API Conventions
Last reviewed: 2026-06-13
Maintained by: Engineering
The ZGRID API is the shared operating layer behind every product surface. These conventions keep managers, residents, technicians, and platform administrators on one consistent server contract.
Current conventions
- input validation is handled close to the route layer
- business rules live in feature services
- role, tenant, and organization scope checks must be enforced by the API
- shared client contracts should stay aligned with
packages/api-client
Auth Transports
ZGRID supports more than one client shape, but not more than one security model.
- browser-oriented web flows support cookie-based auth for login and refresh
- mobile and API-style clients use bearer-token auth
- both transport modes rely on the same API-enforced auth, scope, and business rules
- docs should describe transport expectations at a high level rather than as replay/bypass instructions
Request-Origin Hardening
Browser-style authenticated flows get additional origin protection because ZGRID serves both internal web workspaces and mobile/API clients.
- unsafe cookie-auth requests are protected by request-origin checks against configured web origins
- this protection is aimed at browser-style authenticated flows, not bearer-token API clients
- docs should describe this as origin/referer hardening without detailing abuse-oriented edge cases
Rate Limiting
Rate limiting is part of the platform protection layer, not a product feature.
- write-sensitive and abuse-prone route groups use route-level rate limiting
- the default store is in-process memory for local/dev/test work
- hosted multi-instance environments can use a shared Redis-backed store
- docs should explain rate limiting as a protective control and avoid publishing exact abuse-tuning thresholds
Upload Validation
Attachment flows in ZGRID are designed around trust reduction, not filename trust.
- upload flows validate actual file signatures, not only MIME types or filename extensions
- supported attachment paths can use signed object-storage upload/download flows where storage is configured
- docs should focus on allowed file classes and validation intent, not low-level exploit-relevant mechanics
Webhook Conventions
External billing and delivery providers plug into the same principle: isolate the integration and verify inputs before processing them.
- webhook endpoints are isolated from standard JSON parsing where raw-body signature verification is required
- provider-specific webhook processing stays in dedicated integration services
- docs should explain provider purpose, verification at a high level, and operational dependencies without exposing secrets
Key source areas
- routes:
apps/api/src/routes - feature services:
apps/api/src/features - typed client contracts:
packages/api-client/src/index.ts - environment validation:
apps/api/src/config/env.ts