HTTP API

The dashboard exposes a small HTTP API. Most data endpoints return HTML fragments (consumed by the page's own JavaScript); a handful return JSON, and two return CSV. For programmatic control, prefer the MCP server — it's the supported automation surface.

Auth & CSRF

  • Every request requires a logged-in session except the public paths /login, /signup, /logout, /healthz. Sessions are cookie-based (SameSite=Lax, 12-hour lifetime).
  • State-changing requests (POST/PUT/PATCH/DELETE) must carry the session CSRF token — as the form field _csrf or the header X-CSRF-Token — except the public paths. GET never needs CSRF.
  • A viewer-role user is blocked from all state-changing methods (except logout/profile).

Streaming (Server-Sent Events)

EndpointParamsStream
GET /api/predict_streamsymbolevent: stage progress markers (JSON string labels), then event: done carrying the final result HTML fragment.
GET /api/daytrade_streamevent: card one HTML card per watchlist symbol as scanned, then event: done.

HTML-fragment endpoints (GET, return HTML snippets)

EndpointParamsReturns
GET /api/predictsymbolone-shot forecast fragment (no-SSE fallback)
GET /api/daytradethe whole day-trade scan (fallback)
GET /api/backtestsymbol, back (e.g. 2d/1w/3w)a hindcast chart/panel
GET /api/wheelsymbolwheel recommendation panel
GET /api/pmccsymbolPMCC diagonal analysis panel
GET /api/wheel_council, GET /api/pmcc_councilsymbol just the Roundtable panel (loaded async)

JSON endpoints

EndpointParamsReturns
GET /quotesymbol{"symbol","price"} (or {"symbol","error"})
POST /gen_mcp_token CSRF {"token": "trdc_…"} — a fresh MCP token, shown once
POST /provider_models CSRFbase_url, key_env, protocol{"ok","models","error"} (SSRF-guarded)
POST /test_council_member CSRFbase_url, name, key_env, api_key, protocol, model{"ok","detail"}

CSV exports (GET, attachment)

EndpointParamsColumns
GET /pnl.csvperiod (day/week/month/year)period, trades, wins, losses, win_rate_pct, gross_win, gross_loss, net_pnl
GET /pnl_trades.csvexit_ts_utc, entry_ts_utc, symbol, instrument, side, qty, entry_price, exit_price, pnl_dollars, pnl_pct, exit_reason, source, rationale

Utility

  • GET /healthz — public; returns plain text ok.
  • GET /refresh?next=/ — clears the order-status & account-value caches, then redirects (open-redirect-guarded).
  • POST /revoke_mcp_token CSRF — clears your MCP token.

All the other POST routes (the /set_* settings mutators, /execute_*, /scan, admin actions) are form-driven and respond with an HTML page or a redirect — they require login + CSRF. To automate control, use the MCP server instead.