HTTP API
The dashboard exposes a small HTTP API. Most data endpoints return HTML fragments (consumed by the
page's own JavaScript); a handful return JSON, and two return CSV. For programmatic control, prefer the
MCP server — it's the supported automation surface.
Auth & CSRF
- Every request requires a logged-in session except the public paths
/login,
/signup, /logout, /healthz. Sessions are cookie-based (SameSite=Lax,
12-hour lifetime).
- State-changing requests (POST/PUT/PATCH/DELETE) must carry the session CSRF token — as the form field
_csrf or the header X-CSRF-Token — except the public paths. GET never needs
CSRF.
- A viewer-role user is blocked from all state-changing methods (except logout/profile).
Streaming (Server-Sent Events)
| Endpoint | Params | Stream |
GET /api/predict_stream | symbol | event: stage
progress markers (JSON string labels), then event: done carrying the final result HTML
fragment. |
GET /api/daytrade_stream | — | event: card one HTML card per
watchlist symbol as scanned, then event: done. |
HTML-fragment endpoints (GET, return HTML snippets)
| Endpoint | Params | Returns |
GET /api/predict | symbol | one-shot forecast fragment (no-SSE
fallback) |
GET /api/daytrade | — | the whole day-trade scan (fallback) |
GET /api/backtest | symbol, back (e.g.
2d/1w/3w) | a hindcast chart/panel |
GET /api/wheel | symbol | wheel recommendation panel |
GET /api/pmcc | symbol | PMCC diagonal analysis panel |
GET /api/wheel_council, GET /api/pmcc_council | symbol
| just the Roundtable panel (loaded async) |
JSON endpoints
| Endpoint | Params | Returns |
GET /quote | symbol | {"symbol","price"} (or
{"symbol","error"}) |
POST /gen_mcp_token CSRF | — |
{"token": "trdc_…"} — a fresh MCP token, shown once |
POST /provider_models CSRF | base_url,
key_env, protocol | {"ok","models","error"} (SSRF-guarded) |
POST /test_council_member CSRF | base_url,
name, key_env, api_key, protocol, model | {"ok","detail"} |
CSV exports (GET, attachment)
| Endpoint | Params | Columns |
GET /pnl.csv | period (day/week/month/year) | period,
trades, wins, losses, win_rate_pct, gross_win, gross_loss, net_pnl |
GET /pnl_trades.csv | — | exit_ts_utc, entry_ts_utc, symbol,
instrument, side, qty, entry_price, exit_price, pnl_dollars, pnl_pct, exit_reason, source,
rationale |
Utility
GET /healthz — public; returns plain text ok.
GET /refresh?next=/ — clears the order-status & account-value caches, then redirects
(open-redirect-guarded).
POST /revoke_mcp_token CSRF — clears your MCP token.
All the other POST routes (the /set_* settings
mutators, /execute_*, /scan, admin actions) are form-driven and respond with an HTML
page or a redirect — they require login + CSRF. To automate control, use the MCP server instead.