Hoody Pipe
Section titled “Hoody Pipe”The Pipe API streams data directly between HTTP clients over a single, shared URL. Data flows from sender to receiver with no server-side storage — useful for transferring files, text, or media between machines, containers, or browser sessions. Use these endpoints to send data, receive data, embed a video player, monitor transfer progress, or build a custom client on top of the Hoody Pipe service.
Web Interface
Section titled “Web Interface”GET /api/v1/pipe
Section titled “GET /api/v1/pipe”Returns the Hoody Pipe web interface — an HTML page for sending files or text to a pipe path from the browser. Also accessible at / (root alias).
This endpoint takes no parameters.
{ "description": "HTML page with the Hoody Pipe web interface", "content": { "text/html": { "schema": { "type": "string" } } }}const html = await client.pipe.ui.getIndex();GET /api/v1/pipe/noscript
Section titled “GET /api/v1/pipe/noscript”Returns a pure HTML form for file/text upload that works without JavaScript. Useful in restricted browser environments or when JavaScript is disabled.
The page uses a CSP with a style nonce that blocks scripts. Path values are sanitized (leading slashes stripped, only URL-safe characters retained).
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
path | query | string | No | Pre-fill the pipe path. Only URL-safe characters allowed. |
mode | query | string | No | Input mode: file for file picker, text for textarea. Allowed values: file, text. Default: "file". |
{ "description": "HTML form page with CSP nonce", "content": { "text/html": { "schema": { "type": "string" } } }}const html = await client.pipe.ui.getNoScript({ path: "myfile", mode: "file"});Service Info
Section titled “Service Info”GET /api/v1/pipe/health
Section titled “GET /api/v1/pipe/health”Returns the standardized 9-field health response. Unauthenticated. Only reachable at /api/v1/pipe/health — a bare /health returns 404 with the body [ERROR] '/health' is not a valid path. Use '/api/v1/pipe/health'.\n. Methods other than GET/HEAD/OPTIONS return 405 with [ERROR] Method <verb> is not allowed.\n and Allow: GET, HEAD, OPTIONS.
This endpoint takes no parameters.
{ "status": "ok", "service": "hoody-pipe", "built": "2024-01-15T10:30:00.000Z", "started": "2024-01-20T08:00:00.000Z", "memory": { "rss": 52428800, "heap": 15728640 }, "fds": 128, "pid": 12345, "ip": "10.0.0.5", "userAgent": "curl/8.4.0"}const health = await client.pipe.health.check();GET /api/v1/pipe/help
Section titled “GET /api/v1/pipe/help”Returns plain text usage instructions showing how to send and receive data using curl. The help text includes the server’s own URL (derived from the Host header) so examples can be copied and run directly. Sections cover receiving data, sending files/text/directories with curl -T, ?download and ?filename control, ?video browser playback, ?progress transfer monitoring, and end-to-end encryption with OpenSSL. Also accessible at /help.
This endpoint takes no parameters.
Hoody Pipe 1.6.1Streaming Data Transfer over HTTP
======= Get =======curl https://pipe.example.com/mypathconst helpText = await client.pipe.info.getHelp();Data Transfer
Section titled “Data Transfer”GET /api/v1/pipe/{path}
Section titled “GET /api/v1/pipe/{path}”Receive data from the specified pipe path. The response blocks until a sender connects and starts streaming. Once established, the response body contains the sender’s data with original headers forwarded.
Lifecycle:
- Receiver GETs a path — request blocks
- When a sender POSTs/PUTs to the same path with matching
n, the pipe establishes - Response starts streaming with the sender’s data
- Response completes when the sender finishes uploading
Headers forwarded from sender:
Content-Type— sender’s content type (dangerous types rewritten totext/plain; foreign params dropped except a safe charset)Content-Length— only when the sender provided a valid^\d{1,19}$value AND the body is non-multipart (multipart parts use chunked encoding)Content-Disposition— if provided (e.g.attachment; filename="report.pdf"); a sender-suppliedinlineis upgraded toattachmentunless the effective Content-Type is on the inline-safe allowlist (image/audio/video/text/plain/application/pdf, excludingimage/svg+xml)X-Piping— custom metadata from senderX-Hoody-Pipe— custom metadata from sender
Forwarded headers are CRLF-sanitized (Content-Disposition, X-Piping, X-Hoody-Pipe) to prevent header injection.
Download control: Receivers can override Content-Disposition behavior using query parameters:
?download— forceattachmentdisposition (triggers browser download)?download=false— suppress Content-Disposition entirely (always display inline)?filename=custom.txt— set a custom download filename (implies?download)
These work per-receiver — with n=2, one receiver can download while the other displays inline.
