API Categories

OpenAPI Explorer

Auto-generated OpenAPI definition for all enabled modules.

Default server: https://mercato-pr-97.tournee.io

Authentication & Accounts

Showing 20 of 29 endpoints

GET/auth/admin/nav

Auth required

Resolve backend chrome bootstrap payload

Returns the backend chrome payload available to the authenticated administrator after applying scope, RBAC, role defaults, and personal sidebar preferences.

Responses

200Backend chrome payload

Content-Type: application/json

{
  "groups": [
    {
      "name": "string",
      "items": [
        {
          "href": "string",
          "title": "string"
        }
      ]
    }
  ],
  "settingsSections": [
    {
      "id": "string",
      "label": "string",
      "items": [
        {
          "id": "string",
          "label": "string",
          "href": "string"
        }
      ]
    }
  ],
  "settingsPathPrefixes": [
    "string"
  ],
  "profileSections": [
    {
      "id": "string",
      "label": "string",
      "items": [
        {
          "id": "string",
          "label": "string",
          "href": "string"
        }
      ]
    }
  ],
  "profilePathPrefixes": [
    "string"
  ],
  "grantedFeatures": [
    "string"
  ],
  "roles": [
    "string"
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/auth/admin/nav" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/auth/feature-check

Auth required

Check feature grants for the current user

Evaluates which of the requested features are available to the signed-in user within the active tenant / organization context.

Request body (application/json)

{
  "features": [
    "string"
  ]
}

Responses

200Evaluation result

Content-Type: application/json

{
  "ok": true,
  "granted": [
    "string"
  ],
  "userId": "string"
}

400Invalid request — features array missing, too large, or contains invalid entries

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/auth/feature-check" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"features\": [
    \"string\"
  ]
}"

GET/auth/features

Auth requiredauth.acl.manage

List declared feature flags

Returns all static features contributed by the enabled modules along with their module source. Requires features: auth.acl.manage

Responses

200Aggregated feature catalog

Content-Type: application/json

{
  "items": [
    {
      "id": "string",
      "title": "string",
      "module": "string"
    }
  ],
  "modules": [
    {
      "id": "string",
      "title": "string"
    }
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/auth/features" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/auth/locale

GET /auth/locale

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/auth/locale" \
  -H "Accept: application/json"

POST/auth/locale

POST /auth/locale

Responses

201Success response

Content-Type: application/json

"string"

Example

curl -X POST "https://mercato-pr-97.tournee.io/auth/locale" \
  -H "Accept: application/json"

POST/auth/login

Authenticate user credentials

Validates the submitted credentials and issues a bearer token cookie for subsequent API calls.

Request body (application/x-www-form-urlencoded)

email=user%40example.com&password=string

Responses

200Authentication succeeded

Content-Type: application/json

{
  "ok": true,
  "token": "string",
  "redirect": null
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Invalid credentials

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403User lacks required role

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

429Too many login attempts

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/auth/login" \
  -H "Accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "email=user%40example.com&password=string"

GET/auth/logout

Auth required

Log out (legacy GET)

For convenience, the GET variant performs the same logout logic as POST and issues a redirect.

Responses

200Success response

Content-Type: application/json

"string"

302Redirect to login after successful logout

Content-Type: text/html

string

Example

curl -X GET "https://mercato-pr-97.tournee.io/auth/logout" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/auth/logout

Auth required

Invalidate session and redirect

Clears authentication cookies and redirects the browser to the login page.

Responses

201Success response

Content-Type: application/json

"string"

302Redirect to login after successful logout

Content-Type: text/html

string

Example

curl -X POST "https://mercato-pr-97.tournee.io/auth/logout" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/auth/profile

Auth required

Get current profile

Returns the email address for the signed-in user.

Responses

200Profile payload

Content-Type: application/json

{
  "email": "user@example.com",
  "roles": [
    "string"
  ]
}

404User not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/auth/profile" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/auth/profile

Auth required

Update current profile

Updates the email address or password for the signed-in user.

Request body (application/json)

{}

Responses

200Profile updated

Content-Type: application/json

{
  "ok": true,
  "email": "user@example.com"
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/auth/profile" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{}"

POST/auth/reset

Send reset email

Requests a password reset email for the given account. The endpoint always returns `ok: true` to avoid leaking account existence.

Request body (application/x-www-form-urlencoded)

email=user%40example.com

Responses

200Reset email dispatched (or ignored for unknown accounts)

Content-Type: application/json

{
  "ok": true
}

400Invalid request origin

Content-Type: application/json

{
  "error": "string"
}

429Too many password reset requests

Content-Type: application/json

{
  "error": "string"
}

500Password reset email origin is not configured

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/auth/reset" \
  -H "Accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "email=user%40example.com"

POST/auth/reset/confirm

Complete password reset

Validates the reset token and updates the user password.

Request body (application/x-www-form-urlencoded)

token=string&password=string

Responses

200Password reset succeeded

Content-Type: application/json

{
  "ok": true,
  "redirect": "string"
}

400Invalid token or payload

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

429Too many reset confirmation attempts

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/auth/reset/confirm" \
  -H "Accept: application/json" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "token=string&password=string"

GET/auth/roles

Auth requiredauth.roles.list

List roles

Returns available roles within the current tenant. Super administrators receive visibility across tenants. Requires features: auth.roles.list

Parameters

Name	In	Required	Schema	Description
id	query	No	any	—
page	query	No	any	—
pageSize	query	No	any	—
search	query	No	any	—
tenantId	query	No	any	—

Responses

200Role collection

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "name": "string",
      "usersCount": 1,
      "tenantId": null,
      "tenantName": null
    }
  ],
  "total": 1,
  "totalPages": 1
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/auth/roles?page=1&pageSize=50" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/auth/roles

Auth requiredauth.roles.manage

Create role

Creates a new role for the current tenant or globally when `tenantId` is omitted. Requires features: auth.roles.manage

Request body (application/json)

{
  "name": "string"
}

Responses

201Role created

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000"
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/auth/roles" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"name\": \"string\"
}"

PUT/auth/roles

Auth requiredauth.roles.manage

Update role

Updates mutable fields on an existing role. Requires features: auth.roles.manage

Request body (application/json)

{
  "id": "00000000-0000-4000-8000-000000000000"
}

Responses

200Role updated

Content-Type: application/json

{
  "ok": true
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

404Role not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/auth/roles" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"id\": \"00000000-0000-4000-8000-000000000000\"
}"

DELETE/auth/roles

Auth requiredauth.roles.manage

Delete role

Deletes a role by identifier. Fails when users remain assigned. Requires features: auth.roles.manage

Parameters

Name	In	Required	Schema	Description
id	query	Yes	any	Role identifier

Responses

200Role deleted

Content-Type: application/json

{
  "ok": true
}

400Role cannot be deleted

Content-Type: application/json

{
  "error": "string"
}

404Role not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/auth/roles?id=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/auth/roles/acl

Auth requiredauth.acl.manage

Fetch role ACL

Returns the feature and organization assignments associated with a role within the current tenant. Requires features: auth.acl.manage

Parameters

Name	In	Required	Schema	Description
roleId	query	Yes	any	—
tenantId	query	No	any	—

Responses

200Role ACL entry

Content-Type: application/json

{
  "isSuperAdmin": true,
  "features": [
    "string"
  ],
  "organizations": null
}

400Invalid role id

Content-Type: application/json

{
  "error": "string"
}

404Role not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/auth/roles/acl?roleId=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/auth/roles/acl

Auth requiredauth.acl.manage

Update role ACL

Replaces the feature list, super admin flag, and optional organization assignments for a role. Requires features: auth.acl.manage

Request body (application/json)

{
  "roleId": "00000000-0000-4000-8000-000000000000",
  "organizations": null
}

Responses

200Role ACL updated

Content-Type: application/json

{
  "ok": true,
  "sanitized": true
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

404Role not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/auth/roles/acl" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"roleId\": \"00000000-0000-4000-8000-000000000000\",
  \"organizations\": null
}"

GET/auth/session/refresh

Refresh auth cookie from session token (browser)

Exchanges an existing `session_token` cookie for a fresh JWT auth cookie and redirects the browser.

Parameters

Name	In	Required	Schema	Description
redirect	query	No	any	Absolute or relative URL to redirect after refresh

Responses

200Success response

Content-Type: application/json

"string"

302Redirect to target location when session is valid

Content-Type: text/html

string

Example

curl -X GET "https://mercato-pr-97.tournee.io/auth/session/refresh" \
  -H "Accept: application/json"

POST/auth/session/refresh

Refresh access token (API/mobile)

Exchanges a refresh token for a new JWT access token. Pass the refresh token obtained from login in the request body.

Request body (application/json)

{
  "refreshToken": "string"
}

Responses

200New access token issued

Content-Type: application/json

{
  "ok": true,
  "accessToken": "string",
  "expiresIn": 1
}

400Missing refresh token

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Invalid or expired token

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

429Too many refresh attempts

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/auth/session/refresh" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"refreshToken\": \"string\"
}"

Directory (Tenants & Organizations)

Showing 2 of 2 endpoints

GET/directory/organizations/lookup

Public organization lookup by slug

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/directory/organizations/lookup" \
  -H "Accept: application/json"

GET/directory/tenants/lookup

Public tenant lookup

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/directory/tenants/lookup" \
  -H "Accept: application/json"

Events

Showing 2 of 2 endpoints

GET/events

Auth required

List declared events

Returns every declared event. Filters: category, module, excludeTriggerExcluded (default true).

Responses

200Declared events

Content-Type: application/json

{
  "data": [
    {
      "id": "string",
      "label": "string"
    }
  ],
  "total": 1
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/events" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/events/stream

Auth required

GET /events/stream

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/events/stream" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Scheduler

Showing 8 of 8 endpoints

GET/scheduler/jobs

Auth requiredscheduler.jobs.view

List scheduledjobs

Returns a paginated collection of scheduledjobs scoped to the authenticated organization. Requires features: scheduler.jobs.view

Parameters

Name	In	Required	Schema	Description
page	query	No	any	—
pageSize	query	No	any	—
id	query	No	any	—
search	query	No	any	—
scopeType	query	No	any	—
isEnabled	query	Yes	any	—
sourceType	query	No	any	—
sourceModule	query	No	any	—
sort	query	No	any	—
order	query	No	any	—
ids	query	No	any	Comma-separated list of record UUIDs to filter by (max 200).

