All API routes mount under /api. Registration: apps/web/routes/api.php includes public, protected, mobile, external, and webhook groups.
Public API #
File: routes/api/public.php. No session auth; widget routes use ResolveWidgetEmbedToken.
| Method | Path | Notes |
|---|---|---|
| POST | /api/v1/tenant-journey/config | Journey config for embedded RapidStor; DetectUserAgent |
| GET | /api/v1/tenant-journey/translations | Resolved translation overrides for RapidStor v2 frontend (corp, location, language query params); CORS-enabled |
| GET | /api/v1/public/content/embed | CMS embed |
| POST | /api/v1/public/widget/chat/start | Widget chat session |
| POST | /api/v1/public/widget/chat/auth | Reverb channel auth |
| GET | /api/v1/public/widget/chat/locations | Widget locations list |
| POST/GET | /api/v1/public/widget/chat/conversations/{id}/messages|history | Widget messaging |
| GET | /api/v1/public/widget/chat/tool-results/{message} | Agent tool results (legacy Laravel path; mono widget now uses agent-runtime) |
Cross-repo note: The RapidStor mono chat widget (rapidstor-chat) now calls the agent-runtime service directly at POST /widget/conversations, POST /widget/conversations/:id/messages (SSE response), GET /widget/conversations/:id/history, and watch WebSocket /ws?token= — not the Laravel /api/v1/public/widget/chat/* routes. Laravel widget routes remain for legacy deployments. Embed token is sent as X-Widget-Token with credentials: omit.
Agent runtime — widget API #
Service: apps/agent-runtime/src/http/api.ts. Auth: X-Widget-Token header (public embed token); CORS scoped to token allowedOrigins. Mounted at service origin (e.g. agents.r6automate.com).
| Method | Path | Notes |
|---|---|---|
| POST | /widget/conversations | Start session; returns conversationId, secret, visitorId, control, short-lived streamToken |
| POST | /widget/conversations/:id/messages | Send turn; streams reply as SSE on same response |
| GET | /widget/conversations/:id/history | Transcript with folded tool outputs |
| POST | /widget/conversations/:id/stream-token | Re-mint watch WebSocket token (~5 min TTL) |
| WS | /ws?token= | Passive watch stream (operator/takeover, backgrounded turns) |
Cross-product: Widget agent tools call RapidStor MCP (/api/v1/mcp) for locations, unit types, reservations, and enquiries. See RapidStor docs for MCP tool shapes.
Protected API (session auth) #
Middleware: cookies, session, CSRF, Inertia, auth. File: routes/api/protected.php.
Dashboard #
| Method | Path |
|---|---|
| POST | /api/v1/dashboard/ — fetch widget data |
| GET | /api/v1/dashboard/metrics, /widgets, /config |
| POST/PATCH/DELETE | /api/v1/dashboard/config[/{id}] — CRUD dashboards |
Tenant Journey #
| Method | Path |
|---|---|
| POST | /api/v1/reporting |
| GET/POST/PUT/DELETE | /api/v1/campaigns[/{id}] |
| PUT | /api/v1/campaigns/config — save journey snippet config (includes snippet-level translations) |
| POST | /api/v1/campaigns/metrics, /campaigns/{name}/metrics |
| GET | /api/v1/campaigns/translations/catalog — enabled languages + translation key catalog |
| GET | /api/v1/campaigns/translations?scope_type=&scope_id=&language= — overrides + inherited defaults at language/corp/location scope |
| PUT | /api/v1/campaigns/translations — batch upsert translation overrides |
| GET/POST/PUT/DELETE | /api/v1/experiments[/{id}] |
| GET/POST/PUT | /api/v1/admin/languages[/{language}] — manage enabled languages (internal admin) |
Revenue Management #
Requires ensure.rev-mgmt.flag — resolves access from revenue_management_entitled (not the legacy visibility flag). Suite proxies to the rev-mgmt engine with JWT-scoped corporation context.
