API Reference
Endpoints, authentication, and response format
Connection Details
| Property | Development | Production |
|---|---|---|
| Base URL | http://localhost:5000/api | https://api.yourdomain.com/api |
| Socket.IO URL | http://localhost:5000 | https://api.yourdomain.com |
| Auth Header | Authorization: Bearer <token> | Authorization: Bearer <token> |
| Content-Type | application/json | application/json |
| Access Token Lifespan | 15 minutes | 15 minutes |
| Refresh Token Lifespan | 7 days | 7 days |
Authentication Endpoints
| Method | Path | Description | Auth |
|---|---|---|---|
| POST | /auth/login | Login — returns access + refresh tokens | No |
| POST | /auth/refresh | Exchange refresh token for new access token | No |
| POST | /auth/logout | Revoke the current refresh token | Yes |
| POST | /auth/logout-all | Revoke all sessions for this account | Yes |
| GET | /auth/me | Get the authenticated user's profile | Yes |
| PATCH | /auth/change-password | Change password — revokes all active sessions | Yes |
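The token lifecycle in the two tables above (15-minute Bearer access token, 7-day refresh token, `POST /auth/refresh` without an Authorization header, revocation via logout) is what a client has to get right. The example below is added here and is not the project's own client: it sends the Bearer header, refreshes once and retries on a 401, and backs off on a 429. The page shows no request or response bodies, so the `accessToken` / `refreshToken` field names, the `transport` callback and the in-memory fake server are constructed assumptions for the demo.

```javascript
// Added example (not the project's code): a client that follows the documented
// token lifecycle. `transport` is an injected synchronous function
// ({ method, url, headers, body }) => ({ status, headers, body }) so the logic
// runs offline; in production wrap fetch() and make the methods async.
// ASSUMPTION: the page shows no request/response bodies, so the field names
// accessToken / refreshToken below are placeholders, not the real API.
class ApiClient {
  constructor({ baseUrl, transport, sleep = () => {}, maxAttempts = 3 }) {
    this.baseUrl = baseUrl;
    this.transport = transport;
    this.sleep = sleep;            // (ms) => void; injected so tests never wait
    this.maxAttempts = maxAttempts;
    this.accessToken = null;
    this.refreshToken = null;
    this.log = [];                 // "<METHOD> <path>" per outgoing request
  }

  // Low-level send; attaches the Bearer header unless the endpoint's Auth column is "No".
  send(method, path, body, withAuth = true) {
    const headers = { 'Content-Type': 'application/json' };
    if (withAuth && this.accessToken) headers.Authorization = `Bearer ${this.accessToken}`;
    this.log.push(`${method} ${path}`);
    return this.transport({ method, url: `${this.baseUrl}${path}`, headers, body });
  }

  login(credentials) {
    const res = this.send('POST', '/auth/login', credentials, false);
    if (res.status !== 200) throw new Error(`login failed with ${res.status}`);
    this.accessToken = res.body.accessToken;
    this.refreshToken = res.body.refreshToken;
  }

  // POST /auth/refresh takes no Authorization header (Auth: No); a rotated
  // refresh token in the reply replaces the old one.
  refresh() {
    const res = this.send('POST', '/auth/refresh', { refreshToken: this.refreshToken }, false);
    if (res.status !== 200) return false;     // refresh token expired or revoked
    this.accessToken = res.body.accessToken;
    if (res.body.refreshToken) this.refreshToken = res.body.refreshToken;
    return true;
  }

  // Authenticated call with the recovery paths the status table describes:
  //   401 -> refresh once and retry (expired access token)
  //   429 -> wait (Retry-After seconds if present, else exponential) and retry
  //   403 -> return as-is: the role lacks the permission, retrying cannot help
  request(method, path, body) {
    let refreshed = false;
    let delayMs = 500;
    let res;
    for (let attempt = 1; attempt <= this.maxAttempts; attempt++) {
      res = this.send(method, path, body);
      if (res.status === 401 && !refreshed) {
        refreshed = true;
        if (!this.refresh()) break;           // caller must log in again
        continue;
      }
      if (res.status === 429 && attempt < this.maxAttempts) {
        const retryAfter = Number((res.headers || {})['retry-after']);
        this.sleep(retryAfter > 0 ? retryAfter * 1000 : delayMs);
        delayMs *= 2;
        continue;
      }
      break;
    }
    return res;
  }
}

// Constructed in-memory stand-in for the backend, only so the demo runs offline.
function makeFakeServer() {
  let n = 0;
  const liveAccess = new Set();
  const liveRefresh = new Set();
  let throttleOnce = true;                    // first product call answers 429
  const issue = () => {
    n += 1;
    liveAccess.add(`access-${n}`); liveRefresh.add(`refresh-${n}`);
    return { accessToken: `access-${n}`, refreshToken: `refresh-${n}` };
  };
  const transport = (req) => {
    const path = new URL(req.url).pathname.replace(/^\/api/, '');
    const bearer = (req.headers.Authorization || '').replace(/^Bearer /, '');
    if (path === '/auth/login') return { status: 200, body: issue() };
    if (path === '/auth/refresh') {
      if (!liveRefresh.delete(req.body.refreshToken)) return { status: 401, body: {} };
      return { status: 200, body: issue() };  // rotation: the old refresh token is gone
    }
    if (!liveAccess.has(bearer)) return { status: 401, body: { error: 'expired access token' } };
    if (path === '/auth/me') return { status: 200, body: { id: 'u-1' } };
    if (path === '/v1/products') {
      if (throttleOnce) { throttleOnce = false; return { status: 429, headers: { 'retry-after': '2' }, body: {} }; }
      return { status: 200, body: { data: [] } };
    }
    return { status: 404, body: {} };
  };
  return { transport, expireAccess: (t) => liveAccess.delete(t) };
}

// Walk-through: login, the access token expires, one call hits 401 and succeeds
// after a refresh, and one call is rate limited once before succeeding.
function demo() {
  const server = makeFakeServer();
  const waits = [];
  const client = new ApiClient({
    baseUrl: 'http://localhost:5000/api', transport: server.transport, sleep: (ms) => waits.push(ms),
  });
  client.login({ email: 'cashier@example.test', password: 'constructed-demo-password' });
  const firstToken = client.accessToken;
  server.expireAccess(firstToken);            // stands in for the 15-minute lifespan passing
  const me = client.request('GET', '/auth/me');
  const products = client.request('GET', '/v1/products');
  return {
    meStatus: me.status, productsStatus: products.status,
    rotated: client.accessToken !== firstToken, waits, log: client.log,
  };
}
```

Two design points carry over to a real client: the refresh is attempted at most once per request so an expired or revoked refresh token cannot cause a retry loop, and a 403 is returned untouched because it means the token is valid but the role lacks the permission, which no retry will change.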
Resource Endpoints by Module
Products — /api/v1/products
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | / | product:read | List products (paginated) |
| POST | / | product:write | Create product |
| POST | /bulk-import | product:write | Bulk import products |
| GET | /lookup/barcode/:barcode | product:read | Barcode lookup |
| GET | /:id | product:read | Get product detail |
| PATCH | /:id | product:write | Update product |
| DELETE | /:id | product:write | Soft-delete product |
| POST | /:id/variants | product:write | Add variant |
| PATCH | /:id/variants/:variantId | product:write | Update variant |
| DELETE | /:id/variants/:variantId | product:write | Soft-delete variant |
Categories — /api/v1/products/categories
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | /categories | category:read | List categories (tree/flat) |
| POST | /categories | category:write | Create category |
| GET | /categories/:id | category:read | Get category |
| PATCH | /categories/:id | category:write | Update category |
| DELETE | /categories/:id | category:write | Soft-delete category |
Inventory — /api/v1/inventory
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | /stock | inventory:read | Paginated stock list |
| GET | /stock/low | inventory:read | Low stock items |
| POST | /stock/adjust | inventory:write | Delta stock adjustment |
| POST | /stock/set | inventory:write | Absolute stock set |
| PATCH | /stock/:storeId/:productId/threshold | inventory:write | Update low stock threshold |
| GET | /movements | inventory:read | Stock movement history |
| GET | /transfers | inventory:read | List transfers |
| POST | /transfers | inventory:write | Create transfer |
| GET | /transfers/:id | inventory:read | Get transfer detail |
| POST | /transfers/:id/ship | inventory:write | Mark as IN_TRANSIT |
| POST | /transfers/:id/receive | inventory:write | Mark as COMPLETED |
| POST | /transfers/:id/cancel | inventory:write | Cancel transfer |
Sales — /api/v1/sales
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| POST | /checkout | sale:create | Process checkout |
| GET | / | sale:read | List sales |
| GET | /:id | sale:read | Get sale detail |
| POST | /:id/void | sale:void | Void a sale |
| POST | /:id/return | sale:return | Return a sale |
Payments — /api/v1/payments
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | / | sale:read | List payments |
| GET | /:id | sale:read | Get payment detail |
| POST | /collect-due | sale:create | Collect due payment |
| GET | /customer/:customerId | customer:read | Customer payment history |
Customers — /api/v1/customers
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | /groups | customer:read | List customer groups |
| POST | /groups | customer:write | Create group |
| PATCH | /groups/:id | customer:write | Update group |
| DELETE | /groups/:id | customer:write | Delete group |
| GET | /loyalty/program | customer:read | Get loyalty program config |
| GET | / | customer:read | List customers |
| POST | / | customer:write | Create customer |
| GET | /:id | customer:read | Get customer detail |
| PATCH | /:id | customer:write | Update customer |
| DELETE | /:id | customer:write | Delete customer |
| GET | /:id/ledger | customer:read | Customer financial ledger |
| GET | /:id/loyalty | customer:read | Loyalty point history |
| POST | /:id/loyalty/adjust | customer:write | Adjust loyalty points |
Suppliers — /api/v1/suppliers
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | / | supplier:read | List suppliers |
| POST | / | supplier:write | Create supplier |
| GET | /:id | supplier:read | Get supplier detail |
| PATCH | /:id | supplier:write | Update supplier |
| DELETE | /:id | supplier:write | Delete supplier |
Purchases — /api/v1/purchases
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | / | purchase:read | List purchase orders |
| POST | / | purchase:write | Create purchase order |
| GET | /:id | purchase:read | Get PO detail |
| POST | /:id/receive | purchase:receive | Receive goods |
| POST | /:id/payment | purchase:write | Add payment to PO |
| POST | /:id/cancel | purchase:write | Cancel PO |
Expenses — /api/v1/expenses
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | /categories | expense:read | List expense categories |
| POST | /categories | expense:write | Create category |
| DELETE | /categories/:id | expense:write | Delete category |
| GET | /summary | expense:read | Expense summary |
| GET | / | expense:read | List expenses |
| POST | / | expense:write | Create expense |
| GET | /:id | expense:read | Get expense detail |
| PATCH | /:id | expense:write | Update expense |
| DELETE | /:id | expense:write | Delete expense |
Reports — /api/v1/reports
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | /sales | report:read | Sales summary report |
| GET | /profit | report:read | Profit & loss report |
| GET | /stock | report:read | Stock valuation report |
| GET | /cashier | report:read | Cashier performance report |
Receipts — /api/v1/receipts
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | /template | receipt:read | Get receipt template |
| PUT | /template | receipt:write | Create/update template |
| GET | /sale/:saleId | receipt:generate | Generate receipt (data/HTML) |
| GET | /sale/:saleId/preview | receipt:generate | HTML receipt preview |
Users — /api/v1/users
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| PATCH | /me | Any authenticated | Update own profile |
| GET | / | ADMIN/MANAGER | List users |
| POST | / | ADMIN/MANAGER | Create user |
| GET | /:id | ADMIN/MANAGER | Get user detail |
| PATCH | /:id | ADMIN/MANAGER | Update user |
| POST | /:id/reset-password | ADMIN/MANAGER | Reset user password |
| DELETE | /:id | ADMIN/MANAGER | Deactivate user |
| PATCH | /:id/restore | ADMIN/MANAGER | Reactivate user |
Stores — /api/v1/stores
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | / | store:manage | List stores |
| POST | / | store:manage | Create store |
| GET | /:id | store:manage | Get store details |
| PATCH | /:id | store:manage | Update store |
| GET | /:id/stats | store:manage | Store dashboard stats |
| DELETE | /:id | store:manage | Soft-delete store |
Tenant & Settings — /api/v1/tenants
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | /me | tenant:manage | Get own tenant profile |
| PATCH | /me | tenant:manage | Update own tenant |
| GET | /me/settings | tenant:manage | Get tenant settings |
| PATCH | /me/settings | tenant:manage | Update tenant settings |
| GET | /me/dashboard | tenant:manage | Dashboard statistics |
Audit Logs — /api/v1/audit
| Method | Endpoint | Permission | Description |
|---|---|---|---|
| GET | / | report:read | Tenant audit logs |
| GET | /all | SUPER_ADMIN | Platform-wide audit logs |
Super Admin — /api/v1/super-admin
| Method | Endpoint | Description |
|---|---|---|
| GET | /admins | List super admins |
| POST | /admins | Create super admin |
| GET | /stats | Platform-wide statistics |
| GET | /users | List all users (cross-tenant) |
| GET | /users/:userId | Get user (cross-tenant) |
| DELETE | /users/:userId | Soft-delete user |
| PATCH | /users/:userId/restore | Restore user |
| DELETE | /users/:userId/hard | Hard-delete user |
| POST | /users/bulk | Bulk user action |
| POST | /users/:userId/reset-password | Reset any password |
Standard Response Format
Success Response
Error Response
HTTP Status Code Reference
| Status Code | Meaning | When It Occurs |
|---|---|---|
| 200 OK | Success | GET, PATCH, DELETE requests that complete normally |
| 201 Created | Resource created | POST requests that create a new resource |
| 400 Bad Request | Validation error | Request body fails Zod schema — check error.details array |
| 401 Unauthorized | Invalid auth | Missing or expired access token |
| 403 Forbidden | Insufficient rights | Token is valid but the role lacks the required permission |
| 404 Not Found | Missing resource | The ID does not exist or belongs to a different tenant |
| 409 Conflict | Duplicate | Unique constraint violation — e.g. SKU already exists |
| 422 Unprocessable | Business logic error | e.g. insufficient stock, exceeded credit limit |
| 429 Too Many Requests | Rate limited | Exceeded request limit — back off and retry |
| 500 Server Error | Unexpected error | Check backend Pino logs for the full stack trace |
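The Permission column of the module tables and the 401 / 403 / 404 rows of the status table together define an ordering every protected route has to apply: authenticate first, then check the role's permission, then look the resource up within the caller's tenant so that a foreign ID is reported exactly like a missing one. The example below is added here and is not the project's middleware; it is a framework-free gate that applies that ordering and also implements the "revokes all active sessions" behaviour of `PATCH /auth/change-password` and `POST /auth/logout-all` on the server side. The decoded token claims (`sub`, `tenantId`, `role`, `sid`, `exp`), the `store` shape and the role-to-permission map are constructed assumptions: the page lists permission names per endpoint but not which role holds which permission.

```javascript
// Added example, not the project's own middleware: a framework-free
// authorization gate that applies the decision order the status table
// implies: 401 (missing, expired or revoked token) before 403 (role lacks
// the endpoint's permission) before 404 (the ID exists but belongs to a
// different tenant, reported exactly like a missing ID).
// ASSUMPTIONS: decoded token claims { sub, tenantId, role, sid, exp } and the
// role -> permission map are constructed for the demo; the page lists
// permission names per endpoint but not which role holds which permission.
const MANAGER_PERMS = [
  'product:read', 'product:write', 'inventory:read', 'inventory:write',
  'sale:create', 'sale:read', 'sale:void', 'sale:return', 'report:read',
];
const ROLE_PERMISSIONS = {
  CASHIER: new Set(['product:read', 'sale:create', 'sale:read', 'customer:read']),
  MANAGER: new Set(MANAGER_PERMS),
  ADMIN: new Set([...MANAGER_PERMS, 'store:manage', 'tenant:manage']),
};

// store: { rows: [{ id, tenantId, ... }], sessions: [{ sid, sub }], revokedSessions: Set }
function authorize({ claims, now, permission, resourceId }, store) {
  // 1. Authentication: anything wrong with the token itself is 401.
  if (!claims) return { status: 401, reason: 'missing token' };
  if (claims.exp <= now) return { status: 401, reason: 'expired token' };
  if (store.revokedSessions.has(claims.sid)) return { status: 401, reason: 'session revoked' };
  // 2. Authorization: the role must hold the permission from the endpoint table.
  const perms = ROLE_PERMISSIONS[claims.role] || new Set();
  if (!perms.has(permission)) return { status: 403, reason: `${claims.role} lacks ${permission}` };
  // 3. Tenant scoping: the lookup is always filtered by the caller's tenant,
  //    so a foreign ID is indistinguishable from a nonexistent one.
  if (resourceId === undefined) return { status: 200, reason: 'ok' };
  const row = store.rows.find((r) => r.id === resourceId && r.tenantId === claims.tenantId);
  return row ? { status: 200, reason: 'ok', row } : { status: 404, reason: 'not found in tenant' };
}

// What change-password and logout-all need server-side: every session of the
// user is marked revoked, so access tokens bound to those sessions stop working
// immediately instead of at the end of their 15-minute lifespan.
function revokeAllSessions(store, sub) {
  for (const s of store.sessions) if (s.sub === sub) store.revokedSessions.add(s.sid);
}

// Walk-through over constructed data: two tenants, one cashier, three sessions.
function demo() {
  const store = {
    rows: [{ id: 'p-1', tenantId: 't-A', sku: 'SKU-1' }, { id: 'p-2', tenantId: 't-B', sku: 'SKU-2' }],
    sessions: [{ sid: 's-1', sub: 'u-1' }, { sid: 's-2', sub: 'u-1' }, { sid: 's-3', sub: 'u-2' }],
    revokedSessions: new Set(),
  };
  const now = 1_700_000_000;
  const cashier = { sub: 'u-1', tenantId: 't-A', role: 'CASHIER', sid: 's-1', exp: now + 900 };
  const check = (claims, permission, resourceId) =>
    authorize({ claims, now, permission, resourceId }, store).status;
  const out = {
    noToken: check(null, 'product:read'),                         // 401
    expired: check({ ...cashier, exp: now - 1 }, 'product:read'), // 401
    read: check(cashier, 'product:read', 'p-1'),                  // 200
    write: check(cashier, 'product:write', 'p-1'),                // 403
    crossTenant: check(cashier, 'product:read', 'p-2'),           // 404, not 403
  };
  revokeAllSessions(store, 'u-1');
  out.afterRevoke = check(cashier, 'product:read');               // 401
  out.otherUserUnaffected = !store.revokedSessions.has('s-3');    // true
  return out;
}
```

The ordering matters for what a caller can learn: the permission check runs before the tenant-scoped lookup, so an unprivileged caller cannot use 404-versus-403 differences to probe which IDs exist, and the cross-tenant case returns the same 404 as a nonexistent ID.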