Open-Source Wikis

/

ComfyUI

/

API

comfyanonymous/ComfyUI

API

ComfyUI's HTTP and WebSocket API. The core surface lives on server.py's PromptServer; a small set of frontend-only routes lives behind /internal/* (see api_server package).

The wiki is documentation, not a spec. The authoritative spec is openapi.yaml at the repo root (~99 KB, kept in sync with the routes).

Pages

Page Content
HTTP and WebSocket The endpoints, request/response shapes, and event types you'll actually use

Public vs internal

Surface Stability Documented?
Public HTTP routes Stable. Used by the frontend, custom UIs, scripts, and external integrations. openapi.yaml
Public WebSocket Stable. Event types are versioned via feature flags. This wiki + frontend repo
/internal/* Frontend-only. May change without notice. Don't depend on it
/extensions/* Custom-node-defined. Stability depends on each extension. Per extension

Authentication

Out of the box, ComfyUI is un-authenticated — anyone with network access to the listening port can queue prompts.

Mitigations the runtime ships with:

  • Default bind to 127.0.0.1. --listen is required to expose to other hosts.
  • Origin-only middleware when listening on loopback — blocks browser cross-site fetches against 127.0.0.1:8188.
  • TLS via --tls-keyfile / --tls-certfile.
  • CORS via --enable-cors-header [ORIGIN] (off by default).
  • Sec-Fetch-Site checks. The middleware in server.py returns 403 on Sec-Fetch-Site: cross-site requests.

For real multi-user deployments, put ComfyUI behind a reverse proxy that handles auth — there is no built-in user/session auth (the --multi-user flag is for per-user data segregation, not authentication).

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

API – ComfyUI wiki | Factory