Trigger workflows from your own systems. Fire webhooks, parse plans, stream live phase events, manage credentials. Every surface in the Dispatch UI is just a thin client over this API — and you can build on top of it.
Pick whichever matches the shape of your client. Public endpoints (parse, templates, triggers) skip auth entirely.
Sign in via the UI or via /api/auth/login. The browser stores an httpOnly dispatch_session cookie (JWT, 30-day TTL). Send it on every request.
# Sign in once and persist the cookie:
curl -X POST https://dispatch.app/api/auth/login \
-H "Content-Type: application/json" \
-c cookies.txt \
-d '{"email":"you@example.com","password":"hunter2"}'
# Re-use it for every authenticated call:
curl https://dispatch.app/api/workflows \
-b cookies.txtPaste your token as Authorization: Bearer dsp_… on any request. Tokens carry the same scope as your session and can be revoked from /settings.
# Once API tokens ship:
curl https://dispatch.app/api/workflows \
-H "Authorization: Bearer dsp_live_<dispatch_session>"/api/credentials. We never see your prompts and never charge for tokens — that bill stays with your provider.Every failure returns JSON in the same shape, with an HTTP status that matches its category. Parse the body — never the status alone.
{
"error": string, // human-readable summary
"code": string?, // stable machine identifier (optional)
"details": Record<string, unknown>? // optional debugging payload
}Authenticated APIs are unmetered while we tune capacity. Public endpoints are throttled to keep abusers from torching your quota.
Returns 429 with a retryAfter (seconds) field once exceeded.
We monitor outliers and will reach out before introducing per-account limits.
Open streams beyond this respond 429; close idle EventSources promptly.
Create accounts, sign in, sign out, and resolve the current user from the cookie.
/api/auth/signupCreate a new account. Sets the dispatch_session cookie on success.
{ "email": string, "password": string, "name"?: string }{ "user": { "id": string, "email": string, "name": string } }curl -X POST https://dispatch.app/api/auth/signup -c cookies.txt \
-H "Content-Type: application/json" \
-d '{"email":"you@example.com","password":"hunter2","name":"You"}'/api/auth/loginSign in with email + password. Sets dispatch_session cookie.
{ "email": string, "password": string }{ "user": { "id": string, "email": string, "name": string } }curl -X POST https://dispatch.app/api/auth/login -c cookies.txt \
-H "Content-Type: application/json" \
-d '{"email":"you@example.com","password":"hunter2"}'/api/auth/logoutClear the session cookie. Always returns 200.
{ "ok": true }curl -X POST https://dispatch.app/api/auth/logout -b cookies.txt/api/auth/meReturn the current session user, or { user: null } if not signed in.
{ "user": { "id": string, "email": string, "name": string } | null }curl https://dispatch.app/api/auth/me -b cookies.txtA workflow is a saved, named WorkflowPlan with a trigger config. These endpoints power the dashboard, history, and editor.
/api/workflowsList all workflows belonging to the current user.
{ "workflows": SavedWorkflow[] }curl https://dispatch.app/api/workflows -b cookies.txt/api/workflowsSave a parsed plan as a workflow. Pass the plan returned from /api/parse.
{
"plan": WorkflowPlan, // required, must include id
"schedule"?: "on_demand" | "scheduled" | "webhook" // defaults on_demand
}{ "workflow": SavedWorkflow }curl -X POST https://dispatch.app/api/workflows -b cookies.txt \
-H "Content-Type: application/json" \
-d '{"plan":{"id":"...","name":"...","steps":[...]}}'/api/workflows/{id}Fetch a single workflow by id.
{ "workflow": SavedWorkflow }curl https://dispatch.app/api/workflows/wf_8a23 -b cookies.txt/api/workflows/{id}Partially update a workflow. Omitted fields are left untouched.
{
"name"?: string,
"description"?: string,
"enabled"?: boolean,
"cron"?: string, // 5-field cron expression
"trigger"?: "manual" | "schedule" | "webhook",
"steps"?: WorkflowStep[]
}{ "workflow": SavedWorkflow }curl -X PATCH https://dispatch.app/api/workflows/wf_8a23 -b cookies.txt \
-H "Content-Type: application/json" \
-d '{"enabled":true,"cron":"0 9 * * 1-5","trigger":"schedule"}'/api/workflows/{id}Permanently delete a workflow. Idempotent.
