This document provides comprehensive documentation of all API routes, including authentication requirements, role/permission access, request/response formats, and example usage.
http://localhost:8080/api/v1
All protected routes require a valid JWT access token in the Authorization header:
Authorization: Bearer <access_token>
The API uses role-based access control. Default roles include:
| Role | Description |
|---|---|
admin |
Full system access |
manager |
Administrative access for business operations |
customer_experience |
Customer support access |
user |
Standard authenticated user |
{
"data": { ... },
"meta": { ... }
}{
"error": {
"code": "error_code",
"message": "Human-readable error message"
}
}{
"meta": {
"page": 1,
"page_size": 20,
"total_items": 150,
"total_pages": 8,
"has_next": true,
"has_prev": false
}
}Check if the API is running.
Authentication: None
Response (200):
{
"status": "ok"
}Register a new user account.
Authentication: None
Request Body:
{
"email": "user@example.com",
"password": "SecurePassword123!",
"first_name": "John",
"last_name": "Doe"
}Response (201):
{
"data": {
"user": {
"id": "uuid",
"email": "user@example.com",
"first_name": "John",
"last_name": "Doe",
"active": true,
"email_verified": false,
"created_at": "2025-01-18T10:00:00Z",
"updated_at": "2025-01-18T10:00:00Z"
},
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "random-secure-token",
"expires_at": "2025-01-18T10:15:00Z"
}
}Errors:
400- Invalid request body409- Email already exists
Authenticate with email and password.
Authentication: None
Request Body:
{
"email": "user@example.com",
"password": "SecurePassword123!"
}Response (200):
{
"data": {
"user": { ... },
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "random-secure-token",
"expires_at": "2025-01-18T10:15:00Z"
}
}Errors:
400- Invalid request body401- Invalid credentials403- Account is inactive
Obtain a new access token using a refresh token.
Authentication: None
Request Body:
{
"refresh_token": "random-secure-token"
}Response (200):
{
"data": {
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "new-random-secure-token",
"expires_at": "2025-01-18T10:15:00Z"
}
}Errors:
400- Invalid request body401- Invalid refresh token
Get Google OAuth authorization URL.
Authentication: None
Query Parameters:
state(optional) - CSRF protection state parameter
Response (200):
{
"data": {
"url": "https://accounts.google.com/o/oauth2/auth?...",
"state": "random-state-value"
}
}Handle Google OAuth callback.
Authentication: None
Query Parameters:
code(required) - Authorization code from Googlestate(required) - CSRF state parametererror(optional) - Error from Google if authorization failed
Response (200):
{
"data": {
"user": { ... },
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refresh_token": "random-secure-token",
"expires_at": "2025-01-18T10:15:00Z"
}
}Errors:
400- Missing authorization code or OAuth error
Retrieve the authenticated user's profile.
Authentication: Required (any authenticated user)
Permissions: Any authenticated user
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
"user": {
"id": "uuid",
"email": "user@example.com",
"first_name": "John",
"last_name": "Doe",
"active": true,
"email_verified": false
},
"roles": ["user"]
}
}Errors:
401- Authentication required404- User not found
Revoke all refresh tokens for the current user.
Authentication: Required (any authenticated user)
Permissions: Any authenticated user
Headers:
Authorization: Bearer <access_token>
Response (204): No content
Errors:
401- Authentication required
Retrieve a paginated list of products.
