Skip to main content



This is a mini-spec on a HTTP API which can be used by browser based clients to do operations with devices.

Why protobufs

  • No need for JSON parsing on the resource constrained embedded server.
  • Small.
  • Already in use for all other transports (so shared testing/tooling coverage).
  • Backwards and forward compatible.

Request headers

  • Content-Type: application/x-protobuf
  • Cookie: session=ABAD1D (this header is added automatically by the browser client, not implemented yet)

Response headers

  • Content-Type: application/x-protobuf (indicates meshtatics protobufs)
  • X-Protobuf-Schema: <URI to the .proto schema file> (not required but recommended for documentation/reflection purposes)

(not implemented) All clients (if their request did not include a session cookie) will be assigned a random and unique session key. The cookie will not be set if the client already has one. Example response:

  • Set-Cookie: session=ABAD1D;path=/

(FIXME - check how this relates to XSS attacks)


Two endpoints are specified:

PUT /api/v1/toradio

A PUT to this endpoint will be expected to contain a series of ToRadio protobuf payloads. For the initial implementation only one ToRadio message per PUT is supported, but future optimizations to improve throughput might add support for multiple ToRadios in a single PUT.

The protobufs will be sent in binary as the body for the request.

A request with OPTIONS to this endpoint will return status 204 and just the headers.

GET /api/v1/fromradio?chunked=false|true&all=true|false

A GET from this endpoint will return a series of FromRadio protobufs.

  • chunked=false|true (not implemented)
    • If the query parameter "chunked" is false (or unset), the GET will simply return all the protobufs which can currently be delivered for this clients session (this would allow the client to poll by doing a series of GETs). This is the only option that is supported in the initial release.
    • Eventually if chunked=true, the response will be a stream of chunks that the server will keep open as long as the client wants. This will allow efficient streaming of new FromRadio protobufs as they are generated by the radio.
  • all=true|false
    • If this query is false (or unset), the GET will return just one protobuf. If set to true, will return all the available protobufs.

The protobufs will be sent in binary as the body for the request.


The initial release will not have any user authentication. i.e. we assume access to the HTTP server is enough to establish trust.

Since authentication is also eventually needed for our other transports (TCP and eventually open BLE), we will be adding authentication in-band. When added in the second release there will be a new payload supported inside ToRadio for SignIn <userid> <usersecret>. The server will respond with a FromRadio SignInResponse okay|fail. Also, in the case of the REST API, that SignIn status will then be associated with the current session key. Most (all?) ToRadio packets will be ignored if the client is not signed in. Most (all?) FromRadio packets will be sent to clients that are not signed in.




A reference client written in JavaScript will provide a JavaScript API for using this transport. That client will do HTTP connections, use the generated protobuf JavaScript code and provide an API that hides all of this REST plumbing. The two key methods will be "sendToRadio(packet) and onFromRadio(callback)".



Protoman is able to interface with the Meshtastic REST API out of the box. This is useful for manual testing of the endpoints.


HTTP and HTTPS are both supported on the ESP32 using self signed certificates on HTTPS.