`POST /api/scripts/{id}/run` — dispatch a standalone-script run (#626 C3 / §13). Reuses the existing `services::scripts::dispatch` Wasm executor verbatim; resolves + tenancy-checks the script via `resolve_script` (an id from another workspace is indistinguishable from an unknown id → 404).
const url = 'https://example.com/api/scripts/2489E9AD-2EE2-8E00-8EC9-32D5F69181C0/run';const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"input":"example"}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/api/scripts/2489E9AD-2EE2-8E00-8EC9-32D5F69181C0/run \ --header 'Content-Type: application/json' \ --data '{ "input": "example" }'Parameters
Section titled “Parameters”Path Parameters
Section titled “Path Parameters”Request Bodyrequired
Section titled “Request Bodyrequired”POST /api/scripts/{id}/run body. input is exposed to the script as the
global input; it is passed straight to the executor and NEVER persisted (it
can carry secrets/PII), mirroring the MCP script.run arg. Absent → null.
object
Examplegenerated
{ "input": "example"}Responses
Section titled “Responses”Run dispatched; poll the run for the result
POST /api/scripts/{id}/run body — the dispatched run id + its initial status.
The run is created running and executes on a spawned task (fire-and-forget):
the script’s actual result lands later on the kind='script' run row, which the
UI fetches by polling — it is NOT returned here.
object
Examplegenerated
{ "bound_resources": [ "example" ], "run_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "script_id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0", "script_slug": "example", "status": "example"}Permission denied
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Unknown script id / wrong workspace
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}