HTTP Endpoints Reference
MinIO AIStor Server exposes several HTTP surfaces over the API port (default 9000) and a separate port for the Console Web UI (default dynamic, configurable with --console-address).
This page lists all HTTP endpoints grouped by category and identifies which endpoints must be exposed through a load balancer or ingress, and which are internal only and must not be exposed externally.
Use this page when configuring HAProxy, NGINX, Kubernetes Ingress, a cloud load balancer, or any other reverse proxy in front of an AIStor deployment.
Summary
| Category | Base path | Port | Auth | Expose externally |
|---|---|---|---|---|
| S3 API | / |
9000 | AWS Signature V4 | Yes |
| Admin API | /minio/admin/v3/, /minio/admin/v4/ |
9000 | AWS Signature V4 | Yes |
| STS API | / (POST with Action=) |
9000 | Varies by action | Yes |
| KMS API | /minio/kms/v1/ |
9000 | AWS Signature V4 (admin) | Yes |
| Health probes | /minio/health/ |
9000 | None | Yes |
| Prometheus metrics | /minio/v2/metrics/, /minio/metrics/v3/ |
9000 | Public or JWT | Yes |
| Iceberg REST catalog | /_iceberg/v1/ |
9000 | AWS Signature V4 | Yes (if Tables enabled) |
| Delta Sharing | /minio/admin/v4/delta-sharing/ |
9000 | AWS Signature V4 (admin) | Yes (if Tables enabled) |
| Console Web UI | /api/v1/, /api/v2/ |
Console port | Session cookie | Yes (separate port) |
| Peer-to-peer RPC | /minio/peer/, /minio/storage/, /minio/lock/, /minio/grid/, /minio/bootstrap/ |
9000 | Internal token, mTLS | No |
S3 API
Base path: /
Port: Default 9000, configurable with --address.
Authentication: AWS Signature Version 4 on every request.
Standard Amazon S3 API for bucket and object operations.
Client applications using the AWS SDK, the mc client, or any S3-compatible tooling connect to this endpoint.
Commonly accessed path patterns:
PUT /{bucket}- Create bucketGET /{bucket}- List objects (with?list-type=2,?versions,?uploads)PUT /{bucket}/{object}- Upload object, including multipart (?uploadId=,?partNumber=)GET /{bucket}/{object}- Retrieve objectHEAD /{bucket}/{object}- Object metadataDELETE /{bucket}/{object}- Delete object or abort multipart
Bucket configuration subresources, attached as query parameters:
?acl, ?cors, ?encryption, ?lifecycle, ?notification, ?object-lock, ?policy, ?replication, ?tagging, ?versioning, ?website
See the S3 API documentation for the complete operation list.
Admin API
Base paths: /minio/admin/v3/, /minio/admin/v4/
Port: Default 9000.
Authentication: AWS Signature Version 4 with an access key that has admin-level policy attached.
The Admin API provides cluster and configuration management operations. Most admin operations are invoked through the mc admin CLI, which calls these endpoints.
Functional areas:
- Service:
/service(restart, stop),/update,/cordon - Cluster info:
/info,/cluster,/pool,/storageinfo,/datausageinfo,/cluster-summary - Query (v4):
/query/cluster,/query/services,/query/pools,/query/sets,/query/nodes,/query/drives(see Admin API v4 Query Endpoints) - Users and credentials:
/add-user,/list-users,/user-info,/set-user-status,/remove-user,/accountinfo,/change-my-password - Service accounts:
/add-service-account,/list-service-accounts,/info-service-account,/update-service-account,/delete-service-account - Policies:
/add-canned-policy,/list-canned-policies,/info-canned-policy,/remove-canned-policy,/set-user-or-group-policy - Groups:
/update-group-members,/groups,/group,/set-group-status - Identity providers:
/idp-config/{type}/{name}for LDAP, OpenID, Azure - IAM import/export:
/export-iam,/import-iam,/import-iam-v2 - Configuration:
/config,/get-config-kv,/set-config-kv,/del-config-kv,/help-config-kv,/list-config-history-kv,/restore-config-history-kv - Healing:
/heal/,/heal/{bucket},/background-heal/status - Pools and rebalance:
/pools/list,/pools/status,/pools/decommission,/rebalance/start,/rebalance/status,/rebalance/stop - Batch jobs:
/start-job,/list-jobs,/status-job,/describe-job,/cancel-job,/generate-job - Replication targets:
/list-remote-targets,/set-remote-target,/remove-remote-target,/replication/diff,/replication/mrf - Site replication:
/site-replication/add,/site-replication/info,/site-replication/status,/site-replication/edit,/site-replication/remove - Tiering:
/tier,/tier/{tier},/tier-stats - Quotas:
/get-bucket-quota,/set-bucket-quota - KMS management:
/kms/status,/kms/key/create,/kms/key/status - Logs and tracing:
/trace,/log,/logs/api,/logs/error,/logs/audit - Performance tests:
/speedtest,/speedtest/drive,/speedtest/net,/speedtest/object - Profiling:
/profile,/profiling/start,/profiling/download - Locks:
/top/locks,/force-unlock - Health and license:
/healthinfo,/license-info - STS tokens:
/revoke-tokens/{userProvider} - Notifications:
/list-notification-targets
Refer to the mc admin reference for the corresponding CLI command of each endpoint.
STS API
Base path: / (POST requests with form-encoded body)
Port: Default 9000.
