HTTP Endpoints Reference

MinIO AIStor Server exposes several HTTP surfaces over the API port (default 9000) and a separate port for the Console Web UI (default dynamic, configurable with --console-address).

This page lists all HTTP endpoints grouped by category and identifies which endpoints must be exposed through a load balancer or ingress, and which are internal only and must not be exposed externally.

Use this page when configuring HAProxy, NGINX, Kubernetes Ingress, a cloud load balancer, or any other reverse proxy in front of an AIStor deployment.

Summary

Category Base path Port Auth Expose externally
S3 API / 9000 AWS Signature V4 Yes
Admin API /minio/admin/v3/, /minio/admin/v4/ 9000 AWS Signature V4 Yes
STS API / (POST with Action=) 9000 Varies by action Yes
KMS API /minio/kms/v1/ 9000 AWS Signature V4 (admin) Yes
Health probes /minio/health/ 9000 None Yes
Prometheus metrics /minio/v2/metrics/, /minio/metrics/v3/ 9000 Public or JWT Yes
Iceberg REST catalog /_iceberg/v1/ 9000 AWS Signature V4 Yes (if Tables enabled)
Delta Sharing /minio/admin/v4/delta-sharing/ 9000 AWS Signature V4 (admin) Yes (if Tables enabled)
Console Web UI /api/v1/, /api/v2/ Console port Session cookie Yes (separate port)
Peer-to-peer RPC /minio/peer/, /minio/storage/, /minio/lock/, /minio/grid/, /minio/bootstrap/ 9000 Internal token, mTLS No

S3 API

Base path: /

Port: Default 9000, configurable with --address.

Authentication: AWS Signature Version 4 on every request.

Standard Amazon S3 API for bucket and object operations. Client applications using the AWS SDK, the mc client, or any S3-compatible tooling connect to this endpoint.

Commonly accessed path patterns:

  • PUT /{bucket} - Create bucket
  • GET /{bucket} - List objects (with ?list-type=2, ?versions, ?uploads)
  • PUT /{bucket}/{object} - Upload object, including multipart (?uploadId=, ?partNumber=)
  • GET /{bucket}/{object} - Retrieve object
  • HEAD /{bucket}/{object} - Object metadata
  • DELETE /{bucket}/{object} - Delete object or abort multipart

Bucket configuration subresources, attached as query parameters:

?acl, ?cors, ?encryption, ?lifecycle, ?notification, ?object-lock, ?policy, ?replication, ?tagging, ?versioning, ?website

See the S3 API documentation for the complete operation list.

Admin API

Base paths: /minio/admin/v3/, /minio/admin/v4/

Port: Default 9000.

Authentication: AWS Signature Version 4 with an access key that has admin-level policy attached.

The Admin API provides cluster and configuration management operations. Most admin operations are invoked through the mc admin CLI, which calls these endpoints.

Functional areas:

  • Service: /service (restart, stop), /update, /cordon
  • Cluster info: /info, /cluster, /pool, /storageinfo, /datausageinfo, /cluster-summary
  • Query (v4): /query/cluster, /query/services, /query/pools, /query/sets, /query/nodes, /query/drives (see Admin API v4 Query Endpoints)
  • Users and credentials: /add-user, /list-users, /user-info, /set-user-status, /remove-user, /accountinfo, /change-my-password
  • Service accounts: /add-service-account, /list-service-accounts, /info-service-account, /update-service-account, /delete-service-account
  • Policies: /add-canned-policy, /list-canned-policies, /info-canned-policy, /remove-canned-policy, /set-user-or-group-policy
  • Groups: /update-group-members, /groups, /group, /set-group-status
  • Identity providers: /idp-config/{type}/{name} for LDAP, OpenID, Azure
  • IAM import/export: /export-iam, /import-iam, /import-iam-v2
  • Configuration: /config, /get-config-kv, /set-config-kv, /del-config-kv, /help-config-kv, /list-config-history-kv, /restore-config-history-kv
  • Healing: /heal/, /heal/{bucket}, /background-heal/status
  • Pools and rebalance: /pools/list, /pools/status, /pools/decommission, /rebalance/start, /rebalance/status, /rebalance/stop
  • Batch jobs: /start-job, /list-jobs, /status-job, /describe-job, /cancel-job, /generate-job
  • Replication targets: /list-remote-targets, /set-remote-target, /remove-remote-target, /replication/diff, /replication/mrf
  • Site replication: /site-replication/add, /site-replication/info, /site-replication/status, /site-replication/edit, /site-replication/remove
  • Tiering: /tier, /tier/{tier}, /tier-stats
  • Quotas: /get-bucket-quota, /set-bucket-quota
  • KMS management: /kms/status, /kms/key/create, /kms/key/status
  • Logs and tracing: /trace, /log, /logs/api, /logs/error, /logs/audit
  • Performance tests: /speedtest, /speedtest/drive, /speedtest/net, /speedtest/object
  • Profiling: /profile, /profiling/start, /profiling/download
  • Locks: /top/locks, /force-unlock
  • Health and license: /healthinfo, /license-info
  • STS tokens: /revoke-tokens/{userProvider}
  • Notifications: /list-notification-targets

Refer to the mc admin reference for the corresponding CLI command of each endpoint.

STS API

Base path: / (POST requests with form-encoded body)

Port: Default 9000.

The Security Token Service (STS) endpoint issues temporary credentials. Clients submit a POST request with an Action parameter identifying the credential exchange type.

