- Updated the User model to implement Filament’s tenancy contracts
- Seeded a ready-to-use demo tenant (user, tenant, active package, purchase)
- Introduced a branded, translated 403 error page to replace the generic forbidden message for unauthorised admin hits
- Removed the public “Register” links from the marketing header
- Hardened join event logic and improved error handling in the guest PWA
03 — API Contract
- Base URL: `/api/v1`
- Auth
  - Tenant apps: OAuth2 Authorization Code + PKCE, refresh tokens.
  - Super Admin: session-authenticated Filament (web only).
- Common
  - Pagination: `page`, `per_page` (max 100).
  - Errors: `{ error: { code, message, trace_id }, details?: {...} }`.
  - Rate limits: per-tenant and per-device for tenant apps; 429 with `x-rate-limit-*` headers.
Key Endpoints (abridged)
- Auth: `/oauth/authorize`, `/oauth/token`, `/oauth/token/refresh`.
- Tenants (Super Admin only): list/read; no create via API for MVP.
- Events (tenant): CRUD, publish, archive; unique by `tenant_id + slug`.
- Photos (tenant): signed upload URL, create, list, moderate, feature.
- Emotions & Tasks: list, tenant overrides; task library scoping.
- Purchases & Ledger: create purchase intent, webhook ingest, ledger list.
- Settings: read/update tenant theme, limits, legal page links.
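The contract requires tenant apps to use Authorization Code + PKCE against `/oauth/authorize` and `/oauth/token` (see the Auth entries above and under Common). The following is an added example, not the project's own code, showing the client side (verifier, S256 challenge, authorize URL) and a minimal in-memory authorization server that binds each single-use code to its challenge and refuses a replayed code or a mismatched verifier. The `/api/v1` base and the two endpoint paths come from the contract; the `AuthorizationServer` class, client id, redirect URI and token format are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Added example, not the project's own code. The base URL /api/v1 and the
# endpoint paths /oauth/authorize and /oauth/token come from the contract;
# the in-memory AuthorizationServer, client id, redirect URI and token
# format are constructed for illustration only.

BASE_URL = "/api/v1"


def _b64url(raw: bytes) -> str:
    """base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """code_verifier: 32 random bytes -> 43 unreserved characters (RFC 7636 4.1)."""
    return _b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 4.2)."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, challenge: str, state: str) -> str:
    """The tenant app sends the challenge, never the verifier, to /oauth/authorize."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    return f"{BASE_URL}/oauth/authorize?{urlencode(params)}"


class AuthorizationServer:
    """Minimal stand-in for the /oauth endpoints: issues single-use codes bound
    to a code_challenge and exchanges them only for a matching verifier."""

    def __init__(self) -> None:
        self._codes: dict = {}  # code -> (challenge, redirect_uri)

    def authorize(self, challenge: str, method: str, redirect_uri: str) -> str:
        # Public clients must use S256; "plain" is refused (assumed policy).
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = _b64url(secrets.token_bytes(24))
        self._codes[code] = (challenge, redirect_uri)
        return code

    def token(self, code: str, verifier: str, redirect_uri: str):
        """POST /oauth/token: returns a token pair or None on any failure."""
        entry = self._codes.pop(code, None)  # single use: a replayed code fails
        if entry is None:
            return None
        challenge, bound_redirect = entry
        if redirect_uri != bound_redirect or not 43 <= len(verifier) <= 128:
            return None
        # Recompute the challenge from the presented verifier; constant-time compare.
        if not hmac.compare_digest(make_code_challenge(verifier), challenge):
            return None
        return {
            "access_token": _b64url(secrets.token_bytes(32)),
            "refresh_token": _b64url(secrets.token_bytes(32)),
            "token_type": "Bearer",
        }


def demo_flow() -> dict:
    """Runs one full exchange plus two failure cases; returns the outcomes."""
    server = AuthorizationServer()
    redirect = "https://tenant-app.example/callback"  # constructed
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorize_url("tenant-app", redirect, challenge, secrets.token_urlsafe(16))
    code = server.authorize(challenge, "S256", redirect)
    token = server.token(code, verifier, redirect)      # succeeds
    replay = server.token(code, verifier, redirect)     # code already consumed
    code2 = server.authorize(challenge, "S256", redirect)
    wrong = server.token(code2, make_code_verifier(), redirect)  # verifier does not match
    return {"authorize_url": url, "token": token, "replay": replay, "wrong_verifier": wrong}


if __name__ == "__main__":
    print(demo_flow())
```

The point to check when reviewing a real implementation is the `token` step: the server must recompute the S256 challenge from the presented verifier and compare it against the value stored at authorize time, consume the code on first use, and bind the code to the `redirect_uri` it was issued for. The `make_code_challenge` function reproduces the RFC 7636 Appendix B test vector, which is a quick way to confirm the base64url/no-padding encoding is right.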
Guest Polling (no WebSockets in v1)
- GET `/events/{token}/stats` — lightweight counters for the Home info bar.
  - Response: `{ online_guests: number, tasks_solved: number, latest_photo_at: ISO8601 }`.
  - Cache: `Cache-Control: no-store`; include `ETag` for conditional requests.
- GET `/events/{token}/photos?since=<ISO8601|cursor>` — incremental gallery refresh.
  - Response: `{ data: Photo[], next_cursor?: string, latest_photo_at: ISO8601 }`.
  - Use `If-None-Match` or `If-Modified-Since` to return `304 Not Modified` when unchanged.
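The two polling endpoints above rely on conditional requests rather than WebSockets, so the interesting behaviour is the validator handling: `Cache-Control: no-store` keeps intermediaries out, while `ETag` and `Last-Modified` still let the guest PWA get a cheap `304`. The following is an added example, not the project's code, that models both endpoints as plain functions returning `(status, headers, body)`, paginates the photo list with a `since` cursor, honours `If-None-Match` (including weak `W/` tags) and `If-Modified-Since`, and uses the contract's `{ error: { code, message, trace_id } }` envelope for a malformed `since`. The sample photos, the page size and the choice of the last `created_at` as cursor are constructed assumptions.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional

# Added example, not the project's code. Models GET /events/{token}/stats and
# GET /events/{token}/photos from the contract as functions returning
# (status, headers, body). PHOTOS, the page size and the cursor format are
# constructed; only "Z"-suffixed UTC timestamps are accepted for `since`.

PHOTOS = [  # constructed sample gallery, oldest first
    {"id": "p1", "url": "/media/p1.jpg", "created_at": "2024-05-01T10:00:00Z"},
    {"id": "p2", "url": "/media/p2.jpg", "created_at": "2024-05-01T10:05:00Z"},
    {"id": "p3", "url": "/media/p3.jpg", "created_at": "2024-05-01T10:09:00Z"},
]


def _parse_iso(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _etag(payload) -> str:
    """Strong ETag over the canonical JSON of the response body."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def _etag_matches(if_none_match: Optional[str], etag: str) -> bool:
    if not if_none_match:
        return False
    if if_none_match.strip() == "*":
        return True
    # If-None-Match uses weak comparison: a W/ prefix on either side is ignored.
    tags = [t.strip().removeprefix("W/") for t in if_none_match.split(",")]
    return etag.removeprefix("W/") in tags


def _error(status: int, code: str, message: str):
    """Error envelope as specified under Common: { error: { code, message, trace_id } }."""
    body = {"error": {"code": code, "message": message, "trace_id": uuid.uuid4().hex}}
    return status, {"Cache-Control": "no-store"}, body


def stats_endpoint(req_headers: dict, online: int, solved: int, photos=PHOTOS):
    payload = {
        "online_guests": online,
        "tasks_solved": solved,
        "latest_photo_at": photos[-1]["created_at"] if photos else None,
    }
    etag = _etag(payload)
    headers = {"Cache-Control": "no-store", "ETag": etag}
    if _etag_matches(req_headers.get("If-None-Match"), etag):
        return 304, headers, None  # nothing changed since the client's last poll
    return 200, headers, payload


def photos_endpoint(req_headers: dict, since: Optional[str], photos=PHOTOS, page_size=2):
    try:
        cutoff = _parse_iso(since) if since else None
    except ValueError:
        return _error(400, "invalid_since", "since must be an ISO8601 UTC timestamp")
    # `since` accepts either a timestamp or a cursor; here the cursor IS the
    # created_at of the last photo returned, so one parser serves both.
    newer = [p for p in photos if cutoff is None or _parse_iso(p["created_at"]) > cutoff]
    page = newer[:page_size]
    latest = photos[-1]["created_at"] if photos else None
    payload = {"data": page, "latest_photo_at": latest}
    if len(newer) > page_size:
        payload["next_cursor"] = page[-1]["created_at"]
    headers = {"Cache-Control": "no-store", "ETag": _etag(payload)}
    if latest:
        headers["Last-Modified"] = format_datetime(_parse_iso(latest), usegmt=True)
    ims = req_headers.get("If-Modified-Since")
    if ims and latest:
        try:
            if _parse_iso(latest) <= parsedate_to_datetime(ims):
                return 304, headers, None
        except (TypeError, ValueError):
            pass  # malformed validator: ignore it and serve a full response
    if _etag_matches(req_headers.get("If-None-Match"), headers["ETag"]):
        return 304, headers, None
    return 200, headers, payload
```

Two details worth keeping when this is implemented for real: the `304` response carries the same `ETag`/`Last-Modified` headers as the `200` would, so the client can keep polling with them, and a malformed validator is ignored rather than rejected, so a buggy client degrades to full responses instead of errors.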
Webhooks
- Payment provider events, media pipeline status, and deletion callbacks. All signed with shared secret per provider.
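The contract states only that every webhook is signed with a shared secret per provider. The following is an added example, not the project's code or any provider's real scheme, showing the verification a webhook ingest endpoint should do before it trusts a payload: look up the secret by provider, recompute an HMAC-SHA256 over the signed timestamp and the raw body, compare in constant time, reject stale timestamps to bound replays, and only then parse the JSON and dedupe on the event id so provider retries stay idempotent. The header format `t=<unix ts>,v1=<hex>`, the five-minute tolerance, the provider names and the secrets are constructed assumptions.

```python
import hashlib
import hmac
import json
import time
import uuid
from typing import Optional, Tuple

# Added example, not the project's code. The contract only says webhooks are
# signed with a per-provider shared secret; the header format
# "t=<unix ts>,v1=<hex hmac>", the HMAC-SHA256 over "ts.body" construction,
# the tolerance window, provider names and secrets are constructed here.

SECRETS = {  # constructed; real values belong in a secret store, one per provider
    "payments": b"whsec_payments_demo_secret",
    "media": b"whsec_media_demo_secret",
}
TOLERANCE_S = 300  # assumed replay window

# Constructed sample event, kept as raw bytes exactly as received on the wire.
SAMPLE_BODY = json.dumps(
    {"id": "evt_demo_1", "type": "purchase.succeeded", "purchase_id": "pur_demo_1"}
).encode()


def _mac(secret: bytes, ts: int, body: bytes) -> str:
    """HMAC-SHA256 over "<ts>." + raw body; binding ts makes it part of the signature."""
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sign(provider: str, body: bytes, ts: int) -> str:
    """What the provider side computes; used here only to produce sample traffic."""
    return f"t={ts},v1={_mac(SECRETS[provider], ts, body)}"


def verify(provider: str, body: bytes, sig_header: str,
           now: Optional[int] = None) -> Tuple[bool, str]:
    """Verify over the RAW body before any JSON parsing; returns (ok, reason)."""
    secret = SECRETS.get(provider)
    if secret is None:
        return False, "unknown_provider"
    parts = dict(p.split("=", 1) for p in sig_header.split(",") if "=" in p)
    try:
        ts = int(parts["t"])
        given = parts["v1"]
    except (KeyError, ValueError):
        return False, "malformed_signature"
    if now is None:
        now = int(time.time())
    if abs(now - ts) > TOLERANCE_S:  # ts is signed, so an old capture cannot be replayed later
        return False, "stale_timestamp"
    if not hmac.compare_digest(_mac(secret, ts, body), given):  # constant-time compare
        return False, "bad_signature"
    return True, "ok"


def _error(status: int, code: str, message: str):
    """Error envelope from the Common section: { error: { code, message, trace_id } }."""
    return status, {"error": {"code": code, "message": message, "trace_id": uuid.uuid4().hex}}


def ingest(provider: str, raw_body: bytes, sig_header: str,
           seen_ids: set, now: Optional[int] = None):
    """Webhook ingest: authenticate, then dedupe on the event id, then accept."""
    ok, reason = verify(provider, raw_body, sig_header, now)
    if not ok:
        return _error(401, reason, "webhook signature rejected")
    event = json.loads(raw_body)  # parse only after the signature checked out
    event_id = event.get("id")
    if not event_id:
        return _error(400, "missing_event_id", "event has no id")
    if event_id in seen_ids:  # providers retry; processing must be idempotent
        return 200, {"status": "duplicate", "id": event_id}
    seen_ids.add(event_id)
    return 200, {"status": "accepted", "id": event_id, "type": event.get("type")}
```

The order matters: the signature is checked over the raw bytes, because re-serialising parsed JSON can change whitespace or key order and break the MAC, and a rejected signature is answered before any parsing or database work happens. Each provider gets its own secret, so a signature produced with one provider's secret fails for another.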