Skip to content

Metadata & auth

How the published API describes itself and which credentials each route class expects.

Specification

Title / version
Scalar and downloads use the same operation list (Auth, Collections, Records, API tokens, Search). Guests load Integrations (v1) (https://devapi.mandrel.cloud/api/docs/openapi-integrations.json); signed-in loads App reference (https://devapi.mandrel.cloud/api/docs/openapi-app.json) with a different info.title. The canonical JSON uses the default info.title (“Mandrel v2 API”). Other HTTP routes exist on the server but are not in this file — expand PUBLISHED_OPENAPI_TAG_ALLOWLIST in apps/backend/src/routes/openapi.ts intentionally if you publish more. info.version is 0.0.1.
Embed shell (iframe)
https://devapi.mandrel.cloud/api/docs/reference-ui?theme=system|dark|light&spec=integrations|app

Security schemes (OpenAPI components)

The spec defines:

  • bearerAuth — HTTP Bearer, JWT session access token.
  • apiToken — HTTP Bearer, API token (mnd_…).

Each operation lists which schemes apply. Operations with nosecurity entry are callable without credentials (for example public auth flows). Published routes skew toward authenticated collection and record access.

Org scope

For org data, send X-Organization-Id with a UUID that matches the org in the URL when both are present. The server validates consistency.

Collection list and writes are scoped by org; your effective collection set follows role and RCP in the product (not duplicated in OpenAPI).

Tags

Scalar lists only the published tag set. Signing in switches which export URL / info.title Scalar loads, not the route list. Open interactive spec →