| Method | Path | Notes |
|---|---|---|
| GET | /api/v1/revenue-management/rules/{facilityCode} | Facility rules bundle (includes active explorations) |
| POST | /api/v1/revenue-management/rules/{facilityCode} | Save facility rules |
| POST | /api/v1/revenue-management/engine/{facilityCode}/run | On-demand engine run (only engine_connected facilities) |
| POST | /api/v1/revenue-management/explorations/start | Start Layer 1 exploration |
| POST | /api/v1/revenue-management/explorations/{id}/end | End exploration |
| GET | /api/v1/revenue-management/activity?facility={code}&limit= | Approval Centre / Home recent-activity feed (proxies engine GET /api/activity); operator events only (approve/reject/revert/flip) |
| GET | /api/v1/revenue-management/bulk-pricing | Corp-wide pending recommendations; scoped to active corporation. Corp-wide path includes live inventory fields (units_total, units_available, occupancy_pct, base_rate) joined fresh from site_units |
| POST | /api/v1/revenue-management/recommendations/bulk-approve | Batch approve |
| GET | /api/v1/revenue-management/rule-sets | List rule sets (corp-scoped via JWT) |
| POST | /api/v1/revenue-management/rule-set-assignments/bulk | Bulk-assign facilities to rule sets |
Engine direct API (Go service, JWT auth): GET /api/portfolio-page/:facility (Home/Portfolio bundle — health, facilityTable, occupancyTrend, value_report), GET /api/activity, GET /api/explorations/active, approve/reject endpoints, rules CRUD. Internal telemetry (engine.run, config.edit, etc.) is filtered from the operator activity feed at the SQL layer.
Helpdesk (Confluence) #
File: ConfluenceController. Backed by ConfluenceClient against the configured Helpdesk folder (CONFLUENCE_HELPDESK_FOLDER_ID). Responses cached 12h via tagged Redis cache.
| Method | Path | Response |
|---|---|---|
| GET | /api/v1/helpdesk/articles | { results: [{ id, title }] } — full article index (id + title only); paginated CQL fetch server-side |
| GET | /api/v1/helpdesk/search?q= | { results: [{ id, title }] } — server-side CQL full-text search (legacy; Articles tab now uses /articles + client filter) |
| GET | /api/v1/helpdesk/page/{id} | Rendered HTML body for drill-in view |
| GET | /api/v1/helpdesk/{key} | Metric/widget-linked help content by key |
Other protected resources #
| Resource | Prefix | Auth extras |
|---|---|---|
| Help Center | /api/v1/help-center/* | — |
| Admin | /api/v1/admin/* | internal.admin |
| Finance | /api/v1/finance/* | — |
| RapidStor proxy | POST /api/v1/rapidstor/reservation | — |
| Tasks | /api/v1/tasks/*, /task-categories/* | — |
| Chat assistant | /api/v1/chat/* | assistant.enabled |
| Profile | /api/v1/profile/* | — |
| Contacts, Activity, Corporation settings | various /api/v1/... | — |
Mobile API #
File: routes/api/mobile.php. Auth: auth:sanctum + SetCorporationFromRequest.
| Method | Path |
|---|---|
| POST | /api/v1/mobile/login, /google-auth |
| POST/GET/DELETE | /api/v1/mobile/logout, /me, /dashboard/*, /tasks/* |
External & webhooks #
| Method | Path | Auth |
|---|---|---|
| POST | /api/v1/external/content | AuthenticateApiKey (Bearer) |
| POST | /api/v1/webhooks/rev-mgmt/unit-type-sync | VerifyRevMgmtWebhookSignature |
Web routes (Inertia) #
File: routes/web.php. Session auth; admin at /admin/* with internal.admin.
Notable: GET /admin/stats — Admin Stats page (Application Interest, System Alerts, Benchmarks). Optional query from, to for benchmark date range.
Revenue Management: GET /revenue-management/home/{facility?} (nav landing), /portfolio/{facility?}, /bulk-pricing, /rules/{facility?}, /my-facility/{facility?} — gated by RM entitlement / application flags. Portfolio shares the Home Pennant key via relatedRoutes.
RapidStor Settings: GET /rapidstor-settings/{site?}, PATCH /rapidstor-settings/site/{site}, PATCH /rapidstor-settings/corporation/{corporation} — native schema-driven settings screen (gated by rapidstor_internal_settings global flag).
Tenant Journey: GET /tenant-journey/{site}/editor, GET /tenant-journey/{site}/translations — journey editor and translation management UI.
MCP analytics #
POST /mcp/analytics — auth + assistant.enabled, throttled 60/min (routes/ai.php).