# Overview ## Idempotency The HTTP `idempotency-key` request header field can be used to carry idempotency key in order to make non-idempotent HTTP methods such as `POST` or `PATCH` fault-tolerant Client can make the same request repeatedly because of network error, timeout etc.. but the same operation will not be executed twice. If Client repeats the same request by sending the same Idempotency Key value in request headers, and the request will be responded with the same response as the original request. Name of the request header is `idempotency-key`. {% hint style="info" %} Usage of Idempotency is optional. {% endhint %} ## Security ### x-api-key The HTTP `x-api-key` request header field must be used to identify Realm. ### Authorization Add `Authorization` request header with `x-api-key` value. ### Authentication To get x-api-key for Orangepill Admin API or Orangepill API send authentication data to `/auth/login` endpoint. #### Orangepill Admin API Login Use your email and password of Orangepill Realm [Admin](https://docs.orangepill.cloud/realms-and-admins#setup-realm-admin-user). {% tabs %} {% tab title="cURL" %} ```shell curl --location --request POST 'https://admin.orangepill.cloud/v1/auth/admins/login' \ --header 'x-api-key: AXVubzpwQDU1dzByYM==' \ --header 'Content-Type: application/json' \ --data-raw '{ "realm_key": "0dd4f142-f6de-4657-a521-352c9e17fcbe", "email": "your@email.com", "password": "your_password" }' ``` {% endtab %} {% endtabs %} in response you will receive `x-api-key`. {% tabs %} {% tab title="Response" %} ```json { "x-api-key": "1NHSjRWMWd5YkdkR2FWRm5iME1MjJjZGE0MTYtMjA4Yy00MTJjLThjMzgtOTcwNzhiMGQ3ODA2OnRvbWlzbGF2LmJpc2NhbkBnbWFpbC5jb206Y21oM1QyYzFkRlZ4WjFkNVFqUXhWMHd5UmtNMFJ6VnZXVm81YUZvd4ZDNnMVRYWk5SQ1JUSkE9PQ==" } ``` {% endtab %} {% endtabs %} #### Orangepill API Login Use Realm key, Username and Password of Orangepill Realm [User](https://docs.orangepill.cloud/identities-and-users#create-user). {% tabs %} {% tab title="cURL" %} ```shell curl --location --request POST 'https://api.orangepill.cloud/v1/auth/admins/login' \ --header 'x-api-key: AXVubzpwQDU1dzByYM==' \ --header 'Content-Type: application/json' \ --data-raw '{ "realm_key": "0dd4f142-f6de-4657-a521-352c9e17fcbe", "username": "your_username", "password": "your_password" }' ``` {% endtab %} {% endtabs %} in response you will receive `x-api-key`. {% tabs %} {% tab title="Response" %} ```json { "x-api-key": "1NHSjRWMWd5YkdkR2FWRm5iME1MjJjZGE0MTYtMjA4Yy00MTJjLThjMzgtOTcwNzhiMGQ3ODA2OnRvbWlzbGF2LmJpc2NhbkBnbWFpbC5jb206Y21oM1QyYzFkRlZ4WjFkNVFqUXhWMHd5UmtNMFJ6VnZXVm81YUZvd4ZDNnMVRYWk5SQ1JUSkE9PQ==" } ``` {% endtab %} {% endtabs %} Add `x-api-key` header to every HTTP call. ### Ownership Each created entity is flagged with `owner: authenticated_user.id` thus enabling automatic scope filtering and ownership. ### Roles User can have different roles in a realm.

Role	Description
`admin`	Create and update users and entities. Can manage deleted entities.
`manage`	Create and update users and entities.
`user`	Create and update entities.

### Scopes User is limited in it's scope to access data. User scopes:

Scope	Description
`realm`	Access to realm entities.
`own`	Access to own entities.

### Cumulative Permissions

Role, Scope	Permission
`user,own`	Can read owned entities. Can write owned entities. Can delete owned entities. Cannot delete owned user. Cannot undelete. Cannot create users.
`user,realm`	Can read all entities. Can write owned entities. Can delete owned entities. Cannot delete owned user. Cannot undelete. Cannot create users.
`manage,own`	Can read owned entities. Can write owned entities. Can delete owned entities. Can delete owned user. Can undelete owned. Cannot create users.
`manage,realm`	Can read all entities. Can update all entities. Can delete all entities. Can delete all users. Can undelete all. Cannot create users.
`admin,own`	Can read owned entities. Can write owned entities. Can delete own entities. Can delete own user. Can undelete own. Can create users.
`admin,realm`	Can read all entities. Can write all entities. Can delete all entities. Can delete all users. Can undelete all. Can create users.

