Public Endpoints

The /api/v1/public/* family is the deliberate "external integrations" surface. Endpoints here accept an API token via Authorization: Bearer ... and validate scopes; they do not accept the dashboard session cookie.

OpenAPI

GET /api/v1/public/openapi.json     full spec, no auth required

The spec is the authoritative source for available endpoints and parameter shapes.

Common endpoints

GET  /api/v1/public/posts            list  — scope: posts:read
POST /api/v1/public/posts            create — scope: posts:write
GET  /api/v1/public/accounts         list  — scope: accounts:read

Authentication failure modes

  • 401 invalid_token — token doesn't decode or doesn't match a stored hash.
  • 401 token_revoked — revoked_at is set on the token record.
  • 403 missing_scope — token doesn't carry the required scope.
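
An added sketch, not the project's own code, of a server-side check that yields the three failure modes above. The SHA-256 hashing, the token-store layout, the sample tokens, the `authorize` function and the order of the checks are assumptions; the status codes, error codes, scopes and `revoked_at` come from this page.

```python
import hashlib

def token_hash(token):
    # Assumption: tokens are stored as SHA-256 hex digests, never in plaintext.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

# Constructed token store keyed by hash; only revoked_at is named on the page.
TOKENS = {
    token_hash("example-reader-token"): {
        "scopes": {"posts:read", "accounts:read"}, "revoked_at": None},
    token_hash("example-revoked-token"): {
        "scopes": {"posts:read", "posts:write"},
        "revoked_at": "2024-01-01T00:00:00Z"},
}

# Required scope per route, taken from the "Common endpoints" list.
REQUIRED_SCOPE = {
    ("GET", "/api/v1/public/posts"): "posts:read",
    ("POST", "/api/v1/public/posts"): "posts:write",
    ("GET", "/api/v1/public/accounts"): "accounts:read",
}

def authorize(headers, required_scope):
    """Return (status, code); (200, "ok") is a placeholder for success."""
    # Only the Authorization header is read. A Cookie header is ignored, so a
    # dashboard session can never authenticate a public endpoint.
    value = {k.lower(): v for k, v in headers.items()}.get("authorization", "")
    scheme, _, token = value.partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return 401, "invalid_token"
    record = TOKENS.get(token_hash(token))
    if record is None:
        return 401, "invalid_token"      # no stored hash matches
    if record["revoked_at"] is not None:
        return 401, "token_revoked"      # assumed to be checked before scopes
    if required_scope not in record["scopes"]:
        return 403, "missing_scope"      # valid token, wrong permissions
    return 200, "ok"

if __name__ == "__main__":
    scope = REQUIRED_SCOPE[("POST", "/api/v1/public/posts")]
    for tok in ("example-reader-token", "example-revoked-token", "unknown"):
        print(tok, authorize({"Authorization": "Bearer " + tok}, scope))
```
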

What's not public

The cookie-only surface (workspaces, billing, admin, marketplace, team management) intentionally has no public-API mirror today. Build against the cookie-auth surface only when you control the browser session.