Reference guide

API Documentation

Everything needed to call FunCall from Power Automate, scripts, or internal tools: authentication, request shapes, function parameters, response envelopes, admin flows, and troubleshooting.

Quick start

  1. Open /tokens, sign in with the configured admin account, and create a token with function:run.
  2. Call POST /api/v1/run with header Authorization: Bearer <token>.
  3. Put the function id in function and the function parameters in input.
{
  "function": "regex.replace",
  "input": {
    "input": "Order 123 ships on 2026-06-22",
    "pattern": "\\d+",
    "flags": "g",
    "replacement": "#"
  }
}

Authentication

Runtime calls

Function execution requires an HTTP header named Authorization with value Bearer <token>. The token needs the function:run scope.

Browser admin session

The /tokens page uses the login session cookie. Configure ADMIN_USERNAME, ADMIN_PASSWORD, and SESSION_SECRET before browser login is available.

Bootstrap admin key

Initial admin automation can use header x-bootstrap-admin-key with the value from BOOTSTRAP_ADMIN_KEY. Use it only to create the first scoped admin token or recover access.

Admin bearer scopes

admin:tokens manages tokens. admin:functions reads admin function state. Function runners should use only function:run.

Endpoint reference

Public and discovery

MethodPathAuthUse
GET/api/healthNo authService readiness check.
GET/api/v1/functionsNo authList callable functions and their input schemas.

Function execution

MethodPathAuthUse
POST/api/v1/runBearer function:runGeneric runner. Body includes function and input.
POST/api/v1/regex/matchBearer function:runConvenience endpoint for regex.match.
POST/api/v1/regex/replaceBearer function:runConvenience endpoint for regex.replace.
POST/api/v1/regex/extractBearer function:runConvenience endpoint for regex.extract.

Browser admin session

MethodPathAuthUse
POST/api/v1/auth/loginAdmin username/passwordCreates the browser session cookie used by /tokens.
POST/api/v1/auth/logoutSession cookieClears the browser session cookie.
GET/api/v1/auth/meSession cookieReports whether the browser session is authenticated.

Admin APIs

MethodPathAuthUse
GET/api/v1/admin/tokensSession, bootstrap, or admin:tokensList token metadata. Plaintext tokens are never returned.
POST/api/v1/admin/tokensSession, bootstrap, or admin:tokensCreate a token. Plaintext token is returned once.
DELETE/api/v1/admin/tokens/:idSession, bootstrap, or admin:tokensDelete a token by id.
GET/api/v1/admin/functionsSession, bootstrap, or admin:functionsList functions through the admin authorization path.

Generic function runner

POST /api/v1/run is the stable contract for all callable functions. Use it when the caller can send a nested JSON object.

Request body

{
  "function": "regex.replace",
  "input": {
    "input": "Order 123 ships on 2026-06-22",
    "pattern": "\\d+",
    "flags": "g",
    "replacement": "#"
  }
}

Success response

{
  "ok": true,
  "data": {
    "result": "Order # ships on #-#-#",
    "count": 4
  },
  "meta": {
    "function": "regex.replace"
  }
}

The function field must be a registered id such asregex.replace. The input object is passed directly to that function and must match its schema.

Regex functions

Regex functions use JavaScript regular expression syntax. pattern is required for all regex functions, flags is optional, and input is the text to inspect.

regex

regex.match

Check whether text matches a regular expression and return matches.

Input schema

{
  "type": "object",
  "required": [
    "input",
    "pattern"
  ],
  "properties": {
    "input": {
      "type": "string"
    },
    "pattern": {
      "type": "string"
    },
    "flags": {
      "type": "string"
    }
  }
}
regex

regex.replace

Replace regular expression matches in text.

Input schema

{
  "type": "object",
  "required": [
    "input",
    "pattern",
    "replacement"
  ],
  "properties": {
    "input": {
      "type": "string"
    },
    "pattern": {
      "type": "string"
    },
    "flags": {
      "type": "string"
    },
    "replacement": {
      "type": "string"
    }
  }
}
regex

regex.extract

Extract numbered and named captures from text.

Input schema

{
  "type": "object",
  "required": [
    "input",
    "pattern"
  ],
  "properties": {
    "input": {
      "type": "string"
    },
    "pattern": {
      "type": "string"
    },
    "flags": {
      "type": "string"
    }
  }
}

regex.match

Returns matched and a matches array. Without g, only the first match is returned. Withg, all matches are returned.

regex.replace

Requires replacement. Returns result and count. Without g, JavaScript replaces only the first match.

replacement is the text written back for each match. Use a literal value like X, an empty string to delete matches, or JavaScript replacement tokens:$1 for the first capture group, $& for the full match, $<name> for a named group, and $$ for a literal dollar sign.

regex.extract

Returns captures. Each item includes match, positional groups, and namedGroups for patterns like (?<id>\d+).

Convenience endpoints

POST /api/v1/regex/match, POST /api/v1/regex/replace, and POST /api/v1/regex/extract accept the function input directly. They are useful for tools that prefer a flat body instead of the generic runner wrapper.

{
  "input": "abc123",
  "pattern": "\\d+",
  "replacement": "X"
}

Token admin

Tokens are created by POST /api/v1/admin/tokens. The response returns the plaintext token, and newly created token records keep that plaintext value visible in later token lists. Token hashes stay hidden from API responses.

Create body

{
  "name": "Power Automate Flow",
  "scopes": [
    "function:run"
  ]
}

Scope selection

  • function:run for Power Automate and runtime API callers.
  • admin:tokens for token automation.
  • admin:functions for admin function reads.

Power Automate setup

  1. Add an HTTP action.
  2. Set Method to POST.
  3. Set URI to {baseUrl}/api/v1/run or one of the regex convenience endpoints.
  4. Add header Content-Type with value application/json.
  5. Add header Authorization with value Bearer <token>.
  6. Paste the JSON request body and map dynamic values.

If a Flow receives UNAUTHORIZED, check for the exactBearer prefix, extra spaces, copied placeholder brackets, disabled tokens, or missing function:run.

Response envelope and errors

Success responses use { ok: true, data, meta? }. Failures use { ok: false, error, status }.

{
  "ok": false,
  "error": {
    "code": "INVALID_REGEX",
    "message": "Invalid regular expression"
  },
  "status": 400
}
CodeMeaning
INVALID_JSONRequest body is missing, not an object, or invalid JSON.
INVALID_INPUTA required field is missing or has the wrong type.
INVALID_REGEXThe pattern or flags cannot create a JavaScript RegExp.
UNAUTHORIZEDBearer token is missing, invalid, disabled, or expired.
FORBIDDENToken is valid but lacks the required scope.
FUNCTION_NOT_FOUNDThe requested function id is not registered.
FUNCTION_DISABLEDThe function exists but is disabled.
TOKEN_NOT_FOUNDThe admin token delete target does not exist.
AUTH_NOT_CONFIGUREDAdmin username, password, or session secret is absent.

FAQ and troubleshooting

Which endpoint should I use?

Use /api/v1/run for a consistent long-term contract. Use regex convenience endpoints when the caller benefits from a flatter body.

Why did replace change only one match?

Add g to flags. JavaScript regex replacement changes only the first match without the global flag.

Can I expose admin scopes to a Flow?

Avoid it. Most Flows need only function:run. Keep admin scopes for operational tooling and recovery.

How do I discover available parameters?

Use GET /api/v1/functions or this page. The function list includes the same input schema shown here.

Why is an older token not visible?

Tokens created before visible token storage kept only a hash. Hashes cannot be reversed, so create a replacement token if an older plaintext value is missing.