v1.11 — Authenticated API (Bearer tokens)
v1.11 — API expansion: 5 → 15 endpoints + Bearer auth
Public API was narrow (careers-embed only). Now mobile clients, scripts and integrations have full self-service.
🔑 API Tokens
- Generate in Profile → Security → API tokens → "Issue token"
- Format: `hrms_<8-char-prefix>_<64-hex-raw>`
- Stored only as bcrypt hash + visible prefix — even a compromised DB doesn't leak working tokens
- One-time reveal: token shown ONCE on creation, then masked everywhere
- Revoke any token anytime → all clients using it get 401 immediately
- `last_used_at` tracked (rate-limited to 60s)
- Optional `expires_at` per token
🆕 New endpoints
Public (no auth):
- `GET /api/v1/departments` — for filter dropdowns
- `GET /api/v1/positions`
Authenticated (Bearer):
- `GET /api/v1/me` / `PATCH /api/v1/me` — profile, locale, time_zone, integrations
- `GET /api/v1/me/leave_requests` / `POST` — list + create
- `GET /api/v1/me/kpi` — assignments + evaluations
- `GET /api/v1/me/documents` — paginated
- `GET /api/v1/me/notifications` (?filter=unread)
- `POST /api/v1/me/notifications/:id/read` / `POST .../read_all`
📖 Swagger UI updated
Open `/api-docs/` — all 15 endpoints listed with Bearer auth flow, request bodies, response schemas, error responses (401/404/422). Try-it-out enabled.
Examples
```bash
TOKEN="hrms_abc12345_$(generated)"
curl -H "Authorization: Bearer $TOKEN" /api/v1/me
curl -H "Authorization: Bearer $TOKEN" /api/v1/me/kpi
Request leave
curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json"
-d '{"leave_type_id":1,"started_on":"2026-08-01","ended_on":"2026-08-14"}'
/api/v1/me/leave_requests
```
Quality
- 118 examples (was 93 in v1.10), 0 failures
- Rubocop: 0 offenses
- Brakeman: 0 warnings