Public API

DevSphere OS exposes a small, read-only public API secured by organization API keys. Today it provides read access to leads and invoices, with scoped keys, rate limiting, and request logging.

# Purpose

Document how external systems authenticate to and consume the public API.

# Architecture

The public API lives under a versioned path (v1). Requests authenticate with an organization API key sent as a Bearer token. The key resolves the organization and its scopes; the endpoint checks the required scope before returning data.

Keys are created and managed by CEO/admin. The plaintext key (prefixed dvs_live_) is shown once at creation; only a SHA-256 hash is stored, so a lost key cannot be recovered — it must be rotated or revoked.

1. Create key: CEO/admin, scoped.
2. Send Bearer: Authorization header.
3. Verify + scope: Org + scope checked.
4. Return data: Read leads/invoices.

# How it works

1. Authenticate: Send Authorization: Bearer dvs_live_… with the request.
2. Verify: The key is hashed and matched; revoked or expired keys are rejected.
3. Authorize scope: The endpoint requires a scope (for example leads:read); a missing scope returns 403.
4. Rate limit & log: Requests are rate-limited (about 120/min per key) and recorded in request logs.
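The key lifecycle and the four request steps above, worked through as an added example. This is illustration code written for this page, not DevSphere OS source: the in-memory key store, the sliding-window limiter, the random token after the documented dvs_live_ prefix and the 404 body for unknown paths are all assumptions; the scope names, the 401/403/429 bodies and the 120/min default come from the page.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

KEY_PREFIX = "dvs_live_"         # documented key prefix
RATE_LIMIT_PER_MIN = 120         # documented default: about 120 requests/min per key

# Implemented endpoints and the scope each one requires (from the endpoint table).
ENDPOINT_SCOPES = {
    "GET /api/v1/leads": "leads:read",
    "GET /api/v1/invoices": "invoices:read",
}


def hash_key(plaintext: str) -> str:
    """Only this SHA-256 digest is stored; the plaintext is shown once at creation."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


@dataclass
class ApiKeyRecord:
    org_id: str
    key_hash: str
    scopes: FrozenSet[str]
    revoked: bool = False
    expires_at: Optional[float] = None     # unix time; None means no expiry
    last_used_at: Optional[float] = None   # updated on successful verification


class ApiError(Exception):
    """Carries the HTTP status and JSON body documented under 'Common error responses'."""

    def __init__(self, status: int, body: Dict[str, str]):
        super().__init__(body.get("error"))
        self.status, self.body = status, body


class KeyStore:
    """Assumed in-memory stand-in for the database: records keyed by hash, plus limiter hits."""

    def __init__(self) -> None:
        self._records: Dict[str, ApiKeyRecord] = {}
        self._hits: Dict[str, List[float]] = {}
        self.request_log: List[Tuple[float, str, str]] = []   # (time, org_id, "METHOD /path")

    def create_key(self, org_id: str, scopes, expires_at: Optional[float] = None):
        # Assumed format: documented prefix followed by a random URL-safe token.
        plaintext = KEY_PREFIX + secrets.token_urlsafe(32)
        rec = ApiKeyRecord(org_id, hash_key(plaintext), frozenset(scopes), expires_at=expires_at)
        self._records[rec.key_hash] = rec
        return plaintext, rec            # plaintext goes to the creator exactly once

    def lookup(self, key_hash: str) -> Optional[ApiKeyRecord]:
        return self._records.get(key_hash)

    def revoke(self, key_hash: str) -> None:
        self._records[key_hash].revoked = True

    def hits_in_window(self, key_hash: str, now: float, window_s: float = 60.0) -> List[float]:
        recent = [t for t in self._hits.get(key_hash, []) if now - t < window_s]
        self._hits[key_hash] = recent
        return recent


def authenticate(store: KeyStore, authorization: Optional[str], now: float) -> ApiKeyRecord:
    """Steps 1-2: parse the Bearer header, hash the presented key and match it."""
    if not authorization or not authorization.startswith("Bearer "):
        raise ApiError(401, {"error": "invalid_api_key"})
    presented = authorization[len("Bearer "):].strip()
    rec = store.lookup(hash_key(presented)) if presented.startswith(KEY_PREFIX) else None
    expired = rec is not None and rec.expires_at is not None and now >= rec.expires_at
    if rec is None or rec.revoked or expired:
        raise ApiError(401, {"error": "invalid_api_key"})   # one body for unknown/revoked/expired
    rec.last_used_at = now
    return rec


def authorize(rec: ApiKeyRecord, required_scope: str) -> None:
    """Step 3: the endpoint's scope must be on the key; otherwise 403 naming the scope needed."""
    if required_scope not in rec.scopes:
        raise ApiError(403, {"error": "insufficient_scope", "need": required_scope})


def rate_limit(store: KeyStore, rec: ApiKeyRecord, now: float) -> None:
    """Step 4a: sliding 60 s window per key; the 121st request in a minute gets 429."""
    recent = store.hits_in_window(rec.key_hash, now)
    if len(recent) >= RATE_LIMIT_PER_MIN:
        raise ApiError(429, {"error": "rate_limited"})
    recent.append(now)


def handle_request(store: KeyStore, method_path: str, authorization: Optional[str],
                   now: Optional[float] = None) -> Tuple[int, Dict]:
    """Runs the four documented steps for one request and returns (status, JSON body)."""
    now = time.time() if now is None else now
    try:
        rec = authenticate(store, authorization, now)
        required = ENDPOINT_SCOPES.get(method_path)
        if required is None:                       # assumed body; not documented on the page
            raise ApiError(404, {"error": "not_found"})
        authorize(rec, required)
        rate_limit(store, rec, now)
        store.request_log.append((now, rec.org_id, method_path))   # step 4b: request logging
        return 200, {"org_id": rec.org_id, "resource": method_path.split("/")[-1], "items": []}
    except ApiError as err:
        return err.status, err.body
```

The order mirrors the page: an unknown, revoked or expired key is rejected before any scope or limiter logic runs, and all three cases share the same 401 body so a caller learns nothing about why the key failed. Because only the digest is stored, `revoke()` and `lookup()` operate on hashes and the store never holds anything that could be replayed.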

# Reference

## Endpoints (implemented today)

| Method & path | Scope |
| --- | --- |
| GET /api/v1/leads | leads:read |
| GET /api/v1/invoices | invoices:read |

## Defined scopes

| Scope | Access |
| --- | --- |
| leads:read / leads:write | Leads |
| invoices:read | Invoices |
| clients:read | Clients |
| projects:read | Projects |
| opportunities:read | Opportunities |
| webhooks:manage | Manage webhook endpoints |

## Authenticated request

```sh
curl https://<your-app>/api/v1/leads \
  -H "Authorization: Bearer dvs_live_xxx.xxxxxxxx"
```

## Common error responses

| Status | Body |
| --- | --- |
| 401 | { "error": "invalid_api_key" } |
| 403 | { "error": "insufficient_scope", "need": "leads:read" } |
| 429 | { "error": "rate_limited" } |

# Implementation notes

  • Keys are per-organization, scoped, revocable, and rotatable; platform staff cannot read them (hash-only).
  • Only GET leads and GET invoices are implemented today; other scopes exist for future expansion.
  • last_used_at is updated on successful verification.

# Limitations

  • Read-only surface today (leads, invoices).
  • A leads:write scope is defined but no write endpoint is implemented yet.
  • Rate limit defaults to roughly 120 requests per minute per key.

# Security considerations

  • Treat keys as secrets; never embed them in client-side code.
  • Grant least-privilege scopes and one key per integration.
  • Rotate or revoke exposed keys immediately.

# Best practices

  • Store keys in a secrets manager.
  • Handle 401/403/429 explicitly.
  • Rotate keys periodically.
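Handling 401, 403 and 429 explicitly on the client side, as an added example written for this page (not DevSphere OS code or an official SDK). The transport is injected so the scripted server below can stand in for the real API; the `scripted_server` helper, the exception names, the retry budget and the backoff schedule are all assumptions. Only 429 is retried, because a 401 or 403 will keep failing until the key is rotated or re-scoped.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, Dict]                          # (HTTP status, parsed JSON body)
Transport = Callable[[str, Dict[str, str]], Response]  # send(path, headers) -> Response


class ApiKeyRejected(Exception):
    """401 invalid_api_key: not retryable; the key is unknown, revoked or expired."""


class ScopeMissing(Exception):
    """403 insufficient_scope: not retryable; carries the scope the endpoint needs."""

    def __init__(self, need: Optional[str]):
        super().__init__(need)
        self.need = need


class RateLimited(Exception):
    """429 rate_limited still returned after the retry budget was spent."""


def fetch(path: str, api_key: str, send: Transport, max_retries: int = 3,
          base_delay: float = 0.5, sleep: Callable[[float], None] = time.sleep) -> Dict:
    """GET `path` with the Bearer key; retries only 429, with exponential backoff."""
    headers = {"Authorization": "Bearer " + api_key}
    delay = base_delay
    for attempt in range(max_retries + 1):
        status, body = send(path, headers)
        if status == 200:
            return body
        if status == 401:
            raise ApiKeyRejected(body.get("error"))
        if status == 403:
            raise ScopeMissing(body.get("need"))
        if status == 429:
            if attempt == max_retries:
                raise RateLimited(body.get("error"))
            sleep(delay)          # the limit is per key, so hammering only burns the budget
            delay *= 2
            continue
        raise RuntimeError("unexpected status %d: %r" % (status, body))


def scripted_server(responses: List[Response]) -> Transport:
    """Constructed stand-in for the API: hands back the scripted responses in order."""
    queue = list(responses)

    def send(path: str, headers: Dict[str, str]) -> Response:
        assert headers["Authorization"].startswith("Bearer dvs_live_")
        return queue.pop(0)
    return send


def run_scenarios() -> Dict[str, object]:
    """Drives fetch() against four scripted servers and returns what a caller observes."""
    key = "dvs_live_example"       # constructed; a real key comes from a secrets manager
    outcomes: Dict[str, object] = {}
    sleeps: List[float] = []
    # 1) Two 429s then success: waits 0.5 s, then 1 s, and returns the data.
    srv = scripted_server([(429, {"error": "rate_limited"}), (429, {"error": "rate_limited"}),
                           (200, {"leads": [{"id": 1}]})])
    outcomes["retried"] = fetch("/api/v1/leads", key, srv, sleep=sleeps.append)
    outcomes["sleeps"] = sleeps
    # 2) 403 surfaces the missing scope so the key can be re-scoped; no retry.
    try:
        fetch("/api/v1/invoices", key,
              scripted_server([(403, {"error": "insufficient_scope", "need": "invoices:read"})]))
    except ScopeMissing as e:
        outcomes["need"] = e.need
    # 3) 401 is final: check or rotate the key; never loop on it.
    try:
        fetch("/api/v1/leads", key, scripted_server([(401, {"error": "invalid_api_key"})]))
    except ApiKeyRejected as e:
        outcomes["rejected"] = str(e)
    # 4) Persistent 429: give up after the retry budget (3 retries = 3 sleeps).
    waits: List[float] = []
    try:
        fetch("/api/v1/leads", key, scripted_server([(429, {"error": "rate_limited"})] * 4),
              sleep=waits.append)
    except RateLimited:
        outcomes["exhausted_after"] = waits
    return outcomes
```

Passing `sleep` as a parameter keeps the backoff testable and lets a caller substitute a jittered or Retry-After-aware delay; the documented limit is about 120 requests per minute per key, so a client that shares one key across several workers should expect 429 and budget for it rather than treat it as an outage.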
