API Overview
The NestJS REST API is served at http://localhost:3000. Interactive documentation (Swagger UI) is available at http://localhost:3000/docs.
Modules
| Module | Path prefix | Description |
|---|---|---|
| Auth | /api/auth/* | better-auth: sign-in, sign-out, OAuth callbacks, session |
| Tenant | /tenants | Tenant creation (superadmin), retrieval, and configuration |
| User | /tenants/:tenantId/users | User management within a tenant |
| Entry | /tenants/:tenantId/entries | Time entry CRUD and approval |
| Invoice | /tenants/:tenantId/invoices | Invoice management and OCR |
| Project | /tenants/:tenantId/projects | Project management |
| Task List | /tenants/:tenantId/task-lists | Task list and task management |
| Vehicle | /tenants/:tenantId/vehicles | Vehicle management |
| Notification | /tenants/:tenantId/notifications | In-app notifications |
| Sync | /tenants/:tenantId/syncs | IMAP email sync configuration |
| Search | /tenants/:tenantId/search | Full-text search across entries, invoices, projects |
| API Key | /tenants/:tenantId/api-keys | API key management |
| Webhook | /tenants/:tenantId/webhooks | Webhook subscriptions |
| Admin | /admin | Super-admin operations |
Authentication
All routes except /api/auth/* require a valid session cookie. The AuthGuard is applied globally.
To make a route public, apply the @Public() decorator:
```typescript
import { Public } from '../auth/decorators'

@Public()
@Get('health')
health() { return 'ok' }
```
Authorization
Tenant-scoped routes are protected by TenantGuard (applied globally). It resolves the caller's role for the requested tenant and builds a CASL ability object.
Use @CheckAbility to require a specific permission:
```typescript
@CheckAbility({ action: 'manage', subject: 'Entry' })
```
See Permissions & CASL for the full role matrix.
API Keys
External integrations can authenticate with API keys. Include the key in the Authorization header:
```
Authorization: Bearer tt_<key>
```
API keys are scoped to a single tenant and granted admin role access within that tenant.
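One way a guard could enforce the tenant scoping described above, as an added example that is not the project's own code. The record shape, the allowed key characters, the hashed storage, the refusal of non-tenant routes and the sample keys are assumptions made for illustration.

```typescript
import { createHash, timingSafeEqual } from 'node:crypto'

// Hypothetical record shape; the project's real schema is not shown on this page.
interface ApiKeyRecord { tenantId: string; keyHash: Buffer }

type Decision =
  | { allowed: true; tenantId: string; role: 'admin' }
  | { allowed: false; status: 401 | 403; reason: string }

const sha256 = (s: string): Buffer => createHash('sha256').update(s).digest()

// Constructed sample store: only hashes are kept, never the plaintext key.
const SAMPLE_KEYS: ApiKeyRecord[] = [
  { tenantId: 'tenant-a', keyHash: sha256('tt_constructed-sample-key-a') },
  { tenantId: 'tenant-b', keyHash: sha256('tt_constructed-sample-key-b') },
]

function authorizeApiKey(
  authorization: string | undefined,
  path: string,
  keys: ApiKeyRecord[] = SAMPLE_KEYS,
): Decision {
  // The header must be exactly "Bearer tt_<key>" (key charset is an assumption).
  const m = /^Bearer (tt_[A-Za-z0-9_-]+)$/.exec(authorization ?? '')
  if (!m) return { allowed: false, status: 401, reason: 'missing or malformed API key' }

  // Compare fixed-length hashes in constant time and scan every record.
  const presented = sha256(m[1])
  let match: ApiKeyRecord | undefined
  for (const k of keys) if (timingSafeEqual(k.keyHash, presented)) match = k
  if (!match) return { allowed: false, status: 401, reason: 'unknown API key' }

  // A key is honoured only on /tenants/:tenantId/... for its own tenant,
  // so /admin and other tenants' routes are refused.
  const route = /^\/tenants\/([^/]+)(?:\/|$)/.exec(path)
  if (!route) return { allowed: false, status: 403, reason: 'API keys are tenant-scoped' }
  if (route[1] !== match.tenantId) {
    return { allowed: false, status: 403, reason: 'key belongs to another tenant' }
  }
  return { allowed: true, tenantId: match.tenantId, role: 'admin' }
}
```

The tenant comparison uses the raw path segment, so an encoded or otherwise altered tenant ID fails closed with 403.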
Swagger
The OpenAPI spec is served at:
- JSON: GET /docs-json
- YAML: GET /docs-yaml
- UI: GET /docs
Use pnpm openapi:export to snapshot the spec to openapi.json for SDK generation.