Multi-receiver: When n > 1, all receivers get identical copies via lockstep fan-out — each chunk is written to every receiver before the next chunk is read from the sender. Memory is bounded to roughly one chunk per receiver, with no per-receiver queuing. The slowest receiver paces the entire transfer.
Connection ordering: The receiver can connect before the sender — the server holds the connection until the sender arrives (up to 5-minute TTL).
Security headers on response:
X-Robots-Tag: none— prevents indexingX-Content-Type-Options: nosniff- CORS headers reflecting the receiver’s Origin
Also accessible without prefix (e.g. GET /myfile). Reserved paths (/help, /noscript, etc.) return their own content on GET instead of acting as pipe receivers.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
path | path | string | Yes | Pipe path name to receive from — must match the path used by the sender. |
n | query | integer | No | Expected number of receivers. Must match the sender’s n value exactly — a mismatch returns 400. When n > 1, the pipe waits for all n receivers and the sender before streaming. Default: 1. |
download | query | string | No | Control whether the response triggers a browser download. ?download, ?download=true, ?download=yes, ?download=1 force Content-Disposition: attachment. ?download=false, ?download=no, ?download=0 suppress Content-Disposition entirely. Absent — passthrough sender’s Content-Disposition as-is. |
filename | query | string | No | Set a custom download filename. Implies ?download — the response will have Content-Disposition: attachment; filename="<value>". Null bytes, CRLF, path separators, leading dots, and control characters are stripped. Truncated to 255 characters. |
video | query | string | No | Return an HTML page with an embedded MSE (MediaSource Extensions) video player instead of raw pipe data. The player page fetches the raw stream internally — no pipe receiver slot is consumed. Only serves the HTML player when the client sends Accept: text/html. Values: ?video, ?video=true, ?video=yes, ?video=1 show the player. ?video=false, ?video=no, ?video=0 return a normal pipe receiver. |
progress | query | string | No | Return real-time transfer progress as a Server-Sent Events (SSE) stream or HTML dashboard. Does NOT consume a pipe receiver slot. Accept: text/event-stream returns SSE. Accept: text/html returns an HTML dashboard. Values: ?progress, ?progress=true, ?progress=yes, ?progress=1 show progress. ?progress=false, ?progress=no, ?progress=0 return a normal pipe receiver. |
curl https://pipe.example.com/api/v1/pipe/mypath<streamed data from sender>[ERROR] Path '/mypath' is already in use by an active transfer.| Error Code | Title | Description | Resolution |
|---|---|---|---|
SERVICE_WORKER | Service Worker request blocked | Requests with Service-Worker: script header are rejected to prevent service worker registration via pipe paths | Do not register service workers via pipe paths |
ACTIVE_TRANSFER | Path has an active transfer | A transfer is already streaming on this path — no new receivers can join | Wait for the transfer to complete, or use a different path |
RECEIVER_SLOTS_FULL | All receiver slots taken | All n receiver slots for this path are occupied | Wait for a receiver to disconnect, or use a different path |
INVALID_N | Invalid receiver count | n is not a valid positive integer (1–256) | Set n between 1 and 256 |
N_MISMATCH | Receiver count mismatch | This receiver’s n doesn’t match existing sender/receivers on this path | Use the same n value as the sender |
[ERROR] Method DELETE is not allowed. Use GET, POST, or PUT.| Error Code | Title | Description | Resolution |
|---|---|---|---|
METHOD_NOT_ALLOWED | HTTP method not supported | Pipe paths accept GET, POST, PUT, OPTIONS only | Use GET to receive data |
[ERROR] Timed out waiting for sender.| Error Code | Title | Description | Resolution |
|---|---|---|---|
TTL_EXPIRED | Pipe TTL expired | Waited 5 minutes but counterpart didn’t connect. Pipe evicted. | Retry — ensure sender and receiver connect within 5 minutes |
[ERROR] Path too long (max 1024 characters).| Error Code | Title | Description | Resolution |
|---|---|---|---|
PATH_TOO_LONG | Path exceeds length limit | Path exceeds 1024 characters | Use a shorter path |
[ERROR] Too many pending transfers. Try again later.| Error Code | Title | Description | Resolution |
|---|---|---|---|
TOO_MANY_PENDING | Pending transfer limit reached | Server has 1000 pending pipes | Wait and retry |
TOO_MANY_ACTIVE | Active transfer limit reached | Server has 1000 active transfers — pipe established but cannot stream | Wait for transfers to finish, then retry |
const stream = await client.pipe.receive({ path: "mypath" });POST /api/v1/pipe/{path}
Section titled “POST /api/v1/pipe/{path}”Send data to the specified pipe path. The sender’s request body is streamed directly to receiver(s) when they connect — no server-side storage.
