Skip to main content

REST API Overview

The OKT REST API is mounted at /api/v1 and uses the Chi router. All routes are registered in backend/internal/api/wiring.go.

Base URL

http://localhost:8080/api/v1

Authentication

Two auth mechanisms are supported:

JWT (session)

For browser/frontend sessions. Obtain a token via POST /auth/login, then pass it as Authorization: Bearer <token> on every request. Refresh via POST /auth/refresh.

See Auth for the session endpoints.

OAuth 2.1 (MCP / programmatic)

For agents and programmatic clients. The server implements OAuth 2.1 with PKCE. Access tokens are HS256 JWTs signed with cfg.Auth.JWTSecret; refresh tokens are opaque + hashed at rest in okt_system.oauth_refresh_tokens.

Register a client via POST /oauth/register, then follow the authorize/token flow. See Auth > OAuth.

Repository scoping

Repository-scoped routes live under /{repoID} and require the X-Repository-ID header (or the URL's repoID path param). A repo-scoped query reads the per-repo pool from appmw.PoolFromContext(ctx) (set by appmw.WithRepoQueries, registered in the /{repoID} route group). System-side routes use Deps.Store directly (the default pool).

Authorization

RBAC is enforced via Casbin. Most routes are wrapped with h.perm(resource, action, handler) or h.repoPerm(resource, action, handler), which run AuthRequired then RequirePermission. A user's permissions come from their roles (group assignments) in the system and repository domains. See Architecture > RBAC.

Response format

All responses are JSON. Errors use {"error": "message"}. Success responses return the resource object or an array directly (no envelope).

Rate limiting

Not currently implemented.

Common headers

HeaderRequiredDescription
Authorizationyes (most routes)Bearer <jwt> or OAuth access token
X-Repository-IDsystem routesRepository UUID or slug (for routes not under /{repoID})
Content-TypePOST/PUTapplication/json (or multipart/form-data for uploads)