Responses

200Paginated scheduledjobs

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "name": "string",
      "description": null,
      "scopeType": "system",
      "organizationId": null,
      "tenantId": null,
      "scheduleType": "cron",
      "scheduleValue": "string",
      "timezone": "string",
      "targetType": "queue",
      "targetQueue": null,
      "targetCommand": null,
      "targetPayload": null,
      "requireFeature": null,
      "isEnabled": true,
      "lastRunAt": null,
      "nextRunAt": null,
      "sourceType": "user",
      "sourceModule": null,
      "createdAt": "string",
      "updatedAt": "string"
    }
  ],
  "total": 1,
  "totalPages": 1
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/scheduler/jobs?page=1&pageSize=20" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/scheduler/jobs

Auth requiredscheduler.jobs.manage

Create scheduledjob

Creates a new scheduled job with cron or interval-based scheduling. Requires features: scheduler.jobs.manage

Request body (application/json)

{
  "name": "string",
  "description": null,
  "scopeType": "system",
  "organizationId": null,
  "tenantId": null,
  "scheduleType": "cron",
  "scheduleValue": "string",
  "timezone": "UTC",
  "targetType": "queue",
  "targetQueue": null,
  "targetCommand": null,
  "targetPayload": null,
  "requireFeature": null,
  "isEnabled": true,
  "sourceType": "user",
  "sourceModule": null
}

Responses

201ScheduledJob created

Content-Type: application/json

{
  "id": null
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/scheduler/jobs" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"name\": \"string\",
  \"description\": null,
  \"scopeType\": \"system\",
  \"organizationId\": null,
  \"tenantId\": null,
  \"scheduleType\": \"cron\",
  \"scheduleValue\": \"string\",
  \"timezone\": \"UTC\",
  \"targetType\": \"queue\",
  \"targetQueue\": null,
  \"targetCommand\": null,
  \"targetPayload\": null,
  \"requireFeature\": null,
  \"isEnabled\": true,
  \"sourceType\": \"user\",
  \"sourceModule\": null
}"

PUT/scheduler/jobs

Auth requiredscheduler.jobs.manage

Update scheduledjob

Updates an existing scheduled job by ID. Requires features: scheduler.jobs.manage

Request body (application/json)

{
  "id": "string",
  "description": null,
  "targetQueue": null,
  "targetCommand": null,
  "targetPayload": null,
  "requireFeature": null
}

Responses

200ScheduledJob updated

Content-Type: application/json

{
  "ok": true
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/scheduler/jobs" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"id\": \"string\",
  \"description\": null,
  \"targetQueue\": null,
  \"targetCommand\": null,
  \"targetPayload\": null,
  \"requireFeature\": null
}"

DELETE/scheduler/jobs

Auth requiredscheduler.jobs.manage

Delete scheduledjob

Deletes a scheduled job by ID. Requires features: scheduler.jobs.manage

Request body (application/json)

{
  "id": "string"
}

Responses

200ScheduledJob deleted

Content-Type: application/json

{
  "ok": true
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/scheduler/jobs" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"id\": \"string\"
}"

GET/scheduler/jobs/{id}/executions

Get execution history for a schedule

Fetch recent executions from BullMQ for a scheduled job. Requires QUEUE_STRATEGY=async.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—
pageSize	query	No	any	—

Responses

200Execution history

Content-Type: application/json

{
  "items": [
    {
      "id": "string",
      "scheduleId": "00000000-0000-4000-8000-000000000000",
      "startedAt": "string",
      "finishedAt": null,
      "status": "running",
      "triggerType": "scheduled",
      "triggeredByUserId": null,
      "errorMessage": null,
      "errorStack": null,
      "durationMs": null,
      "queueJobId": "string",
      "queueName": "string",
      "attemptsMade": 1,
      "result": null
    }
  ],
  "total": 1,
  "page": 1,
  "pageSize": 1
}

400Local strategy not supported

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Access denied

Content-Type: application/json

{
  "error": "string"
}

404Schedule not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/scheduler/jobs/:id/executions?pageSize=20" \
  -H "Accept: application/json"

GET/scheduler/queue-jobs/{jobId}

Get BullMQ job details and logs

Fetch detailed information and logs for a queue job. Requires QUEUE_STRATEGY=async.

Parameters

Name	In	Required	Schema	Description
jobId	path	Yes	any	—
queue	query	Yes	any	—

Responses

200Job details and logs

Content-Type: application/json

{
  "id": "string",
  "name": "string",
  "state": "waiting",
  "progress": null,
  "returnvalue": null,
  "failedReason": null,
  "stacktrace": null,
  "attemptsMade": 1,
  "processedOn": null,
  "finishedOn": null,
  "logs": [
    "string"
  ]
}

400Invalid request or local strategy not supported

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Access denied

Content-Type: application/json

{
  "error": "string"
}

404Job not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/scheduler/queue-jobs/:jobId?queue=string" \
  -H "Accept: application/json"

GET/scheduler/targets

List available queues and commands

Returns all registered queue names (from module workers) and command IDs (from the command registry) that can be used as schedule targets.

Responses

200Available targets

Content-Type: application/json

{
  "queues": [
    {
      "value": "string",
      "label": "string"
    }
  ],
  "commands": [
    {
      "value": "string",
      "label": "string"
    }
  ]
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/scheduler/targets" \
  -H "Accept: application/json"

POST/scheduler/trigger

Manually trigger a schedule

Executes a scheduled job immediately, bypassing the scheduled time. Only works with async queue strategy.

Request body (application/json)

{
  "id": "string"
}

Responses

200Schedule triggered successfully

Content-Type: application/json

{
  "ok": true,
  "jobId": "string",
  "message": "string"
}

400Invalid request or local strategy not supported

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Access denied

Content-Type: application/json

{
  "error": "string"
}

404Schedule not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/scheduler/trigger" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"id\": \"string\"
}"

Search

Showing 15 of 15 endpoints

GET/search/embeddings

Auth requiredsearch.embeddings.view

Get embeddings configuration

Returns current embedding provider and model configuration. Requires features: search.embeddings.view

Responses

200Embeddings settings

Content-Type: application/json

{
  "settings": {
    "openaiConfigured": true,
    "autoIndexingEnabled": true,
    "autoIndexingLocked": true,
    "lockReason": null,
    "embeddingConfig": null,
    "configuredProviders": [
      "openai"
    ],
    "indexedDimension": null,
    "reindexRequired": true,
    "documentCount": null
  }
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/search/embeddings" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/search/embeddings

Auth requiredsearch.embeddings.manage

Update embeddings configuration

Updates the embedding provider and model settings. Requires features: search.embeddings.manage

Request body (application/json)

{}

Responses

200Updated settings

Content-Type: application/json

{
  "settings": {
    "openaiConfigured": true,
    "autoIndexingEnabled": true,
    "autoIndexingLocked": true,
    "lockReason": null,
    "embeddingConfig": null,
    "configuredProviders": [
      "openai"
    ],
    "indexedDimension": null,
    "reindexRequired": true,
    "documentCount": null
  }
}

400Invalid request

Content-Type: application/json

{
  "error": "string"
}

409Auto-indexing disabled via environment

Content-Type: application/json

{
  "error": "string"
}

500Update failed

Content-Type: application/json

{
  "error": "string"
}

503Configuration service unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/search/embeddings" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{}"

POST/search/embeddings/reindex

Auth requiredsearch.embeddings.manage

Trigger vector reindex

Starts a vector embedding reindex operation. Requires features: search.embeddings.manage

Request body (application/json)

{}

Responses

200Reindex result

Content-Type: application/json

{
  "ok": true
}

409Reindex already in progress

Content-Type: application/json

{
  "error": "string",
  "lock": {
    "type": "fulltext",
    "action": "string",
    "startedAt": "string",
    "elapsedMinutes": 1,
    "processedCount": null,
    "totalCount": null
  }
}

500Reindex failed

Content-Type: application/json

{
  "error": "string"
}

503Search indexer unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/search/embeddings/reindex" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{}"

POST/search/embeddings/reindex/cancel

Auth requiredsearch.embeddings.manage

Cancel vector reindex

Cancels an in-progress vector reindex operation. Requires features: search.embeddings.manage

Responses

200Cancel result

Content-Type: application/json

{
  "ok": true,
  "jobsRemoved": 1
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/search/embeddings/reindex/cancel" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/search/index

Auth requiredsearch.view

List vector index entries

Returns paginated list of entries in the vector search index. Requires features: search.view

Parameters

Name	In	Required	Schema	Description
entityId	query	No	any	Filter by entity ID (e.g., "customers:customer_person_profile", "catalog:catalog_product")
limit	query	No	any	Maximum entries to return (default: 50, max: 200)
offset	query	No	any	Offset for pagination (default: 0)

Responses

200Index entries

Content-Type: application/json

{
  "entries": [
    {
      "id": "string",
      "entityId": "string",
      "recordId": "string",
      "tenantId": "string",
      "organizationId": null
    }
  ],
  "limit": 1,
  "offset": 1
}

500Failed to fetch index

Content-Type: application/json

{
  "error": "string"
}

503Vector strategy unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/search/index" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

DELETE/search/index

Auth requiredsearch.embeddings.manage

Purge vector index

Purges entries from the vector search index. Requires confirmAll=true when purging all entities. Requires features: search.embeddings.manage

Parameters

Name	In	Required	Schema	Description
entityId	query	No	any	Specific entity ID to purge (e.g., "customers:customer_person_profile", "catalog:catalog_product")
confirmAll	query	No	any	Required when purging all entities

Responses

200Purge result

Content-Type: application/json

{
  "ok": true
}

400Missing confirmAll parameter

Content-Type: application/json

{
  "error": "string"
}

500Purge failed

Content-Type: application/json

{
  "error": "string"
}

503Search indexer unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/search/index" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/search/reindex

Auth requiredsearch.reindex

Trigger fulltext reindex

Starts a fulltext (Meilisearch) reindex operation. Can clear, recreate, or fully reindex. Requires features: search.reindex

Request body (application/json)

{}

Responses

200Reindex result

Content-Type: application/json

{
  "ok": true,
  "action": "clear",
  "entityId": null
}

409Reindex already in progress

Content-Type: application/json

{
  "error": "string",
  "lock": {
    "type": "fulltext",
    "action": "string",
    "startedAt": "string",
    "elapsedMinutes": 1,
    "processedCount": null,
    "totalCount": null
  }
}

500Reindex failed

Content-Type: application/json

{
  "error": "string"
}

503Search service unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/search/reindex" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{}"

POST/search/reindex/cancel

Auth requiredsearch.reindex

Cancel fulltext reindex

Cancels an in-progress fulltext reindex operation. Requires features: search.reindex

