comfyanonymous/ComfyUI
API
ComfyUI's HTTP and WebSocket API. The core surface lives on server.py's PromptServer; a small set of frontend-only routes lives behind /internal/* (see api_server package).
The wiki is documentation, not a spec. The authoritative spec is openapi.yaml at the repo root (~99 KB, kept in sync with the routes).
Pages
| Page | Content |
|---|---|
| HTTP and WebSocket | The endpoints, request/response shapes, and event types you'll actually use |
Public vs internal
| Surface | Stability | Documented? |
|---|---|---|
| Public HTTP routes | Stable. Used by the frontend, custom UIs, scripts, and external integrations. | openapi.yaml |
| Public WebSocket | Stable. Event types are versioned via feature flags. | This wiki + frontend repo |
/internal/* |
Frontend-only. May change without notice. | Don't depend on it |
/extensions/* |
Custom-node-defined. Stability depends on each extension. | Per extension |
Authentication
Out of the box, ComfyUI is un-authenticated — anyone with network access to the listening port can queue prompts.
Mitigations the runtime ships with:
- Default bind to
127.0.0.1.--listenis required to expose to other hosts. - Origin-only middleware when listening on loopback — blocks browser cross-site fetches against
127.0.0.1:8188. - TLS via
--tls-keyfile/--tls-certfile. - CORS via
--enable-cors-header [ORIGIN](off by default). - Sec-Fetch-Site checks. The middleware in
server.pyreturns403onSec-Fetch-Site: cross-siterequests.
For real multi-user deployments, put ComfyUI behind a reverse proxy that handles auth — there is no built-in user/session auth (the --multi-user flag is for per-user data segregation, not authentication).
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.