Skip to content

The Hoody Code orchestrator exposes the embedded VS Code interface, manages password-based session authentication, proxies HTTP and WebSocket traffic to local ports, and serves static metadata files (PWA manifest, robots.txt, security policy). Use these endpoints to embed the editor in your own UI, automate sign-in flows, or reverse-proxy local development servers through Hoody.

Returns the standard robots.txt file for the editor deployment. Use this to control search engine indexing.

Terminal window
curl https://code.example.com/robots.txt

Response 200 — The robots file is returned as text/plain:

User-agent: *
Disallow: /

Returns the security.txt file for vulnerability disclosure. Also served at /.well-known/security.txt.

Terminal window
curl https://code.example.com/security.txt

Response 200 — The security policy file is returned as text/plain:

Contact: mailto:security@hoody.com
Expires: 2025-12-31T23:59:59z
Preferred-Languages: en

Serves injected JavaScript files from the extra/injected/ directory. These scripts run automatically on every page when the --hoody-code flag is enabled. The same files are also available under /vscode/hoody-code/injected/{script}.

NameInTypeRequiredDescription
scriptpathstringYesScript filename
Terminal window
curl https://code.example.com/hoody-code/injected/branding.js

Returns the JavaScript file with Content-Type: application/javascript.

Serves static files from the editor’s build directory, including the compiled JavaScript and CSS bundles, icons, images, and the service worker.

In production, files are served with long-lived Cache-Control headers keyed to the current git commit. In development, caching is disabled.

The service worker at /_static/out/browser/serviceWorker.js is served with the special header Service-Worker-Allowed: / so it can register at the root scope.

NameInTypeRequiredDescription
pathpathstringYesPath to static file
Terminal window
curl https://code.example.com/_static/out/browser/workbench.html

Returns the file content. Service-worker files include Service-Worker-Allowed: /.

Returns the Progressive Web App manifest for installing Hoody Code. Configure the app name with the --app-name flag.

This endpoint takes no parameters.

Terminal window
curl https://code.example.com/api/v1/code/manifest.json

Response 200 — The manifest is returned as application/manifest+json:

{
"name": "hoody-code",
"short_name": "hoody-code",
"start_url": ".",
"display": "fullscreen",
"display_override": ["window-controls-overlay"],
"description": "Run Code on a remote server.",
"icons": [
{
"src": "/_static/out/browser/media/icon-192.png",
"type": "image/png",
"sizes": "192x192",
"purpose": "any"
},
{
"src": "/_static/out/browser/media/icon-512.png",
"type": "image/png",
"sizes": "512x512",
"purpose": "maskable"
}
]
}

Returns the main VS Code web interface.

If authentication is enabled and the user is not logged in, the request is redirected to /login with the original URL preserved. Sessions are managed via cookies.

If neither folder nor workspace is provided, the last opened folder (or the value passed on the CLI) is used. Query parameters are persisted to settings for the next session. Both plain folders and .code-workspace files are supported.

Pass ?extension=PUBLISHER.NAME to hide the file explorer and focus the UI on a single extension. This is ideal for embedding extensions as standalone web apps (for example, ms-toolsai.jupyter for notebooks or ms-azuretools.vscode-docker for container management).

NameInTypeRequiredDescription
folderquerystringNoAbsolute path to a folder to open. Takes precedence over workspace.
workspacequerystringNoAbsolute path to a .code-workspace file. Used when folder is not provided.
extensionquerystringNoExtension ID in PUBLISHER.NAME format. Opens in extension-only mode, hiding the file explorer.
ewquerybooleanNoEmpty Window flag. When present, clears the last opened folder or workspace from settings.
localequerystringNoIETF language tag for the UI (e.g. en, fr, de, zh-CN).
Terminal window
curl "https://code.example.com/api/v1/code?folder=/home/user/projects/hoody&locale=en" \
-b "session=$HOODY_SESSION"

Returns the VS Code HTML page with Content-Type: text/html; charset=utf-8. A Content-Security-Policy header is included and is updated automatically when --external-js or --external-css is configured.