Responses

200Cancel result

Content-Type: application/json

{
  "ok": true,
  "jobsRemoved": 1
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/search/reindex/cancel" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/search/search

Auth requiredsearch.view

Search across all indexed entities

Performs a search using configured strategies (fulltext, vector, tokens). Use for search playground. Requires features: search.view

Parameters

Name	In	Required	Schema	Description
q	query	Yes	any	Search query (required)
limit	query	No	any	Maximum results to return (default: 50, max: 100)
strategies	query	No	any	Comma-separated strategies to use: fulltext, vector, tokens (e.g., "fulltext,vector")
entityTypes	query	No	any	Comma-separated entity types to filter results (e.g., "customers:customer_person_profile,catalog:catalog_product,sales:sales_order")

Responses

200Search results

Content-Type: application/json

{
  "results": [
    {
      "entityId": "string",
      "recordId": "string",
      "score": 1,
      "source": "fulltext"
    }
  ],
  "strategiesUsed": [
    "fulltext"
  ],
  "timing": 1,
  "query": "string",
  "limit": 1
}

400Missing query parameter

Content-Type: application/json

{
  "error": "string"
}

500Search failed

Content-Type: application/json

{
  "error": "string"
}

503Search service unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/search/search?q=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/search/search/global

Auth requiredsearch.view

Global search (Cmd+K)

Performs a global search using saved tenant strategies. Does NOT accept strategies from URL. Requires features: search.view

Parameters

Name	In	Required	Schema	Description
q	query	Yes	any	Search query (required)
limit	query	No	any	Maximum results to return (default: 50, max: 100)
entityTypes	query	No	any	Comma-separated entity types to filter results (e.g., "customers:customer_person_profile,catalog:catalog_product,sales:sales_order")

Responses

200Search results

Content-Type: application/json

{
  "results": [
    {
      "entityId": "string",
      "recordId": "string",
      "score": 1,
      "source": "fulltext"
    }
  ],
  "strategiesUsed": [
    "fulltext"
  ],
  "strategiesEnabled": [
    "fulltext"
  ],
  "timing": 1,
  "query": "string",
  "limit": 1
}

400Missing query parameter

Content-Type: application/json

{
  "error": "string"
}

500Search failed

Content-Type: application/json

{
  "error": "string"
}

503Search service unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/search/search/global?q=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/search/settings

Auth requiredsearch.view

Get search settings and status

Returns search module configuration, available strategies, and reindex lock status. Requires features: search.view

Responses

200Search settings

Content-Type: application/json

{
  "settings": {
    "strategies": [
      {
        "id": "string",
        "name": "string",
        "priority": 1,
        "available": true
      }
    ],
    "fulltextConfigured": true,
    "fulltextStats": null,
    "vectorConfigured": true,
    "tokensEnabled": true,
    "defaultStrategies": [
      "string"
    ],
    "reindexLock": null,
    "fulltextReindexLock": null,
    "vectorReindexLock": null
  }
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/search/settings" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/search/settings/fulltext

Auth requiredsearch.view

Get fulltext search configuration

Returns Meilisearch configuration status and index statistics. Requires features: search.view

Responses

200Fulltext settings

Content-Type: application/json

{
  "driver": null,
  "configured": true,
  "envVars": {
    "MEILISEARCH_HOST": {
      "set": true,
      "hint": "string"
    },
    "MEILISEARCH_API_KEY": {
      "set": true,
      "hint": "string"
    }
  },
  "optionalEnvVars": {
    "MEILISEARCH_INDEX_PREFIX": {
      "set": true,
      "hint": "string"
    },
    "SEARCH_EXCLUDE_ENCRYPTED_FIELDS": {
      "set": true,
      "hint": "string"
    }
  }
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/search/settings/fulltext" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/search/settings/global-search

Auth requiredsearch.view

Get global search strategies

Returns the enabled strategies for Cmd+K global search. Requires features: search.view

Responses

200Global search settings

Content-Type: application/json

{
  "enabledStrategies": [
    "fulltext"
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/search/settings/global-search" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/search/settings/global-search

Auth requiredsearch.manage

Update global search strategies

Sets which strategies are enabled for Cmd+K global search. Requires features: search.manage

Request body (application/json)

{
  "enabledStrategies": [
    "fulltext"
  ]
}

Responses

200Updated settings

Content-Type: application/json

{
  "ok": true,
  "enabledStrategies": [
    "fulltext"
  ]
}

400Invalid request

Content-Type: application/json

{
  "error": "string"
}

500Internal error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/search/settings/global-search" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"enabledStrategies\": [
    \"fulltext\"
  ]
}"

GET/search/settings/vector-store

Auth requiredsearch.view

Get vector store configuration

Returns vector store configuration status. Requires features: search.view

Responses

200Vector store settings

Content-Type: application/json

{
  "currentDriver": "pgvector",
  "configured": true,
  "drivers": [
    {
      "id": "pgvector",
      "name": "string",
      "configured": true,
      "implemented": true,
      "envVars": [
        {
          "name": "string",
          "set": true,
          "hint": "string"
        }
      ]
    }
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/search/settings/vector-store" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Audit & Action Logs

Showing 4 of 4 endpoints

GET/audit_logs/audit-logs/access

Auth requiredaudit_logs.view_self

Retrieve access logs

Fetches paginated access audit logs scoped to the authenticated user. Tenant administrators can optionally expand the search to other actors or organizations. Requires features: audit_logs.view_self

Parameters

Name	In	Required	Schema	Description
organizationId	query	No	any	Limit results to a specific organization
actorUserId	query	No	any	Filter by actor user id (tenant administrators only)
resourceKind	query	No	any	Restrict to a resource kind such as `order` or `product`
accessType	query	No	any	Access type filter, e.g. `read` or `export`
page	query	No	any	Page number (default 1)
pageSize	query	No	any	Page size (default 50)
limit	query	No	any	Explicit maximum number of records when paginating manually
before	query	No	any	Return logs created before this ISO-8601 timestamp
after	query	No	any	Return logs created after this ISO-8601 timestamp

Responses

200Access logs returned successfully

Content-Type: application/json

{
  "items": [
    {
      "id": "string",
      "resourceKind": "string",
      "resourceId": "string",
      "accessType": "string",
      "actorUserId": null,
      "actorUserName": null,
      "tenantId": null,
      "tenantName": null,
      "organizationId": null,
      "organizationName": null,
      "fields": [
        "string"
      ],
      "context": null,
      "createdAt": "string"
    }
  ],
  "canViewTenant": true,
  "page": 1,
  "pageSize": 1,
  "total": 1,
  "totalPages": 1
}

400Invalid filters supplied

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/audit_logs/audit-logs/access" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/audit_logs/audit-logs/actions

Auth requiredaudit_logs.view_self

Fetch action logs

Returns recent action audit log entries. Tenant administrators can widen the scope to other actors or organizations, and callers can optionally restrict results to undoable actions. Requires features: audit_logs.view_self

Parameters

Name	In	Required	Schema	Description
organizationId	query	No	any	Limit results to a specific organization
actorUserId	query	No	any	Filter logs created by a specific actor (tenant administrators only)
resourceKind	query	No	any	Filter by resource kind (e.g., "order", "product")
resourceId	query	No	any	Filter by resource ID (UUID of the specific record)
includeRelated	query	No	any	When `true`, also returns changes to child entities linked via parentResourceKind/parentResourceId
undoableOnly	query	No	any	When `true`, only undoable actions are returned
limit	query	No	any	Maximum number of records to return (default 50)
page	query	No	any	Page number (default 1)
pageSize	query	No	any	Page size (default 50, max 200)
before	query	No	any	Return actions created before this ISO-8601 timestamp
after	query	No	any	Return actions created after this ISO-8601 timestamp

Responses

200Action logs retrieved successfully

Content-Type: application/json

{
  "items": [
    {
      "id": "string",
      "commandId": "string",
      "actionLabel": null,
      "executionState": "done",
      "actorUserId": null,
      "actorUserName": null,
      "tenantId": null,
      "tenantName": null,
      "organizationId": null,
      "organizationName": null,
      "resourceKind": null,
      "resourceId": null,
      "parentResourceKind": null,
      "parentResourceId": null,
      "undoToken": null,
      "createdAt": "string",
      "updatedAt": "string",
      "snapshotBefore": null,
      "snapshotAfter": null,
      "changes": null,
      "context": null
    }
  ],
  "canViewTenant": true,
  "page": 1,
  "pageSize": 1,
  "total": 1,
  "totalPages": 1
}

400Invalid filter values

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/audit_logs/audit-logs/actions?includeRelated=false&undoableOnly=false" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/audit_logs/audit-logs/actions/redo

Auth requiredaudit_logs.redo_self

Redo by action log id

Redoes the latest undone command owned by the caller. Requires the action to still be eligible for redo within tenant and organization scope. Requires features: audit_logs.redo_self

Request body (application/json)

{
  "logId": "string"
}

Responses

200Redo executed successfully

Content-Type: application/json

{
  "ok": true,
  "logId": null,
  "undoToken": null
}

400Log not eligible for redo

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/audit_logs/audit-logs/actions/redo" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"logId\": \"string\"
}"

POST/audit_logs/audit-logs/actions/undo

Auth requiredaudit_logs.undo_self

Undo action by token

Replays the undo handler registered for a command. The provided undo token must match the latest undoable log entry accessible to the caller. Requires features: audit_logs.undo_self

Request body (application/json)

{
  "undoToken": "string"
}

Responses

200Undo applied successfully

Content-Type: application/json

{
  "ok": true,
  "logId": "string"
}

400Invalid or unavailable undo token

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/audit_logs/audit-logs/actions/undo" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"undoToken\": \"string\"
}"

Notifications

Showing 13 of 13 endpoints

GET/notifications

Auth required

List notifications

Returns a paginated collection of notifications.

Parameters

Name	In	Required	Schema	Description
status	query	No	any	—
type	query	No	any	—
severity	query	No	any	—
sourceEntityType	query	No	any	—
sourceEntityId	query	No	any	—
since	query	No	any	—
page	query	No	any	—
pageSize	query	No	any	—
ids	query	No	any	Comma-separated list of record UUIDs to filter by (max 200).

