/v1/sessions/{session_id}/pluginsSession-scoped admin route. Direct session callers first fetch /api/s/{session_id}/auth-challenge, then send X-Taiku-Session-Nonce, X-Taiku-Session-Key, and X-Taiku-Session-Auth. The host runtime handles this automatically when session admin actions are available.
Authorization
sessionChallengeHeader sessionViewerProofHeader sessionWriteProofHeader One-time session auth challenge returned by /api/s/{session_id}/auth-challenge.
In: header
Base64-encoded proof of the one-time challenge, derived from the session secret.
In: header
Base64-encoded proof of the same challenge, derived from the session write/admin secret.
In: header
Path Parameters
Current session identifier.
Header Parameters
Fresh one-time challenge/nonce returned by /api/s/{session_id}/auth-challenge. Must match the nonce used to derive the session proof headers.
Base64-encoded proof of the server-provided challenge, derived from the session secret for viewer access.
Base64-encoded proof of the same challenge, derived from the session write/admin secret. Required for writer routes when the session is write-protected, and required for admin routes.
Request Body
application/json
Plugin installation payload.
TypeScript Definitions
Use the request body type in TypeScript.
Response Body
application/json
text/plain
text/plain
text/plain
curl -X POST "/api/v1/sessions/string/plugins" \ -H "Content-Type: application/json" \ -d '{ "manifest_url": "string", "plugin_id": "string" }'{
"ok": true
}"missing session auth challenge""tunnel admin auth required""Session not found."