AIGQLUnify • Architecture patent pending
Your REST · Our Graph
Runtime map • CP & DP

Control Plane & Data Plane endpoints

One control surface, many runtimes. The Control Plane (CP) handles tenants, workspaces, policies, DSAR, and SDL generation. The Data Plane (DP) executes GraphQL queries, calls your REST services, and emits OpenTelemetry traces with PDP decisions stamped into spans.

Keep this page next to your terminal while you wire OTEL, PDP, and DSAR into Jaeger and your SIEM.

$CP = Control Plane base URL $DP = Data Plane base URL Tenant/workspace: t_demo/ws_demo in samples

Control Plane (CP)

The Control Plane is where you manage onboarding, SDL, policy, and DSAR. In dev, the default base URL is usually http://localhost:4000 or the apigql-control-plane service in docker-compose.

Health & metadata

Quick liveness and configuration checks from your terminal or uptime monitor.

GET  $CP/health
GET  $CP/meta
GET  $CP/tenants        # list tenants
GET  $CP/tenants/$TENANT/workspaces

SDL & federation

OpenAPI → SDL; publish one endpoint or multiple Apollo-ready subgraphs.

GET    $CP/sdl/$TENANT/$WS              # current SDL
POST   $CP/sdl/$TENANT/$WS/plan         # propose a new plan
POST   $CP/sdl/$TENANT/$WS/publish      # promote plan → active
GET    $CP/sdl/$TENANT/$WS/history      # inspect older SDL versions

PDP policies

Centralize ABAC rules. The DP calls here at runtime to enforce deny-by-default.

GET    $CP/policy/$TENANT/$WS/etag
GET    $CP/policy/$TENANT/$WS/rules
POST   $CP/policy/$TENANT/$WS/rules     # create or update
GET    $CP/policy/$TENANT/$WS/history

DSAR lifecycle

Export/delete flows with immutable audit stamps and artifacts.

POST   $CP/compliance/$TENANT/$WS/dsar
       # body: {"type":"export","subjectId":"user:123"}

GET    $CP/compliance/$TENANT/$WS/dsar           # list DSAR requests
GET    $CP/compliance/$TENANT/$WS/dsar/$ID      # DSAR status
GET    $CP/compliance/$TENANT/$WS/dsar/$ID/artifact
       # download export.zip

Data Plane (DP)

The Data Plane is where queries execute. It speaks GraphQL on the front, HTTP/REST on the back, and talks to PDP and DSAR endpoints along the way. In dev, the base is usually http://localhost:8080 or apigql-data-plane via docker-compose.

Health & metadata

Confirm the graph is ready, which plan is active, and what SDL/policy tags it’s using.

GET  $DP/health
GET  $DP/meta
# both will echo: planId, sdlEtag, policyEtag,
# and a minimal OTEL/Jaeger wiring status

GraphQL endpoint

Single entry point for apps, subgraphs, and AI helpers.

POST $DP/graphql
  { "query": "{ orders { id total userEmail } }" }

# In tools like curl:
curl -s -H "Content-Type: application/json" \
     -H "x-role: analyst" \
     $DP/graphql \
     -d '{ "query":"{ orders { id total userEmail } }" }'

OTEL / Jaeger wiring

Traces go to the OTLP exporter you configured. DP spans include PDP & DSAR tags.

# Typical dev Jaeger URL
http://localhost:16686/

# Search tags like:
apigql.pdp.allow=true
apigql.dsar.action=create
apigql.plan.id=<UUID>

AI helpers (optional)

Where supported, AI helpers sit “next to” the DP and respect PDP/DSAR decisions.

POST $DP/ai/suggest-joins
POST $DP/ai/summarize
# Always downstream of masking and DSAR obligations.