Responses

200Paginated notifications

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "type": "string",
      "title": "string",
      "body": null,
      "titleKey": null,
      "bodyKey": null,
      "titleVariables": null,
      "bodyVariables": null,
      "icon": null,
      "severity": "string",
      "status": "string",
      "actions": [
        {
          "id": "string",
          "label": "string"
        }
      ],
      "sourceModule": null,
      "sourceEntityType": null,
      "sourceEntityId": null,
      "linkHref": null,
      "createdAt": "string",
      "readAt": null,
      "actionTaken": null
    }
  ],
  "total": 1,
  "page": 1,
  "pageSize": 1,
  "totalPages": 1
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/notifications?page=1&pageSize=20" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/notifications

Auth requirednotifications.create

Create notification

Creates a notification for a user. Requires features: notifications.create

Request body (application/json)

{
  "type": "string",
  "severity": "info",
  "recipientUserId": "00000000-0000-4000-8000-000000000000"
}

Responses

201Notification created

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/notifications" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"type\": \"string\",
  \"severity\": \"info\",
  \"recipientUserId\": \"00000000-0000-4000-8000-000000000000\"
}"

POST/notifications/{id}/action

Auth required

POST /notifications/{id}/action

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

201Success response

Content-Type: application/json

"string"

Example

curl -X POST "https://mercato-pr-97.tournee.io/notifications/:id/action" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/notifications/{id}/dismiss

Auth required

PUT /notifications/{id}/dismiss

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X PUT "https://mercato-pr-97.tournee.io/notifications/:id/dismiss" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/notifications/{id}/read

Auth required

PUT /notifications/{id}/read

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X PUT "https://mercato-pr-97.tournee.io/notifications/:id/read" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/notifications/{id}/restore

Auth required

PUT /notifications/{id}/restore

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X PUT "https://mercato-pr-97.tournee.io/notifications/:id/restore" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/notifications/batch

Auth requirednotifications.create

POST /notifications/batch

Requires features: notifications.create

Responses

201Success response

Content-Type: application/json

"string"

Example

curl -X POST "https://mercato-pr-97.tournee.io/notifications/batch" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/notifications/feature

Auth requirednotifications.create

POST /notifications/feature

Requires features: notifications.create

Responses

201Success response

Content-Type: application/json

"string"

Example

curl -X POST "https://mercato-pr-97.tournee.io/notifications/feature" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/notifications/mark-all-read

Auth required

PUT /notifications/mark-all-read

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X PUT "https://mercato-pr-97.tournee.io/notifications/mark-all-read" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/notifications/role

Auth requirednotifications.create

POST /notifications/role

Requires features: notifications.create

Responses

201Success response

Content-Type: application/json

"string"

Example

curl -X POST "https://mercato-pr-97.tournee.io/notifications/role" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/notifications/settings

Auth requirednotifications.manage

GET /notifications/settings

Requires features: notifications.manage

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/notifications/settings" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/notifications/settings

Auth requirednotifications.manage

POST /notifications/settings

Requires features: notifications.manage

Responses

201Success response

Content-Type: application/json

"string"

Example

curl -X POST "https://mercato-pr-97.tournee.io/notifications/settings" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/notifications/unread-count

Auth required

GET /notifications/unread-count

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/notifications/unread-count" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Entity Translations

Showing 2 of 2 endpoints

GET/translations/locales

List supported translation locales

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/translations/locales" \
  -H "Accept: application/json"

PUT/translations/locales

Update supported translation locales

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X PUT "https://mercato-pr-97.tournee.io/translations/locales" \
  -H "Accept: application/json"

Attachments

Showing 14 of 14 endpoints

GET/attachments

Auth requiredattachments.view

List attachments for a record

Returns uploaded attachments for the given entity record, ordered by newest first. Requires features: attachments.view

Parameters

Name	In	Required	Schema	Description
entityId	query	Yes	any	Entity identifier that owns the attachments
recordId	query	Yes	any	Record identifier within the entity

Responses

200Attachments found for the record

Content-Type: application/json

{
  "items": [
    {
      "id": "string",
      "url": "string",
      "fileName": "string",
      "fileSize": 1,
      "createdAt": "string",
      "mimeType": null,
      "content": null
    }
  ]
}

400Missing entity or record identifiers

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/attachments?entityId=string&recordId=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/attachments

Auth requiredattachments.manage

Upload attachment

Uploads a new attachment using multipart form-data and stores metadata for later retrieval. Requires features: attachments.manage

Request body (multipart/form-data)

entityId=string
recordId=string
file=string

Responses

200Attachment stored successfully

Content-Type: application/json

{
  "ok": true,
  "item": {
    "id": "string",
    "url": "string",
    "fileName": "string",
    "fileSize": 1,
    "content": null
  }
}

400Payload validation error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/attachments" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: multipart/form-data" \
  -d "{
  \"entityId\": \"string\",
  \"recordId\": \"string\",
  \"file\": \"string\"
}"

DELETE/attachments

Auth requiredattachments.manage

Delete attachment

Removes an uploaded attachment and deletes the stored asset. Requires features: attachments.manage

Parameters

Name	In	Required	Schema	Description
id	query	Yes	any	—

Responses

200Attachment deleted

Content-Type: application/json

{
  "ok": true
}

400Missing attachment identifier

Content-Type: application/json

{
  "error": "string"
}

404Attachment not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/attachments?id=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/attachments/file/{id}

Download or serve attachment file

Returns the raw file content for an attachment. Path parameter: {id} - Attachment UUID. Query parameter: ?download=1 - Force file download with Content-Disposition header. Access control is enforced based on partition settings.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200File content with appropriate MIME type

Content-Type: application/json

"string"

400Missing attachment ID

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized - authentication required for private partitions

Content-Type: application/json

{
  "error": "string"
}

403Forbidden - insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

404Attachment or file not found

Content-Type: application/json

{
  "error": "string"
}

500Partition misconfigured

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/attachments/file/:id" \
  -H "Accept: application/json"

GET/attachments/image/{id}/{slug}

Serve image with optional resizing

Returns an image attachment with optional on-the-fly resizing and cropping. Resized images are cached for performance. Only works with image MIME types. Path parameter: {id} - Attachment UUID. Query parameters: ?width=N (1-4000 pixels), ?height=N (1-4000 pixels), ?cropType=cover|contain (resize behavior).

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—
slug	path	No	any	—

Responses

200Binary image content (Content-Type: image/jpeg, image/png, etc.)

Content-Type: application/json

"string"

400Invalid parameters, missing ID, or non-image attachment

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized - authentication required for private partitions

Content-Type: application/json

{
  "error": "string"
}

403Forbidden - insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

404Image not found

Content-Type: application/json

{
  "error": "string"
}

500Partition misconfigured or image rendering failed

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/attachments/image/:id/:slug" \
  -H "Accept: application/json"

GET/attachments/library

Auth requiredattachments.view

List attachments

Returns paginated list of attachments with optional filtering by search term, partition, and tags. Includes available tags and partitions. Requires features: attachments.view

Parameters

Name	In	Required	Schema	Description
page	query	No	any	Page number for pagination
pageSize	query	No	any	Number of items per page (max 100)
search	query	No	any	Search by file name (case-insensitive)
partition	query	No	any	Filter by partition code
tags	query	No	any	Filter by tags (comma-separated)
sortField	query	No	any	Field to sort by
sortDir	query	No	any	Sort direction

Responses

200Attachments list with pagination and metadata

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "fileName": "string",
      "fileSize": 1,
      "mimeType": "string",
      "partitionCode": "string",
      "partitionTitle": null,
      "url": null,
      "createdAt": "string",
      "tags": [
        "string"
      ],
      "assignments": [],
      "content": null
    }
  ],
  "total": 1,
  "page": 1,
  "pageSize": 1,
  "totalPages": 1,
  "availableTags": [
    "string"
  ],
  "partitions": [
    {
      "code": "string",
      "title": "string",
      "description": null,
      "isPublic": true
    }
  ]
}

400Invalid query parameters

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/attachments/library?page=1&pageSize=25" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/attachments/library/{id}

Auth requiredattachments.view

Get attachment details

Returns complete details of an attachment including metadata, tags, assignments, and custom fields. Requires features: attachments.view

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Attachment details

Content-Type: application/json

{
  "item": {
    "id": "00000000-0000-4000-8000-000000000000",
    "fileName": "string",
    "fileSize": 1,
    "mimeType": "string",
    "partitionCode": "string",
    "partitionTitle": null,
    "tags": [
      "string"
    ],
    "assignments": [],
    "content": null,
    "customFields": null
  }
}

400Invalid attachment ID

Content-Type: application/json

{
  "error": "string"
}

404Attachment not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/attachments/library/:id" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PATCH/attachments/library/{id}

Auth requiredattachments.manage

Update attachment metadata

Updates attachment tags, assignments, and custom fields. Emits CRUD side effects for indexing and events. Requires features: attachments.manage

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{}

Responses

200Attachment updated successfully

Content-Type: application/json

{
  "ok": true
}

400Invalid payload or attachment ID

Content-Type: application/json

{
  "error": "string"
}

404Attachment not found

Content-Type: application/json

{
  "error": "string"
}

500Failed to save attributes

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PATCH "https://mercato-pr-97.tournee.io/attachments/library/:id" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{}"

DELETE/attachments/library/{id}

Auth requiredattachments.manage

Delete attachment

Permanently deletes an attachment file from storage and database. Emits CRUD side effects. Requires features: attachments.manage

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Attachment deleted successfully

Content-Type: application/json

{
  "ok": true
}

400Invalid attachment ID

Content-Type: application/json

{
  "error": "string"
}

404Attachment not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/attachments/library/:id" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/attachments/partitions

Auth requiredattachments.manage

List all attachment partitions

Returns all configured attachment partitions with storage settings, OCR configuration, and access control settings. Requires features: attachments.manage

Responses

200List of partitions

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "code": "string",
      "title": "string",
      "description": null,
      "isPublic": true,
      "requiresOcr": true,
      "ocrModel": null,
      "createdAt": null,
      "updatedAt": null,
      "envKey": "string"
    }
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/attachments/partitions" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/attachments/partitions

Auth requiredattachments.manage

Create new partition

Creates a new attachment partition with specified storage and OCR settings. Requires unique partition code. Requires features: attachments.manage

Request body (application/json)

{
  "code": "string",
  "title": "string",
  "description": null,
  "ocrModel": null
}

Responses

201Partition created successfully

Content-Type: application/json

{
  "item": {
    "id": "00000000-0000-4000-8000-000000000000",
    "code": "string",
    "title": "string",
    "description": null,
    "isPublic": true,
    "requiresOcr": true,
    "ocrModel": null,
    "createdAt": null,
    "updatedAt": null,
    "envKey": "string"
  }
}

