Invoke a container service (runtime)
Sends an HTTP request to a container service — either through the gateway tunnel to a docker container (deployed type) or through the gateway tunnel to an external URL via agent egress (external type; ADR-0007). Designed as the structured, MCP-friendly entry point.
The path is /r/invoke/{serviceSlug} rather than
/r/containers/{serviceSlug}/invoke so it doesn’t shadow the
shell-friendly catch-all ANY /r/containers/{serviceSlug}/* — a
user whose container itself exposes /invoke can still reach it
via the catch-all.
The service must be in running state. Hop-by-hop headers
(Authorization, Host, Content-Length, …) are stripped before relay.
Authorization model: the request must have the invoke permission
on container services. JWT and device-credential (dk-) callers are
role-gated — Members and above qualify, Viewers do not. sk-
integration credentials are bound to a team at issue time and carry
team-scoped invoke access by design — they don’t participate in the
role hierarchy.
Authorizations
User session JWT (Bearer ). Must be paired with the X-Team-ID
request header on team-scoped endpoints so the server knows which
team's resources to operate on.
Headers
UUID of the team to scope the request to. Used by dual-auth endpoints (runtime + scoped management):
- JWT callers MUST send it — a user may belong to multiple teams and the runtime cannot otherwise know which one to operate on. Missing header → 400.
- Credential callers (sk-, dk-) can omit it because the team is derived from the credential row itself. Any value sent is ignored.
"019abc12-4567-7890-abcd-ef1234567891"
Path Parameters
Body
Structured form of "send an HTTP request through the gateway tunnel into the container". The catch-all ANY /r/containers/{slug}/* proxy stays for shell-friendly use; this operation is the MCP-friendly entry point (single operationId, single body shape).
HTTP method to send to the container.
Allowed values: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS
Path on the container, including leading "/". Query strings allowed. Example: "/api/generate" or "/predict?stream=true". Absolute URLs, protocol-relative URLs (leading "//"), and host-containing inputs are rejected at the schema layer so the agent's URL joiner never sees a target that could rewrite the host.
Maximum length: 2048. Pattern: ^/(?!/)
Optional request body, base64-encoded. Use base64 so binary payloads survive JSON transport. Empty / omitted for GET / DELETE.
Optional headers to forward to the container. Hop-by-hop headers (Host, Connection, Upgrade, Transfer-Encoding, TE, Trailer) are stripped server-side. End-to-end headers — including Authorization, Content-Type, and any custom application headers — are forwarded as-is.
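The schema rules above (path pattern and length, method list, base64 body, hop-by-hop stripping) can be modelled in a few lines. This is an added example, not Cyberun's own code: the JSON key names, the function names and the base URL http://container.test:8080/ are assumptions made for illustration. joined_host shows what a generic URL joiner would do with a path that the schema check exists to reject.

```python
import base64
import re
from urllib.parse import urljoin, urlsplit

# Values taken from the schema text on this page.
PATH_PATTERN = re.compile(r"^/(?!/)")
PATH_MAX_LEN = 2048
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}
HOP_BY_HOP = {"host", "connection", "upgrade", "transfer-encoding", "te", "trailer"}


def path_is_valid(path: str) -> bool:
    """Schema-layer check: leading "/", not "//", at most 2048 characters."""
    return len(path) <= PATH_MAX_LEN and PATH_PATTERN.match(path) is not None


def joined_host(base: str, path: str) -> str:
    """Host a generic URL joiner would target if the path were NOT validated."""
    return urlsplit(urljoin(base, path)).hostname


def forwarded_headers(headers: dict) -> dict:
    """Model of the server-side stripping: drop hop-by-hop, keep end-to-end."""
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}


def build_invoke_body(method: str, path: str, payload: bytes = b"", headers=None) -> dict:
    """Assemble a request body. The key names used here are hypothetical."""
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unsupported method: {method!r}")
    if not path_is_valid(path):
        raise ValueError(f"path rejected by schema: {path!r}")
    body = {"method": method, "path": path, "headers": dict(headers or {})}
    if payload:
        # base64 keeps binary payloads intact through JSON transport
        body["body"] = base64.b64encode(payload).decode("ascii")
    return body


if __name__ == "__main__":
    base = "http://container.test:8080/"  # constructed placeholder target
    for p in ("/api/generate", "/predict?stream=true",
              "//other.example/x", "http://other.example/x"):
        print(f"{p!r:28} valid={path_is_valid(p)!s:5} joiner host={joined_host(base, p)}")
```

The two rejected inputs are exactly the ones for which the joiner's host differs from the base host, which is the property the pattern ^/(?!/) enforces before the agent builds the target URL.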