Lifecycle:
- Sender POSTs to a path — gets back a streaming response with
[INFO]status messages - Server waits for
nreceivers to connect (default: 1) - Once all receivers connect, data streams from sender to all receivers simultaneously
- Sender receives
[INFO] Upload complete.then[INFO] Transfer complete.
Status messages (streamed to sender as text/plain):
[INFO] Waiting for 1 receiver(s) to connect...[INFO] Streaming to 1 receiver(s)...[INFO] Upload complete.[INFO] Transfer complete.Multipart uploads: When Content-Type matches multipart/form-data, the server extracts the first file part (non-file form fields are drained and skipped) and streams its contents. The part’s Content-Type and Content-Disposition are forwarded to receivers. Content-Length is NOT forwarded for multipart inputs — the response uses chunked transfer encoding.
Custom headers: Set X-Hoody-Pipe or X-Piping request headers to forward arbitrary metadata to receivers. Each header is capped at 8 KiB (over-cap headers are dropped) and CRLF/control chars are stripped. The receiver response carries Access-Control-Expose-Headers: X-Piping, X-Hoody-Pipe only when at least one was supplied.
Content-Type safety: Dangerous MIME types that execute scripts in browsers (text/html, image/svg+xml, application/javascript, XHTML/XML, etc.) are rewritten to text/plain. Parameters are stripped except for a single safe charset.
Connection ordering: Either sender or receiver(s) can connect first — the server holds the early party until counterparts arrive.
Limits:
- Path length: max 1024 characters
- Receiver count (
n): 1–256 - Pending transfers: max 1000 server-wide
- Active transfers: max 1000 server-wide
- Unestablished pipe TTL: 5 minutes
Also accessible without prefix (e.g. POST /myfile).
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
path | path | string | Yes | Unique pipe path name. Must not be a reserved path (/, /help, /noscript, /favicon.ico, /robots.txt). |
n | query | integer | No | Number of receivers to wait for before starting the transfer. All receivers get identical copies of the data (fan-out). Must be a positive integer, max 256. Default: 1. |
Request Body
Section titled “Request Body”Data to stream to receiver(s). Any content type is accepted.
- Binary files: Use
application/octet-streamor the file’s actual MIME type - Text: Use
text/plain - Multipart: Use
multipart/form-datafor browser uploads — only the first file part is streamed; leading non-file form fields are drained and skipped - No body: An empty POST is valid — receivers get an empty response
curl -T myfile.png https://pipe.example.com/api/v1/pipe/secret.png[INFO] Waiting for 1 receiver(s) to connect...[INFO] Streaming to 1 receiver(s)...[INFO] Upload complete.[INFO] Transfer complete.[ERROR] '/help' is a reserved path. Use a custom path like '/myfile' or '/transfer123'.| Error Code | Title | Description | Resolution |
|---|---|---|---|
RESERVED_PATH | Path is reserved | The requested path is a system-reserved path (/, /help, /noscript, etc.) | Choose a different path that is not reserved |
DUPLICATE_SENDER | Path already has a sender | Another sender is already connected to this path waiting for receivers | Use a different path, or wait for the existing transfer to complete |
ACTIVE_TRANSFER | Path has an active transfer | The path is currently in use by a streaming transfer | Wait for the current transfer to finish, or use a different path |
INVALID_N | Invalid receiver count | The n query parameter is not a valid positive integer, or exceeds max 256 | Set n to a positive integer between 1 and 256 |
N_MISMATCH | Receiver count mismatch | Sender’s n doesn’t match existing receivers’ n on this path | Use the same n value as the receivers |
CONTENT_RANGE | Content-Range not supported | Content-Range headers are not supported for streaming transfers | Send the complete file without range headers |
[ERROR] Method DELETE is not allowed. Use GET, POST, or PUT.| Error Code | Title | Description | Resolution |
|---|---|---|---|
METHOD_NOT_ALLOWED | HTTP method not supported | Pipe paths accept GET (receive), POST/PUT (send), and OPTIONS (CORS preflight). HEAD is supported on reserved paths only. | Use GET to receive data, POST or PUT to send data |
[ERROR] Path too long (max 1024 characters).| Error Code | Title | Description | Resolution |
|---|---|---|---|
PATH_TOO_LONG | Path exceeds length limit | The pipe path exceeds the maximum length of 1024 characters | Use a shorter path name |
[ERROR] Too many pending transfers. Try again later.| Error Code | Title | Description | Resolution |
|---|---|---|---|
TOO_MANY_PENDING | Pending transfer limit reached | Server has 1000 unestablished pipes. New transfers rejected until existing ones complete or expire (5-min TTL). | Wait for transfers to complete or expire, then retry |
TOO_MANY_ACTIVE | Active transfer limit reached | Server has 1000 concurrent active transfers | Wait for active transfers to finish, then retry |
await client.pipe.send({ path: "secret.png", body: fileBuffer});PUT /api/v1/pipe/{path}
Section titled “PUT /api/v1/pipe/{path}”Identical to POST — send data to the specified pipe path. PUT is provided as an alias because curl -T file URL uses PUT, making it natural for file transfers.
