APIs
You can interact with HFS in some ways:
You can invoke REST APIs.
Authentication by default is not necessary if requests are done using localhost (can be disabled). Otherwise you can replicate the login process (cookie based), or use http basic authentication. Avoid using clear passwords without https.
Since our interfaces are web-based, there's an API for almost anything. At the moment only a few are documented, but you can study others by looking into browser's dev-tools:
All POST requests to /~/api must include an extra header x-hfs-anti-csrf: 1, while GET requests don't need it.
While http requests are suitable for external software, you should consider also writing a plugin, or just writing some server code, to do run your code directly inside the server.
Some files like config.yaml, custom.html and plugin.js are monitored, and reloaded at every change, without need to restart the server.