### API scopes When calling API you can apply following scopes on entities.

Scope	Description
`own (default)`	Entities where current user is owner.
`all`	All realm entities.
`incoming`	Applies only for transactions. Transactions where current user is owner of destination account.
`outgoing`	Applies only for transactions. Transactions where current user is owner of source account.
`deleted`	Deleted entities.

## Soft delete Entities are never physically deleted, hence soft delete mechanism is applied. When `DELETE` method is invoked on REST API interface, Orangepill middleware will flag the entity as `deleted: true`, and timestamped as `deleted_at: Date.now()`. Entities marked as deleted are filtered out from **scopes** `all` and `own`. To view deleted entities either disable **scopes** by adding `?scope=false` to URL query or choose `?scope=deleted` if exists for specific endpoint. ## RESTful Orangepill API is completely RESTful thus being interface for buidling frontend and backend apps. ### `find` Find entities Find entitites by query. #### Parameters

Property	Type	Default	Description
`limit`	`Number`	`null`	Max count of rows.
`offset`	`Number`	`null`	Number of skipped rows.
`fields`	`String\|Array<String>`	`null`	Fields to return.
`sort`	`String\|Array<String>`	`null`	Sorted fields.
`search`	`String`	`null`	Search text.
`searchFields`	`String\|Array<String>`	`null`	Fields for search.
`scope`	`String\|Array<String>\|Boolean`	`null`	Scopes for the query. If `false`, the default scopes are disabled.
`populate`	`String\|Array<String>`	`null`	Populated fields.
`query`	`String\|Object`	`null`	Query object. If `String`, it will be converted with `JSON.parse`

#### REST endpoint ``` GET {serviceName}/all ``` #### Results ``` [ { id: "akTRSKTKzGCg9EMz", ... }, { id: "0YZQR0oqyjKILaRn", ... } ] ``` ### `list` List entities List entities with pagination. It returns also the total number of rows. #### Parameters

Property	Type	Default	Description
`page`	`Number`	`null`	Page number.
`pageSize`	`Number`	`null`	Size of a page.
`fields`	`String\|Array<String>`	`null`	Fields to return.
`sort`	`String\|Array<String>`	`null`	Sorted fields.
`search`	`String`	`null`	Search text.
`searchFields`	`String\|Array<String>`	`null`	Fields for search.
`scope`	`String\|Array<String>\|Boolean`	`null`	Scopes for the query. If `false`, the default scopes are disabled. Example: `?scope=-own,all` removes own scope, and adds all.
`populate`	`String\|Array<String>`	`null`	Populated fields.
`query`	`String\|Object`	`null`	Query object. If `String`, it's converted with `JSON.parse`

#### REST endpoint ``` GET {serviceName} ``` #### Results ``` { rows: [ { id: "2bUwg4Driim3wRhg", ..., }, { id: "Di5T8svHC9nT6MTj", ..., }, { id: "YVdnh5oQCyEIRja0", ..., }, ], total: 3, page: 1, pageSize: 10, totalPages: 1, } ``` ### `count` Count entities Get the number of entities by query. #### Parameters

Property	Type	Default	Description
`search`	`String`	`null`	Search text.
`searchFields`	`String\|Array<String>`	`null`	Fields for search.
`scope`	`String\|Array<String>\|Boolean`	`null`	Scopes for the query. If `false`, the default scopes are disabled.
`query`	`String\|Object`	`null`	Query object. If `String`, it's converted with `JSON.parse`

#### REST endpoint ``` GET {serviceName}/count ``` #### Results ``` 15 ``` ### `get` Get an entity by ID Get an entity by ID. #### Parameters

Property	Type	Default	Description
`<id>`	`any`	`null`	ID of the entity. The name of the property comes from the primary key field.
`fields`	`String\|Array<String>`	`null`	Fields to return.
`scope`	`String\|Array<String>\|Boolean`	`null`	Scopes for the query. If `false`, the default scopes are disabled.
`populate`	`String\|Array<String>`	`null`	Populated fields.

#### REST endpoint ``` GET {serviceName}/{id} ``` #### Results ``` { id: "YVdnh5oQCyEIRja0", ..., } ``` ##