SPEC-STV-03-API-Endpoints

📜

SPEC-STV-03 · Spec header. Spec ID: SPEC-STV-03 · Title: API Endpoints Reference · Version: 1.0.0 · Status: Planned · Authority: Specification · Priority: P0 · Owner role: Backend architect · Reviewers: Frontend lead, Security lead · Last reviewed: 2026-05-11 · Sync targets: routes/api.php, app/Http/Controllers/Api/**, docs/API_ENDPOINTS.md · Depends on: SPEC-STV-HUB, SPEC-STV-01, SPEC-STV-02, SPEC-STV-11 · Consumed by: SPEC-STV-04 … SPEC-STV-12, future SwiftUI client · Conflict rule: Hub wins. · Change policy: Backend architect + Frontend lead; Registry bump on any breaking change.

1 · Conventions

Base path: /api/v1. Major version increments are breaking changes.

Auth: Laravel Sanctum personal access tokens. Each token carries an abilities set (§3).

Content-type: application/json request and response. SSE responses use text/event-stream.

Pagination: cursor-based on hot lists (?cursor=…&per_page=≤100); page-based on admin lists.

Errors: RFC 7807-ish JSON { "error": { "code": "...", "message": "...", "details": {...} } }. HTTP status carries semantics (400|401|403|404|409|422|429|5xx).

Timestamps: ISO 8601 UTC.

IDs in public URLs use uuid; internal id is never exposed.

2 · Auth

Method	Path	Abilities	Notes
POST	`/auth/login`	—	Returns Sanctum token. Rate-limited 5 / min / IP.
POST	`/auth/logout`	any	Revokes current token.
GET	`/auth/me`	any	Returns user profile + workspace memberships.
POST	`/auth/tokens`	`tokens:create`	Issue a scoped token.
DELETE	`/auth/tokens/{id}`	`tokens:revoke`	Revoke a token.

3 · Sanctum ability set

workspaces:read, workspaces:write, pages:read, pages:write, blocks:write, databases:read, databases:write, comments:write, files:write, sharing:write, ai:transform, ai:generate, rag:query, rag:reindex (admin), settings:write, tokens:create, tokens:revoke. The web session is treated as carrying the full set scoped by the user's workspace role.

4 · Workspaces

Method	Path	Abilities	Shape
GET	`/workspaces`	`workspaces:read`	List user's workspaces.
POST	`/workspaces`	`workspaces:write`	Body `{ name, slug?, icon?, default_language? }`.
GET	`/workspaces/{uuid}`	`workspaces:read`	Details + role.
PATCH	`/workspaces/{uuid}`	`workspaces:write`, owner/admin	Partial update.
DELETE	`/workspaces/{uuid}`	`workspaces:write`, owner only	Soft-delete, scheduled hard delete in 30 days.
GET	`/workspaces/{uuid}/members`	`workspaces:read`	List.
POST	`/workspaces/{uuid}/members`	`workspaces:write`	Invite by email, role required.
PATCH	`/workspaces/{uuid}/members/{user_uuid}`	`workspaces:write`, admin+	Change role.
DELETE	`/workspaces/{uuid}/members/{user_uuid}`	`workspaces:write`, admin+	Remove.

5 · Pages

Method	Path	Notes
GET	`/workspaces/{ws}/pages?parent={uuid\|null}&cursor=…`	Sidebar tree, cursor-paginated children only.
POST	`/workspaces/{ws}/pages`	Body `{ title, parent_page_uuid?, icon?, template_id? }`.
GET	`/pages/{uuid}`	Returns page + first N blocks (configurable, default 100).
PATCH	`/pages/{uuid}`	Partial update: `title`, `icon`, `cover_url`, `visibility`, `seo`.
POST	`/pages/{uuid}/archive`	Soft archive; cascade to subpages = config flag.
POST	`/pages/{uuid}/restore`	Reverse archive.
POST	`/pages/{uuid}/move`	Body `{ new_parent_uuid?: "…\|null", new_sort_position?: number }`.
POST	`/pages/{uuid}/favorite`	Toggle favorite for current user.
GET	`/pages/{uuid}/versions`	List event-based versions.
POST	`/pages/{uuid}/versions/{n}/restore`	Restore a prior version.

