These endpoints pass caller requests through to an upstream data source. They exist to:
- Hide upstream API keys server-side
- Work around CORS
- Add caching + per-IP rate limiting
- Normalize response shapes
Most proxies are intended for our own dashboard and are lightly gated. They are not part of the public API contract and may change or be removed without notice. Prefer the domain RPC services (/api/<domain>/v1/*) for stable integrations.
Raw-data passthroughs
| Endpoint | Upstream | Purpose |
|---|
GET /api/opensky | OpenSky Network | Live ADS-B state vectors. Used by the flights layer. |
GET /api/polymarket | Polymarket gamma-api | Active event contracts. |
GET /api/gpsjam | gpsjam.org | GPS interference hotspot reports. |
GET /api/oref-alerts | OREF (Israel Home Front Command) | Tzeva Adom rocket alert mirror. |
GET /api/supply-chain/hormuz-tracker | Internal AIS + registry | Real-time Hormuz transit dashboard data. |
- Respect the origin CORS allowlist.
- Apply per-IP rate limits via
_ip-rate-limit.js (~ 60 req/min/IP default).
- Cache aggressively (
s-maxage varies by upstream).
Content proxies
Fetches an RSS/Atom feed and returns the parsed JSON. The URL must match one of the patterns in _rss-allowed-domains.js — arbitrary URLs are refused to prevent SSRF.
Skills registry
GET /api/skills/fetch-agentskills
Returns the catalog of “skills” (agent capabilities) the WorldMonitor chat analyst can invoke. Used internally by chat-analyst.ts and the widget agent.
Legacy / internal
POST /api/fwdstart
Forward-starting scenario helper used by the desktop app during first-run. Internal.
GET /api/mcp-proxy
Legacy MCP shim — forwards to the current MCP route. Deprecated; use /api/mcp directly. 