{
  "adminApiEndpoints": [
    {
      "method": "POST",
      "path": "/api/admin/access-request",
      "summary": "Submit operator/platform access request for Super Admin review",
      "rbac": "any_admin",
      "rbacLabel": "Admin JWT (role=admin; no permission key)",
      "tags": [
        "admin",
        "access"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/access-request/:id/decision",
      "summary": "Approve or reject a pending access request",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin",
        "access"
      ]
    },
    {
      "method": "PUT",
      "path": "/api/admin/assign-role",
      "summary": "Assign adminRole by userId",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/audit-log",
      "summary": "List audit entries + actorEmail enrichment + action catalog (see getCatalog().auditTrail, auditTrail.actorEmail)",
      "rbac": "audit.read",
      "rbacLabel": "audit.read",
      "tags": [
        "audit"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/audit-log/export",
      "summary": "Export audit entries with same actorEmail rules as list (format=json|ndjson; see getCatalog().auditTrail.actorEmail)",
      "rbac": "audit.export",
      "rbacLabel": "audit.export",
      "tags": [
        "audit"
      ]
    },
    {
      "method": "DELETE",
      "path": "/api/admin/catalog-categories",
      "summary": "Delete overlay (?name=)",
      "rbac": "catalog.write",
      "rbacLabel": "catalog.write",
      "tags": [
        "catalog"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/catalog-categories",
      "summary": "Merged categories + overlay keys",
      "rbac": "catalog.read",
      "rbacLabel": "catalog.read",
      "tags": [
        "catalog"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/catalog-categories",
      "summary": "Upsert overlay category",
      "rbac": "catalog.write",
      "rbacLabel": "catalog.write",
      "tags": [
        "catalog"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/commission",
      "summary": "Commission settings",
      "rbac": "commission.read",
      "rbacLabel": "commission.read",
      "tags": [
        "commission"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/commission",
      "summary": "Update commission settings",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "commission"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/commission/category-rules",
      "summary": "Per-category rate overrides",
      "rbac": "commission.read",
      "rbacLabel": "commission.read",
      "tags": [
        "commission"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/commission/category-rules",
      "summary": "Upsert category rule",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "commission"
      ]
    },
    {
      "method": "DELETE",
      "path": "/api/admin/commission/category-rules/:category",
      "summary": "Remove category rule",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "commission"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/create",
      "summary": "Alias: create staff",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/customer-checkout-payments",
      "summary": "Sanitized payment method rows from storefront orders for one email (query parameters: email, optional limit)",
      "rbac": "orders.read",
      "rbacLabel": "orders.read",
      "tags": [
        "orders",
        "admin"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/dashboard",
      "summary": "Legacy dashboard JSON (prefer platform-overview; see getCatalog().dashboardOverview)",
      "rbac": "dashboard.read",
      "rbacLabel": "dashboard.read",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "PATCH",
      "path": "/api/admin/inventory/products/:id/stock",
      "summary": "Adjust stock by delta (tracked only) or absolute number, or send stock \"—\" for unlimited",
      "rbac": "inventory.adjust",
      "rbacLabel": "inventory.adjust",
      "tags": [
        "inventory"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/inventory/summary",
      "summary": "Stock KPIs + low-stock list (see getCatalog().stockManagement)",
      "rbac": "inventory.read",
      "rbacLabel": "inventory.read",
      "tags": [
        "inventory"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/list",
      "summary": "Alias: list admins",
      "rbac": "staff.read",
      "rbacLabel": "staff.read",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/notification-settings",
      "summary": "Admin notification toggles, announcements queue, flash sale",
      "rbac": "platform.read",
      "rbacLabel": "platform.read",
