SimpleDetail
📖 4 menit baca

API Endpoints Reference — Central Membership & SSO Hub

Prefix REST: /api/v1. The request body uses application/json, except for /oauth/token which uses application/x-www-form-urlencoded.

Health and Public Catalog

Method Path Auth Description
GET /health Public Health check of the application and main dependencies.
GET /api/v1/products Public List of active products; query search, page, limit.
GET /api/v1/products/:productCode Public Product details along with active plans.
GET /api/v1/products/:productCode/plans Public Plans available for the product.
{ "data": { "code": "NTO", "name": "NOTO", "plans": [{ "code": "free", "type": "free", "priceAmount": 0, "currency": "IDR" }] } }

Auth and Account

Method Path Auth Request / Result
POST /api/v1/auth/register Public { fullName, email, password, passwordConfirmation }; creates an unverified account, 201.
POST /api/v1/auth/login Public { email, password }; access token, refresh token, and profile, 200.
POST /api/v1/auth/logout Member Revokes refresh token/session, 204.
POST /api/v1/auth/refresh Public { refreshToken }; rotates refresh token.
POST /api/v1/auth/verify-email Public { token }; activates account.
POST /api/v1/auth/resend-verification Public { email }; generic response, 202.
POST /api/v1/auth/forgot-password Public { email }; generic response, 202.
POST /api/v1/auth/reset-password Public { token, password, passwordConfirmation }, 204.
GET /api/v1/me Member Profile and member status summary.
PATCH /api/v1/me Member { fullName, avatarUrl? }.
PATCH /api/v1/me/password Member { currentPassword, newPassword, passwordConfirmation }, 204.
PATCH /api/v1/me/notification-preferences Member Notification preferences.

Registration/login/reset must use rate limiter. Forgot-password and resend email must not disclose whether the email is registered.

Dashboard and Member License

Method Path Auth Description
GET /api/v1/dashboard Member Subscription summary, warnings, and latest payments.
GET /api/v1/licenses Member Member's licenses; filter status, productCode, page, limit.
GET /api/v1/licenses/:licenseId Member Detail of member's license.
POST /api/v1/licenses/activate-free Member { productCode, planCode }; creates active_free, 201.
POST /api/v1/licenses/:licenseId/renew Member { planCode, gateway }; creates order renewal paid, 201.
GET /api/v1/licenses/:licenseId/sso-link Member SSO authorization URL for product license.

Free activation rejects unverified accounts, inactive products/plans, and existing valid licenses. License-ID is created on the first activation and does not change upon renewal.

Checkout and Payment

Method Path Auth Description
POST /api/v1/orders Member Creates paid checkout; header Idempotency-Key is required.
GET /api/v1/orders Member Member's order history; filter status, page, limit.
GET /api/v1/orders/:orderId Member Order details and payment instructions.
GET /api/v1/payments Member Payment history; filter status, page, limit.
GET /api/v1/payments/:paymentId/invoice Member Metadata/download invoice settlement.

Order body:

{ "productCode": "NTO", "planCode": "pro-monthly", "gateway": "midtrans" }

Response 201 contains id, orderNumber, status: "pending_payment", amount, currency, paymentUrl, and expiresAt.

Webhook Payment Gateway

Method Path Auth Description
POST /webhooks/midtrans Midtrans Signature Processes notification/Snap callback.
POST /webhooks/xendit Xendit Callback Token Processes invoice callback.

Webhook must validate signature/token and amount, save event, check idempotency, then in one transaction update payment, order, license, and audit log. Invalid event gives 400; retry successful event gives 200 without reactivation. This endpoint should not be called by frontend.

Admin API

All endpoints below require a bearer token with role super_admin.

Method Path Description
GET /api/v1/admin/dashboard Member metrics, licenses, orders, and payments.
GET /api/v1/admin/members List of members; filter search, status, page, limit.
GET /api/v1/admin/members/:memberId Member details, licenses, and orders.
PATCH /api/v1/admin/members/:memberId/status `{ status: "active"
GET /api/v1/admin/products All products/plans, including inactive.
POST /api/v1/admin/products Creates a new product.
PATCH /api/v1/admin/products/:productId Updates product metadata/status.
POST /api/v1/admin/products/:productId/plans Creates a plan.
PATCH /api/v1/admin/plans/:planId Updates plan without changing old orders.
GET /api/v1/admin/orders Filters global orders.
GET /api/v1/admin/payments Filters global payments.
POST /api/v1/admin/orders/:orderId/confirm-payment Fallback manual verification; audit is required.
GET /api/v1/admin/audit-logs Filters actorId, action, objectType, from, to.
POST /api/v1/admin/oauth-clients Registers SaaS client; secret is only returned once.
PATCH /api/v1/admin/oauth-clients/:clientId Updates redirect URI, scope, or status.
POST /api/v1/admin/oauth-clients/:clientId/rotate-secret Rotates client secret.

OAuth2 and Metadata

Method Path Auth Description
GET /oauth/authorize Hub Session Authorization Code Flow + PKCE.
POST /oauth/token Client + code/refresh token Exchanges authorization code or refresh token.
GET /oauth/userinfo OAuth access token Claims according to scope.
POST /oauth/revoke Client + token Revokes refresh token.
GET /oauth/logout Hub Session Logs out SSO and revokes related token.
GET /.well-known/jwks.json Public Public key JWT active/retired.
GET /.well-known/oauth-authorization-server Public Metadata authorization server.

Scope: openid, profile:read, and license:read. Token is only issued for active accounts with licenses active, active_free, or grace_period.

Mapping NestJS Modules

Module Controller
AuthModule AuthController, MeController
ProductsModule ProductsController, PlansController
LicensesModule LicensesController, DashboardController
OrdersModule OrdersController
PaymentsModule PaymentsController, WebhooksController
AdminModule AdminMembersController, AdminProductsController, AdminOrdersController, AuditLogsController
OAuthModule OAuthController, WellKnownController