MiauInv/docs/ENDPOINTS.md
2026-06-10 14:17:33 +02:00

API Endpoints

This document lists the public page routes and JSON API endpoints exposed by MiauInv. API endpoints that modify account or inventory state require authentication unless explicitly marked as public.

Page Routes

| Route | Authentication | Purpose |
| --- | --- | --- |
| / | No | Landing page. |
| /login | No | Login page with password and passkey login. |
| /register | Optional | Registration page when registration is enabled. |
| /dashboard | Yes | Dashboard overview. |
| /inventory | Yes | Inventory item management. |
| /items | Yes | Item list view. |
| /locations | Yes | Location management. |
| /projects | Yes | Project allocation management. |
| /profile/settings | Yes | Account, 2FA, and passkey settings. |
| /profile/activity | Yes | User activity log. |

Authentication and Account API

| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| /api/register | POST | No | Create a user when registration is enabled. |
| /api/login | POST | No | Password login. Returns a 2FA challenge if required. |
| /api/login/2fa | POST | No | Complete TOTP or recovery-code login. |
| /api/passkeys/login/options | POST | No | Start discoverable passkey login. |
| /api/passkeys/login/finish | POST | No | Complete passkey login. |
| /api/refresh | POST | No | Rotate a refresh token and issue a new session. |
| /api/logout | POST | Yes | Revoke refresh sessions and clear auth cookies. |
| /api/userinfo | GET | Yes | Return current user metadata and security status. |
| /api/profile | GET | Yes | Alias for current user metadata. |
| /api/account/username | POST | Yes | Change username with password confirmation. |
| /api/account/password | POST | Yes | Change password and refresh the current session. |

Two-Factor Authentication API

| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| /api/2fa/setup | POST | Yes | Create a short-lived setup challenge, QR code, and manual setup secret. |
| /api/2fa/enable | POST | Yes | Confirm the setup challenge, enable 2FA, and generate recovery codes. |
| /api/2fa/disable | POST | Yes | Disable 2FA with password and TOTP confirmation. |
| /api/2fa/recovery-codes/regenerate | POST | Yes | Replace recovery codes with password and TOTP confirmation. |

Passkey Management API

| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| /api/passkeys | GET | Yes | List registered passkeys. |
| /api/passkeys | DELETE | Yes | Remove a passkey with password confirmation. |
| /api/passkeys/register/options | POST | Yes | Start passkey registration. |
| /api/passkeys/register/finish | POST | Yes | Finish passkey registration and store the credential. |
| /api/passkeys/disable | POST | Yes | Remove all passkeys with password confirmation. |

Activity API

| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| /api/activity | GET | Yes | Return recent activity entries for the current user. Admin users may request ?all=true. |

Query parameters:

| Parameter | Default | Max | Purpose |
| --- | --- | --- | --- |
| limit | 50 | 100 | Number of entries to return. |
| offset | 0 | 100000 | Offset for pagination. |
| all | false | n/a | Admin-only flag for reading all users' activity. |

Inventory API

| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| /api/item | GET | Yes | List items or read an item by id. |
| /api/item | POST | Yes | Create an item. |
| /api/item | PUT | Yes | Update an item by id. |
| /api/item | DELETE | Yes | Delete an item by id. |
| /api/location | GET | Yes | List locations, read a location by id, or read location contents with content=true. |
| /api/location | POST | Yes | Create a location. |
| /api/location | PUT | Yes | Update a location by id. |
| /api/location | DELETE | Yes | Delete a location by id. |
| /api/project | GET | Yes | List projects, read a project by id, or read project allocation details with details=true. |
| /api/project | POST | Yes | Create a project. |
| /api/project | PUT | Yes | Update a project by id. |
| /api/project | DELETE | Yes | Delete a project by id. |
| /api/stock | GET | Yes | List stock rows, optionally filtered by item_id. |
| /api/stock | POST | Yes | Add stock to a location. |
| /api/stock | DELETE | Yes | Delete a stock row by id. |
| /api/association | GET | Yes | List project-item allocations, optionally filtered by project_id. |
| /api/association | POST | Yes | Allocate item quantity to a project. |
| /api/association | PUT | Yes | Update an allocation by id. |
| /api/association | DELETE | Yes | Delete an allocation by id. |