      "tags": [
        "admin",
        "notifications"
      ]
    },
    {
      "method": "PUT",
      "path": "/api/admin/notification-settings",
      "summary": "Update notification settings",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin",
        "notifications"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/notification-settings/clear-announcements",
      "summary": "Clear announcement rows and queued announcements only",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin",
        "notifications"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/notification-settings/clear-log",
      "summary": "Clear full admin notification log",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin",
        "notifications"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/notification-settings/clear-pending-approvals",
      "summary": "Clear only pending approval_request rows",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin",
        "notifications"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/notifications/announce",
      "summary": "Push custom in-app announcement to customers",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin",
        "notifications"
      ]
    },
    {
      "method": "PATCH",
      "path": "/api/admin/orders/:orderNumber/status",
      "summary": "Update fulfilment status",
      "rbac": "orders.write",
      "rbacLabel": "orders.write",
      "tags": [
        "orders"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/payment-methods",
      "summary": "All payment method configs",
      "rbac": "payments.read",
      "rbacLabel": "payments.read",
      "tags": [
        "payments"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/payment-methods",
      "summary": "Create method",
      "rbac": "payments.write",
      "rbacLabel": "payments.write",
      "tags": [
        "payments"
      ]
    },
    {
      "method": "DELETE",
      "path": "/api/admin/payment-methods/:id",
      "summary": "Delete method",
      "rbac": "payments.write",
      "rbacLabel": "payments.write",
      "tags": [
        "payments"
      ]
    },
    {
      "method": "PUT",
      "path": "/api/admin/payment-methods/:id",
      "summary": "Replace method",
      "rbac": "payments.write",
      "rbacLabel": "payments.write",
      "tags": [
        "payments"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/payment-methods/reset-catalog",
      "summary": "Reset to built-in catalogue",
      "rbac": "payments.write",
      "rbacLabel": "payments.write",
      "tags": [
        "payments"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/permissions/check",
      "summary": "Check whether the current admin JWT allows a given permission key (the endpoint itself needs no permission key; admin role required)",
      "rbac": "any_admin",
      "rbacLabel": "Admin JWT (role=admin; no permission key)",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/platform-overview",
      "summary": "Cross-cutting KPIs: orders, revenue, customers, stock, commission, etc. (Dashboard overview intro applies.)",
      "rbac": "platform.read",
      "rbacLabel": "platform.read",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "DELETE",
      "path": "/api/admin/revoke-role",
      "summary": "Suspend admin by userId",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/roles",
      "summary": "Role definitions, glossary, permission patterns, admin API matrix",
      "rbac": "roles.read",
      "rbacLabel": "roles.read",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/security/login-events",
      "summary": "Recent login attempts",
      "rbac": "security.read",
      "rbacLabel": "security.read",
      "tags": [
        "security"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/security/sessions",
      "summary": "Active sessions (PG)",
      "rbac": "security.read",
      "rbacLabel": "security.read",
      "tags": [
        "security"
      ]
    },
    {
      "method": "DELETE",
      "path": "/api/admin/security/sessions/:id",
      "summary": "Revoke session by jti/id",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "security"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/shop/restamp-products",
      "summary": "Apply current shop name/logo stamp to all products (Shop profile editor role).",
      "rbac": "shop_profile_editor",
      "rbacLabel": "shop_profile_editor · Super Admin or Operations Admin",
      "tags": [
        "admin",
        "geo"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/staff",
      "summary": "List admin users",
      "rbac": "staff.read",