6 · Blocks

Method	Path	Notes
GET	`/pages/{uuid}/blocks?after={position}&limit=200`	Cursor-based by `position`.
POST	`/pages/{uuid}/blocks`	Single or batch `{ blocks: [...] }`. Returns assigned IDs and positions.
PATCH	`/blocks/{id}`	Partial update of `content` / `metadata`.
POST	`/blocks/{id}/move`	Body `{ new_parent_block_id?, new_position }`.
POST	`/blocks/batch`	Bulk patch (used by autosave).
DELETE	`/blocks/{id}`	Soft delete; emits `page_version` op.

7 · Databases

Method	Path	Notes
POST	`/databases`	Create. Body `{ page_id?, name, properties: [...] }`.
GET	`/databases/{id}`	Returns schema + view list.
POST	`/databases/{id}/properties`	Add property.
PATCH	`/properties/{id}`	Rename / change config.
GET	`/databases/{id}/rows?view={id}&cursor=…`	Filtered/sorted server-side per view.
POST	`/databases/{id}/rows`	Create row with optional initial cell values.
PATCH	`/rows/{id}/cells`	Bulk cell update `{ values: { property_id: value, ... } }`.
POST	`/databases/{id}/views`	Create view.
PATCH	`/views/{id}`	Edit config.

8 · Templates / Search / Comments / Files

Method	Path	Notes
GET	`/templates?category=…&scope=workspace\|global`	—
POST	`/templates/{id}/instantiate`	Body `{ parent_page_uuid?, workspace_uuid }`.
POST	`/pages/{uuid}/save_as_template`	—
GET	`/search?q=…&workspace={uuid}&types=page,block,file,database&limit=20`	Meilisearch.
GET	`/pages/{uuid}/comments`	—
POST	`/comments`	Body `{ page_uuid, block_id?, parent_comment_id?, body }`.
POST	`/comments/{id}/resolve`	—
POST	`/files/presign`	Returns S3 PUT URL + signed fields.
POST	`/files/commit`	Body `{ key, mime, size, original_name }` → creates `files` row.
GET	`/files/{uuid}/signed-url`	Time-limited download URL.

9 · Sharing

Method	Path	Notes
POST	`/pages/{uuid}/share-link`	Body `{ mode: "view\|comment", password?, expires_at? }`. Returns `{ url, token }`.
DELETE	`/share-links/{token}`	—
POST	`/pages/{uuid}/shares`	Body `{ user_uuid, role }`.
DELETE	`/pages/{uuid}/shares/{user_uuid}`	—
GET	`/public/{token}`	Public read. No auth. Rate-limited 60 / min / IP. Strips comments unless `mode = comment`.

10 · AI + RAG

Method	Path	Notes
POST	`/ai/transform`	Body `{ action, selection: { page_uuid, block_id?, text }, options? }`. Returns transformed text. SSE-friendly via `/ai/transform/stream`.
POST	`/ai/transform/stream`	SSE. Events `delta`, `final`, `error`.
POST	`/ai/generate`	Body `{ prompt, context: { page_uuid?, scope } }`. Generates a draft page outline / API doc / spec.
POST	`/rag/query`	Body `{ workspace_uuid, query, top_k? }`. Returns hits with citations `{ page_uuid, block_id?, score, excerpt }`.
POST	`/rag/reindex`	Admin. Body `{ scope?: "workspace\|page", id? }`. Queued.
GET	`/rag/status?workspace={uuid}`	Returns `{ chunks, stale, last_indexed_at, queue_depth }`.

11 · Activity & Settings

Method	Path	Notes
GET	`/workspaces/{uuid}/activity?entity=page&entity_id={uuid}&cursor=…`	Read-only audit feed.
GET	`/workspaces/{uuid}/settings`	—
PATCH	`/workspaces/{uuid}/settings/{key}`	Admin. Body `{ value }`.

12 · Rate limits (defaults)

Auth: 5 / min / IP.

AI transform: 30 / min / user, 500 / day / workspace.

AI generate: 10 / min / user.

Public share read: 60 / min / IP, 5 / sec burst.

RAG reindex: 1 in-flight / workspace.

File presign: 60 / min / user.

13 · Error catalogue (selected)

workspace.member_required, workspace.role_insufficient, page.archived, page.parent_loop, block.invalid_type, block.content_too_large, database.property_type_mismatch, share.password_required, share.expired, ai.rate_limited, ai.input_too_long, rag.disabled_for_workspace, file.mime_blocked, file.size_exceeded, idor.cross_workspace.