ExtendDO exposes a DynamoDB JSON endpoint, a health endpoint, and a curl-friendly management API. The DynamoDB JSON endpoint targets ExtendDB parity. The management API is not an AWS Identity and Access Management REST API; it is a Worker-native interface for the ExtendDB management/auth surface.
| Path | Methods | Purpose |
|---|---|---|
/ |
POST |
DynamoDB JSON requests using x-amz-target. |
/healthz |
GET |
Worker and wasm health check. |
/management/... |
Multiple | JSON management API. |
DynamoDB JSON request bodies are capped at 16 MiB by the Worker entrypoint. Management request bodies are capped at 128 KiB.
Send DynamoDB JSON requests to / with POST and an x-amz-target header such
as DynamoDB_20120810.CreateTable.
The ExtendDB wasm engine handles validation, operation dispatch, expression and update evaluation, key-condition parsing, and DynamoDB response shaping. The Worker host provides storage through Durable Objects. For the implementation mapping behind each primitive, see DynamoDB Primitive Mapping.
Supported operation names in the current dispatch table:
- Table/control plane:
CreateTable,DeleteTable,DescribeTable,ListTables,UpdateTable,DescribeEndpoints,DescribeLimits. - Item and read operations:
PutItem,GetItem,DeleteItem,UpdateItem,Query,Scan,BatchGetItem,BatchWriteItem. - Transactions:
TransactGetItems,TransactWriteItems. - TTL and tags:
DescribeTimeToLive,UpdateTimeToLive,TagResource,UntagResource,ListTagsOfResource. - Streams:
DescribeStream,ListStreams,GetShardIterator,GetRecords. - Backups:
CreateBackup,DescribeBackup,ListBackups,DeleteBackup,RestoreTableFromBackup,DescribeContinuousBackups,UpdateContinuousBackups,RestoreTableToPointInTime. - Import/export:
ImportTable,ExportTableToPointInTime,DescribeExport,ListExports,DescribeImport,ListImports.
RestoreTableToPointInTime intentionally follows ExtendDB's current
unsupported-operation behavior.
ExtendDB's upstream import/export handler is filesystem-based. ExtendDO replaces that runtime dependency with an R2 adapter while preserving the DynamoDB/ExtendDB request and response shapes where possible.
Import behavior:
ImportTablereads fromFileSource.Path, interpreted as an R2 object key.- Supported input formats are DynamoDB JSON, ION-as-DynamoDB-JSON, and CSV.
- The target table remains hidden while parsing and staging rows.
- The R2 source object's etag/version is pinned before async processing.
- The table becomes active only after staged rows commit successfully.
Export behavior:
ExportTableToPointInTimecreates a snapshot-backed export session.- The requested destination is used as a prefix or base, but the final R2 object key is generated per export id to prevent collisions.
- Export status is visible through
DescribeExportandListExports. - Exported objects include ownership metadata so recovery does not confuse a same-size object with the intended export.
Management requests use HTTP Basic authentication:
- Static bootstrap admin:
EXTENDDO_ADMIN_USERandEXTENDDO_ADMIN_PASSWORD. - Stored admin users created through
/management/admins. - User self-service identity: username
account_id/user_namewith the user's password.
Admin-only routes reject self-service callers unless the specific route allows the matching user.