      "rbacLabel": "staff.read",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/staff",
      "summary": "Create staff admin",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "DELETE",
      "path": "/api/admin/staff/:id",
      "summary": "Delete staff",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "PATCH",
      "path": "/api/admin/staff/:id",
      "summary": "Update staff (role, 2FA flag, status)",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/staff/:id/reset-password",
      "summary": "Set staff password",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/store-geo",
      "summary": "Store origin (label, lat, lng, updatedAt) for distance APIs; platform.read (Dashboard overview — Geo).",
      "rbac": "platform.read",
      "rbacLabel": "platform.read",
      "tags": [
        "admin",
        "geo"
      ]
    },
    {
      "method": "PUT",
      "path": "/api/admin/store-geo",
      "summary": "Set store latitude, longitude, label (Shop profile editor: Super Admin or Operations Admin).",
      "rbac": "shop_profile_editor",
      "rbacLabel": "shop_profile_editor · Super Admin or Operations Admin",
      "tags": [
        "admin",
        "geo"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/tax-settings",
      "summary": "VAT/tax shop settings",
      "rbac": "platform.read",
      "rbacLabel": "platform.read",
      "tags": [
        "admin",
        "tax"
      ]
    },
    {
      "method": "PUT",
      "path": "/api/admin/tax-settings",
      "summary": "Update tax settings (home country, VAT number, inclusive flag)",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin",
        "tax"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/vendors",
      "summary": "All vendors",
      "rbac": "vendors.read",
      "rbacLabel": "vendors.read",
      "tags": [
        "vendors"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/vendors",
      "summary": "Register vendor (optional businessTin)",
      "rbac": "vendors.write",
      "rbacLabel": "vendors.write",
      "tags": [
        "vendors"
      ]
    },
    {
      "method": "PATCH",
      "path": "/api/admin/vendors/:id",
      "summary": "Update vendor profile / TIN / taxVerified",
      "rbac": "vendors.write",
      "rbacLabel": "vendors.write",
      "tags": [
        "vendors"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/vendors/:id/approve",
      "summary": "Approve by path id",
      "rbac": "vendors.approve",
      "rbacLabel": "vendors.approve",
      "tags": [
        "vendors"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/vendors/:id/reject",
      "summary": "Reject by path id",
      "rbac": "vendors.approve",
      "rbacLabel": "vendors.approve",
      "tags": [
        "vendors"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/vendors/:id/suspend",
      "summary": "Suspend vendor",
      "rbac": "vendors.approve",
      "rbacLabel": "vendors.approve",
      "tags": [
        "vendors"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/wallet/:userId",
      "summary": "Admin wallet balance for userId (allowed for the user themselves, a Super Admin, or a holder of wallet.read; Dashboard overview — Wallet).",
      "rbac": "wallet.read",
      "rbacLabel": "wallet.read",
      "tags": [
        "admin",
        "wallet"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/wallet/:userId/transactions",
      "summary": "Wallet ledger for a staff admin userId; use a numeric :userId with wallet.read or Super Admin (Dashboard overview — Wallet activity).",
      "rbac": "wallet.read",
      "rbacLabel": "wallet.read",
      "tags": [
        "admin",
        "wallet"
      ]
    },
    {
      "method": "POST",
      "path": "/api/admin/wallet/adjust",
      "summary": "Super Admin — writes balance and a ledger row (body: userId, amountUSD, optional note; Dashboard overview — Adjust).",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "admin",
        "wallet"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/wallet/me",
      "summary": "Current admin USD wallet balance (Dashboard overview — Wallet: pair with …/wallet/me/transactions for ledger).",
      "rbac": "any_admin",
      "rbacLabel": "Admin JWT (role=admin; no permission key)",
      "tags": [
        "admin",
        "wallet"
      ]
    },
    {
      "method": "GET",
      "path": "/api/admin/wallet/me/transactions",
      "summary": "Wallet ledger for the current admin (Dashboard overview — Wallet activity).",
      "rbac": "any_admin",
      "rbacLabel": "Admin JWT (role=admin; no permission key)",
      "tags": [
        "admin",
        "wallet"