Authentication: None
Query Parameters:
page(optional, default: 1) - Page numberpage_size(optional, default: 20, max: 100) - Products per pagekeyword(optional) - Search by product name or description
Example:
GET /api/v1/catalog/products?page=1&page_size=20&keyword=laptop
Response (200):
{
"data": [
{
"id": "prod-1",
"sku": "LAPTOP-001",
"name": "Professional Laptop",
"description": "High-performance laptop for professionals",
"base_price": {
"amount": 99999,
"currency": "USD"
},
"SalePrice": {
"amount": 89999,
"currency": "USD"
},
"status": "active",
"brand_id": "brand-1",
"category_id": "cat-1",
"images": ["https://example.com/laptop.jpg"],
"attributes": {"color": "silver", "ram": "16GB"},
"created_at": "2025-01-18T10:00:00Z",
"updated_at": "2025-01-18T10:00:00Z"
}
],
"meta": {
"page": 1,
"page_size": 20,
"total_items": 150,
"total_pages": 8,
"has_next": true,
"has_prev": false
}
}Retrieve details of a specific product.
Authentication: None
Path Parameters:
id(required) - Product ID
Example:
GET /api/v1/catalog/products/prod-1
Response (200):
{
"data": {
"id": "prod-1",
"sku": "LAPTOP-001",
"name": "Professional Laptop",
"description": "High-performance laptop for professionals",
"base_price": {
"amount": 99999,
"currency": "USD"
},
"SalePrice": {
"amount": 89999,
"currency": "USD"
},
"status": "active",
"brand_id": "brand-1",
"category_id": "cat-1",
"created_at": "2025-01-18T10:00:00Z",
"updated_at": "2025-01-18T10:00:00Z"
}
}Errors:
400- Product ID is required404- Product not found
Retrieve products in a specific category with pagination.
Authentication: None
Path Parameters:
id(required) - Category ID
Query Parameters:
page(optional, default: 1)page_size(optional, default: 20, max: 100)
Example:
GET /api/v1/catalog/products/category/cat-1?page=1&page_size=10
Response (200):
{
"data": [
{ /* product object */ }
],
"meta": {
"page": 1,
"page_size": 10,
"total_items": 45,
"total_pages": 5,
"has_next": true,
"has_prev": false
}
}Retrieve all categories with pagination.
Authentication: None
Query Parameters:
page(optional, default: 1)page_size(optional, default: 20, max: 100)
Response (200):
{
"data": [
{
"id": "cat-1",
"name": "Electronics",
"slug": "electronics",
"description": "Electronic devices and gadgets",
"parent_id": null,
"image_url": "",
"active": true,
"created_at": "2025-01-18T10:00:00Z",
"updated_at": "2025-01-18T10:00:00Z"
}
],
"meta": { ... }
}Retrieve all brands with pagination.
Authentication: None
Query Parameters:
page(optional, default: 1)page_size(optional, default: 20, max: 100)
Response (200):
{
"data": [
{
"id": "brand-1",
"name": "TechCorp",
"slug": "techcorp",
"description": "Leading technology manufacturer",
"logo_url": "",
"active": true,
"created_at": "2025-01-18T10:00:00Z",
"updated_at": "2025-01-18T10:00:00Z"
}
],
"meta": { ... }
}All cart routes require authentication. Users can only access their own cart.
Retrieve the current user's cart.
Authentication: Required
Permissions: Any authenticated user (owns their cart)
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
"id": "cart-id",
"user_id": "user-id",
"session_id": "",
"items": [
{
"id": "item-id",
"product_id": "prod-1",
"variant_id": null,
"sku": "LAPTOP-001",
"name": "Professional Laptop",
"price": {
"amount": 99999,
"currency": "USD"
},
"quantity": 1,
"attributes": {}
}
],
"created_at": "2025-01-18T10:00:00Z",
"updated_at": "2025-01-18T10:05:00Z"
}
}Errors:
401- Authentication required
Add a product to the cart.
Authentication: Required
Permissions: Any authenticated user
Headers:
Authorization: Bearer <access_token>
Request Body:
{
"product_id": "prod-1",
"variant_id": null,
"quantity": 2,
"attributes": {
"color": "Black",
"size": "15-inch"
}
}Response (200):
{
"data": {
/* Updated cart object */
}
}Errors:
400- Invalid request body or product out of stock401- Authentication required
Update the quantity of an item in the cart.