Admin and settings:
| Method | Path | Purpose |
|---|---|---|
POST |
/management/admins |
Create stored admin. |
GET |
/management/admins |
List admins. |
DELETE |
/management/admins/<admin> |
Delete admin. |
PUT |
/management/admins/<admin>/password |
Change admin password. |
GET |
/management/settings |
List settings. |
GET |
/management/settings/<key> |
Read setting. |
PUT |
/management/settings/<key> |
Update writable setting. |
Accounts:
| Method | Path | Purpose |
|---|---|---|
POST |
/management/accounts |
Create account. |
GET |
/management/accounts |
List accounts. |
DELETE |
/management/accounts/<account_id> |
Delete account. |
Users:
| Method | Path | Purpose |
|---|---|---|
POST |
/management/accounts/<account_id>/users |
Create user. |
GET |
/management/accounts/<account_id>/users |
List users. |
DELETE |
/management/accounts/<account_id>/users/<user> |
Delete user. |
PUT |
/management/accounts/<account_id>/users/<user>/password |
Change user password. |
GET |
/management/accounts/<account_id>/users/<user>/policies |
List user policies. |
PUT |
/management/accounts/<account_id>/users/<user>/policies/<policy> |
Put user inline policy. |
DELETE |
/management/accounts/<account_id>/users/<user>/policies/<policy> |
Delete user inline policy. |
PUT |
/management/accounts/<account_id>/users/<user>/permissions-boundary |
Put user boundary. |
GET |
/management/accounts/<account_id>/users/<user>/permissions-boundary |
Get user boundary. |
DELETE |
/management/accounts/<account_id>/users/<user>/permissions-boundary |
Delete user boundary. |
PUT |
/management/accounts/<account_id>/users/<user>/tags |
Put user tags. |
GET |
/management/accounts/<account_id>/users/<user>/tags |
List user tags. |
DELETE |
/management/accounts/<account_id>/users/<user>/tags |
Delete user tags by request body. |
DELETE |
/management/accounts/<account_id>/users/<user>/tags/<key> |
Delete one user tag. |
POST |
/management/accounts/<account_id>/users/<user>/access-keys |
Create access key. |
GET |
/management/accounts/<account_id>/users/<user>/access-keys |
List access keys. |
DELETE |
/management/accounts/<account_id>/users/<user>/access-keys/<key> |
Delete access key. |
PUT |
/management/accounts/<account_id>/users/<user>/access-keys/<key>/status |
Update access key status. |
POST |
/management/accounts/<account_id>/users/<user>/access-keys/import |
Import access key. |
Groups:
| Method | Path | Purpose |
|---|---|---|
POST |
/management/accounts/<account_id>/groups |
Create group. |
GET |
/management/accounts/<account_id>/groups |
List groups. |
DELETE |
/management/accounts/<account_id>/groups/<group> |
Delete group. |
POST |
/management/accounts/<account_id>/groups/<group>/users |
Add user to group. |
GET |
/management/accounts/<account_id>/groups/<group>/users |
List group users. |
DELETE |
/management/accounts/<account_id>/groups/<group>/users/<user> |
Remove user from group. |
GET |
/management/accounts/<account_id>/groups/<group>/policies |
List group policies. |
PUT |
/management/accounts/<account_id>/groups/<group>/policies/<policy> |
Put group inline policy. |
DELETE |
/management/accounts/<account_id>/groups/<group>/policies/<policy> |
Delete group inline policy. |
Roles and sessions:
| Method | Path | Purpose |
|---|---|---|
POST |
/management/accounts/<account_id>/roles |
Create role. |
GET |
/management/accounts/<account_id>/roles |
List roles. |
DELETE |
/management/accounts/<account_id>/roles/<role> |
Delete role. |
GET |
/management/accounts/<account_id>/roles/<role>/policies |
List role policies. |
PUT |
/management/accounts/<account_id>/roles/<role>/policies/<policy> |
Put role inline policy. |
DELETE |
/management/accounts/<account_id>/roles/<role>/policies/<policy> |
Delete role inline policy. |
PUT |
/management/accounts/<account_id>/roles/<role>/permissions-boundary |
Put role boundary. |
GET |
/management/accounts/<account_id>/roles/<role>/permissions-boundary |
Get role boundary. |
DELETE |
/management/accounts/<account_id>/roles/<role>/permissions-boundary |
Delete role boundary. |
PUT |
/management/accounts/<account_id>/roles/<role>/tags |
Put role tags. |
GET |
/management/accounts/<account_id>/roles/<role>/tags |
List role tags. |
DELETE |
/management/accounts/<account_id>/roles/<role>/tags |
Delete role tags by request body. |
DELETE |
/management/accounts/<account_id>/roles/<role>/tags/<key> |
Delete one role tag. |
POST |
/management/accounts/<account_id>/assume-role |
Assume role as current authenticated caller. |
POST |
/management/accounts/<account_id>/roles/<role>/assume |
Admin assume role by caller ARN. |
The router also accepts singular /policy/<policy>, /boundary, and group
membership /members aliases for some endpoints. Prefer the plural
/policies/..., /permissions-boundary, and /users paths in new
documentation and scripts.
Management routes for managed policies and policy versions, MFA devices, OIDC/SAML providers, federated assume-role flows, account organization context, trusted-network/FAS context, and request-tag condition context are intentionally not exposed. They are outside the ExtendDB parity target unless ExtendDB adds them upstream.