Security enhancements to IP Vault and new Gemini 3.1 Flash Live STS model for Convo mode
API Documentation
Runtime API
Administrator API
curl --request POST \
--url https://pria.praxislxp.com/api/agents/workspace/ticket \
--header 'Content-Type: application/json' \
--header 'x-access-token: <api-key>' \
--data '
{
"workspaceId": "pria-ws-7a3f9"
}
'{
"success": true,
"workspaceId": "<string>",
"vncUrl": "wss://pria.praxislxp.com/api/agents/workspace/vnc/pria-ws-7a3f9?ticket=eyJhbGciOi...",
"vncPassword": "<string>",
"expiresInSec": 60
}Issue a short-lived ticket for the caller's KasmVNC desktop
Mints a single-use, 60-second JWT ticket the browser uses to open a
WebSocket to the in-band desktop proxy at
/api/agents/workspace/vnc/<workspaceId>. The endpoint enforces:
- Sec-Fetch-Site: same-origin only — cross-site invocation is rejected.
- Per-user rate limiting via
createWorkspaceTicketLimiter()(keyed onreq.user._id; IP only as fallback for unauthenticated requests). - Ownership: the workspace must belong to the caller and be in
status: 'ready'.
The returned vncPassword is the RFB-protocol password KasmVNC requires
during the WebSocket handshake (separate from the HTTP Basic auth the
proxy applies server-side). Both the ticket and the password are
short-lived; obtain a fresh pair for each desktop session.
This route is not super-only — it is mounted under
/api/agents/workspace ahead of the super gate that fronts the rest
of /api/agents/*.
curl --request POST \
--url https://pria.praxislxp.com/api/agents/workspace/ticket \
--header 'Content-Type: application/json' \
--header 'x-access-token: <api-key>' \
--data '
{
"workspaceId": "pria-ws-7a3f9"
}
'{
"success": true,
"workspaceId": "<string>",
"vncUrl": "wss://pria.praxislxp.com/api/agents/workspace/vnc/pria-ws-7a3f9?ticket=eyJhbGciOi...",
"vncPassword": "<string>",
"expiresInSec": 60
}Documentation Index
Fetch the complete documentation index at: https://docs.praxis-ai.com/llms.txt
Use this file to discover all available pages before exploring further.
Authorizations
JWT token passed in x-access-token header
Body
Caller's own workspace runtime id (matches
agent.workspace.runtime.workspaceId returned by
GET /api/agents/workspace/me). The endpoint only issues
tickets for a workspace owned by req.user._id and in
status: 'ready'.
"pria-ws-7a3f9"
Response
Ticket issued.
true
Echo of the validated workspace id.
Fully-qualified WebSocket URL (ws:// or wss://, matching the
current request scheme) that the browser opens to reach the
KasmVNC desktop. Includes the single-use ticket query param.
"wss://pria.praxislxp.com/api/agents/workspace/vnc/pria-ws-7a3f9?ticket=eyJhbGciOi..."
RFB-protocol password required by KasmVNC during the WebSocket handshake. This is in addition to the HTTP Basic auth handled server-side by the proxy. The browser never persists it — single use per RFB handshake for the lifetime of the ticket.
Ticket TTL in seconds (currently fixed at 60).
60
Was this page helpful?