Skip to content

v1.11 — Authenticated API (Bearer tokens)

Choose a tag to compare

@dripips dripips released this 12 May 21:45

v1.11 — API expansion: 5 → 15 endpoints + Bearer auth

Public API was narrow (careers-embed only). Now mobile clients, scripts and integrations have full self-service.

🔑 API Tokens

  • Generate in Profile → Security → API tokens → "Issue token"
  • Format: `hrms_<8-char-prefix>_<64-hex-raw>`
  • Stored only as bcrypt hash + visible prefix — even a compromised DB doesn't leak working tokens
  • One-time reveal: token shown ONCE on creation, then masked everywhere
  • Revoke any token anytime → all clients using it get 401 immediately
  • `last_used_at` tracked (rate-limited to 60s)
  • Optional `expires_at` per token

🆕 New endpoints

Public (no auth):

  • `GET /api/v1/departments` — for filter dropdowns
  • `GET /api/v1/positions`

Authenticated (Bearer):

  • `GET /api/v1/me` / `PATCH /api/v1/me` — profile, locale, time_zone, integrations
  • `GET /api/v1/me/leave_requests` / `POST` — list + create
  • `GET /api/v1/me/kpi` — assignments + evaluations
  • `GET /api/v1/me/documents` — paginated
  • `GET /api/v1/me/notifications` (?filter=unread)
  • `POST /api/v1/me/notifications/:id/read` / `POST .../read_all`

📖 Swagger UI updated

Open `/api-docs/` — all 15 endpoints listed with Bearer auth flow, request bodies, response schemas, error responses (401/404/422). Try-it-out enabled.

Examples

```bash
TOKEN="hrms_abc12345_$(generated)"
curl -H "Authorization: Bearer $TOKEN" /api/v1/me
curl -H "Authorization: Bearer $TOKEN" /api/v1/me/kpi

Request leave

curl -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json"
-d '{"leave_type_id":1,"started_on":"2026-08-01","ended_on":"2026-08-14"}'
/api/v1/me/leave_requests
```

Quality

  • 118 examples (was 93 in v1.10), 0 failures
  • Rubocop: 0 offenses
  • Brakeman: 0 warnings