Authentication: Required
Permissions: Any authenticated user (owns their cart)
Path Parameters:
id(required) - Cart item ID
Headers:
Authorization: Bearer <access_token>
Request Body:
{
"quantity": 3
}Response (200):
{
"data": {
/* Updated cart object */
}
}Errors:
400- Invalid request body or item ID required401- Authentication required404- Item not found in cart
Remove an item from the cart.
Authentication: Required
Permissions: Any authenticated user (owns their cart)
Path Parameters:
id(required) - Cart item ID
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
/* Updated cart object */
}
}Errors:
400- Item ID is required401- Authentication required404- Item not found in cart
Remove all items from the cart.
Authentication: Required
Permissions: Any authenticated user (owns their cart)
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
/* Empty cart object */
}
}Errors:
401- Authentication required
Create an order from the current user's cart.
Authentication: Required
Permissions: Any authenticated user
Headers:
Authorization: Bearer <access_token>
Request Body:
{
"shipping_address": {
"first_name": "John",
"last_name": "Doe",
"company": "Tech Corp",
"address1": "123 Main St",
"address2": "Apt 4B",
"city": "New York",
"state": "NY",
"postal_code": "10001",
"country": "US",
"phone_number": "555-0100"
},
"billing_address": {
/* Same format as shipping_address, optional */
},
"payment_method_id": "pm_123",
"promotion_codes": ["SAVE10"],
"shipping_method_id": "ship_standard",
"notes": "Please deliver after 5 PM"
}Response (201):
{
"data": {
"id": "order-id",
"order_number": "ORD-12345678",
"user_id": "user-id",
"status": "pending",
"items": [
{
"id": "item-id",
"product_id": "prod-1",
"sku": "LAPTOP-001",
"name": "Professional Laptop",
"unit_price": {
"amount": 99999,
"currency": "USD"
},
"quantity": 1,
"discount_amount": {
"amount": 0,
"currency": "USD"
},
"tax_amount": {
"amount": 8750,
"currency": "USD"
},
"total": {
"amount": 108749,
"currency": "USD"
}
}
],
"shipping_address": { /* address object */ },
"billing_address": { /* address object */ },
"subtotal": {
"amount": 99999,
"currency": "USD"
},
"discount_total": {
"amount": 0,
"currency": "USD"
},
"tax_total": {
"amount": 8750,
"currency": "USD"
},
"shipping_total": {
"amount": 0,
"currency": "USD"
},
"total": {
"amount": 108749,
"currency": "USD"
},
"notes": "Please deliver after 5 PM",
"created_at": "2025-01-18T10:00:00Z",
"updated_at": "2025-01-18T10:00:00Z"
}
}Errors:
400- Invalid request body, cart is empty, or invalid address401- Authentication required
Retrieve the current user's orders with pagination.
Authentication: Required
Permissions: Any authenticated user (views their own orders)
Query Parameters:
page(optional, default: 1)page_size(optional, default: 20, max: 100)
Example:
GET /api/v1/orders?page=1&page_size=10
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": [
{
/* Order object */
}
],
"meta": {
"page": 1,
"page_size": 10,
"total_items": 5,
"total_pages": 1,
"has_next": false,
"has_prev": false
}
}Errors:
401- Authentication required
Retrieve details of a specific order.