Supported actions:

  • AssumeRole - Trade long-term credentials for temporary ones
  • AssumeRoleWithWebIdentity - Web identity federation (OIDC)
  • AssumeRoleWithClientGrants - OAuth2 client credentials
  • AssumeRoleWithLDAPIdentity - LDAP username and password
  • AssumeRoleWithCertificate - Client X.509 certificate
  • AssumeRoleWithCustomToken - External token authorization

See Security Token Service for configuration and usage.

KMS API

Base path: /minio/kms/v1/

Port: Default 9000.

Authentication: AWS Signature Version 4 with admin policy.

Key management operations for Server-Side Encryption (SSE-KMS).

  • POST /enable - Enable KMS integration
  • GET /status - KMS status
  • GET /metrics - KMS metrics
  • GET /version - KMS version
  • POST /key/create - Create a KMS key (?key-id=)
  • POST /key/rotate - Rotate a key (?key-id=)
  • GET /key/list - List KMS keys
  • GET /key/status - Key status

KMS operations are typically invoked through mc admin kms key.

Health probes

Base path: /minio/health/

Port: Default 9000.

Authentication: None. All health endpoints are unauthenticated and expose only HTTP status codes.

Endpoint Purpose
GET /minio/health/live Liveness probe. 200 OK if the server process is running.
GET /minio/health/ready Readiness probe. 200 OK if the server is ready to serve requests.
GET /minio/health/cluster Write quorum readiness. 200 OK if the cluster can accept writes.
GET /minio/health/cluster/read Read quorum readiness. 200 OK if the cluster can serve reads.
GET /minio/health/cluster?maintenance=true Safe-to-drain check. Returns 412 Precondition Failed if draining this node would break quorum.

See Healthcheck Probes for full details and response codes.

Prometheus metrics

Base paths:

  • /minio/v2/metrics/ (v2, legacy)
  • /minio/metrics/v3/ (v3, current)

Port: Default 9000.

Authentication: Controlled by MINIO_PROMETHEUS_AUTH_TYPE:

  • jwt (default): Requires a bearer token obtained through mc admin prometheus generate
  • public: No authentication, suitable for internal networks only

v2 endpoints:

  • /minio/v2/metrics/cluster
  • /minio/v2/metrics/node
  • /minio/v2/metrics/bucket
  • /minio/v2/metrics/resource

v3 endpoints are organized hierarchically under /minio/metrics/v3/ (for example /minio/metrics/v3/system/process, /minio/metrics/v3/api/requests).

See Metrics and Alerts for the complete metrics catalog.

Iceberg REST catalog (AIStor Tables)

Base path: /_iceberg/v1/

Port: Default 9000.

Authentication: AWS Signature Version 4.

Apache Iceberg REST catalog endpoints for AIStor Tables warehouse management: /warehouses, /namespaces, /tables, /views, and related catalog operations.

See AIStor Tables for configuration.

Delta Sharing

Base path: /minio/admin/v4/delta-sharing/

Port: Default 9000.

Authentication: AWS Signature Version 4 with admin policy.

Administrative endpoints for creating and managing Delta Sharing shares and access tokens: /shares, /shares/{share}, /shares/{share}/tokens, /tokens/{tokenId}.

See Delta Sharing for configuration.

Console Web UI

Base paths: /api/v1/, /api/v2/

Port: Separate port from the S3 API. By default the server selects a dynamic port at startup. Use --console-address to pin a fixed port.

Authentication: Session cookie issued after login.

The Console Web UI is a separate HTTP service on its own port. The browser loads static assets and issues API calls to /api/v1/ and /api/v2/ endpoints, and establishes WebSocket connections for interactive features (object browser, trace viewer, log viewer).

Notable WebSocket endpoints:

  • /api/v2/objectManager - Object browser live view
  • /api/v2/trace - Interactive HTTP trace stream
  • /api/v2/log - Live log stream
Reverse proxy and WebSocket configuration

When the Console Web UI is served behind a reverse proxy (HAProxy, NGINX, ingress):

  1. Set MINIO_BROWSER_REDIRECT_URL on every MinIO server node to the external URL the browser sees:

    MINIO_BROWSER_REDIRECT_URL=https://console.example.net
    

    Without this, the console rejects WebSocket upgrade requests with HTTP 403 due to origin validation mismatch.

  2. Configure the proxy to forward WebSocket upgrades and apply a long tunnel timeout. For HAProxy, add timeout tunnel 1h to the console backend. Without it, WebSocket connections are killed after the regular HTTP timeout and the UI shows repeated disconnects.

  3. Route the S3 API and Console on separate frontends or paths: they are served on separate ports on the server side, so the proxy configuration should reflect that separation.

Internal peer-to-peer endpoints

The following endpoints are used for node-to-node communication within a distributed deployment. They are authenticated with internal tokens and (when TLS is enabled) mTLS.

These endpoints must never be exposed to external networks or through a public load balancer.

  • /minio/peer/ - Inter-node operations: metadata, metrics, healing coordination
  • /minio/storage/ - Inter-node storage operations (erasure read/write)
  • /minio/lock/ - Distributed lock manager
  • /minio/grid/ - Internal binary RPC transport
  • /minio/bootstrap/ - Cluster bootstrap and initial formation

In a Kubernetes deployment the AIStor Operator configures a headless Service for inter-node traffic and a separate LoadBalancer or ClusterIP Service for client traffic, so this separation is handled automatically. In bare-metal deployments behind a load balancer, restrict the proxy configuration to the public endpoints listed above and do not route requests matching any of the peer path prefixes.