Model download API (mobile and headless clients)¶
Queue CivitAI and Hugging Face model downloads on a ComfyUI host protected by MSS-Login. The API is JSON-only, works with Bearer tokens (JWT or long-lived API token), and reuses the same features as the ComfyUI admin UI: per-user API keys, can_download_models permission, model isolation paths, S3 destinations (experimental), and concurrency limits.
No ComfyUI HTML or browser session is required.
Authentication¶
Every request:
Authorization: Bearer <jwt-or-api-token>
Content-Type: application/json
Requirements:
- Valid token (see Authentication)
- Role permission
can_download_models(enabled forownerandadminby default; configurable per group)
Remote clients (REQUIRE_AUTH_FOR_REMOTE_API=true) must send Bearer auth; paths under /mss-login/ are not exempt from remote protection when a token is missing.
Quick start¶
POST /mss-login/generate_token— create an API token (needscan_have_api_tokens).GET /mss-login/api/me— confirmcan_download_models(or infer from role).PUT /mss-login/api/model-download/api-keys— store CivitAI and/or Hugging Face keys (encrypted, per user).POST /mss-login/api/model-download/download— queue a download; receivejob_id.GET /mss-login/api/model-download/jobs/{job_id}— poll untilstatusiscompleted,failed, orcancelled.
Endpoints¶
| Method | Path | Purpose |
|---|---|---|
| GET | /mss-login/api/model-download/sources |
Sources, which keys are set, and capabilities |
| GET | /mss-login/api/model-download/folders |
Valid folder_type values (e.g. checkpoints, loras) |
| GET | /mss-login/api/model-download/api-keys |
Which sources have keys (not the secrets) |
| PUT | /mss-login/api/model-download/api-keys |
Set or clear a source API key |
| POST | /mss-login/api/model-download/download |
Queue a download job |
| GET | /mss-login/api/model-download/jobs |
List your jobs + queue stats |
| GET | /mss-login/api/model-download/jobs/{job_id} |
Single job (polling) |
| POST | /mss-login/api/model-download/jobs/{job_id}/cancel |
Cancel a queued job |
Alternate prefix (same handlers): /api/mss-login/api/model-download/...
Capabilities (GET .../sources)¶
Example response:
{
"sources": ["civitai", "huggingface"],
"sources_with_keys": ["civitai"],
"capabilities": {
"sources": ["civitai", "huggingface"],
"destination_types": ["local", "s3"],
"limits": {
"active_total": 5,
"active_civitai": 3,
"active_huggingface": 2
},
"experimental": {
"s3": false,
"model_isolation": true
},
"civitai_fields": ["model_version_id", "type", "format", "size", "fp"],
"huggingface_fields": ["repo_id", "filename", "subfolder"]
}
}
Store API keys¶
PUT /mss-login/api/model-download/api-keys
Authorization: Bearer <token>
{"source": "civitai", "api_key": "your-civitai-token"}
Clear a key with an empty api_key:
{"source": "huggingface", "api_key": ""}
Keys are stored per user and never returned on GET.
Queue CivitAI download¶
POST /mss-login/api/model-download/download
Authorization: Bearer <token>
{
"source": "civitai",
"model_version_id": "138296",
"folder_type": "checkpoints",
"destination_type": "local",
"format": "SafeTensor",
"size": "pruned",
"fp": "fp16"
}
| Field | Required | Notes |
|---|---|---|
source |
yes | civitai or huggingface |
model_version_id |
CivitAI | Also accepts modelVersionId |
folder_type |
no | Default checkpoints; use GET .../folders |
destination_type |
no | local (default) or s3 if experimental S3 enabled |
type, format, size, fp |
no | CivitAI download query parameters |
Queue Hugging Face download¶
{
"source": "huggingface",
"repo_id": "owner/model-name",
"filename": "model.safetensors",
"folder_type": "checkpoints",
"destination_type": "local",
"subfolder": "optional/subfolder"
}
Poll job status¶
GET /mss-login/api/model-download/jobs/abc123...
Authorization: Bearer <token>
{
"job": {
"job_id": "abc123...",
"source": "civitai",
"status": "running",
"progress_pct": 42.5,
"bytes_done": 104857600,
"total_bytes": 2469606195,
"eta_seconds": 120.3,
"model_version_id": "138296",
"destination": "",
"error": "",
"can_cancel": false
},
"stats": {
"active_total": 1,
"pending_total": 0,
"limit_total": 5
}
}
Statuses: queued, running, completed, failed, cancelled.
Model isolation¶
When experimental.model_isolation is enabled, downloads go to per-user folders under the isolation tree (same as the ComfyUI UI). Use target_username only if the caller has can_manage_model_sharing (admin/owner); otherwise the job runs for the authenticated user.
Admin download for another user¶
{
"source": "civitai",
"model_version_id": "12345",
"target_username": "alice",
"folder_type": "checkpoints"
}
Requires sharing permission; uses the target user’s stored CivitAI/HF key.
Errors¶
| HTTP | Meaning |
|---|---|
| 401 | Missing or invalid token |
| 403 | No can_download_models, S3 disabled, or sharing not allowed |
| 400 | Invalid body, missing API key for source, bad folder_type |
| 404 | Unknown job_id or target_username |