<!DOCTYPE html>
<html lang="en">
<head>
<title>VS Code</title>
<meta charset="utf-8">
</head>
<body>
<div data-hoody-loader>
<div class="hdyldr-spinner"></div>
<div class="hdyldr-changing-text">Loading…</div>
</div>
</body>
</html>

Generates or retrieves the server’s web key half used by VS Code for secure communications. The key is 256 bits (32 bytes) and is generated once on first use, then reused across restarts. It is stored at user-data-dir/serve-web-key-half.

This endpoint takes no parameters.

Terminal window
curl -X POST https://code.example.com/api/v1/code/mint-key

Response 200 — Returns the raw 32-byte key with Content-Type: application/octet-stream. The body is binary and must be treated as a key, not text.

Password-based authentication is only available when the server was started with a password source (--password or --hashed-password).

Returns the login page HTML. If the user is already authenticated, the request is redirected to the target URL.

NameInTypeRequiredDescription
toquerystringNoURL to redirect to after successful login. Default: "/".
Terminal window
curl https://code.example.com/api/v1/code/login?to=/projects/hoody

Returns the login form HTML with Content-Type: text/html.

Submits credentials to authenticate the user. On success, a session cookie is set and the user is redirected. On failure, the login page is returned with an inline error message.

Login attempts are rate limited: 2 attempts per minute and 12 attempts per hour. Exceeding these limits returns a RATE_LIMITED error.

Passwords configured with --hashed-password are verified with argon2. Passwords configured with --password are verified against a SHA-256 hash. Failed attempts are logged with the source IP and User-Agent.

NameInTypeRequiredDescription
toquerystringNoURL to redirect to after successful login

application/x-www-form-urlencoded form data:

NameTypeRequiredDescription
passwordstringYesPassword to authenticate with.
Terminal window
curl -X POST "https://code.example.com/api/v1/code/login?to=/projects/hoody" \
-d "password=yourPassword"

Returned when authentication fails. The body is the login page HTML with an inline error.

<!DOCTYPE html>
<html>
<head><title>Sign in</title></head>
<body>
<form method="POST">
<p class="error">Invalid password</p>
<input type="password" name="password" />
</form>
</body>
</html>
Error CodeTitleDescriptionResolution
INVALID_PASSWORDInvalid passwordThe password provided is incorrectCheck your password and try again
RATE_LIMITEDToo many login attemptsRate limit exceeded (2 attempts/min or 12 attempts/hour)Wait a few minutes before trying again

Clears the session cookie and redirects to the home page. Only available when authentication is enabled.

This endpoint takes no parameters.

Terminal window
curl https://code.example.com/api/v1/code/logout

Response 302 — Returned on success. The Location header is /, and Set-Cookie clears the session cookie by setting it to an expired date.

Hoody Code can forward HTTP and WebSocket traffic to local ports so that web apps running on the host (dev servers, dashboards, custom tools) are reachable through the editor URL.

  • /proxy/:port/* strips the proxy prefix before forwarding.
  • /absproxy/:port/* keeps the full path including /absproxy/:port/. Use this when the proxied app needs to know it is running under a subpath. The base path can be customized with --abs-proxy-base-path.

Both endpoints require authentication unless --skip-auth-preflight is set for OPTIONS requests. WebSocket upgrades are supported.

Proxies the request to an HTTP service on a local port, stripping /proxy/:port from the path. For example, /api/v1/code/proxy/3000/api/users is forwarded to http://localhost:3000/api/users.

NameInTypeRequiredDescription
portpathintegerYesLocal port to proxy to
pathpathstringYesPath to append to the proxied request
Terminal window
curl https://code.example.com/api/v1/code/proxy/3000/api/users \
-b "session=$HOODY_SESSION"

Returns the proxied response from the target service. The body, headers, and status code are passed through unchanged.

Like /proxy/:port/*, but preserves the full path including /absproxy/:port/. The target app must be configured to serve from this base path.

NameInTypeRequiredDescription
portpathintegerYesLocal port to proxy to
pathpathstringYesPath (preserved in forwarded request)
Terminal window
curl https://code.example.com/api/v1/code/absproxy/8080/dashboard \
-b "session=$HOODY_SESSION"

Returns the proxied response from the target service. The body, headers, and status code are passed through unchanged.