A Petstore REST API built with Bun's native HTTP server and SQLite storage. Serves an OpenAPI 3.0 spec at /v3/api-docs. Designed as the running example for the apijack wiki.
```bash
bun run server.ts
```

Server runs on port 3459.

This API uses session-based auth with CSRF protection:

- Send HTTP Basic Auth (`admin/password`) to `GET /session`
- The response sets two cookies: `SESSION` and `XSRF-TOKEN`
- Include the `SESSION` cookie on all subsequent requests
- Include the `X-XSRF-TOKEN` header (value from the `XSRF-TOKEN` cookie) on mutating requests (POST, PUT, DELETE)

```bash
# Get session cookies
curl -si -u admin:password http://localhost:3459/session

# Use cookies for a GET
curl -s -b "SESSION=<token>" http://localhost:3459/pets

# Use cookies + XSRF for a POST
curl -s -b "SESSION=<token>" \
  -H "X-XSRF-TOKEN: <xsrf-token>" \
  -X POST -H "Content-Type: application/json" \
  -d '{"name":"Buddy","species":"dog","age":3}' \
  http://localhost:3459/pets
```

Add `sessionAuth` to the environment config:

```json
{
  "sessionAuth": {
    "session": { "endpoint": "/session", "method": "GET" },
    "cookies": { "extract": ["SESSION", "XSRF-TOKEN"], "applyTo": ["*"] },
    "headerMirror": [
      { "fromCookie": "XSRF-TOKEN", "toHeader": "X-XSRF-TOKEN", "applyTo": ["POST", "PUT", "DELETE"] }
    ],
    "refreshOn": [401]
  }
}
```

| Method | Path | Description |
|---|---|---|
| GET | `/v3/api-docs` | OpenAPI 3.0 spec (no auth) |
| GET | `/session` | Get session cookies (Basic Auth required) |
| GET | `/pets` | List pets (`?species=`, `?status=`) |
| GET | `/pets/:id` | Get a pet |
| POST | `/pets` | Create a pet |
| PUT | `/pets/:id` | Update a pet |
| DELETE | `/pets/:id` | Delete a pet |
| POST | `/pets/:id/adopt` | Adopt a pet |
| GET | `/owners` | List owners |
| GET | `/owners/:id` | Get an owner (includes pets) |
| POST | `/owners` | Create an owner |
| PUT | `/owners/:id` | Update an owner |
| DELETE | `/owners/:id` | Delete an owner |
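
How a client could apply the `sessionAuth` settings above to the cookies returned by `GET /session`, as an added example (not apijack's or this server's own code). The function names and cookie values are hypothetical, and the meaning given to `applyTo` and `refreshOn` is an assumed reading of the config.

```typescript
type Mirror = { fromCookie: string; toHeader: string; applyTo: string[] };
type SessionAuth = {
  cookies: { extract: string[]; applyTo: string[] };
  headerMirror: Mirror[];
  refreshOn: number[];
};
// Same values as the sessionAuth block on this page (session endpoint omitted).
const config: SessionAuth = {
  cookies: { extract: ["SESSION", "XSRF-TOKEN"], applyTo: ["*"] },
  headerMirror: [{ fromCookie: "XSRF-TOKEN", toHeader: "X-XSRF-TOKEN", applyTo: ["POST", "PUT", "DELETE"] }],
  refreshOn: [401],
};
// Constructed Set-Cookie lines standing in for a GET /session response.
const sampleSetCookie = ["SESSION=s3ss10n; Path=/; HttpOnly", "XSRF-TOKEN=x5rf; Path=/", "theme=dark; Path=/"];

// Keep only the cookies named in cookies.extract; attributes after ";" are dropped.
function extractCookies(setCookie: string[], names: string[]): Record<string, string> {
  const jar: Record<string, string> = {};
  for (const line of setCookie) {
    const pair = line.split(";")[0] ?? "";
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq).trim();
    if (eq > 0 && names.indexOf(name) !== -1) jar[name] = pair.slice(eq + 1).trim();
  }
  return jar;
}

const covers = (rule: string[], method: string): boolean =>
  rule.indexOf("*") !== -1 || rule.indexOf(method.toUpperCase()) !== -1;

// Cookie header on every method the cookie rule covers, plus each mirrored
// header on the methods its own rule covers.
function authHeaders(cfg: SessionAuth, jar: Record<string, string>, method: string): Record<string, string> {
  const headers: Record<string, string> = {};
  const names = Object.keys(jar);
  if (names.length > 0 && covers(cfg.cookies.applyTo, method)) {
    headers["Cookie"] = names.map((n) => `${n}=${jar[n]}`).join("; ");
  }
  for (const m of cfg.headerMirror) {
    if (!covers(m.applyTo, method)) continue;
    const value = jar[m.fromCookie];
    // Fail closed rather than send a mutating request without its CSRF token.
    if (value === undefined) throw new Error(`missing cookie ${m.fromCookie}`);
    headers[m.toHeader] = value;
  }
  return headers;
}

// Assumed reading of refreshOn: a listed status means log in again, then retry.
const needsRefresh = (cfg: SessionAuth, status: number): boolean => cfg.refreshOn.indexOf(status) !== -1;
```

The resulting headers can be passed to `fetch` as-is; when `needsRefresh` returns true for a response status, repeat the Basic Auth call to `/session` and rebuild the jar before retrying.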