      ]
    },
    {
      "method": "POST",
      "path": "/api/auth/cancel",
      "summary": "Cancel own customer account",
      "rbac": "jwt",
      "rbacLabel": "JWT (any signed-in user)",
      "tags": [
        "auth"
      ]
    },
    {
      "method": "POST",
      "path": "/api/auth/logout",
      "summary": "Revoke current session (PG)",
      "rbac": "jwt",
      "rbacLabel": "JWT (any signed-in user)",
      "tags": [
        "auth"
      ]
    },
    {
      "method": "GET",
      "path": "/api/auth/me",
      "summary": "Current user",
      "rbac": "jwt",
      "rbacLabel": "JWT (any signed-in user)",
      "tags": [
        "auth"
      ]
    },
    {
      "method": "GET",
      "path": "/api/auth/orders",
      "summary": "Customer orders for the email in the caller's JWT (payment details redacted)",
      "rbac": "jwt",
      "rbacLabel": "JWT (any signed-in user)",
      "tags": [
        "auth"
      ]
    },
    {
      "method": "GET",
      "path": "/api/auth/orders/:orderNumber",
      "summary": "Single customer order if email matches",
      "rbac": "jwt",
      "rbacLabel": "JWT (any signed-in user)",
      "tags": [
        "auth"
      ]
    },
    {
      "method": "PATCH",
      "path": "/api/auth/profile",
      "summary": "Update profile (e.g. displayName)",
      "rbac": "jwt",
      "rbacLabel": "JWT (any signed-in user)",
      "tags": [
        "auth"
      ]
    },
    {
      "method": "POST",
      "path": "/api/commission/set-rate",
      "summary": "Update rate (legacy body)",
      "rbac": "super_admin",
      "rbacLabel": "Super Admin only (adminRole=super_admin)",
      "tags": [
        "commission"
      ]
    },
    {
      "method": "GET",
      "path": "/api/orders",
      "summary": "All orders (admin)",
      "rbac": "orders.read",
      "rbacLabel": "orders.read",
      "tags": [
        "orders"
      ]
    },
    {
      "method": "GET",
      "path": "/api/orders/:orderNumber",
      "summary": "Order detail",
      "rbac": "orders.read",
      "rbacLabel": "orders.read",
      "tags": [
        "orders"
      ]
    },
    {
      "method": "GET",
      "path": "/api/products",
      "summary": "Product list (any authenticated user)",
      "rbac": "jwt",
      "rbacLabel": "JWT (any signed-in user)",
      "tags": [
        "products"
      ]
    },
    {
      "method": "POST",
      "path": "/api/products",
      "summary": "Create product",
      "rbac": "products.write",
      "rbacLabel": "products.write",
      "tags": [
        "products"
      ]
    },
    {
      "method": "DELETE",
      "path": "/api/products/:id",
      "summary": "Delete product",
      "rbac": "products.delete",
      "rbacLabel": "products.delete",
      "tags": [
        "products"
      ]
    },
    {
      "method": "GET",
      "path": "/api/products/:id",
      "summary": "Product by id",
      "rbac": "jwt",
      "rbacLabel": "JWT (any signed-in user)",
      "tags": [
        "products"
      ]
    },
    {
      "method": "PATCH",
      "path": "/api/products/:id",
      "summary": "Patch product",
      "rbac": "products.write",
      "rbacLabel": "products.write",
      "tags": [
        "products"
      ]
    },
    {
      "method": "PUT",
      "path": "/api/products/:id",
      "summary": "Replace product",
      "rbac": "products.write",
      "rbacLabel": "products.write",
      "tags": [
        "products"
      ]
    },
    {
      "method": "GET",
      "path": "/api/products/stats",
      "summary": "Aggregate product stats",
      "rbac": "jwt",
      "rbacLabel": "JWT (any signed-in user)",
      "tags": [
        "products"
      ]
    },
    {
      "method": "POST",
      "path": "/api/vendor/approve",
      "summary": "Approve vendor (body vendorId)",
      "rbac": "vendors.approve",
      "rbacLabel": "vendors.approve",
      "tags": [
        "vendors"
      ]
    },
    {
      "method": "GET",
      "path": "/api/vendor/pending-verification",
      "summary": "Pending KYC vendors",
      "rbac": "vendors.read",
      "rbacLabel": "vendors.read",
      "tags": [
        "vendors"
      ]
    },
    {
      "method": "POST",
      "path": "/api/vendor/reject",
      "summary": "Reject vendor",
      "rbac": "vendors.approve",
      "rbacLabel": "vendors.approve",
      "tags": [
        "vendors"
      ]
    }
  ],
  "rbacLegend": {
    "jwt": "JWT (any signed-in user)",
    "any_admin": "Admin JWT (role=admin; no permission key)",
    "super_admin": "Super Admin only (adminRole=super_admin)",
    "shop_profile_editor": "shop_profile_editor · Super Admin or Operations Admin"
  }
}