The Clash core ships a RESTful API (default 127.0.0.1:9090); the Clash for Windows GUI is itself just a client of this API. Understanding it unlocks third-party web dashboards and scripted automation.

Confirm the API works

curl http://127.0.0.1:9090/version

A response like {"premium":true,"version":"2023.08.17"} means all good.

Useful endpoints

EndpointPurpose
GET /proxiesList all groups and nodes with current selections.
PUT /proxies/:nameChange the selection of a select group.
GET /connectionsLive connection list (what the Connections page shows).
PATCH /configsChange mode, ports etc. at runtime, e.g. {"mode":"Global"}.
GET /trafficStreaming up/down rates.

Using a web dashboard

Open-source dashboards (yacd, clash-dashboard) are static pages: open one, point it at http://127.0.0.1:9090, and you get roughly the same controls as the client UI. Their real strength is managing Clash on another machine - just use that machine's LAN IP.

Adding a secret

If you expose the API to your LAN (external-controller: 0.0.0.0:9090), set a secret. Via Mixin:

mixin:
  external-controller: 0.0.0.0:9090
  secret: "a-long-random-string"

All requests must then carry Authorization: Bearer a-long-random-string.

Security: an unsecured 9090 exposed beyond localhost lets anyone change your proxy settings and read your connection log. Keep the default 127.0.0.1 binding unless you have a reason not to.

Worked automation examples (scheduled node switching and more) are in API Automation in Practice.