API Reference

All Flo API endpoints are versioned and documented via Swagger/OpenAPI.

API Structure

| API | Base Path | Auth Required | Description |
| --- | --- | --- | --- |
| Private | /api/v1/... | Yes (cookie) | Main application API |
| Public | /api/public/v1/... | API token or none | External integrations |
| Swagger | /swagger | No (dev only) | Interactive API documentation |

Endpoint Groups

Authentication

| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| POST | /api/v1/auth/login | No | Password login |
| POST | /api/v1/auth/register | No | User registration |
| POST | /api/v1/auth/forgot-password | No | Request password reset |
| POST | /api/v1/auth/reset-password | No | Reset password with token |
| POST | /api/public/v1/otp/request | No | Request OTP code |
| POST | /api/public/v1/otp/verify | No | Verify OTP code |

Users

| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| GET | /api/v1/users/me | User | Get current user profile |
| PUT | /api/v1/users/me | User | Update own profile |
| GET | /api/v1/users/user/{id}/bookings | Admin | Get user's bookings |
| GET | /api/v1/users/user/{id}/subscriptions | Admin | Get user's subscriptions |

Activities & Bookings

| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| GET | /api/v1/activities | User | List activities |
| POST | /api/v1/activities | Admin | Create activity |
| GET | /api/v1/bookings | User | List own bookings |
| POST | /api/v1/bookings | User | Create booking |
| DELETE | /api/v1/bookings/{id} | User | Cancel booking |

Admin

| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| GET | /api/v1/admin/feature-flags | Admin | Get feature flags |
| POST | /api/v1/admin/feature-flags | Admin | Update feature flags |
| GET | /api/v1/admin/configs | Admin | Get app configuration |

Dynamic Entities

| Method | Endpoint | Auth | Description |
| --- | --- | --- | --- |
| GET | /api/v1/schema/entities | Admin | List dynamic entity schemas |
| GET | /api/v1/{entity} | Admin | List entity records |
| POST | /api/v1/{entity} | Admin | Create entity record |
| PUT | /api/v1/{entity}/{id} | Admin | Update entity record |
| DELETE | /api/v1/{entity}/{id} | Admin | Delete entity record |

Other Endpoints

  • Newsletter — Subscription management and sending
  • Gallery — Media upload and management
  • Locations — Venue/location CRUD
  • Translations — Multi-language entity content
  • Analytics — Business metrics and KPIs
  • Webhooks — Webhook configuration and testing
  • Diagnostics — Version, health, performance counters

Response Caching

GET endpoints use Cache-Control headers with tiered durations:

| Duration | Data Type | Examples |
| --- | --- | --- |
| 24h | Static reference data | Geographic provinces, analytics categories |
| 1h | Near-static data | Geographic comuni, diagnostics version |
| 10min | Schema metadata | Entity schemas, augmented fields |
| 5min | Config data | Feature flags, admin configs |
| 2min | Semi-stable lists | Locations, studio closures, professionals |
| No cache | Real-time data | Auth, bookings, analytics counters, mutations |
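
The tiers above can be checked against captured response headers. The following is an added example, not part of the Flo code base: it maps only the paths this page both lists and assigns to a tier, assumes the "No cache" tier is sent as no-store, no-cache or max-age=0, and adds one check the page does not state (no shared caching on the cookie-authenticated private API).

```typescript
// Added example (not Flo's code): audit observed Cache-Control headers against
// the documented tiers. Only paths listed on this page are mapped.
type Tier = number | "none"; // max-age in seconds, or the "No cache" tier

const TIERS: Array<[RegExp, Tier]> = [
  [/^\/api\/v1\/auth\//, "none"],                       // Auth
  [/^\/api\/v1\/bookings(\/|$)/, "none"],               // Bookings
  [/^\/api\/v1\/schema\/entities$/, 600],               // Entity schemas, 10min
  [/^\/api\/v1\/admin\/(feature-flags|configs)$/, 300], // Config data, 5min
];

// Parse "max-age=300, private" into a lower-cased directive -> value map.
function parseCacheControl(header: string): Map<string, string> {
  const out = new Map<string, string>();
  for (const part of header.split(",")) {
    const [name, value = ""] = part.trim().toLowerCase().split("=");
    if (name) out.set(name, value.replace(/"/g, ""));
  }
  return out;
}

// Returns a list of problems; an empty list means the response matches the table.
function auditCache(method: string, path: string, header?: string): string[] {
  const cc = parseCacheControl(header ?? "");
  const problems: string[] = [];
  // Mutations belong to the "No cache" tier whatever the path.
  const rule = TIERS.find(([re]) => re.test(path));
  const tier: Tier | undefined = method.toUpperCase() === "GET" ? rule?.[1] : "none";
  if (tier === undefined) return ["path has no tier on this page"];

  const maxAge = cc.has("max-age") ? Number(cc.get("max-age")) : undefined;
  if (tier === "none") {
    // Assumption: "No cache" is expressed as no-store, no-cache or max-age=0.
    if (!(cc.has("no-store") || cc.has("no-cache") || maxAge === 0))
      problems.push("real-time data lacks no-store/no-cache");
  } else if (maxAge !== tier) {
    problems.push(`expected max-age=${tier}, got ${maxAge ?? "none"}`);
  }
  // Assumption (added check): /api/v1 is cookie-authenticated, so a response a
  // shared cache may store could be served to a different user.
  if (path.startsWith("/api/v1/") && (cc.has("public") || cc.has("s-maxage")))
    problems.push("shared caching allowed on cookie-authenticated API");
  return problems;
}
```

Feed it the method, path and Cache-Control value from each captured response; any non-empty result is a deviation from the table or from the added shared-cache check.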

API Versioning

All endpoints use URL-based versioning:

/api/v{version:apiVersion}/resource

Controllers use the [ApiVersion] attribute:

[ApiVersion("1.0")]
[Route("api/v{version:apiVersion}/bookings")]
public class BookingsController : ControllerBase
{
    // Action methods for this controller go here.
}

TypeScript Client Generation

The frontend uses auto-generated TypeScript clients from the OpenAPI spec:

cd Flo.FE
npm run generate-proxies

This produces:

  • src/app/services/client.ts — Private API client with all DTOs
  • src/app/services/public-api-client.ts — Public API client

Run this command whenever backend endpoints change.

Public API Tokens

External consumers can access public endpoints using API tokens:

  1. A SuperAdmin creates tokens in Settings > API Tokens
  2. Tokens are scoped to specific hosts (origin validation)
  3. Requests are rate-limited via Nginx and at the application level
  4. The token is passed in the Authorization: Bearer <token> header

Swagger

In development, Swagger UI is available at /swagger with two specs:

  • Private API: /swagger/v1/swagger.json
  • Public API: /swagger/public-v1/swagger.json