# Send a file (uses PUT)curl -T myfile https://pipe.example.com/api/v1/pipe/mypath
# Send stdinecho 'hello' | curl -T - https://pipe.example.com/api/v1/pipe/mypath
# Send a directory as tar.gztar czf - ./mydir | curl -T - https://pipe.example.com/api/v1/pipe/mydir.tar.gzAll parameters, request body handling, status messages, and error codes are identical to POST.
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
path | path | string | Yes | Unique pipe path name (same rules as POST — no reserved paths, max 1024 chars). |
n | query | integer | No | Number of receivers to wait for (must match receivers’ n, max 256). Default: 1. |
Request Body
Section titled “Request Body”Data to stream — any content type. Multipart/form-data supported (first file part extracted; non-file fields are skipped).
curl -T myfile https://pipe.example.com/api/v1/pipe/mypath[INFO] Waiting for 1 receiver(s) to connect...[INFO] Streaming to 1 receiver(s)...[INFO] Upload complete.[INFO] Transfer complete.[ERROR] Path '/mypath' already has a sender connected.| Error Code | Title | Description | Resolution |
|---|---|---|---|
RESERVED_PATH | Path is reserved | The requested path is a system-reserved path | Choose a different path |
DUPLICATE_SENDER | Path already has a sender | Another sender is already connected | Use a different path or wait |
INVALID_N | Invalid receiver count | n is not a valid positive integer (1–256) | Set n to a positive integer between 1 and 256 |
CONTENT_RANGE | Content-Range not supported | Content-Range headers are not supported | Send the complete file |
[ERROR] Method DELETE is not allowed. Use GET, POST, or PUT.| Error Code | Title | Description | Resolution |
|---|---|---|---|
METHOD_NOT_ALLOWED | HTTP method not supported | Pipe paths accept GET, POST, PUT, OPTIONS only | Use GET to receive, POST or PUT to send |
[ERROR] Path too long (max 1024 characters).| Error Code | Title | Description | Resolution |
|---|---|---|---|
PATH_TOO_LONG | Path exceeds length limit | Path exceeds 1024 characters | Use a shorter path |
[ERROR] Too many pending transfers. Try again later.| Error Code | Title | Description | Resolution |
|---|---|---|---|
TOO_MANY_PENDING | Pending transfer limit reached | Server has 1000 pending pipes | Wait and retry |
await client.pipe.send({ path: "mypath", method: "PUT", body: fileBuffer});OPTIONS /api/v1/pipe/{path}
Section titled “OPTIONS /api/v1/pipe/{path}”Handles CORS preflight requests for cross-origin browser access. Returns permissive CORS headers reflecting the request Origin.
Headers returned:
Access-Control-Allow-Origin— reflects Origin (or*if none/null)Access-Control-Allow-Methods—GET, POST, PUT, OPTIONS(HEAD is supported same-origin on reserved paths only)Access-Control-Allow-Headers—Content-Type, Content-Disposition, Authorization, X-Piping, X-Hoody-PipeAccess-Control-Allow-Credentials—true(when Origin present and not “null”)Access-Control-Max-Age—86400(24 hours)Access-Control-Allow-Private-Network—true(when requested)
Parameters
Section titled “Parameters”| Name | In | Type | Required | Description |
|---|---|---|---|---|
path | path | string | Yes | Any path — OPTIONS is handled identically for all paths. |
curl -X OPTIONS https://pipe.example.com/api/v1/pipe/mypath \ -H "Origin: https://app.example.com" \ -H "Access-Control-Request-Method: POST" \ -iHTTP/1.1 200 OKAccess-Control-Allow-Origin: https://app.example.comAccess-Control-Allow-Methods: GET, POST, PUT, OPTIONSAccess-Control-Allow-Headers: Content-Type, Content-Disposition, Authorization, X-Piping, X-Hoody-PipeAccess-Control-Allow-Credentials: trueAccess-Control-Max-Age: 86400await client.pipe.corsPreflight({ path: "mypath" });