API reference · Extension Installs
GET/api/installs/validate

Validate extension bundle content hash

Internal endpoint for extension runners and deployment validation. It checks whether a supplied content hash belongs to the currently installed extension version for the supplied tenant and extension registry ID. The EE action uses an admin database connection, reads tenant_extension_install by tenant_id and registry_id, and checks extension_bundle for a matching version_id and content_hash. A negative validation result is returned as 200 with valid=false, not as 404. Requires x-api-key; the Express middleware allows the ALGA_AUTH_KEY runner secret or a valid database API key.

Query parameters

tenantstring <uuid>Required
Tenant UUID from tenant_extension_install.tenant_id.
extensionstring <uuid>Required
Extension registry UUID from tenant_extension_install.registry_id.
hashstringRequired
Bundle content hash to validate. The EE action accepts sha256:<64 hex chars> or a raw 64-character hex string and normalizes raw hex to sha256: form.

Header parameters

x-canarystringOptional
Optional runner canary identifier used only for logging and cache variance.

Response body

Success response 200 · schema InstallValidateResponse

validbooleanRequired
True when the hash matches a bundle for the currently installed extension version; false when validation completes but does not match.

Response codes

200
Validation completed. valid=false means the hash did not match, the install was not found, or the hash format was invalid at the action layer.
400
Required tenant, extension, or hash query parameter is missing.
401
x-api-key is missing or invalid at middleware.
500
Unexpected validation failure. The EE handler returns valid=false for internal exceptions.