Metadata & auth
How the published API describes itself and which credentials each route class expects.
Specification
- Title / version
- Scalar and downloads use the same operation list (Auth, Collections, Records, API tokens, Search). Guests load Integrations (v1) (https://devapi.mandrel.cloud/api/docs/openapi-integrations.json); signed-in loads App reference (https://devapi.mandrel.cloud/api/docs/openapi-app.json) with a different
info.title. The canonical JSON uses the defaultinfo.title(“Mandrel v2 API”). Other HTTP routes exist on the server but are not in this file — expandPUBLISHED_OPENAPI_TAG_ALLOWLISTinapps/backend/src/routes/openapi.tsintentionally if you publish more.info.versionis0.0.1. - Embed shell (iframe)
https://devapi.mandrel.cloud/api/docs/reference-ui?theme=system|dark|light&spec=integrations|app
Security schemes (OpenAPI components)
The spec defines:
bearerAuth— HTTP Bearer, JWT session access token.apiToken— HTTP Bearer, API token (mnd_…).
Each operation lists which schemes apply. Operations with nosecurity entry are callable without credentials (for example public auth flows). Published routes skew toward authenticated collection and record access.
Org scope
For org data, send X-Organization-Id with a UUID that matches the org in the URL when both are present. The server validates consistency.
Collection list and writes are scoped by org; your effective collection set follows role and RCP in the product (not duplicated in OpenAPI).
Tags
Scalar lists only the published tag set. Signing in switches which export URL / info.title Scalar loads, not the route list. Open interactive spec →