{ "ok": true }curl -X DELETE https://dispatch.app/api/workflows/wf_8a23 -b cookies.txt/api/workflows/blankCreate an empty Untitled Mission so the user can build it in the visual editor.
{ "workflow": SavedWorkflow }curl -X POST https://dispatch.app/api/workflows/blank -b cookies.txt/api/workflows/{id}/runSynchronously execute a saved workflow. Returns the full run record.
{
"run": {
"id": string, "workflowId": string,
"status": "ok" | "failed",
"durationMs": number, "startedAt": number, "completedAt": number,
"trigger": "manual", "steps": StepResult[]
}
}curl -X POST https://dispatch.app/api/workflows/wf_8a23/run -b cookies.txtParse natural language into a structured plan, then execute it synchronously or stream it phase by phase.
/api/parseTranslate natural language into a structured WorkflowPlan. Used by the composer.
{
"input": string, // required, the brief in plain English
"enabledTools"?: string[] // restrict the planner to these tool ids
}{ "plan": { "id": string, "createdAt": number, "name": string, "steps": WorkflowStep[], ... } }curl -X POST https://dispatch.app/api/parse \
-H "Content-Type: application/json" \
-d '{"input":"Summarize my Gmail every morning into a Notion page."}'/api/executeExecute a plan and stream phase events as SSE.
{ "plan": WorkflowPlan, "workflowId"?: string }text/event-stream
---
event: step_start | data: { "stepId": "...", "tool": "gmail", "op": "search" }
event: step_log | data: { "stepId": "...", "line": "..." }
event: step_done | data: { "stepId": "...", "status": "ok", "durationMs": 412 }
event: run_complete | data: { "status": "ok" | "failed", "runId": "...", "error"?: string }curl -N -X POST https://dispatch.app/api/execute -b cookies.txt \
-H "Content-Type: application/json" \
-d '{"plan":{...}}'/api/public/parsePublic, IP-rate-limited parser used by anonymous demos. No session required.
{ "input": string }{ "plan": WorkflowPlan } | { "error": "rate_limited", "retryAfter": number }curl -X POST https://dispatch.app/api/public/parse \
-H "Content-Type: application/json" \
-d '{"input":"Watch a GitHub repo and ping me on stale PRs."}'Read-only catalogue plus a clone endpoint that drops a fresh, disabled copy into the user's workspace.
/api/templatesList built-in templates. Optional ?category= filter.
{
"templates": [{ "slug": string, "name": string, "tagline": string, "category": string,
"icon": string, "highlightTools": ToolName[], "estimatedRuntime": number }]
}curl "https://dispatch.app/api/templates?category=Productivity"/api/templates/{slug}Fetch a single template, including its full step graph.
{ "template": Template }curl https://dispatch.app/api/templates/morning-inbox-digest/api/templates/{slug}/cloneClone a template into the user’s workspace as a fresh, disabled workflow.
{ "workflow": SavedWorkflow }curl -X POST https://dispatch.app/api/templates/morning-inbox-digest/clone -b cookies.txtSave, test, and switch between OpenAI, Anthropic, and Google keys. Keys are encrypted at rest and never returned in plaintext.
/api/credentialsList saved LLM provider credentials. Keys are returned masked.
{
"default": "openai" | "anthropic" | "google" | null,
"providers": [{ "provider": Provider, "maskedKey": string, "model"?: string,
"createdAt": number, "updatedAt": number }]
}curl https://dispatch.app/api/credentials -b cookies.txt/api/credentials/{provider}Save or replace the API key for a provider.
{ "apiKey": string, "model"?: string }{ "provider": string, "maskedKey": string, "model"?: string, "createdAt": number, "updatedAt": number }curl -X PUT https://dispatch.app/api/credentials/openai -b cookies.txt \
-H "Content-Type: application/json" \
-d '{"apiKey":"sk-...","model":"gpt-4o"}'/api/credentials/{provider}Remove a stored provider key.
