Skip to main content

Introduction

LibreChat provides a comprehensive REST API built on Express.js that powers all client-server interactions. The API follows RESTful principles and supports multiple authentication methods for flexible integration.

Base URL Configuration

The API server can be configured through environment variables: 
PORT=3080              # Default: 3080, use PORT=0 for automatic assignment
HOST=localhost         # Default: localhost
DOMAIN_CLIENT=http://localhost:3090
DOMAIN_SERVER=http://localhost:3080
The default API base URL is: 
http://localhost:3080/api
When HOST=0.0.0.0, the server listens on all network interfaces but should be accessed via http://localhost:{PORT}.

API Architecture

LibreChat’s API is organized into logical route groups:

Core Routes

RoutePurposeAuthentication
/api/authAuthentication endpointsPublic/JWT
/api/userUser managementJWT Required
/api/messagesMessage operationsJWT Required
/api/convosConversation managementJWT Required
/api/presetsPreset configurationsJWT Required
/api/promptsPrompt managementJWT Required

Advanced Features

RoutePurposeAuthentication
/api/assistantsAI Assistants APIJWT Required
/api/agentsAgent systemJWT Required
/api/filesFile upload/managementJWT Required
/api/searchSearch functionalityJWT Required
/api/modelsModel configurationJWT Required
/api/endpointsEndpoint managementJWT Required

Administration

RoutePurposeAuthentication
/api/adminAdmin operationsJWT + Admin Role
/api/keysAPI key managementJWT Required
/api/api-keysAgent API keysJWT Required
/api/rolesRole managementJWT Required
/api/permissionsAccess permissionsJWT Required
/api/balanceToken balanceJWT Required

Integration & Social

RoutePurposeAuthentication
/oauthOAuth providersPublic
/api/shareShare conversationsJWT Required
/api/actionsCustom actionsJWT Required
/api/mcpMCP integrationJWT Required
/api/memoriesMemory managementJWT Required
/api/tagsTag systemJWT Required

System Routes

// Health check endpoint
GET /health
// Returns: 200 OK

// Static image serving
GET /images/:path
// Requires: Valid image token or authentication

// API 404 handler
GET /api/*
// Returns: 404 for unmatched routes

Request/Response Format

Content Type

All API requests should use JSON: 
Content-Type: application/json

Request Body Limits

app.use(express.json({ limit: '3mb' }));
app.use(express.urlencoded({ extended: true, limit: '3mb' }));
Requests exceeding 3MB will be rejected with a 413 Payload Too Large error.

Middleware Stack

The API employs several security and processing middleware:

Security Middleware

// MongoDB query sanitization
app.use(mongoSanitize());

// CORS support
app.use(cors());

// Cookie parsing
app.use(cookieParser());

// Trust proxy headers
app.set('trust proxy', 1);

Compression

Response compression is enabled by default: 
DISABLE_COMPRESSION=false  # Set to true to disable

Error Handling

The API uses a centralized error controller: 
// Error handler (must be last middleware)
app.use(ErrorController);

Standard Error Response

{
  "message": "Error description",
  "code": "ERROR_CODE",
  "status": 400
}

Common HTTP Status Codes

CodeMeaningUsage
200SuccessRequest completed successfully
201CreatedResource created successfully
400Bad RequestInvalid request parameters
401UnauthorizedMissing or invalid authentication
403ForbiddenInsufficient permissions
404Not FoundResource not found
422Unprocessable EntityValidation failed
429Too Many RequestsRate limit exceeded
500Internal Server ErrorServer-side error

Rate Limiting

LibreChat implements rate limiting on sensitive endpoints: 
// Login endpoint
router.post('/login', middleware.loginLimiter, ...);

// Registration endpoint
router.post('/register', middleware.registerLimiter, ...);

// Password reset
router.post('/requestPasswordReset', middleware.resetPasswordLimiter, ...);
Rate limits help protect against brute force attacks and abuse. Limits vary by endpoint type.

CORS Configuration

CORS is enabled for cross-origin requests: 
app.use(cors());
For production deployments, configure CORS appropriately: 
DOMAIN_CLIENT=https://your-client-domain.com
DOMAIN_SERVER=https://your-api-domain.com

Sub-Directory Deployment

LibreChat supports serving the application from a sub-directory: 
if (process.env.DOMAIN_CLIENT) {
  const clientUrl = new URL(process.env.DOMAIN_CLIENT);
  const baseHref = clientUrl.pathname.endsWith('/')
    ? clientUrl.pathname
    : `${clientUrl.pathname}/`;
  // Updates base href in index.html
}
Set DOMAIN_CLIENT=https://yourdomain.com/chat to serve from the /chat path.

Database Connection

The API connects to MongoDB on startup: 
await connectDb();
logger.info('Connected to MongoDB');

// Background index synchronization
indexSync().catch((err) => {
  logger.error('[indexSync] Background sync failed:', err);
});

Startup Sequence

The server initialization follows this sequence:
  1. Database Connection - Connect to MongoDB
  2. Database Seeding - Initialize required collections
  3. Configuration Loading - Load app configuration
  4. File Storage - Initialize file storage system
  5. Startup Checks - Validate system requirements
  6. Permissions - Update interface permissions
  7. Middleware Setup - Configure Express middleware
  8. Authentication - Initialize Passport strategies
  9. Routes Registration - Mount API routes
  10. Server Start - Listen on configured port
  11. Post-Startup Tasks - Initialize MCP, OAuth managers, migrations

Environment Variables

Key environment variables for API configuration: 
# Server Configuration
PORT=3080
HOST=localhost
TRUST_PROXY=1

# Domains
DOMAIN_CLIENT=http://localhost:3090
DOMAIN_SERVER=http://localhost:3080

# Features
ALLOW_SOCIAL_LOGIN=true
DISABLE_COMPRESSION=false
CONTINUE_ON_UNCAUGHT_EXCEPTION=false

# Authentication
JWT_SECRET=your-secret-key
JWT_REFRESH_SECRET=your-refresh-secret
SESSION_EXPIRY=900000        # 15 minutes in ms
REFRESH_TOKEN_EXPIRY=604800000 # 7 days in ms

# Email
ALLOW_UNVERIFIED_EMAIL_LOGIN=false

# Monitoring
MEM_DIAG=false

Next Steps