400Invalid payload or partition code

Content-Type: application/json

{
  "error": "string"
}

409Partition code already exists

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/attachments/partitions" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"code\": \"string\",
  \"title\": \"string\",
  \"description\": null,
  \"ocrModel\": null
}"

PUT/attachments/partitions

Auth requiredattachments.manage

Update partition

Updates an existing partition. Partition code cannot be changed. Title, description, OCR settings, and access control can be modified. Requires features: attachments.manage

Request body (application/json)

{
  "code": "string",
  "title": "string",
  "description": null,
  "ocrModel": null,
  "id": "00000000-0000-4000-8000-000000000000"
}

Responses

200Partition updated successfully

Content-Type: application/json

{
  "item": {
    "id": "00000000-0000-4000-8000-000000000000",
    "code": "string",
    "title": "string",
    "description": null,
    "isPublic": true,
    "requiresOcr": true,
    "ocrModel": null,
    "createdAt": null,
    "updatedAt": null,
    "envKey": "string"
  }
}

400Invalid payload or code change attempt

Content-Type: application/json

{
  "error": "string"
}

404Partition not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/attachments/partitions" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"code\": \"string\",
  \"title\": \"string\",
  \"description\": null,
  \"ocrModel\": null,
  \"id\": \"00000000-0000-4000-8000-000000000000\"
}"

DELETE/attachments/partitions

Auth requiredattachments.manage

Delete partition

Deletes a partition. Default partitions cannot be deleted. Partitions with existing attachments cannot be deleted. Requires features: attachments.manage

Responses

200Partition deleted successfully

Content-Type: application/json

{
  "ok": true
}

400Invalid ID or default partition deletion attempt

Content-Type: application/json

{
  "error": "string"
}

404Partition not found

Content-Type: application/json

{
  "error": "string"
}

409Partition in use

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/attachments/partitions" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/attachments/transfer

Auth requiredattachments.manage

Transfer attachments to different record

Transfers one or more attachments from one record to another within the same entity type. Updates attachment assignments and metadata to reflect the new record. Requires features: attachments.manage

Request body (application/json)

{
  "entityId": "string",
  "attachmentIds": [
    "00000000-0000-4000-8000-000000000000"
  ],
  "toRecordId": "string"
}

Responses

200Attachments transferred successfully

Content-Type: application/json

{
  "ok": true,
  "updated": 1
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

404Attachments not found

Content-Type: application/json

{
  "error": "string"
}

500Attachment model missing

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/attachments/transfer" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"attachmentIds\": [
    \"00000000-0000-4000-8000-000000000000\"
  ],
  \"toRecordId\": \"string\"
}"

API Keys

Showing 3 of 3 endpoints

GET/api_keys/keys

Auth requiredapi_keys.view

List API keys

Returns paginated API keys visible to the current user, including per-key role assignments and organization context. Requires features: api_keys.view

Parameters

Name	In	Required	Schema	Description
page	query	No	any	—
pageSize	query	No	any	—
search	query	No	any	—

Responses

200Collection of API keys

Content-Type: application/json

{
  "items": [
    {
      "id": "string",
      "name": "string",
      "description": null,
      "keyPrefix": "string",
      "organizationId": null,
      "organizationName": null,
      "createdAt": "string",
      "lastUsedAt": null,
      "expiresAt": null,
      "roles": [
        {
          "id": "string",
          "name": null
        }
      ]
    }
  ],
  "total": 1,
  "page": 1,
  "pageSize": 1,
  "totalPages": 1
}

400Tenant context missing

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/api_keys/keys" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/api_keys/keys

Auth requiredapi_keys.create

Create API key

Creates a new API key, returning the one-time secret value together with the generated key prefix and scope details. Requires features: api_keys.create

Request body (application/json)

{
  "name": "string",
  "description": null,
  "tenantId": null,
  "organizationId": null,
  "roles": [],
  "expiresAt": null
}

Responses

201API key created successfully

Content-Type: application/json

{
  "id": "string",
  "name": "string",
  "keyPrefix": "string",
  "tenantId": null,
  "organizationId": null,
  "roles": [
    {
      "id": "string",
      "name": null
    }
  ]
}

400Invalid payload or missing tenant context

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/api_keys/keys" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"name\": \"string\",
  \"description\": null,
  \"tenantId\": null,
  \"organizationId\": null,
  \"roles\": [],
  \"expiresAt\": null
}"

DELETE/api_keys/keys

Auth requiredapi_keys.delete

Delete API key

Removes an API key by identifier. The key must belong to the current tenant and fall within the requester organization scope. Requires features: api_keys.delete

Parameters

Name	In	Required	Schema	Description
id	query	Yes	any	API key identifier to delete

Responses

200Key deleted successfully

Content-Type: application/json

{
  "success": true
}

400Missing or invalid identifier

Content-Type: application/json

{
  "error": "string"
}

404Key not found within scope

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/api_keys/keys?id=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Feature Toggles

Showing 12 of 12 endpoints

GET/feature_toggles/check/boolean

Auth required

Check if feature is enabled

Checks if a feature toggle is enabled for the current context.

Parameters

Name	In	Required	Schema	Description
identifier	query	Yes	any	Feature toggle identifier

Responses

200Feature status

Content-Type: application/json

{
  "enabled": true,
  "source": "override",
  "toggleId": "string",
  "identifier": "string",
  "tenantId": "string"
}

400Bad Request

Content-Type: application/json

{
  "error": "string"
}

404Tenant not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/feature_toggles/check/boolean?identifier=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/feature_toggles/check/json

Auth required

Get json config

Gets the json configuration for a feature toggle.

Parameters

Name	In	Required	Schema	Description
identifier	query	Yes	any	Feature toggle identifier

Responses

200Json config

Content-Type: application/json

{
  "valueType": "json",
  "source": "override",
  "toggleId": "string",
  "identifier": "string",
  "tenantId": "string"
}

400Bad Request

Content-Type: application/json

{
  "error": "string"
}

404Tenant not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/feature_toggles/check/json?identifier=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/feature_toggles/check/number

Auth required

Get number config

Gets the number configuration for a feature toggle.

Parameters

Name	In	Required	Schema	Description
identifier	query	Yes	any	Feature toggle identifier

Responses

200Number config

Content-Type: application/json

{
  "valueType": "number",
  "value": 1,
  "source": "override",
  "toggleId": "string",
  "identifier": "string",
  "tenantId": "string"
}

400Bad Request

Content-Type: application/json

{
  "error": "string"
}

404Tenant not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/feature_toggles/check/number?identifier=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/feature_toggles/check/string

Auth required

Get string config

Gets the string configuration for a feature toggle.

Parameters

Name	In	Required	Schema	Description
identifier	query	Yes	any	Feature toggle identifier

Responses

200String config

Content-Type: application/json

{
  "valueType": "string",
  "value": "string",
  "source": "override",
  "toggleId": "string",
  "identifier": "string",
  "tenantId": "string"
}

400Bad Request

Content-Type: application/json

{
  "error": "string"
}

404Tenant not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/feature_toggles/check/string?identifier=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/feature_toggles/global

Auth requiredfeature_toggles.view

List global feature toggles

Returns all global feature toggles with filtering and pagination. Requires superadmin role. Requires features: feature_toggles.view

Parameters

Name	In	Required	Schema	Description
page	query	No	any	Page number for pagination
pageSize	query	No	any	Number of items per page (max 200)
search	query	No	any	Case-insensitive search across identifier, name, description, and category
type	query	No	any	Filter by toggle type (boolean, string, number, json)
category	query	No	any	Filter by category (case-insensitive partial match)
name	query	No	any	Filter by name (case-insensitive partial match)
identifier	query	No	any	Filter by identifier (case-insensitive partial match)
sortField	query	No	any	Field to sort by
sortDir	query	No	any	Sort direction (ascending or descending)

Responses

200Feature toggles collection

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "identifier": "string",
      "name": "string",
      "description": null,
      "category": null,
      "type": "boolean",
      "defaultValue": null
    }
  ],
  "total": 1,
  "page": 1,
  "pageSize": 1,
  "totalPages": 1
}

400Invalid query parameters

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/feature_toggles/global?page=1&pageSize=50" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/feature_toggles/global

Auth requiredfeature_toggles.manage

Create global feature toggle

Creates a new global feature toggle. Requires superadmin role. Requires features: feature_toggles.manage

Request body (application/json)

{
  "identifier": "string",
  "name": "string",
  "description": null,
  "category": null,
  "type": "boolean",
  "defaultValue": null
}

Responses

201Feature toggle created

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000"
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/feature_toggles/global" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"identifier\": \"string\",
  \"name\": \"string\",
  \"description\": null,
  \"category\": null,
  \"type\": \"boolean\",
  \"defaultValue\": null
}"

PUT/feature_toggles/global

Auth requiredfeature_toggles.manage

Update global feature toggle

Updates an existing global feature toggle. Requires superadmin role. Requires features: feature_toggles.manage

Request body (application/json)

{
  "id": "00000000-0000-4000-8000-000000000000",
  "description": null,
  "category": null,
  "defaultValue": null
}

Responses

200Feature toggle updated

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000"
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

404Feature toggle not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/feature_toggles/global" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"id\": \"00000000-0000-4000-8000-000000000000\",
  \"description\": null,
  \"category\": null,
  \"defaultValue\": null
}"

DELETE/feature_toggles/global

Auth requiredfeature_toggles.manage

Delete global feature toggle

Soft deletes a global feature toggle by ID. Requires superadmin role. Requires features: feature_toggles.manage

Parameters

Name	In	Required	Schema	Description
id	query	Yes	any	Feature toggle identifier

Responses

200Feature toggle deleted

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000"
}

400Invalid identifier

Content-Type: application/json

{
  "error": "string"
}

404Feature toggle not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/feature_toggles/global?id=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/feature_toggles/global/{id}

Auth requiredfeature_toggles.view

Fetch feature toggle by ID

Returns complete details of a feature toggle. Requires features: feature_toggles.view

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Feature toggle detail

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000",
  "identifier": "string",
  "name": "string",
  "description": null,
  "category": null,
  "type": "boolean",
  "defaultValue": null
}

400Invalid identifier

Content-Type: application/json

{
  "error": "string"
}

404Feature toggle not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/feature_toggles/global/:id" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/feature_toggles/global/{id}/override

Auth requiredfeature_toggles.view

Fetch feature toggle override

Returns feature toggle override. Requires features: feature_toggles.view

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Feature toggle overrides

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000",
  "tenantName": "string",
  "tenantId": "00000000-0000-4000-8000-000000000000",
  "toggleType": "boolean"
}

