All admin endpoints require Staff account type. Most require specific admin permissions assigned to your role.

Branches

List branches

GET /api/admin/branches?action=list Returns all branches with their status, stats, and configuration. Required permission: api.admin.branches.view
curl -X GET "https://propops.yourcompany.com/api/admin/branches?action=list" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    {
      "id": 1,
      "name": "London North",
      "code": "LDN-N",
      "is_active": true,
      "agent_count": 4,
      "open_jobs": 23,
      "created_at": "2023-01-15T09:00:00Z"
    }
  ],
  "count": 5
}

Import branches from CSV

POST /api/admin/branches?action=bulk_import Bulk-imports branches from an uploaded CSV file. Use action=download_template first to get the correct column format. Required permission: api.admin.branches.view
Requires CSRF token.
action
string
required
Must be bulk_import.
csv_file
file
required
CSV file with branch data. Download the template for column format.
csrf_token
string
required
CSRF token from GET /api/security/csrf-token.
curl -X POST "https://propops.yourcompany.com/api/admin/branches" \
  -H "Authorization: Bearer <token>" \
  -F "action=bulk_import" \
  -F "csv_file=@branches.csv" \
  -F "csrf_token=<csrf-token>"
{
  "success": true,
  "data": {
    "imported": 12,
    "skipped": 0,
    "errors": []
  },
  "message": "12 branch(es) imported"
}

Download branch CSV template

GET /api/admin/branches?action=download_template Returns a CSV file with headers for the bulk branch import. Required permission: api.admin.branches.view
curl -X GET "https://propops.yourcompany.com/api/admin/branches?action=download_template" \
  -H "Authorization: Bearer <token>" \
  -o branches-template.csv

Enable a branch

POST /api/admin/enable-branch Re-enables a disabled branch, allowing agents and jobs to be assigned to it. Required permission: api.admin.enable_branch.manage
Requires CSRF token.
branch_id
integer
required
ID of the branch to enable.
csrf_token
string
required
CSRF token.
curl -X POST "https://propops.yourcompany.com/api/admin/enable-branch" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"branch_id": 3, "csrf_token": "<csrf-token>"}'
{
  "success": true,
  "message": "Branch enabled"
}

Disable a branch

POST /api/admin/disable-branch Disables a branch. Existing jobs are preserved; no new jobs can be raised against a disabled branch. Required permission: api.admin.disable_branch.manage
Requires CSRF token.
branch_id
integer
required
ID of the branch to disable.
csrf_token
string
required
CSRF token.

Roles & permissions

List roles

GET /api/admin/roles Returns all defined roles with their associated permission sets. Pass ?id=<role_id> to retrieve a single role. Pass ?include_permissions=true to include full permission data for each role. Required permission: api.admin.roles.manage
curl -X GET "https://propops.yourcompany.com/api/admin/roles" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "roles": [
    {
      "ID": 1,
      "name": "Property Manager",
      "description": "",
      "hierarchy_level": 50,
      "order": 1,
      "active": 1,
      "created_at": "2023-01-15T09:00:00Z"
    }
  ]
}

Create a role

POST /api/admin/roles Creates a new role. Required permission: api.admin.roles.manage
Requires CSRF token.
name
string
required
Display name for the role.
description
string
Optional description of the role.
hierarchy_level
integer
default:"99"
Hierarchy level (lower = more powerful). Must be strictly higher than the requesting user’s own role level.
order
integer
default:"999"
Display order.
active
integer
default:"1"
Whether the role is active (1) or inactive (0).
parent_role_id
integer
ID of a parent role to inherit permissions from (optional).
inherits_permissions
integer
default:"0"
Set to 1 to copy the parent role’s permissions as the starting set.
csrf_token
string
required
CSRF token.
curl -X POST "https://propops.yourcompany.com/api/admin/roles" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Maintenance Coordinator",
    "description": "Handles maintenance job coordination",
    "hierarchy_level": 60,
    "csrf_token": "<csrf-token>"
  }'
{
  "success": true,
  "message": "Role created successfully",
  "role_id": 8
}

List permissions

GET /api/admin/permissions/manage?action=list Returns all available permission keys, grouped by category. Required permission: api.admin.roles.manage
curl -X GET "https://propops.yourcompany.com/api/admin/permissions/manage?action=list" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": {
    "jobs": [
      { "key": "api.jobs.manage.manage", "description": "Create, edit, and delete jobs" }
    ],
    "users": [
      { "key": "api.users.users.manage", "description": "Manage user accounts" }
    ]
  }
}

Get staff permissions

GET /api/admin/staff-permissions Returns the resolved permission set for a specific staff user. Required permission: api.admin.roles.manage
user_id
integer
required
Staff user ID.
curl -X GET "https://propops.yourcompany.com/api/admin/staff-permissions?user_id=12" \
  -H "Authorization: Bearer <token>"

Activity log

Get activity log

GET /api/admin/activity-log Returns a paginated audit trail of all user actions across the platform. Required permission: api.admin.activity_log.view
search
string
Full-text search across name, email, IP address, and activity details (applied after decryption).
activity_type
string
Filter by activity type string (e.g. login, branch_disabled, staff_-prefixed for all staff actions).
time_range
string
default:"24h"
Relative time window: 24h, 7d, 30d, 90d, or all.
job_uuid
string
Filter to activities related to a specific job UUID.
page
integer
default:"1"
Page number.
limit
integer
default:"50"
Results per page (max 100).
curl -X GET "https://propops.yourcompany.com/api/admin/activity-log?time_range=7d&limit=20" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    {
      "id": 44201,
      "uuid": "550e8400-e29b-41d4-a716-446655440001",
      "account_id": 12,
      "activity_type": "branch_disabled",
      "ip_address": "203.0.113.10",
      "user_agent": "Mozilla/5.0 ...",
      "details": { "branch_name": "London North" },
      "created_at": "2024-06-14T09:45:00Z",
      "user": {
        "first_name": "Jane",
        "last_name": "Smith",
        "email": "jane@example.com",
        "uuid": "abc123",
        "avatar_url": "/api/users/user-avatar?uuid=abc123"
      }
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 8420,
    "pages": 422
  },
  "stats": {
    "total": 104500,
    "today": 312,
    "unique_users": 28,
    "failed_logins": 4
  },
  "breakdown": [
    { "activity_type": "login", "count": 8200 }
  ],
  "filters": {
    "search": "",
    "activity_type": "",
    "time_range": "7d"
  }
}
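
As an added example (not part of the PropOps documentation), this Python sketch walks every page of the activity log and flags sensitive actions that come from an IP address the same account never logged in from during the window. The `fetch_page` callable, the function names, the `staff_role_changed` activity type and all sample records are assumptions constructed for illustration; the field names and the `limit` maximum are those documented above.

```python
from collections import defaultdict

# Activity types treated as sensitive. "branch_disabled" and the "staff_"
# prefix come from the page; extend the set for your own deployment.
SENSITIVE_TYPES = {"branch_disabled"}
SENSITIVE_PREFIX = "staff_"
MAX_LIMIT = 100  # documented maximum for the "limit" parameter


def iter_activity(fetch_page, time_range="7d", limit=MAX_LIMIT):
    """Yield every record in the window, following pagination.pages.

    fetch_page(page, limit, time_range) must return the JSON envelope of
    GET /api/admin/activity-log as a dict (hypothetical callable; in real
    use it wraps the authenticated HTTP request).
    """
    page = 1
    while True:
        body = fetch_page(page=page, limit=min(limit, MAX_LIMIT), time_range=time_range)
        if not body.get("success"):
            raise RuntimeError(f"activity-log page {page} was not successful")
        yield from body["data"]
        if page >= body["pagination"]["pages"]:
            return
        page += 1


def is_sensitive(activity_type):
    return activity_type in SENSITIVE_TYPES or activity_type.startswith(SENSITIVE_PREFIX)


def flag_unfamiliar_ip_actions(records):
    """Return sensitive actions whose IP never appears in a login by the same account."""
    records = list(records)  # two passes: a login may be listed after the action
    login_ips = defaultdict(set)
    for r in records:
        if r["activity_type"] == "login":
            login_ips[r["account_id"]].add(r["ip_address"])
    return [
        {"id": r["id"], "account_id": r["account_id"],
         "activity_type": r["activity_type"], "ip_address": r["ip_address"]}
        for r in records
        if is_sensitive(r["activity_type"])
        and r["ip_address"] not in login_ips[r["account_id"]]
    ]


def _rec(id_, account_id, activity_type, ip):
    return {"id": id_, "account_id": account_id,
            "activity_type": activity_type, "ip_address": ip}


# Constructed sample: three pages of two records ("staff_role_changed" is a
# made-up staff_ activity type; IPs are documentation ranges).
SAMPLE_RECORDS = [
    _rec(1, 12, "login", "203.0.113.10"),
    _rec(2, 12, "branch_disabled", "203.0.113.10"),
    _rec(3, 7, "staff_role_changed", "192.0.2.77"),
    _rec(4, 7, "login", "198.51.100.4"),
    _rec(5, 12, "branch_disabled", "192.0.2.50"),
]
PAGES_REQUESTED = []


def sample_fetch_page(page, limit, time_range):
    """Stand-in for the HTTP call: serves SAMPLE_RECORDS two per page."""
    PAGES_REQUESTED.append(page)
    per_page = 2
    start = (page - 1) * per_page
    total = len(SAMPLE_RECORDS)
    return {
        "success": True,
        "data": SAMPLE_RECORDS[start:start + per_page],
        "pagination": {"page": page, "limit": per_page, "total": total,
                       "pages": (total + per_page - 1) // per_page},
    }


if __name__ == "__main__":
    for hit in flag_unfamiliar_ip_actions(iter_activity(sample_fetch_page)):
        print(hit)
```

An account with no login inside the time window has every sensitive action flagged, so widen `time_range` before treating a hit as suspicious.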

Email logs

List email logs

GET /api/admin/email-logs Returns a paginated log of all outbound emails sent by the platform. Supports action=details to fetch a single email by ID, and action=stats for aggregate delivery statistics. Required permission: api.admin.email_logs.manage
action
string
default:"list"
list (default) — paginated email log.
details — single email record (requires id).
stats — aggregate delivery statistics.
id
integer
Email log ID. Required when action=details.
status
string
Filter by delivery status (e.g. sent, failed, delivered, opened, bounced).
date_range
string
default:"30"
Filter by date range: today, a number of days (e.g. 7, 30, 90), or all.
search
string
Search by recipient email, subject, or job reference.
page
integer
default:"1"
Page number.
per_page
integer
default:"25"
Results per page (max 100).
curl -X GET "https://propops.yourcompany.com/api/admin/email-logs?status=failed&per_page=25" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    {
      "id": 9901,
      "job_id": 55,
      "job_ref": "JOB-0055",
      "job_uuid": "550e8400-e29b-41d4-a716-446655440001",
      "recipient_email": "tenant@example.com",
      "subject": "Your repair has been scheduled",
      "status": "failed",
      "error_message": "SMTP timeout",
      "sent_at": "2024-06-13T14:32:00Z",
      "created_at": "2024-06-13T14:32:00Z"
    }
  ],
  "pagination": {
    "page": 1,
    "per_page": 25,
    "total_records": 3,
    "total_pages": 1
  }
}

Resend an email

POST /api/admin/resend-email Retries a failed email delivery. Required permission: api.admin.email_logs.view
Requires CSRF token.
email_id
integer
required
ID of the email log entry to resend.
csrf_token
string
required
CSRF token.
curl -X POST "https://propops.yourcompany.com/api/admin/resend-email" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"email_id": 9901, "csrf_token": "<csrf-token>"}'
{
  "success": true,
  "message": "Email queued for resending"
}

Rate limiting

Get / manage rate limit configuration

GET /api/admin/rate-limiting · POST /api/admin/rate-limiting · PUT /api/admin/rate-limiting All operations on this endpoint are action-driven via the action parameter. Available actions: get_settings, update_settings, bulk_update, get_violations, clear_limits. Required permission: api.admin.rate_limiting
action
string
required
Action to perform. For GET: get_settings, get_violations. For POST/PUT: update_settings, bulk_update, clear_limits.
endpoint_id
integer
Required for get_settings and get_violations — ID of the endpoint to retrieve settings for.
curl -X GET "https://propops.yourcompany.com/api/admin/rate-limiting?action=get_settings&endpoint_id=5" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "endpoint": {
    "id": 5,
    "endpoint_path": "/api/jobs/manage",
    "endpoint_name": "Job Management API",
    "rate_limit_enabled": 1,
    "rate_limit_requests": 60,
    "rate_limit_window": 60,
    "rate_limit_by": "user"
  }
}

User management

Get user management policy

GET /api/admin/user-management-policy Returns the current policy for user creation, password rules, and account lifecycle. Required permission: api.admin.user_management_policy.view
curl -X GET "https://propops.yourcompany.com/api/admin/user-management-policy" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": {
    "min_password_length": 12,
    "require_special_chars": true,
    "password_expiry_days": 90,
    "max_failed_logins": 5,
    "lockout_duration_minutes": 30,
    "require_email_verification": true
  }
}

API usage stats

Get API usage statistics

GET /api/admin/api-usage-stats Returns daily API usage statistics for chart visualisation over the requested number of days. Required permission: api.admin.api_usage_stats.manage
days
integer
default:"30"
Number of days to retrieve (1–365).
endpoint_id
integer
Optional — filter statistics to a specific endpoint ID.
curl -X GET "https://propops.yourcompany.com/api/admin/api-usage-stats?days=30" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": {
    "labels": ["Jun 01", "Jun 02", "Jun 03"],
    "datasets": [
      {
        "label": "API Requests",
        "data": [1240, 983, 1102]
      }
    ]
  },
  "stats": {
    "total": 48200,
    "average": 1606.7,
    "max": 2340,
    "min": 412,
    "days": 30
  }
}

Document management

List job documents (admin)

GET /api/admin/job-documents Returns all job documents grouped by job, or retrieves document statistics / document-type counts depending on the action parameter. Staff admin only. Required permission: api.admin.job_documents.view
action
string
default:"list"
list — all active documents grouped by job.
stats — aggregate counts and total file size.
document-types — document-type names with per-type document counts.
regenerate-thumbnails — regenerate thumbnail images for all stored documents (requires api.admin.job-documents.regenerate-thumbnails permission).
curl -X GET "https://propops.yourcompany.com/api/admin/job-documents?action=list" \
  -H "Authorization: Bearer <token>"

Get orphaned files

GET /api/admin/orphaned-files Lists uploaded files that are no longer attached to any job, document record, or certification. Used for storage cleanup. Required permission: api.admin.documents.manage
curl -X GET "https://propops.yourcompany.com/api/admin/orphaned-files" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    {
      "file_path": "/uploads/jobs/2024/06/photo_orphaned_abc.jpg",
      "size_bytes": 482000,
      "uploaded_at": "2024-06-10T12:00:00Z"
    }
  ],
  "total_size_mb": 18.4
}

Document Types

Document types define the categories used when uploading documents to a job (e.g. Gas Safety Certificate, Electrical Report, Invoice).

List document types

GET /api/admin/document-types Returns all configured document type categories. Required permission: api.admin.document-types.manage
Account types: Staff only
curl -X GET "https://propops.yourcompany.com/api/admin/document-types" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    { "ID": 1, "name": "Gas Safety Certificate", "permission_key": "document.gas_safety", "heading": "Compliance", "order": 1, "active": 1, "created_at": "2024-01-01T09:00:00Z" },
    { "ID": 2, "name": "Electrical Report",       "permission_key": "document.electrical",  "heading": "Compliance", "order": 2, "active": 1, "created_at": "2024-01-01T09:00:00Z" }
  ]
}

Create a document type

POST /api/admin/document-types Required permission: api.admin.document-types.manage
Requires CSRF token.
name
string
required
Display name for the document type (e.g. "EICR Report").
heading
string
required
Category heading used to group documents (e.g. "Compliance").
permission_key
string
required
Permission key for this document type. Must start with document. followed by lowercase letters, numbers, and underscores (e.g. document.eicr_report).
order
integer
default:"0"
Display order.
csrf_token
string
required
CSRF token from GET /api/security/csrf-token.
curl -X POST "https://propops.yourcompany.com/api/admin/document-types" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "EICR Report", "heading": "Compliance", "permission_key": "document.eicr_report", "csrf_token": "<csrf-token>"}'
{
  "success": true,
  "message": "Document type created successfully",
  "data": {
    "id": 4,
    "name": "EICR Report",
    "permission_key": "document.eicr_report",
    "heading": "Compliance",
    "order": 0
  }
}

Update a document type

PUT /api/admin/document-types Required permission: api.admin.document-types.manage
Requires CSRF token.
id
integer
required
ID of the document type to update.
name
string
required
Updated display name.
heading
string
required
Updated category heading.
permission_key
string
required
Updated permission key (must start with document.).
order
integer
Updated display order.
active
integer
1 to activate, 0 to deactivate.
csrf_token
string
required
CSRF token.

Delete a document type

DELETE /api/admin/document-types Deactivates a document type. Returns an error if documents of this type are currently attached to active jobs. Required permission: api.admin.document-types.manage
id
integer
required
ID of the document type to delete (passed as a query parameter).

Legal Documents

Legal documents are rich-text pages (privacy policy, terms of service, cookie notice) displayed to users on the login screen and in the account area. They can be targeted to specific account types.

List legal documents

GET /api/admin/documents Returns all legal documents. Required permission: api.admin.documents.manage
Account types: Staff only
curl -X GET "https://propops.yourcompany.com/api/admin/documents" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    {
      "id": 1,
      "title": "Privacy Policy",
      "slug": "privacy-policy",
      "version": "1.3",
      "account_type_targeting": "1,2,3,4,5",
      "is_active": true,
      "updated_at": "2024-03-01T09:00:00Z"
    }
  ],
  "count": 3,
  "message": "Operation completed successfully"
}

Create a legal document

POST /api/admin/documents Required permission: api.admin.documents.manage
Requires CSRF token.
title
string
required
Document title (e.g. "Privacy Policy").
slug
string
required
URL-safe identifier (e.g. "privacy-policy"). Must be unique.
content
string
required
Rich-text HTML content of the document.
version
string
Version string (e.g. "1.3"). Shown to users when they accept the document.
account_type_targeting
string
Comma-separated account type IDs to show this document to (e.g. "1,2,4"). Leave empty to show to all.
is_active
boolean
default:"true"
Whether the document is currently shown to users.
csrf_token
string
required
CSRF token from GET /api/security/csrf-token.
curl -X POST "https://propops.yourcompany.com/api/admin/documents" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "title": "Cookie Notice",
    "slug": "cookie-notice",
    "content": "<p>We use cookies...</p>",
    "version": "1.0",
    "account_type_targeting": "1,2,3,4,5",
    "is_active": true,
    "csrf_token": "<csrf-token>"
  }'
{
  "success": true,
  "data": { "id": 4 },
  "message": "Document created"
}

Delete a legal document

DELETE /api/admin/documents Required permission: api.admin.documents.manage
Requires CSRF token.
id
integer
required
ID of the document to delete.
csrf_token
string
required
CSRF token.

Job Tags & Reference Data

Job tags cover the configurable lookup tables for job types, statuses, priorities, and title templates.

Get job reference data

GET /api/admin/job-tags Returns configurable reference data used across jobs. The type parameter selects which table to retrieve. Required permission: api.admin.job_tags.view
Account types: Staff only
type
string
required
Data type to retrieve: types, priorities, statuses, or titles.
curl -X GET "https://propops.yourcompany.com/api/admin/job-tags?type=types" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    { "id": 1, "name": "Plumbing",             "icon": "wrench",      "is_active": true },
    { "id": 2, "name": "Electrical",           "icon": "bolt",        "is_active": true },
    { "id": 3, "name": "Gas & Heating",        "icon": "flame",       "is_active": true },
    { "id": 4, "name": "General Maintenance",  "icon": "tools",       "is_active": true }
  ],
  "count": 4,
  "message": "Operation completed successfully"
}

Create job reference data

POST /api/admin/job-tags Adds a new entry to the selected reference table. Required permission: api.admin.job_tags.view
Requires CSRF token.
type
string
required
Target table: type, priority, status, or title.
name
string
required
Display name of the new entry.
color
string
Hex color code used for status badges (e.g. "#22c55e").
pattern
string
Pattern value (for job types).
effect
string
Effect value (for job types).
active
integer
default:"1"
Whether the entry is active.
csrf_token
string
required
CSRF token from GET /api/security/csrf-token.
curl -X POST "https://propops.yourcompany.com/api/admin/job-tags" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"type": "type", "name": "Roofing", "color": "#f59e0b", "csrf_token": "<csrf-token>"}'
{
  "success": true,
  "data": { "id": 9 },
  "message": "Entry created successfully"
}

Settings Configuration

These endpoints manage the admin settings page structure — groups and individual setting fields. They are used internally by the PropOps settings UI.

Save a settings group

POST /api/admin/settings/configuration/save-group Creates or updates a settings group (a logical grouping of settings fields within the admin panel). Required permission: api.admin.settings.configuration.save_group.manage
Account types: Staff only
Requires CSRF token.
id
integer
Group ID to update. Omit to create a new group.
name
string
required
Display name for the group (e.g. "Email Settings").
slug
string
required
URL-safe key (e.g. "email-settings").
icon
string
Icon key to display alongside the group name.
order
integer
Display order within the settings page.
csrf_token
string
required
CSRF token from GET /api/security/csrf-token.
curl -X POST "https://propops.yourcompany.com/api/admin/settings/configuration/save-group" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "Email Settings", "slug": "email-settings", "icon": "mail", "order": 3, "csrf_token": "<csrf-token>"}'
{
  "success": true,
  "message": "Settings group saved"
}

Delete a settings group

POST /api/admin/settings/configuration/delete-group Removes a settings group and all its associated fields. Required permission: api.admin.settings.configuration.save_group.manage
Requires CSRF token.
id
integer
required
ID of the settings group to delete.
csrf_token
string
required
CSRF token.

Save a settings page

POST /api/admin/settings/configuration/save-page Creates or updates individual setting field values within a group. Required permission: api.admin.settings.configuration.save_group.manage
Requires CSRF token.
group_slug
string
required
Slug of the parent settings group.
settings
object
required
Key-value map of setting keys and their new values (e.g. {"smtp_host": "mail.yourcompany.com"}).
csrf_token
string
required
CSRF token.
curl -X POST "https://propops.yourcompany.com/api/admin/settings/configuration/save-page" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "group_slug": "email-settings",
    "settings": {
      "smtp_host": "mail.yourcompany.com",
      "smtp_port": "587",
      "smtp_encryption": "tls"
    },
    "csrf_token": "<csrf-token>"
  }'
{
  "success": true,
  "message": "Settings saved"
}

Permissions Dropdown

Load permission checkboxes

GET /api/admin/permissions-dropdown Returns rendered HTML permission checkboxes for a specific role or account type and category, used to lazy-load sections of the permissions management UI. The response is always a JSON envelope containing the rendered HTML string. Required permission: api.admin.permissions_dropdown.view
Account types: Staff only
entity_type
string
required
role or account_type.
entity_id
integer
required
ID of the role or account type to load permissions for.
category
string
required
Permission category to filter by (e.g. api.jobs, page.dashboard, document.gas).
permission_type
string
default:"api"
Type of permissions to return: api, page, or document.
format
string
default:"html"
Accepted values: html or json. Both return the same JSON envelope; this parameter is validated but does not change the response structure.
curl -X GET "https://propops.yourcompany.com/api/admin/permissions-dropdown?entity_type=role&entity_id=3&category=api.jobs&permission_type=api" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "html": "<div><!-- rendered checkbox HTML --></div>",
  "entity": { "ID": 3, "name": "Manager" },
  "entityLabel": "Staff Role",
  "categoryLabel": "api.jobs"
}

API Discovery

List discovered endpoints

GET /api/admin/api-discovery Returns all discovered API endpoints registered in the system, including their health status, supported methods, and permission requirements. Optionally filter by health status. Required permission: api.admin.api_discovery.manage
Account types: Staff only
action
string
default:"get_endpoints"
get_endpoints — return all registered endpoints.
get_statistics — aggregate endpoint counts and health summary.
get_endpoint_history — health check history for a specific endpoint (requires endpoint_id).
get_usage_logs — recent usage log entries (requires endpoint_id).
health_status
string
Filter by health status: healthy, warning, or error.
endpoint_id
integer
Required when action=get_endpoint_history or action=get_usage_logs — ID of the endpoint.
curl -X GET "https://propops.yourcompany.com/api/admin/api-discovery?action=get_endpoints" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "data": [
    {
      "id": 1,
      "endpoint_path": "/api/jobs/manage",
      "name": "Job Management API",
      "category": "jobs",
      "http_methods": ["GET", "POST"],
      "permission_key": "api.jobs.manage.manage",
      "health_status": "healthy",
      "auto_discovered": true,
      "last_checked_at": "2024-06-14T10:00:00Z"
    }
  ],
  "count": 48
}

Run API discovery

POST /api/admin/api-discovery Scans the /api directory and registers all discovered endpoints and action types. Use discover_endpoints for a full scan or register_actions to synchronise action types only. Required permission: api.admin.api_discovery.manage
Account types: Staff only
Requires CSRF token.
action
string
required
discover_endpoints — scan and register all API endpoints.
register_actions — register action types from permission keys and annotations.
csrf_token
string
required
CSRF token from GET /api/security/csrf-token.
curl -X POST "https://propops.yourcompany.com/api/admin/api-discovery" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"action":"discover_endpoints","csrf_token":"<csrf-token>"}'
{
  "success": true,
  "message": "API discovery completed",
  "data": {
    "endpoints_found": 48,
    "endpoints_registered": 48
  }
}

API Permissions

List API permission configurations

GET /api/admin/api-permissions Returns the full list of API permission configurations stored in the access registry. Optionally retrieve a single entry by ID or filter by category / search term. Required permission: api.admin.api_permissions.manage
Account types: Staff only
id
integer
If provided, returns the single API permission configuration with this ID.
category
string
Filter results to a specific api_category value.
search
string
Search across api_path, api_name, and description.
curl -X GET "https://propops.yourcompany.com/api/admin/api-permissions" \
  -H "Authorization: Bearer <token>"
{
  "success": true,
  "apis": [
    {
      "id": 1,
      "api_path": "/api/jobs/manage",
      "api_name": "Job Management API",
      "api_category": "jobs",
      "http_method": "GET",
      "access_level": "permission",
      "required_permission": "api.jobs.manage.manage",
      "allowed_account_types": [1],
      "is_active": 1
    }
  ],
  "api_execution_time": 3.21
}

Create an API permission configuration

POST /api/admin/api-permissions Creates a new API permission configuration entry in the access registry. Required permission: api.admin.api_permissions.manage
Account types: Staff only
Requires CSRF token.
api_path
string
required
The API endpoint path (e.g. /api/jobs/manage).
api_name
string
required
Human-readable name for this endpoint.
access_level
string
required
One of: public, authenticated, permission, account_type, custom.
api_category
string
Category grouping (e.g. jobs, admin).
http_method
string
default:"*"
HTTP method this configuration applies to (e.g. GET, POST, *).
required_permission
string
Dot-notation permission key required when access_level=permission.
allowed_account_types
array
Account type IDs that are permitted to access this endpoint.
description
string
Optional description.
is_active
integer
default:"1"
1 to enable, 0 to disable.
csrf_token
string
required
CSRF token from GET /api/security/csrf-token.
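
As an added example (not part of the PropOps documentation), this Python sketch cross-checks the `apis` array from GET /api/admin/api-permissions against the `data` array from GET /api/admin/api-discovery and reports registry entries that leave an endpoint more weakly gated than its `access_level` suggests. The function name, the finding strings and every sample record are constructed for illustration; the field names and `access_level` values are those documented above.

```python
# Added example: field names follow the sample responses on this page;
# every record below is constructed for illustration.
ADMIN_PREFIX = "/api/admin/"


def audit_registry(apis, discovered):
    """Cross-check the access registry against discovered endpoints.

    apis:       "apis" array from GET /api/admin/api-permissions
    discovered: "data" array from GET /api/admin/api-discovery
    Returns a sorted list of (path, finding) tuples.
    """
    findings = set()
    active = [a for a in apis if a.get("is_active") == 1]

    for entry in active:
        path = entry["api_path"]
        level = entry["access_level"]
        if path.startswith(ADMIN_PREFIX) and level in ("public", "authenticated"):
            findings.add((path, f"admin path with access_level={level}"))
        if level == "permission" and not entry.get("required_permission"):
            findings.add((path, "access_level=permission but no required_permission"))
        if level == "account_type" and not entry.get("allowed_account_types"):
            findings.add((path, "access_level=account_type but no allowed_account_types"))

    # Permission keys the active registry entries enforce, grouped per path
    # (a path can have one entry per HTTP method).
    enforced = {}
    for entry in active:
        keys = enforced.setdefault(entry["api_path"], set())
        if entry.get("required_permission"):
            keys.add(entry["required_permission"])

    for ep in discovered:
        path = ep["endpoint_path"]
        if path not in enforced:
            findings.add((path, "discovered endpoint has no active registry entry"))
        elif ep.get("permission_key") and ep["permission_key"] not in enforced[path]:
            findings.add((path, "registry does not enforce the discovered permission_key"))

    return sorted(findings)


# Constructed registry entries (shape of the "apis" array).
SAMPLE_APIS = [
    {"id": 1, "api_path": "/api/jobs/manage", "http_method": "GET",
     "access_level": "permission", "required_permission": "api.jobs.manage.manage",
     "allowed_account_types": [1], "is_active": 1},
    {"id": 2, "api_path": "/api/admin/roles", "http_method": "*",
     "access_level": "authenticated", "required_permission": None,
     "allowed_account_types": [], "is_active": 1},
    {"id": 3, "api_path": "/api/admin/email-logs", "http_method": "GET",
     "access_level": "permission", "required_permission": "",
     "allowed_account_types": [], "is_active": 1},
    {"id": 4, "api_path": "/api/admin/activity-log", "http_method": "GET",
     "access_level": "permission", "required_permission": "api.admin.activity_log.view",
     "allowed_account_types": [], "is_active": 0},
]

# Constructed discovery results (shape of the api-discovery "data" array).
SAMPLE_DISCOVERED = [
    {"endpoint_path": "/api/jobs/manage", "permission_key": "api.jobs.manage.manage"},
    {"endpoint_path": "/api/admin/roles", "permission_key": "api.admin.roles.manage"},
    {"endpoint_path": "/api/admin/activity-log", "permission_key": "api.admin.activity_log.view"},
    {"endpoint_path": "/api/admin/orphaned-files", "permission_key": "api.admin.documents.manage"},
]

if __name__ == "__main__":
    for path, finding in audit_registry(SAMPLE_APIS, SAMPLE_DISCOVERED):
        print(f"{path}: {finding}")
```

A "no active registry entry" finding only means the registry does not describe the endpoint; how such an endpoint is gated is not stated on this page and needs to be confirmed separately.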

Update an API permission configuration

PUT /api/admin/api-permissions Updates an existing API permission configuration entry. Required permission: api.admin.api_permissions.manage
Account types: Staff only
Requires CSRF token.
id
integer
required
ID of the configuration to update.
csrf_token
string
required
CSRF token.
All POST fields except api_path are accepted as optional update fields. Provide id to identify the record and csrf_token for CSRF protection.

Delete an API permission configuration

DELETE /api/admin/api-permissions Removes an API permission configuration entry from the access registry. Required permission: api.admin.api_permissions.manage
Account types: Staff only
Requires CSRF token.
id
integer
required
ID of the configuration to delete.
csrf_token
string
required
CSRF token.