HTTP API Reference
Built-in endpoints on every Resuma and Flow app. Flow also serves /robots.txt and /sitemap.xml.
Runtime assets
| Method | Path | Description |
|---|---|---|
| GET | /_resuma/loader.js | Event bootstrap (~1-2 KB gzipped). First script on interactive pages. |
| GET | /_resuma/core.js | Resumability core, lazy-loaded on first interaction. |
| GET | /_resuma/runtime.js | Legacy combined loader and core. |
| GET | /_resuma/benchmark.json | Bundle metrics. Hidden in production mode. |
Server actions
| Method | Path | Description |
|---|---|---|
| POST | /_resuma/action/:name | #[server] RPC. JSON body with args array. CSRF required. |
Action request example
```http
POST /_resuma/action/add_todo
Content-Type: application/json
X-Resuma-CSRF: <token>

{"args": ["Buy milk"]}
```
Action response shape
```
// 200 OK
{"ok": true, "value": [...], "error": null}

// 401 / 403 / 429 / 422
{"ok": false, "value": null, "error": "Forbidden"}
```
Form submits (Flow only)
| Method | Path | Description |
|---|---|---|
| POST | /_resuma/submit/:name | #[submit] handler. Form or JSON. CSRF required. |
See Flow endpoints.
Lazy chunks
| Method | Path | Description |
|---|---|---|
| GET | /_resuma/handler/:chunk | Handler JS, lazy on first event |
| GET | /_resuma/island/:chunk | Island bundle for #[island] |
SEO routes (Flow only)
| Method | Path | Description |
|---|---|---|
| GET | /robots.txt | Crawler rules and sitemap link |
| GET | /sitemap.xml | XML sitemap from Flow SEO config |
Security headers
Applied by default. Configure via SecurityConfig.
- CSP with per-request nonce on HTML pages
- Strict-Transport-Security when HTTPS is detected
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Rate limiting on POST actions and submits
CSRF
SSR embeds csrf_token in the resuma state script and sets the __resuma-csrf cookie. Send header X-Resuma-CSRF on mutations (automatic in client runtime).
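For callers that do not use the client runtime (integration tests, custom scripts), the action request, the CSRF header and the response envelope described above fit together as in this added example, which is not Resuma's own client code. The names `buildActionRequest`, `callAction` and `ActionError` are hypothetical, and the token is assumed to be supplied by the caller, for instance the `csrf_token` value read from the SSR state script.

```javascript
// Added example, not Resuma's own client runtime.
// Assumption: the caller already holds the CSRF token and passes it in.

class ActionError extends Error {
  constructor(status, message) {
    super(message);
    this.name = "ActionError";
    this.status = status; // 401 / 403 / 429 / 422 per the response shape
  }
}

// Build the request as the reference describes it: POST, JSON body with an
// args array, and the X-Resuma-CSRF header. Refuse to build it without a token.
function buildActionRequest(name, args, csrfToken) {
  if (!csrfToken) throw new Error("missing CSRF token");
  if (!Array.isArray(args)) throw new TypeError("args must be an array");
  return {
    url: "/_resuma/action/" + encodeURIComponent(name),
    init: {
      method: "POST",
      credentials: "same-origin", // include the __resuma-csrf cookie set by SSR
      headers: {
        "Content-Type": "application/json",
        "X-Resuma-CSRF": csrfToken,
      },
      body: JSON.stringify({ args }),
    },
  };
}

// Send the action and unwrap the {ok, value, error} envelope.
// fetchImpl is injectable so the function can be exercised offline.
async function callAction(name, args, csrfToken, fetchImpl = fetch) {
  const { url, init } = buildActionRequest(name, args, csrfToken);
  const res = await fetchImpl(url, init);
  let body = null;
  try {
    body = await res.json();
  } catch (_) {
    // Non-JSON body (such as a proxy error page): report the status below.
  }
  if (!res.ok || !body || body.ok !== true) {
    const msg = body && typeof body.error === "string" ? body.error : "HTTP " + res.status;
    throw new ActionError(res.status, msg);
  }
  return body.value;
}
```

A rejected call surfaces as an `ActionError` whose `status` distinguishes a CSRF or authorization failure (401/403) from rate limiting (429), so callers can decide whether to refresh the token or back off.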