Registry API
Everything the website and the lean-ctx CLI do goes through
this API — and it is open to your tools too. The protocol itself is an open standard:
ctxpkg.org/registry.
Public endpoints
No authentication. Anonymous traffic is rate-limited per IP.
GET /api/v1/index.json Full catalog. Every package with scoped_name, latest_version, description, tags, downloads, quality score, ROI metrics, price (null = free) and verified flag.
curl -s https://ctxpkg.com/api/v1/index.json | jq '.packages[0].scoped_name'
GET /api/v1/search?q={query} Full-text search over names, descriptions and tags. Returns { count, query, results[] } with the same package shape as the catalog.
curl -s 'https://ctxpkg.com/api/v1/search?q=axum' | jq '.count'
GET /api/v1/packages/{ns}/{name}/index.json Package detail: all versions with integrity hashes and signer keys, readme, quality breakdown, ROI (source/distilled/saved tokens), price.
curl -s https://ctxpkg.com/api/v1/packages/leanctx/rust-axum-patterns/index.json | jq '.latest'
GET /api/v1/packages/{ns}/{name}/{version}/download The .ctxpkg artifact. Free packages: anonymous, rate-limited. Paid packages: 402 with a buy_url unless authenticated and entitled (ctxr_ token or session). The artifact SHA-256 is exposed via header for independent verification.
curl -sLO https://ctxpkg.com/api/v1/packages/leanctx/lean-ctx-project-context/1.0.0/download
GET /api/v1/packages/{ns}/{name}/{version}/trust The trust report — the audit document recorded when this exact version was published: schema validation, integrity recompute, signature binding and secret-scan outcome. Public for public packages, so anyone can audit any version at any time.
curl -s https://ctxpkg.com/api/v1/packages/leanctx/rust-axum-patterns/1.0.0/trust | jq '.trust_report'
GET /api/v1/badge/{ns}/{name} SVG badge with the current version — embed it in READMEs.
[](https://ctxpkg.com/@leanctx/rust-axum-patterns)
GET /api/v1/publishers/{ns}/index.json Publisher profile: namespace, verified domains, published packages.
curl -s https://ctxpkg.com/api/v1/publishers/leanctx/index.json | jq '.packages | length'
Authenticated endpoints
PUT /api/v1/packages/{ns}/{name}/{version} Publish. Body = raw .ctxpkg bytes; Authorization: Bearer ctxp_…. The server verifies scoped-name + version binding, integrity, ed25519 signature, runs the secret scan (422 on high-confidence findings, no override) and enforces immutability (409 if the version exists).
lean-ctx pack publish my-pkg.ctxpkg # uses CTXPKG_TOKEN
POST /api/v1/auth/request → GET /api/v1/auth/verify Magic-link sign-in for the web dashboard. Sessions are HttpOnly cookies; tokens for CI/CLI are minted in the account dashboard.
# browser flow — mint tokens at ctxpkg.com/account/
Tokens
ctxp_… Publish scope. Mint in your account, store as a CI secret (CTXPKG_TOKEN). Shown exactly once; only the SHA-256 digest is stored.
ctxr_… Read scope. For installing private or purchased packages from CI and scripts without a browser session.
Error semantics
| Status | Meaning |
|---|---|
| 401 | Missing/invalid token, or bad webhook signature |
| 402 | Paid package — response body carries buy_url |
| 404 | Unknown package, version or publisher |
| 409 | Version already published (immutability) |
| 422 | Publish rejected: validation failed or secret scan found high-confidence credentials |
| 429 | Rate limit (anonymous downloads, auth requests) |
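
A client-side check for the download endpoint and the status table above, as an added example (not the registry's or the lean-ctx CLI's own code): it turns the documented statuses into refusals and returns nothing unless the body hashes to the advertised SHA-256. The header name `x-example-artifact-sha256` is a placeholder because the page does not name the header; `check_download`, `DownloadError` and the plain-hex digest format are assumptions.

```python
import hashlib

# Placeholder name: the page says the SHA-256 is "exposed via header" but
# does not name the header.
DIGEST_HEADER = "x-example-artifact-sha256"


class DownloadError(Exception):
    """The response must not be installed."""


def check_download(status, headers, body, expected_sha256=None):
    """Return body only for a 200 whose bytes hash to the advertised digest.

    expected_sha256 is an optional hex digest obtained separately, e.g. from
    the package detail endpoint or a lockfile (assumed to be plain hex).
    """
    if status == 402:
        raise DownloadError("paid package: body carries buy_url")
    if status == 429:
        raise DownloadError("rate limited: back off and retry")
    if status != 200:
        raise DownloadError(f"HTTP {status}: not an artifact")

    actual = hashlib.sha256(body).hexdigest()
    advertised = {k.lower(): v for k, v in headers.items()}.get(DIGEST_HEADER)
    if advertised is None:
        raise DownloadError("no digest header: artifact is unverifiable")
    if advertised.strip().lower() != actual:
        raise DownloadError("body does not match the advertised SHA-256")
    # The header travels with the body, so on its own it mainly catches
    # corruption. A digest fetched separately also catches a swapped artifact.
    if expected_sha256 is not None and expected_sha256.lower() != actual:
        raise DownloadError("body does not match the expected SHA-256")
    return body


if __name__ == "__main__":
    # Constructed sample input, not a real .ctxpkg artifact.
    artifact = b"constructed sample bytes, not a real .ctxpkg"
    digest = hashlib.sha256(artifact).hexdigest()
    print(len(check_download(200, {DIGEST_HEADER.title(): digest}, artifact, digest)))
    try:
        check_download(200, {DIGEST_HEADER: digest}, artifact + b"!", digest)
    except DownloadError as err:
        print("rejected:", err)
```
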
Run your own registry? The wire protocol is specified vendor-neutrally at
ctxpkg.org/registry —
point the CLI at it with --registry.