400Invalid request

Content-Type: application/json

{
  "error": "string"
}

404Feature toggle not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/feature_toggles/global/:id/override" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/feature_toggles/overrides

Auth requiredfeature_toggles.view

List overrides

Returns list of feature toggle overrides. Requires features: feature_toggles.view

Parameters

Name	In	Required	Schema	Description
category	query	No	any	—
name	query	No	any	—
identifier	query	No	any	—
sortField	query	No	any	—
sortDir	query	No	any	—
page	query	No	any	—
pageSize	query	No	any	—

Responses

200List of overrides

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "toggleId": "00000000-0000-4000-8000-000000000000",
      "overrideState": "enabled",
      "identifier": "string",
      "name": "string",
      "category": null,
      "defaultState": true,
      "tenantName": null
    }
  ],
  "total": 1,
  "page": 1,
  "pageSize": 1,
  "totalPages": 1,
  "isSuperAdmin": true
}

400Invalid query parameters

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/feature_toggles/overrides?page=1&pageSize=25" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/feature_toggles/overrides

Auth requiredfeature_toggles.manage

Change override state

Enable, disable or inherit a feature toggle for a specific tenant. Requires features: feature_toggles.manage

Request body (application/json)

{
  "toggleId": "00000000-0000-4000-8000-000000000000",
  "isOverride": true
}

Responses

200Override updated

Content-Type: application/json

{
  "ok": true,
  "overrideToggleId": null
}

400Validation failed

Content-Type: application/json

{
  "error": "string"
}

404Not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/feature_toggles/overrides" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"toggleId\": \"00000000-0000-4000-8000-000000000000\",
  \"isOverride\": true
}"

Business Rules

Showing 17 of 17 endpoints

POST/business_rules/execute

Auth requiredbusiness_rules.execute

Execute rules for given context

Manually executes applicable business rules for the specified entity type, event, and data. Supports dry-run mode to test rules without executing actions. Requires features: business_rules.execute

Request body (application/json)

{
  "entityType": "string",
  "dryRun": false
}

Responses

200Rules executed successfully

Content-Type: application/json

{
  "allowed": true,
  "executedRules": [
    {
      "ruleId": "string",
      "ruleName": "string",
      "conditionResult": true,
      "executionTime": 1
    }
  ],
  "totalExecutionTime": 1
}

400Invalid request payload

Content-Type: application/json

{
  "error": "string"
}

500Execution error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/business_rules/execute" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityType\": \"string\",
  \"dryRun\": false
}"

POST/business_rules/execute/{ruleId}

Auth requiredbusiness_rules.execute

Execute a specific rule by its database UUID

Directly executes a specific business rule identified by its UUID, bypassing the normal entityType/eventType discovery mechanism. Useful for workflows and targeted rule execution. Requires features: business_rules.execute

Parameters

Name	In	Required	Schema	Description
ruleId	path	Yes	any	The database UUID of the business rule to execute

Request body (application/json)

{
  "dryRun": false
}

Responses

200Rule executed successfully

Content-Type: application/json

{
  "success": true,
  "ruleId": "string",
  "ruleName": "string",
  "conditionResult": true,
  "actionsExecuted": null,
  "executionTime": 1
}

400Invalid request payload or rule ID

Content-Type: application/json

{
  "error": "string"
}

404Rule not found

Content-Type: application/json

{
  "error": "string"
}

500Execution error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/business_rules/execute/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"dryRun\": false
}"

GET/business_rules/logs

Auth requiredbusiness_rules.view_logs

List rule execution logs

Returns rule execution history for the current tenant and organization with filtering and pagination. Useful for audit trails and debugging. Requires features: business_rules.view_logs

Parameters

Name	In	Required	Schema	Description
id	query	No	any	—
page	query	No	any	—
pageSize	query	No	any	—
ruleId	query	No	any	—
entityId	query	No	any	—
entityType	query	No	any	—
executionResult	query	No	any	—
executedBy	query	No	any	—
executedAtFrom	query	No	any	—
executedAtTo	query	No	any	—
sortField	query	No	any	—
sortDir	query	No	any	—

Responses

200Rule execution logs collection

Content-Type: application/json

{
  "items": [
    {
      "id": "string",
      "ruleId": "string",
      "ruleName": "string",
      "ruleType": "string",
      "entityId": "00000000-0000-4000-8000-000000000000",
      "entityType": "string",
      "executionResult": "SUCCESS",
      "inputContext": null,
      "outputContext": null,
      "errorMessage": null,
      "executionTimeMs": 1,
      "executedAt": "string",
      "tenantId": "00000000-0000-4000-8000-000000000000",
      "organizationId": null,
      "executedBy": null
    }
  ],
  "total": 1,
  "totalPages": 1
}

400Invalid query parameters

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/business_rules/logs?page=1&pageSize=50&sortDir=desc" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/business_rules/logs/{id}

Auth requiredbusiness_rules.view_logs

Get execution log detail

Returns detailed information about a specific rule execution, including full context and results. Requires features: business_rules.view_logs

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Log entry details

Content-Type: application/json

{
  "id": "string",
  "rule": {
    "id": "00000000-0000-4000-8000-000000000000",
    "ruleId": "string",
    "ruleName": "string",
    "ruleType": "string",
    "entityType": "string"
  },
  "entityId": "00000000-0000-4000-8000-000000000000",
  "entityType": "string",
  "executionResult": "SUCCESS",
  "inputContext": null,
  "outputContext": null,
  "errorMessage": null,
  "executionTimeMs": 1,
  "executedAt": "string",
  "tenantId": "00000000-0000-4000-8000-000000000000",
  "organizationId": null,
  "executedBy": null
}

400Invalid log id

Content-Type: application/json

{
  "error": "string"
}

404Log entry not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/business_rules/logs/:id" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/business_rules/rules

Auth requiredbusiness_rules.view

List business rules

Returns business rules for the current tenant and organization with filtering and pagination. Requires features: business_rules.view

Parameters

Name	In	Required	Schema	Description
id	query	No	any	—
page	query	No	any	—
pageSize	query	No	any	—
search	query	No	any	—
ruleId	query	No	any	—
ruleType	query	No	any	—
entityType	query	No	any	—
eventType	query	No	any	—
enabled	query	No	any	—
ruleCategory	query	No	any	—
sortField	query	No	any	—
sortDir	query	No	any	—

Responses

200Business rules collection

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "ruleId": "string",
      "ruleName": "string",
      "description": null,
      "ruleType": "GUARD",
      "ruleCategory": null,
      "entityType": "string",
      "eventType": null,
      "enabled": true,
      "priority": 1,
      "version": 1,
      "effectiveFrom": null,
      "effectiveTo": null,
      "tenantId": "00000000-0000-4000-8000-000000000000",
      "organizationId": "00000000-0000-4000-8000-000000000000",
      "createdAt": "string",
      "updatedAt": "string"
    }
  ],
  "total": 1,
  "totalPages": 1
}

400Invalid query parameters

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/business_rules/rules?page=1&pageSize=50&sortDir=desc" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/business_rules/rules

Auth requiredbusiness_rules.manage

Create business rule

Creates a new business rule for the current tenant and organization. Requires features: business_rules.manage

Request body (application/json)

{
  "ruleId": "string",
  "ruleName": "string",
  "description": null,
  "ruleType": "GUARD",
  "ruleCategory": null,
  "entityType": "string",
  "eventType": null,
  "enabled": true,
  "priority": 100,
  "version": 1,
  "effectiveFrom": null,
  "effectiveTo": null,
  "tenantId": "string",
  "organizationId": "string",
  "createdBy": null,
  "conditionExpression": null,
  "successActions": null,
  "failureActions": null
}

Responses

201Business rule created

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000"
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/business_rules/rules" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"ruleId\": \"string\",
  \"ruleName\": \"string\",
  \"description\": null,
  \"ruleType\": \"GUARD\",
  \"ruleCategory\": null,
  \"entityType\": \"string\",
  \"eventType\": null,
  \"enabled\": true,
  \"priority\": 100,
  \"version\": 1,
  \"effectiveFrom\": null,
  \"effectiveTo\": null,
  \"tenantId\": \"string\",
  \"organizationId\": \"string\",
  \"createdBy\": null,
  \"conditionExpression\": null,
  \"successActions\": null,
  \"failureActions\": null
}"

PUT/business_rules/rules

Auth requiredbusiness_rules.manage

Update business rule

Updates an existing business rule. Requires features: business_rules.manage

Request body (application/json)

{
  "description": null,
  "ruleCategory": null,
  "eventType": null,
  "enabled": true,
  "priority": 100,
  "version": 1,
  "effectiveFrom": null,
  "effectiveTo": null,
  "conditionExpression": null,
  "successActions": null,
  "failureActions": null,
  "id": "string"
}

Responses

200Business rule updated

Content-Type: application/json

{
  "ok": true
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

404Business rule not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/business_rules/rules" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"description\": null,
  \"ruleCategory\": null,
  \"eventType\": null,
  \"enabled\": true,
  \"priority\": 100,
  \"version\": 1,
  \"effectiveFrom\": null,
  \"effectiveTo\": null,
  \"conditionExpression\": null,
  \"successActions\": null,
  \"failureActions\": null,
  \"id\": \"string\"
}"

DELETE/business_rules/rules

Auth requiredbusiness_rules.manage

Delete business rule

Soft deletes a business rule by identifier. Requires features: business_rules.manage

Parameters

Name	In	Required	Schema	Description
id	query	Yes	any	Business rule identifier

Responses

200Business rule deleted

Content-Type: application/json

{
  "ok": true
}

400Invalid identifier

Content-Type: application/json

{
  "error": "string"
}

404Business rule not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/business_rules/rules?id=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/business_rules/rules/{id}

Auth requiredbusiness_rules.view

Fetch business rule by ID

Returns complete details of a business rule including conditions and actions. Requires features: business_rules.view

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Business rule detail

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000",
  "ruleId": "string",
  "ruleName": "string",
  "description": null,
  "ruleType": "GUARD",
  "ruleCategory": null,
  "entityType": "string",
  "eventType": null,
  "successActions": null,
  "failureActions": null,
  "enabled": true,
  "priority": 1,
  "version": 1,
  "effectiveFrom": null,
  "effectiveTo": null,
  "tenantId": "00000000-0000-4000-8000-000000000000",
  "organizationId": "00000000-0000-4000-8000-000000000000",
  "createdBy": null,
  "updatedBy": null,
  "createdAt": "string",
  "updatedAt": "string"
}