The Security Token Service (STS) endpoint issues temporary credentials. Clients submit a POST request with an Action parameter identifying the credential exchange type.
Supported actions:
AssumeRole- Trade long-term credentials for temporary onesAssumeRoleWithWebIdentity- Web identity federation (OIDC)AssumeRoleWithClientGrants- OAuth2 client credentialsAssumeRoleWithLDAPIdentity- LDAP username and passwordAssumeRoleWithCertificate- Client X.509 certificateAssumeRoleWithCustomToken- External token authorization
See Security Token Service for configuration and usage.
KMS API
Base path: /minio/kms/v1/
Port: Default 9000.
Authentication: AWS Signature Version 4 with admin policy.
Key management operations for Server-Side Encryption (SSE-KMS).
POST /enable- Enable KMS integrationGET /status- KMS statusGET /metrics- KMS metricsGET /version- KMS versionPOST /key/create- Create a KMS key (?key-id=)POST /key/rotate- Rotate a key (?key-id=)GET /key/list- List KMS keysGET /key/status- Key status
KMS operations are typically invoked through mc admin kms key.
Health probes
Base path: /minio/health/
Port: Default 9000.
Authentication: None. All health endpoints are unauthenticated and expose only HTTP status codes.
| Endpoint | Purpose |
|---|---|
GET /minio/health/live |
Liveness probe. 200 OK if the server process is running. |
GET /minio/health/ready |
Readiness probe. 200 OK if the server is ready to serve requests. |
GET /minio/health/cluster |
Write quorum readiness. 200 OK if the cluster can accept writes. |
GET /minio/health/cluster/read |
Read quorum readiness. 200 OK if the cluster can serve reads. |
GET /minio/health/cluster?maintenance=true |
Safe-to-drain check. Returns 412 Precondition Failed if draining this node would break quorum. |
See Healthcheck Probes for full details and response codes.
Prometheus metrics
Base paths:
/minio/v2/metrics/(v2, legacy)/minio/metrics/v3/(v3, current)
Port: Default 9000.
Authentication: Controlled by MINIO_PROMETHEUS_AUTH_TYPE:
jwt(default): Requires a bearer token obtained throughmc admin prometheus generatepublic: No authentication, suitable for internal networks only
v2 endpoints:
/minio/v2/metrics/cluster/minio/v2/metrics/node/minio/v2/metrics/bucket/minio/v2/metrics/resource
v3 endpoints are organized hierarchically under /minio/metrics/v3/ (for example /minio/metrics/v3/system/process, /minio/metrics/v3/api/requests).
See Metrics and Alerts for the complete metrics catalog.
Iceberg REST catalog (AIStor Tables)
Base path: /_iceberg/v1/
Port: Default 9000.
Authentication: AWS Signature Version 4.
Apache Iceberg REST catalog endpoints for AIStor Tables warehouse management: /warehouses, /namespaces, /tables, /views, and related catalog operations.
See AIStor Tables for configuration.
Delta Sharing
Base path: /minio/admin/v4/delta-sharing/
Port: Default 9000.
Authentication: AWS Signature Version 4 with admin policy.
Administrative endpoints for creating and managing Delta Sharing shares and access tokens: /shares, /shares/{share}, /shares/{share}/tokens, /tokens/{tokenId}.
See Delta Sharing for configuration.
Console Web UI
Base paths: /api/v1/, /api/v2/
Port: Separate port from the S3 API. By default the server selects a dynamic port at startup. Use --console-address to pin a fixed port.
Authentication: Session cookie issued after login.
The Console Web UI is a separate HTTP service on its own port. The browser loads static assets and issues API calls to /api/v1/ and /api/v2/ endpoints, and establishes WebSocket connections for interactive features (object browser, trace viewer, log viewer).
Notable WebSocket endpoints:
/api/v2/objectManager- Object browser live view/api/v2/trace- Interactive HTTP trace stream/api/v2/log- Live log stream
When the Console Web UI is served behind a reverse proxy (HAProxy, NGINX, ingress):
-
Set
MINIO_BROWSER_REDIRECT_URLon every MinIO server node to the external URL the browser sees:MINIO_BROWSER_REDIRECT_URL=https://console.example.netWithout this, the console rejects WebSocket upgrade requests with HTTP 403 due to origin validation mismatch.
-
Configure the proxy to forward WebSocket upgrades and apply a long tunnel timeout. For HAProxy, add
timeout tunnel 1hto the console backend. Without it, WebSocket connections are killed after the regular HTTP timeout and the UI shows repeated disconnects. -
Route the S3 API and Console on separate frontends or paths: they are served on separate ports on the server side, so the proxy configuration should reflect that separation.
Internal peer-to-peer endpoints
The following endpoints are used for node-to-node communication within a distributed deployment. They are authenticated with internal tokens and (when TLS is enabled) mTLS.
These endpoints must never be exposed to external networks or through a public load balancer.
/minio/peer/- Inter-node operations: metadata, metrics, healing coordination/minio/storage/- Inter-node storage operations (erasure read/write)/minio/lock/- Distributed lock manager/minio/grid/- Internal binary RPC transport/minio/bootstrap/- Cluster bootstrap and initial formation
In a Kubernetes deployment the AIStor Operator configures a headless Service for inter-node traffic and a separate LoadBalancer or ClusterIP Service for client traffic, so this separation is handled automatically. In bare-metal deployments behind a load balancer, restrict the proxy configuration to the public endpoints listed above and do not route requests matching any of the peer path prefixes.