All endpoints available in this service. Use the table below to integrate with the frontend.

Base URL: https://api.foxtcon1.com (or your deployment URL).

Header: Authorization: Bearer <your_token>. Public endpoints (Auth config, Check email, Login, OTP start/verify, Health) do not require it.

| API name | Method | Endpoint | Description | How to use in frontend | Postman (method, auth, body) |
|---|---|---|---|---|---|
| Health check | GET | /api/health | Returns API health status. | fetch('/api/health') or use for uptime checks. | GET · No auth |
| Auth config | GET | /api/v1/auth/config | Public auth configuration (portal, loginIdentifier, tenantSlug). | getAuthConfig() before login to decide email vs phone UI. | GET · No auth |
| Check email | POST | /api/v1/auth/check-email | Check if email exists (super-admin portal). | POST body: { email }. Use before sending OTP. | POST · No auth · {"email":"admin@example.com"} |
| Login | POST | /api/v1/auth/login | Authenticate and get session/token. | POST body: credentials. Store token; set cookie or Authorization header. | POST · No auth · {"email":"admin@example.com","password":"your-password"} |
| OTP start | POST | /api/v1/auth/otp/start | Request OTP (phone/email) for org portal. | POST body: { phone } or { email }. Then call OTP verify. | POST · No auth · {"channel":"email","destination":"user@example.com"} |
| OTP verify | POST | /api/v1/auth/otp/verify | Verify OTP; creates server session, returns accessToken + expiresIn. Web: Set-Cookie refresh + CSRF. Mobile: X-Client-Type: mobile + refreshToken in JSON. | otpVerify(); store access in memory only. Headers: X-Client-Type: web (default). See docs/openapi-auth.yaml. | POST · No auth · {"channel":"email","destination":"user@example.com","otp":"123456"} |
| Refresh tokens | POST | /api/v1/auth/refresh | Rotate refresh and issue new access JWT. Web: workforce_refresh cookie + header X-Refresh-CSRF must match workforce_refresh_csrf cookie. Mobile: X-Client-Type: mobile + { refreshToken }. | Called by token.js / http.js on 401; do not call from public forms without CSRF. | POST · No auth · {"refreshToken":"<opaque>"} |
| Logout | POST | /api/v1/auth/logout | Revoke DB session (when sid or refresh known); clears access + refresh cookies. | logout() from auth.js; clears in-memory access + cookies. | POST · Auth · {} |
| Current user (Me) | GET | /api/v1/me | Get current authenticated user, tenant, roles, scopes. | getCurrentUser() after login. Use for layout, role, tenantId. | GET · Auth |
| List organizations | GET | /api/v1/organizations | List organizations (super-admin or tenant-scoped). | getOrganizations() or similar. Include Authorization header. | GET · Auth |
| Get organization | GET | /api/v1/organizations/[id] | Get single organization by ID. | getOrganization(orgId). Returns name, logoUrl, etc. | GET · Auth |
| Update organization | PATCH | /api/v1/organizations/[id] | Update organization details. | PATCH with body. Require admin/owner role. | PATCH · Auth |
| List organization members | GET | /api/v1/organizations/[id]/members | List members (users) of an organization. | getOrganizationMembers(orgId). Use for schedules, job list, dropdowns. | GET · Auth |
| Get/Update member | GET / PATCH / DELETE | /api/v1/organizations/[id]/members/[userId] | Get, update, or remove a member. | Request with orgId and userId. Use for user detail/edit. | GET · Auth |
| List locations | GET | /api/v1/organizations/[id]/locations | List locations (properties) for an organization. | getOrganizationLocations(orgId). Use for property switcher. | GET · Auth |
| Get/Update location | GET / PATCH / DELETE | /api/v1/organizations/[id]/locations/[locationId] | Get or update a location. | CRUD with orgId and locationId. | GET · Auth |
| List schedules | GET | /api/v1/schedules | List schedules (access-filtered: only assigned or creator). | getSchedules(). Returns items[]. Use for Schedule Lobby. | GET · Auth |
| Create schedule | POST | /api/v1/schedules | Create a new schedule. | createSchedule({ name, assigneeGroupIds, assigneeUserIds, assigneeUserIdsExpanded, detailsConfig }). | POST · Auth · {"name":"Week 1","assigneeGroupIds":[],"assigneeUserIds":[]} |
| Get schedule | GET | /api/v1/schedules/[id] | Get a schedule by ID (403 if no access). | getSchedule(scheduleId). Use on Schedule Detail page. | GET · Auth |
| Update schedule | PATCH | /api/v1/schedules/[id] | Update schedule (name, assignees, detailsConfig). | updateSchedule(scheduleId, body). | PATCH · Auth |
| Delete schedule | DELETE | /api/v1/schedules/[id] | Delete a schedule and its shifts. | deleteSchedule(scheduleId). | DELETE · Auth |
| List shifts | GET | /api/v1/schedules/[id]/shifts | List shifts for a schedule (same access as schedule). | getShifts(scheduleId). Returns items[] with employee_id, shift_date, etc. | GET · Auth |