Authentication: Required
Permissions:
- Order owner (user_id matches authenticated user)
- OR Users with role:
admin,manager, orcustomer_experience
Path Parameters:
id(required) - Order ID
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
/* Order object */
}
}Errors:
400- Order ID is required401- Authentication required403- You don't have permission to view this order404- Order not found
All admin routes require authentication AND one of the following roles:
adminmanagercustomer_experience
List all roles.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
"roles": [
{
"id": "role-id",
"name": "admin",
"description": "Full system access"
}
]
}
}Errors:
401- Authentication required403- Insufficient permissions
Create a new role.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Headers:
Authorization: Bearer <access_token>
Request Body:
{
"name": "inventory_manager",
"description": "Manages inventory levels"
}Response (201):
{
"data": {
"role": {
"id": "role-id",
"name": "inventory_manager",
"description": "Manages inventory levels"
}
}
}Errors:
400- Invalid request body401- Authentication required403- Insufficient permissions
Get a specific role by ID.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - Role ID
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
"role": {
"id": "role-id",
"name": "admin",
"description": "Full system access"
}
}
}Errors:
401- Authentication required403- Insufficient permissions404- Role not found
Update an existing role.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - Role ID
Headers:
Authorization: Bearer <access_token>
Request Body:
{
"name": "inventory_admin",
"description": "Full inventory access"
}Response (200):
{
"data": {
"role": {
"id": "role-id",
"name": "inventory_admin",
"description": "Full inventory access"
}
}
}Errors:
400- Invalid request body401- Authentication required403- Insufficient permissions404- Role not found
Delete a role.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - Role ID
Headers:
Authorization: Bearer <access_token>
Response (204): No content
Errors:
401- Authentication required403- Insufficient permissions
Get all permissions granted to a role.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - Role ID
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
"permissions": [
{
"id": "perm-id",
"name": "manage_products",
"resource": "products",
"action": "manage",
"description": "Full access to products"
}
]
}
}Errors:
401- Authentication required403- Insufficient permissions
Grant a permission to a role.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - Role ID
Headers:
Authorization: Bearer <access_token>
Request Body:
{
"permission_id": "perm-id"
}Response (200):
{
"data": {
"message": "Permission granted successfully"
}
}Errors:
400- Invalid request body401- Authentication required403- Insufficient permissions
Revoke a permission from a role.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - Role IDpermId(required) - Permission ID
Headers:
Authorization: Bearer <access_token>
Response (204): No content
Errors:
401- Authentication required403- Insufficient permissions
List all permissions.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
"permissions": [
{
"id": "perm-id",
"name": "manage_products",
"resource": "products",
"action": "manage",
"description": "Full access to products"
}
]
}
}Errors:
401- Authentication required403- Insufficient permissions
Create a new permission.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Headers:
Authorization: Bearer <access_token>
Request Body:
{
"name": "manage_inventory",
"resource": "inventory",
"action": "manage",
"description": "Full access to inventory management"
}Response (201):
{
"data": {
"permission": {
"id": "perm-id",
"name": "manage_inventory",
"resource": "inventory",
"action": "manage",
"description": "Full access to inventory management"
}
}
}Errors:
400- Invalid request body401- Authentication required403- Insufficient permissions
Get a specific permission by ID.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - Permission ID
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
"permission": {
"id": "perm-id",
"name": "manage_products",
"resource": "products",
"action": "manage",
"description": "Full access to products"
}
}
}Errors:
401- Authentication required403- Insufficient permissions404- Permission not found
Update an existing permission.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - Permission ID
Headers:
Authorization: Bearer <access_token>
Request Body:
{
"name": "manage_inventory",
"resource": "inventory",
"action": "manage",
"description": "Updated description"
}Response (200):
{
"data": {
"permission": {
"id": "perm-id",
"name": "manage_inventory",
"resource": "inventory",
"action": "manage",
"description": "Updated description"
}
}
}Errors:
400- Invalid request body401- Authentication required403- Insufficient permissions404- Permission not found
Delete a permission.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - Permission ID
Headers:
Authorization: Bearer <access_token>
Response (204): No content
Errors:
401- Authentication required403- Insufficient permissions
Get all roles assigned to a user.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - User ID
Headers:
Authorization: Bearer <access_token>
Response (200):
{
"data": {
"roles": ["admin", "user"]
}
}Errors:
401- Authentication required403- Insufficient permissions
Assign a role to a user.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - User ID
Headers:
Authorization: Bearer <access_token>
Request Body:
{
"role_id": "role-id"
}or
{
"role_name": "admin"
}Response (200):
{
"data": {
"message": "Role assigned successfully"
}
}Errors:
400- Invalid request body or either role_id or role_name is required401- Authentication required403- Insufficient permissions404- Role not found
Remove a role from a user.