400Invalid identifier

Content-Type: application/json

{
  "error": "string"
}

404Business rule not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/business_rules/rules/:id" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/business_rules/sets

Auth requiredbusiness_rules.view

List rule sets

Returns rule sets for the current tenant and organization with filtering and pagination. Requires features: business_rules.view

Parameters

Name	In	Required	Schema	Description
id	query	No	any	—
page	query	No	any	—
pageSize	query	No	any	—
search	query	No	any	—
setId	query	No	any	—
enabled	query	No	any	—
sortField	query	No	any	—
sortDir	query	No	any	—

Responses

200Rule sets collection

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "setId": "string",
      "setName": "string",
      "description": null,
      "enabled": true,
      "tenantId": "00000000-0000-4000-8000-000000000000",
      "organizationId": "00000000-0000-4000-8000-000000000000",
      "createdBy": null,
      "updatedBy": null,
      "createdAt": "string",
      "updatedAt": "string"
    }
  ],
  "total": 1,
  "totalPages": 1
}

400Invalid query parameters

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/business_rules/sets?page=1&pageSize=50&sortDir=asc" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/business_rules/sets

Auth requiredbusiness_rules.manage_sets

Create rule set

Creates a new rule set for organizing business rules. Requires features: business_rules.manage_sets

Request body (application/json)

{
  "setId": "string",
  "setName": "string",
  "description": null,
  "enabled": true,
  "tenantId": "string",
  "organizationId": "string",
  "createdBy": null
}

Responses

201Rule set created

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000"
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/business_rules/sets" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"setId\": \"string\",
  \"setName\": \"string\",
  \"description\": null,
  \"enabled\": true,
  \"tenantId\": \"string\",
  \"organizationId\": \"string\",
  \"createdBy\": null
}"

PUT/business_rules/sets

Auth requiredbusiness_rules.manage_sets

Update rule set

Updates an existing rule set. Requires features: business_rules.manage_sets

Request body (application/json)

{
  "description": null,
  "enabled": true,
  "id": "string"
}

Responses

200Rule set updated

Content-Type: application/json

{
  "ok": true
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

404Rule set not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/business_rules/sets" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"description\": null,
  \"enabled\": true,
  \"id\": \"string\"
}"

DELETE/business_rules/sets

Auth requiredbusiness_rules.manage_sets

Delete rule set

Soft deletes a rule set by identifier. Requires features: business_rules.manage_sets

Parameters

Name	In	Required	Schema	Description
id	query	Yes	any	Rule set identifier

Responses

200Rule set deleted

Content-Type: application/json

{
  "ok": true
}

400Invalid identifier

Content-Type: application/json

{
  "error": "string"
}

404Rule set not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/business_rules/sets?id=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/business_rules/sets/{id}

Auth requiredbusiness_rules.view

Get rule set detail

Returns detailed information about a specific rule set, including all member rules. Requires features: business_rules.view

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Rule set details

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000",
  "setId": "string",
  "setName": "string",
  "description": null,
  "enabled": true,
  "tenantId": "00000000-0000-4000-8000-000000000000",
  "organizationId": "00000000-0000-4000-8000-000000000000",
  "createdBy": null,
  "updatedBy": null,
  "createdAt": "string",
  "updatedAt": "string",
  "members": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "ruleId": "00000000-0000-4000-8000-000000000000",
      "ruleName": "string",
      "ruleType": "string",
      "sequence": 1,
      "enabled": true
    }
  ]
}

400Invalid rule set id

Content-Type: application/json

{
  "error": "string"
}

404Rule set not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/business_rules/sets/:id" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/business_rules/sets/{id}/members

Auth requiredbusiness_rules.manage_sets

Add rule to set

Adds a business rule to a rule set with specified sequence and enabled state. Requires features: business_rules.manage_sets

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{
  "ruleId": "00000000-0000-4000-8000-000000000000",
  "sequence": 0,
  "enabled": true
}

Responses

201Member added

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000"
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

404Rule set or rule not found

Content-Type: application/json

{
  "error": "string"
}

409Rule already in set

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/business_rules/sets/:id/members" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"ruleId\": \"00000000-0000-4000-8000-000000000000\",
  \"sequence\": 0,
  \"enabled\": true
}"

PUT/business_rules/sets/{id}/members

Auth requiredbusiness_rules.manage_sets

Update set member

Updates sequence or enabled state of a rule set member. Requires features: business_rules.manage_sets

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{
  "memberId": "00000000-0000-4000-8000-000000000000"
}

Responses

200Member updated

Content-Type: application/json

{
  "ok": true
}

400Invalid payload

Content-Type: application/json

{
  "error": "string"
}

404Member not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/business_rules/sets/:id/members" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"memberId\": \"00000000-0000-4000-8000-000000000000\"
}"

DELETE/business_rules/sets/{id}/members

Auth requiredbusiness_rules.manage_sets

Remove rule from set

Removes a business rule from a rule set (hard delete). Requires features: business_rules.manage_sets

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—
memberId	query	Yes	any	Member identifier

Responses

200Member removed

Content-Type: application/json

{
  "ok": true
}

400Invalid identifier

Content-Type: application/json

{
  "error": "string"
}

404Member not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/business_rules/sets/:id/members?memberId=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Disciplines

Showing 5 of 5 endpoints

GET/discipline

GET /discipline

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/discipline" \
  -H "Accept: application/json"

POST/discipline

Auth requireddiscipline.manage

POST /discipline

Requires features: discipline.manage

Responses

201Success response

Content-Type: application/json

"string"

Example

curl -X POST "https://mercato-pr-97.tournee.io/discipline" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/discipline/{id}

GET /discipline/{id}

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/discipline/:id" \
  -H "Accept: application/json"

PUT/discipline/{id}

Auth requireddiscipline.manage

PUT /discipline/{id}

Requires features: discipline.manage

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Success response

Content-Type: application/json

"string"

Example

curl -X PUT "https://mercato-pr-97.tournee.io/discipline/:id" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

DELETE/discipline/{id}

Auth requireddiscipline.manage

DELETE /discipline/{id}

Requires features: discipline.manage

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

204Success

No response body.

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/discipline/:id" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Auth

Showing 1 of 1 endpoints

GET/auth/users/consents

Auth requiredauth.users.edit

List user consents

Returns all consent records for a given user, with integrity verification status. Requires features: auth.users.edit

Parameters

Name	In	Required	Schema	Description
userId	query	Yes	any	—

Responses

200Consent list returned

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/auth/users/consents?userId=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Configs

Showing 6 of 6 endpoints

GET/configs/cache

Auth requiredconfigs.cache.view

Get cache statistics

Returns detailed cache statistics including total entries and breakdown by cache segments. Requires cache service to be available. Requires features: configs.cache.view

Responses

200Cache statistics

Content-Type: application/json

{
  "total": 1,
  "segments": {
    "key": 1
  }
}

500Failed to resolve cache stats

Content-Type: application/json

{
  "error": "string"
}

503Cache service unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/configs/cache" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/configs/cache

Auth requiredconfigs.cache.manage

Purge cache

Purges cache entries. Supports two actions: purgeAll (clears entire cache) or purgeSegment (clears specific segment). Returns updated cache statistics after purge. Requires features: configs.cache.manage

Request body (application/json)

{
  "action": "purgeAll"
}

Responses

200Cache segment cleared successfully

Content-Type: application/json

{
  "action": "purgeSegment",
  "segment": "string",
  "deleted": 1,
  "stats": {
    "total": 1,
    "segments": {
      "key": 1
    }
  }
}

400Invalid request - missing segment identifier for purgeSegment action

Content-Type: application/json

{
  "error": "string"
}

500Failed to purge cache

Content-Type: application/json

{
  "error": "string"
}

503Cache service unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/configs/cache" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"action\": \"purgeAll\"
}"

GET/configs/system-status

Auth requiredconfigs.system_status.view

Get system health status

Returns comprehensive system health information including environment details, version, resource usage, and service connectivity status. Requires features: configs.system_status.view

Responses

200System status snapshot

Content-Type: application/json

{
  "generatedAt": "string",
  "runtimeMode": "development",
  "categories": [
    {
      "key": "profiling",
      "labelKey": "string",
      "descriptionKey": null,
      "items": [
        {
          "key": "string",
          "category": "profiling",
          "kind": "boolean",
          "labelKey": "string",
          "descriptionKey": "string",
          "docUrl": null,
          "defaultValue": null,
          "state": "enabled",
          "value": null,
          "normalizedValue": null
        }
      ]
    }
  ]
}

500Failed to load system status

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/configs/system-status" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/configs/system-status

Auth requiredconfigs.manage

Clear system cache

Purges the entire cache for the current tenant. Useful for troubleshooting or forcing fresh data loading. Requires features: configs.manage

Responses

200Cache cleared successfully

Content-Type: application/json

{
  "cleared": true
}

500Failed to purge cache

Content-Type: application/json

{
  "error": "string"
}

503Cache service unavailable

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/configs/system-status" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/configs/upgrade-actions

Auth requiredconfigs.manage

List pending upgrade actions

Returns a list of pending upgrade actions for the current version. These are one-time setup tasks that need to be executed after upgrading to a new version. Requires organization and tenant context. Requires features: configs.manage

Responses

200List of pending upgrade actions

Content-Type: application/json

{
  "version": "string",
  "actions": [
    {
      "id": "string",
      "version": "string",
      "message": "string",
      "ctaLabel": "string",
      "successMessage": "string",
      "loadingLabel": "string"
    }
  ]
}

400Missing organization or tenant context

Content-Type: application/json

{
  "error": "string"
}

500Failed to load upgrade actions

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/configs/upgrade-actions" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/configs/upgrade-actions

Auth requiredconfigs.manage

Execute upgrade action

Executes a specific upgrade action by ID. Typically used for one-time setup tasks like seeding example data after version upgrade. Returns execution status and localized success message. Requires features: configs.manage

Request body (application/json)

{
  "actionId": "string"
}

Responses

200Upgrade action executed successfully

Content-Type: application/json

{
  "status": "string",
  "message": "string",
  "version": "string"
}

400Invalid request body or missing context

Content-Type: application/json

{
  "error": "string"
}

500Failed to execute upgrade action

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/configs/upgrade-actions" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"actionId\": \"string\"
}"

Customer Accounts Admin

Showing 15 of 15 endpoints

GET/customer_accounts/admin/roles

List customer roles (admin)

Returns all customer roles for the tenant.

