machine only” setting is the safest. If you expose the server to your LAN, always enable authentication.
- The token is generated automatically when you enable it. If you suspect it has leaked, use Regenerate.
- Do not expose the server directly to the internet. If you need external access, use a VPN or another secure relay.
- If you leave authentication off while the allowed IPs include a non-loopback address, your project becomes readable remotely without authentication. The UI shows a warning, and the server refuses to start with this configuration.
- Against browser-based DNS rebinding attacks, requests that carry an
Originheader are checked against theHostto block cross-origin access.