| Create shift | POST | /api/v1/schedules/[id]/shifts | Create a shift (one per user or open shift). | createShift(scheduleId, { assignedUserId, jobId, shiftDate, startTime, endTime, title, instructions, status, isOpenShift }). | POST · Auth · {"assignedUserId":"user-uuid","jobId":"job-uuid","shiftDate":"2025-02-10","startTime":"09:00","endTime":"17:00"} |
| Get shift | GET | /api/v1/schedules/[id]/shifts/[shiftId] | Get a single shift. | GET with scheduleId and shiftId. | GET · Auth |
| Update shift | PATCH | /api/v1/schedules/[id]/shifts/[shiftId] | Update shift (assignee, times, title, status, etc.). | updateShift(scheduleId, shiftId, body). | PATCH · Auth |
| Delete shift | DELETE | /api/v1/schedules/[id]/shifts/[shiftId] | Delete a shift. | deleteShift(scheduleId, shiftId). | DELETE · Auth |
| List unavailabilities | GET | /api/v1/schedules/[id]/unavailabilities | List unavailabilities for a schedule in a date range. Query: from, to (yyyy-MM-dd). | getUnavailabilities(scheduleId, fromDate, toDate). Returns items[] with user_id, unavailability_date, start_time, end_time, all_day, note. | GET · Auth |
| Create unavailability | POST | /api/v1/schedules/[id]/unavailabilities | Create one or more unavailabilities (current user). Supports repeatEntries for repeat rules. | createUnavailability(scheduleId, { unavailabilityDate, startTime, endTime, allDay?, note?, repeatEntries? }). | POST · Auth · {"unavailabilityDate":"2026-02-21","startTime":"09:00","endTime":"17:00","allDay":false,"note":"Out of town"} |
| Delete unavailability | DELETE | /api/v1/schedules/[id]/unavailabilities/[uaId] | Delete an unavailability (own only). | deleteUnavailability(scheduleId, unavailabilityId). | DELETE · Auth |
| List jobs | GET | /api/v1/job-list | List jobs for the current tenant. | getJobs(). Returns items with job_name, code, color, etc. Use in shift form and Job List page. | GET · Auth |
| Create job | POST | /api/v1/job-list | Create a new job. | createJob({ name, code, description, color, ... }). | POST · Auth · {"name":"Front Desk","code":"FD","description":"Front desk associate","color":"#3b82f6"} |
| Get job | GET | /api/v1/job-list/[id] | Get a job by ID. | GET /api/v1/job-list/{id}. | GET · Auth |
| Update job | PATCH | /api/v1/job-list/[id] | Update a job. | updateJob(id, body). | PATCH · Auth |
| Delete job | DELETE | /api/v1/job-list/[id] | Delete a job. | deleteJob(id). | DELETE · Auth |
| Bulk delete jobs | POST | /api/v1/job-list/bulk | Delete multiple jobs by IDs. | POST body: { ids: string[] }. | POST · Auth · {"ids":["job-uuid-1","job-uuid-2"]} |
| List segments (with groups) | GET | /api/v1/smart-groups | List segments and their smart groups for the tenant. | getSegments(). Use for Schedule assignees and Smart Groups page. | GET · Auth |
| List segments (flat) | GET | /api/v1/smart-groups/segments | List segments. | GET /api/v1/smart-groups/segments. | GET · Auth |
| Create segment | POST | /api/v1/smart-groups/segments | Create a segment. | POST with name, etc. | POST · Auth |
| Get/Update/Delete segment | GET / PATCH / DELETE | /api/v1/smart-groups/segments/[id] | Segment CRUD. | Use segment id in schedule assignees and group rules. | GET · Auth |
| Get/Update/Delete smart group | GET / PATCH / DELETE | /api/v1/smart-groups/[id] | Smart group CRUD (rules, logic). | Use with filterEmployeesBySmartGroup() for member list. | GET · Auth |
| Clock in/out | POST | /api/v1/clock | Time clock punch (in/out). | POST with jobId, clockId, etc. Use from Time Clock UI. | POST · Auth |
| Presign upload | POST | /api/v1/files/presign | Get presigned URL for file upload (e.g. S3). | POST body: { key, contentType }. Upload file to returned URL. | POST · Auth · {"key":"uploads/file.pdf","contentType":"application/pdf"} |
| Super admin users | GET | /api/v1/super-admin/users | List users (super-admin only). | Only when portal === 'super-admin'. Include auth. | GET · Auth |
| Tickets | GET / POST | /api/v1/tickets | Support or internal tickets. | Use from support/chat UI if integrated. | GET · Auth |
| List chat rooms | GET | /api/v1/chat/rooms | List chat rooms for the current tenant (General, Admins & Owners, Smart group rooms). Also returns adminsAndOwners for sidebar. | getChatRooms(). Use for chat sidebar and room list. | GET · Auth |
| Sync smart group chat rooms | POST | /api/v1/chat/rooms/sync | Create/update smart group chat rooms so they exist and only group members can see them. | syncChatSmartGroupRooms({ smartGroups: [{ smartGroupId, name, memberIds }] }). | POST · Auth · {"smartGroups":[{"smartGroupId":"sg-uuid","name":"All hands","memberIds":["user1","user2"]}]} |
| List room messages | GET | /api/v1/chat/channels/[channelId]/messages | Get message history for a chat room. Query: limit, cursor, before. | getChatRoomMessages(roomId, { limit: 50 }). Returns items[], nextCursor. | GET · Auth |
| Send room message | POST | /api/v1/chat/channels/[channelId]/messages | Send a message to a chat room. | sendChatMessage(roomId, content). Real-time delivery via Socket.IO. | POST · Auth · {"content":"Hello everyone"} |