Skip to main content

Overview

When server.admin: true is set, Proxy Hopper starts a second HTTP server on port 8081 (configurable). This server exposes:
EndpointAuth requiredDescription
GET /healthNoLiveness check — always returns {"status": "ok"}
POST /auth/loginNoExchange admin credentials for a JWT
GET /api/v1/statusReadCurrent target list and server state
GET /graphqlReadGraphQL playground (browser UI)
POST /graphqlRead / WriteGraphQL API
The GraphQL API lets you query and mutate targets, IP pools, and providers at runtime — without restarting the server and without editing the config file.

Enabling the admin server

server:
  admin: true
  adminPort: 8081        # default — omit to accept the default
Or via environment variable: 
PROXY_HOPPER_ADMIN=true
PROXY_HOPPER_ADMIN_PORT=8081
The admin server runs on 0.0.0.0 by default. In production, restrict access at the network level — bind it to an internal interface or place it behind a firewall/ingress that only your operations tooling can reach.

Authentication

If auth.enabled: true is set, every request to protected endpoints must include an Authorization: Bearer <token> header. The token can be:
  • A JWT obtained from POST /auth/login (requires auth.admin to be configured)
  • An API key declared in auth.apiKeys
  • An OIDC token (when auth.oidc is configured)
The /health endpoint is always public. When auth is disabled, all endpoints are accessible without credentials. This is acceptable for internal-only deployments where the admin port is not exposed outside your network.

Obtaining a JWT

curl -X POST http://localhost:8081/auth/login \
  -d "username=admin&password=mypassword"
Returns: 
{
  "access_token": "eyJ...",
  "token_type": "bearer"
}
Pass the token in subsequent requests: 
curl -H "Authorization: Bearer eyJ..." \
     http://localhost:8081/api/v1/status

GraphQL playground

With the admin server running, open http://localhost:8081/graphql in a browser to access the interactive GraphQL playground. You can explore the schema, run queries, and test mutations directly from the browser. If auth is enabled, add your token via the playground’s “Headers” panel: 
{
  "Authorization": "Bearer eyJ..."
}
See GraphQL API for the full query and mutation reference.

Ports summary

PortPurposeConfig keyEnv var
8080Proxy (client traffic)server.portPROXY_HOPPER_PORT
8081Admin serverserver.adminPortPROXY_HOPPER_ADMIN_PORT
9090Prometheus metricsserver.metricsPortPROXY_HOPPER_METRICS_PORT