API Reference

Last generated 2026-07-13 · window 2026-07-12T18:02:00Z–2026-07-13T18:01:03Z

MTAS API registered in app/Providers/RouteServiceProvider.php. Mobile primary client: storapp-mobile/src/services/mtas.ts.

OAuth #

MethodPathAuth
POST/oauth/tokenClient credentials + user password; outdated middleware on issue

Public (no token) #

File: routes/api/v1/public.php

MethodPath
GET/api/v1/health, /health/extra, /health/full
GET/api/v1/corporations/{code}/locations
POST/api/v1/corporations/{code}/users, password resets, exists checks
GET/api/v1/app-configuration — feature flags, maintenance mode
POSTIdentity webhooks (Stripe, Shufti, Veriff), Twilio, R6Pay webhooks

Current user (Passport token) #

File: routes/api/v1/protected/accessToken.php. Middleware: auth:api.

MethodPathMobile consumer
GET/PUT/api/v1/users/currentProfile, polling (60s in TabNavigator)
GET/api/v1/users/current/rapidstor-auth-tokenJWT broker for RapidStor API
GET/api/v1/users/current/invoices, downloadInvoiceHistoryScreen
POST/api/v1/users/current/create-r6pay-payment/{ledger}MakePayment (R6Pay path)
POST/api/v1/users/current/unlockSmart key / BLE unlock
GET.../corporations/{code}/locations/{loc}/tenants/{tenant}/access-codesAccessScreen
POST.../noke/unlock, .../inception/unlockGate unlock
GET/PATCH/api/v1/users/current/notificationsNotificationsScreen
GET/POST/api/v1/in-app-messagesInAppMessage banners
POST/api/v1/users/current/syncPost-payment refresh

RapidStor proxy #

Prefix: rapidstorApi/api/v1. Same Passport token. Proxies payments, ledgers, invoices, contact to RapidStor.

Contract note: Mobile defines POST api/v1/users/current/protege/unlock in mtas.ts but no dedicated route exists in MTAS — generic POST /users/current/unlock handles Protege via UserController::unlock.

API key & corp key routes #

Integration/admin routes in apiKey.php and corpKey.php — corp management, reports, push notifications, tenant sync. Not used by the mobile app directly.