{ "default": ... , "providers": [...] } // sanitized credentialscurl -X DELETE https://dispatch.app/api/credentials/openai -b cookies.txt/api/credentials/{provider}Test a provider key. Pass apiKey to test a candidate, or send empty body to test the saved key.
{ "apiKey"?: string }{ "ok": boolean, "info"?: string, "error"?: string }curl -X POST https://dispatch.app/api/credentials/openai -b cookies.txt \
-H "Content-Type: application/json" \
-d '{"apiKey":"sk-..."}'/api/credentials/defaultSet the default LLM provider used when a workflow does not specify one.
{ "provider": "openai" | "anthropic" | "google" }{ "default": string, "providers": [...] }curl -X PUT https://dispatch.app/api/credentials/default -b cookies.txt \
-H "Content-Type: application/json" \
-d '{"provider":"anthropic"}'Each tool has its own field shape (declared by the integration registry). PUT to save, POST to test, DELETE to remove.
/api/integrationsList saved integrations plus the catalogue of available tools.
{ "integrations": Integration[], // sanitized — secrets redacted
"available": IntegrationDef[] } // catalog: tool id, label, fieldscurl https://dispatch.app/api/integrations -b cookies.txt/api/integrations/{tool}Save or replace integration fields. Optionally test before saving.
{
"fields": { [key: string]: string }, // all required fields must be present
"test"?: boolean // if true, tested before saving
}{ "integration": SanitizedIntegration, "test"?: { "ok": boolean, "info"?: string } }curl -X PUT https://dispatch.app/api/integrations/slack -b cookies.txt \
-H "Content-Type: application/json" \
-d '{"fields":{"botToken":"xoxb-..."},"test":true}'/api/integrations/{tool}Remove a saved integration.
{ "integrations": Integration[], "available": IntegrationDef[] }curl -X DELETE https://dispatch.app/api/integrations/slack -b cookies.txt/api/integrations/{tool}Test an integration. Pass fields to test new credentials, or send empty body to test the saved record.
{ "fields"?: { [key: string]: string } }{ "ok": boolean, "info"?: string, "error"?: string }curl -X POST https://dispatch.app/api/integrations/slack -b cookies.txt \
-H "Content-Type: application/json" \
-d '{"fields":{"botToken":"xoxb-..."}}'A workflow fires when its webhook URL is hit, when its cron expression matches, or when a user clicks Run.
/api/triggers/{secret}Public webhook entry. Fires the workflow associated with the opaque secret.
{ "accepted": true, "runId": string, "status": "ok" | "failed", "durationMs": number, "workflowId": string }curl -X POST https://dispatch.app/api/triggers/8a23-... \
-H "Content-Type: application/json" \
-d '{"orderId":"ord_42"}'/api/triggers/{secret}Health-check / browser-friendly variant. Fires the same run.
{ "accepted": true, "runId": ..., "status": ..., "durationMs": ..., "workflowId": ... }curl https://dispatch.app/api/triggers/8a23-.../api/cronInternal Vercel Cron entry. Fires every workflow whose cron matches the current minute.
{
"timestamp": string, "scheduled": number, "fired": number,
"runs": [{ "workflowId": string, "runId"?: string, "status": "ok" | "failed" | "error" }]
}curl https://dispatch.app/api/cron -H "Authorization: Bearer $CRON_SECRET"Every run is recorded with input, output, latency, and outcome. Replay or retry from the dashboard or via API.
/api/historyMost recent 50 run records for the current user. Optional ?workflowId= filter.
{
"history": [{ "id": string, "workflowId": string,
"status": "ok" | "failed",
"trigger": "manual" | "scheduled" | "webhook",
"durationMs": number, "startedAt": number, "completedAt": number,
"steps": StepResult[] }]
}curl "https://dispatch.app/api/history?workflowId=wf_8a23" -b cookies.txt/api/runs/{id}/replayRe-run an exact past execution with the same inputs. Useful for debugging idempotent workflows.