Authentication: Required
Permissions: Role required: admin, manager, or customer_experience
Path Parameters:
id(required) - User IDroleId(required) - Role ID
Headers:
Authorization: Bearer <access_token>
Response (204): No content
Errors:
401- Authentication required403- Insufficient permissions404- Role not found
| Method | Path | Auth | Roles/Permissions |
|---|---|---|---|
| GET | /health | No | - |
| POST | /api/v1/auth/register | No | - |
| POST | /api/v1/auth/login | No | - |
| POST | /api/v1/auth/refresh | No | - |
| GET | /api/v1/auth/google | No | - |
| GET | /api/v1/auth/google/callback | No | - |
| GET | /api/v1/auth/profile | Yes | Any authenticated user |
| POST | /api/v1/auth/logout | Yes | Any authenticated user |
| GET | /api/v1/catalog/products | No | - |
| GET | /api/v1/catalog/products/:id | No | - |
| GET | /api/v1/catalog/products/category/:id | No | - |
| GET | /api/v1/catalog/categories | No | - |
| GET | /api/v1/catalog/brands | No | - |
| GET | /api/v1/cart | Yes | Any authenticated user |
| POST | /api/v1/cart/items | Yes | Any authenticated user |
| PATCH | /api/v1/cart/items/:id | Yes | Any authenticated user |
| DELETE | /api/v1/cart/items/:id | Yes | Any authenticated user |
| DELETE | /api/v1/cart | Yes | Any authenticated user |
| POST | /api/v1/orders | Yes | Any authenticated user |
| GET | /api/v1/orders | Yes | Any authenticated user |
| GET | /api/v1/orders/:id | Yes | Owner OR admin/manager/customer_experience |
| GET | /api/v1/admin/roles | Yes | admin, manager, customer_experience |
| POST | /api/v1/admin/roles | Yes | admin, manager, customer_experience |
| GET | /api/v1/admin/roles/:id | Yes | admin, manager, customer_experience |
| PUT | /api/v1/admin/roles/:id | Yes | admin, manager, customer_experience |
| DELETE | /api/v1/admin/roles/:id | Yes | admin, manager, customer_experience |
| GET | /api/v1/admin/roles/:id/permissions | Yes | admin, manager, customer_experience |
| POST | /api/v1/admin/roles/:id/permissions | Yes | admin, manager, customer_experience |
| DELETE | /api/v1/admin/roles/:id/permissions/:permId | Yes | admin, manager, customer_experience |
| GET | /api/v1/admin/permissions | Yes | admin, manager, customer_experience |
| POST | /api/v1/admin/permissions | Yes | admin, manager, customer_experience |
| GET | /api/v1/admin/permissions/:id | Yes | admin, manager, customer_experience |
| PUT | /api/v1/admin/permissions/:id | Yes | admin, manager, customer_experience |
| DELETE | /api/v1/admin/permissions/:id | Yes | admin, manager, customer_experience |
| GET | /api/v1/admin/users/:id/roles | Yes | admin, manager, customer_experience |
| POST | /api/v1/admin/users/:id/roles | Yes | admin, manager, customer_experience |
| DELETE | /api/v1/admin/users/:id/roles/:roleId | Yes | admin, manager, customer_experience |
| Code | Description |
|---|---|
200 |
OK - Request succeeded |
201 |
Created - Resource created successfully |
204 |
No Content - Request succeeded with no response body |
400 |
Bad Request - Invalid request data |
401 |
Unauthorized - Authentication required or invalid token |
403 |
Forbidden - Insufficient permissions |
404 |
Not Found - Resource not found |
409 |
Conflict - Resource already exists |
500 |
Internal Server Error - Server error |