Collections API

Endpoints

• POST /api/{collection}
• GET /api/{collection}
• GET /api/{collection}/{id}
• PATCH /api/{collection}/{id}
• DELETE /api/{collection}/{id}

Auth, roles, and access policies

• CRUD routes require valid auth.
• Canonical RBAC + Access Policy behavior is documented in Authorization.

Examples of policy expressions:

• @record.owner_id = @request.auth.id
• @request.auth.roles contains \"member\"
• @request.query.owner_id = @request.auth.id

Create record

curl -s -X POST http://127.0.0.1:3000/api/task \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{"data":{"title":"Ship docs","done":false}}'

List records

curl -s 'http://127.0.0.1:3000/api/task?limit=20&offset=0&done=false' \
  -H 'Authorization: Bearer <token>'

Query rules:

• limit: default 20, max 100.
• offset: default 0.
• Additional query keys are exact-match filters on scalar fields (string, bool, int, float, datetime).
• Unknown or invalid filter values return filter errors.

Relationship query options:

• expand: comma-separated relation names to expand (for example expand=owner,tags).
• For belongs_to / has_one: use relation name as filter key (for example owner=1).
• For many_to_many: use <relation>_any filter key (for example tags_any=2).

Patch record

curl -s -X PATCH http://127.0.0.1:3000/api/task/<id> \
  -H 'Authorization: Bearer <token>' \
  -H 'Content-Type: application/json' \
  -d '{"data":{"done":true}}'

Patch payload data must contain at least one field.

many_to_many patch payload supports relation ops:

{
  "data": {
    "tags": {
      "set": ["1"],
      "add": ["2"],
      "remove": ["3"]
    }
  }
}

Generated artifacts

Collection creation artifacts are documented in Bootstrap & Generated Artifacts.