{ "run": RunRecord }curl -X POST https://dispatch.app/api/runs/run_8a23/replay -b cookies.txt/api/runs/{id}/retryRetry a failed run from the first failing step. Earlier successful steps are skipped.
{ "run": RunRecord }curl -X POST https://dispatch.app/api/runs/run_8a23/retry -b cookies.txt/api/execute is a Server-Sent Events stream. Each phase emits structured events; consume them with EventSource or fetch + a reader.
async function runPlan(plan) {
const res = await fetch('/api/execute', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
credentials: 'include',
body: JSON.stringify({ plan }),
})
if (!res.body) throw new Error('No stream')
const reader = res.body
.pipeThrough(new TextDecoderStream())
.getReader()
let buffer = ''
while (true) {
const { value, done } = await reader.read()
if (done) break
buffer += value
const parts = buffer.split('\n\n')
buffer = parts.pop() ?? ''
for (const chunk of parts) {
const lines = chunk.split('\n')
const event = lines.find(l => l.startsWith('event: '))?.slice(7)
const data = lines.find(l => l.startsWith('data: '))?.slice(6)
if (!event || !data) continue
handleEvent(event, JSON.parse(data))
}
}
}step_startstep_logstep_donestep_modephase_completerun_completeerrorimport EventSource from 'eventsource'
const es = new EventSource('https://dispatch.app/api/execute', {
method: 'POST',
headers: { Cookie: 'dispatch_session=' + token },
payload: JSON.stringify({ plan }),
})
es.addEventListener('step_done', (e) => console.log('done', JSON.parse(e.data)))
es.addEventListener('run_complete', (e) => { es.close() })
es.addEventListener('error', (e) => { es.close() })When you create a webhook trigger, the URL ends with …/api/triggers/{secret}. Treat the secret as opaque — do not log it, do not put it in error reports, do not commit it to source.
Every outbound delivery from Dispatch carries a signature header. Verify it on your end before trusting the body.
X-Dispatch-Signature — HMAC-SHA256 of the raw body, hex-encoded.X-Dispatch-Timestamp — Unix ms. Reject anything more than 5 minutes off.X-Dispatch-Event — event name, e.g. run.completed.import crypto from 'node:crypto'
export function verify(req, secret) {
const sig = req.headers['x-dispatch-signature']
const ts = req.headers['x-dispatch-timestamp']
if (!sig || !ts) return false
// Reject replays older than 5 minutes.
if (Math.abs(Date.now() - Number(ts)) > 5 * 60 * 1000) {
return false
}
const expected = crypto
.createHmac('sha256', secret)
.update(req.rawBody)
.digest('hex')
return crypto.timingSafeEqual(
Buffer.from(expected, 'hex'),
Buffer.from(sig, 'hex'),
)
}Until first-party SDKs ship, native fetch and requests work great. The surface area is small — five-ish endpoints will cover most use cases.
// npm: native fetch — no dependencies
const base = 'https://dispatch.app'
async function login(email: string, password: string) {
const r = await fetch(`${base}/api/auth/login`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email, password }),
credentials: 'include',
})
if (!r.ok) throw new Error((await r.json()).error)
return r.json()
}
async function listWorkflows() {
const r = await fetch(`${base}/api/workflows`, {
credentials: 'include',
})
return r.json()
}
async function plan(input: string) {
const r = await fetch(`${base}/api/parse`, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ input }),
})
return r.json()
}# pip install requests
import requests
base = 'https://dispatch.app'
s = requests.Session()
def login(email, password):
r = s.post(f'{base}/api/auth/login',
json={'email': email, 'password': password})
r.raise_for_status()
return r.json()
def list_workflows():
return s.get(f'{base}/api/workflows').json()
def plan(prompt):
r = s.post(f'{base}/api/parse', json={'input': prompt})
return r.json()
def run(workflow_id):
return s.post(f'{base}/api/workflows/{workflow_id}/run').json()TypeScript and Python first. Want one in your language? Open an issue with your stack and use case.
Free forever. BYOK. Five minutes from sign-up to a curl that actually does something.