Responses

200Role list

Content-Type: application/json

{
  "ok": true,
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "name": "string",
      "slug": "string",
      "description": null,
      "isDefault": true,
      "isSystem": true,
      "customerAssignable": true,
      "createdAt": "string"
    }
  ],
  "total": 1,
  "totalPages": 1,
  "page": 1
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/admin/roles" \
  -H "Accept: application/json"

POST/customer_accounts/admin/roles

Create customer role (admin)

Creates a new customer role with an empty ACL.

Request body (application/json)

{
  "name": "string",
  "slug": "string"
}

Responses

201Role created

Content-Type: application/json

{
  "ok": true,
  "role": {
    "id": "00000000-0000-4000-8000-000000000000",
    "name": "string",
    "slug": "string",
    "description": null,
    "isDefault": true,
    "isSystem": true,
    "customerAssignable": true,
    "createdAt": "string"
  }
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

409Slug already exists

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/admin/roles" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"name\": \"string\",
  \"slug\": \"string\"
}"

GET/customer_accounts/admin/roles/{id}

Get customer role detail (admin)

Returns full customer role details including ACL features.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Role detail with ACL

Content-Type: application/json

{
  "ok": true,
  "role": {
    "id": "00000000-0000-4000-8000-000000000000",
    "name": "string",
    "slug": "string",
    "description": null,
    "isDefault": true,
    "isSystem": true,
    "customerAssignable": true,
    "createdAt": "string",
    "updatedAt": null,
    "acl": {
      "features": [
        "string"
      ],
      "isPortalAdmin": true
    }
  }
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404Role not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/admin/roles/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json"

PUT/customer_accounts/admin/roles/{id}

Update customer role (admin)

Updates a customer role. System roles are protected from name changes.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{}

Responses

200Role updated

Content-Type: application/json

{
  "ok": true
}

400Validation failed or system role restriction

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404Role not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/customer_accounts/admin/roles/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{}"

DELETE/customer_accounts/admin/roles/{id}

Delete customer role (admin)

Soft deletes a customer role and its ACL. System roles and roles with assigned users cannot be deleted.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Role deleted

Content-Type: application/json

{
  "ok": true
}

400System role or has assigned users

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404Role not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/customer_accounts/admin/roles/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json"

PUT/customer_accounts/admin/roles/{id}/acl

Update customer role ACL (admin)

Updates the ACL (features and portal admin flag) for a customer role. Invalidates RBAC cache after update.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{
  "features": [
    "string"
  ]
}

Responses

200ACL updated

Content-Type: application/json

{
  "ok": true
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404Role not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/customer_accounts/admin/roles/00000000-0000-4000-8000-000000000000/acl" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"features\": [
    \"string\"
  ]
}"

GET/customer_accounts/admin/users

List customer users (admin)

Returns a paginated list of customer users with roles. Supports filtering by status, company, role, and search.

Parameters

Name	In	Required	Schema	Description
page	query	No	any	—
pageSize	query	No	any	—
status	query	No	any	—
customerEntityId	query	No	any	—
roleId	query	No	any	—
search	query	No	any	—

Responses

200Paginated user list

Content-Type: application/json

{
  "ok": true,
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "email": "string",
      "displayName": "string",
      "emailVerified": true,
      "isActive": true,
      "lockedUntil": null,
      "lastLoginAt": null,
      "customerEntityId": null,
      "personEntityId": null,
      "createdAt": "string",
      "roles": [
        {
          "id": "00000000-0000-4000-8000-000000000000",
          "name": "string",
          "slug": "string"
        }
      ]
    }
  ],
  "total": 1,
  "totalPages": 1,
  "page": 1
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/admin/users" \
  -H "Accept: application/json"

POST/customer_accounts/admin/users

Create customer user (admin)

Creates a new customer user directly. Staff-initiated, bypasses signup flow.

Request body (application/json)

{
  "email": "user@example.com",
  "password": "string",
  "displayName": "string"
}

Responses

201User created

Content-Type: application/json

{
  "ok": true,
  "user": {
    "id": "00000000-0000-4000-8000-000000000000",
    "email": "string",
    "displayName": "string"
  }
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

409Email already exists

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/admin/users" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"email\": \"user@example.com\",
  \"password\": \"string\",
  \"displayName\": \"string\"
}"

POST/customer_accounts/admin/users-invite

Invite customer user (admin)

Creates a staff-initiated invitation for a new customer user. The invitedByUserId is set from the staff auth context.

Request body (application/json)

{
  "email": "user@example.com",
  "roleIds": [
    "00000000-0000-4000-8000-000000000000"
  ]
}

Responses

201Invitation created

Content-Type: application/json

{
  "ok": true,
  "invitation": {
    "id": "00000000-0000-4000-8000-000000000000",
    "email": "string",
    "expiresAt": "string"
  }
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/admin/users-invite" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"email\": \"user@example.com\",
  \"roleIds\": [
    \"00000000-0000-4000-8000-000000000000\"
  ]
}"

GET/customer_accounts/admin/users/{id}

Get customer user detail (admin)

Returns full customer user details including CRM links, roles, and active session count.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200User detail

Content-Type: application/json

{
  "ok": true,
  "user": {
    "id": "00000000-0000-4000-8000-000000000000",
    "email": "string",
    "displayName": "string",
    "emailVerified": true,
    "isActive": true,
    "lockedUntil": null,
    "lastLoginAt": null,
    "failedLoginAttempts": 1,
    "customerEntityId": null,
    "personEntityId": null,
    "createdAt": "string",
    "updatedAt": null,
    "roles": [
      {
        "id": "00000000-0000-4000-8000-000000000000",
        "name": "string",
        "slug": "string"
      }
    ],
    "activeSessionCount": 1
  }
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404User not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/admin/users/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json"

PUT/customer_accounts/admin/users/{id}

Update customer user (admin)

Updates a customer user. Staff can update status, lock, CRM links, and roles. Role assignment bypasses customer_assignable check.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{
  "lockedUntil": null,
  "personEntityId": null,
  "customerEntityId": null
}

Responses

200User updated

Content-Type: application/json

{
  "ok": true
}

400Validation failed or role not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404User not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/customer_accounts/admin/users/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"lockedUntil\": null,
  \"personEntityId\": null,
  \"customerEntityId\": null
}"

DELETE/customer_accounts/admin/users/{id}

Delete customer user (admin)

Soft deletes a customer user and revokes all their active sessions.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200User deleted

Content-Type: application/json

{
  "ok": true
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404User not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/customer_accounts/admin/users/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json"

POST/customer_accounts/admin/users/{id}/reset-password

Reset customer user password (admin)

Allows staff to set a new password for a customer user.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{
  "newPassword": "string"
}

Responses

200Password reset

Content-Type: application/json

{
  "ok": true
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404User not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/admin/users/00000000-0000-4000-8000-000000000000/reset-password" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"newPassword\": \"string\"
}"

POST/customer_accounts/admin/users/{id}/send-reset-link

Send password reset link for customer user (admin)

Creates a password reset token for a customer user and returns a reset link URL. The admin must prepend the appropriate portal domain/slug to the relative URL.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Reset link generated

Content-Type: application/json

{
  "ok": true,
  "resetLink": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404User not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/admin/users/00000000-0000-4000-8000-000000000000/send-reset-link" \
  -H "Accept: application/json"

POST/customer_accounts/admin/users/{id}/verify-email

Verify customer user email (admin)

Allows staff to manually mark a customer user email as verified.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Email verified

Content-Type: application/json

{
  "ok": true
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404User not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/admin/users/00000000-0000-4000-8000-000000000000/verify-email" \
  -H "Accept: application/json"

Customer Authentication

Showing 8 of 8 endpoints

POST/customer_accounts/email/verify

Verify customer email address

Validates the email verification token and marks the email as verified.

Request body (application/json)

{
  "token": "string"
}

Responses

200Email verified

Content-Type: application/json

{
  "ok": true
}

400Invalid or expired token

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/email/verify" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"token\": \"string\"
}"

POST/customer_accounts/invitations/accept

Accept customer invitation

Accepts an invitation, creates the user account, assigns roles, and auto-logs in.

Request body (application/json)

{
  "token": "string",
  "password": "string",
  "displayName": "string"
}

Responses

201Invitation accepted and user created

Content-Type: application/json

{
  "ok": true,
  "user": {
    "id": "00000000-0000-4000-8000-000000000000",
    "email": "user@example.com",
    "displayName": "string",
    "emailVerified": true
  },
  "resolvedFeatures": [
    "string"
  ]
}

400Invalid or expired invitation

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/invitations/accept" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"token\": \"string\",
  \"password\": \"string\",
  \"displayName\": \"string\"
}"

POST/customer_accounts/login

Authenticate customer credentials

Validates customer credentials and issues JWT + session cookies.

Request body (application/json)

{
  "email": "user@example.com",
  "password": "string"
}

Responses

200Login successful

Content-Type: application/json

{
  "ok": true,
  "user": {
    "id": "00000000-0000-4000-8000-000000000000",
    "email": "user@example.com",
    "displayName": "string",
    "emailVerified": true
  },
  "resolvedFeatures": [
    "string"
  ]
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Invalid credentials

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

423Account locked

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

429Too many login attempts

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/login" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"email\": \"user@example.com\",
  \"password\": \"string\"
}"

POST/customer_accounts/magic-link/request

Request magic link login

Sends a magic link to the customer email. Always returns 200 to prevent enumeration.

Request body (application/json)

{
  "email": "user@example.com"
}

Responses

200Request accepted

Content-Type: application/json

{
  "ok": true
}

429Too many requests

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/magic-link/request" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"email\": \"user@example.com\"
}"

POST/customer_accounts/magic-link/verify

Verify magic link token

Validates the magic link token, auto-verifies email, and creates a session.

Request body (application/json)

{
  "token": "string"
}

Responses

200Login successful

Content-Type: application/json

{
  "ok": true,
  "user": {
    "id": "00000000-0000-4000-8000-000000000000",
    "email": "user@example.com",
    "displayName": "string",
    "emailVerified": true
  },
  "resolvedFeatures": [
    "string"
  ]
}

400Invalid or expired token

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Account not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/magic-link/verify" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"token\": \"string\"
}"

POST/customer_accounts/password/reset-confirm

Confirm customer password reset

Validates the reset token and sets a new password. Revokes all existing sessions.

Request body (application/json)

{
  "token": "string",
  "password": "string"
}

Responses

200Password reset successful

Content-Type: application/json

{
  "ok": true
}

400Invalid or expired token

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/password/reset-confirm" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"token\": \"string\",
  \"password\": \"string\"
}"

POST/customer_accounts/password/reset-request

Request customer password reset

Initiates a password reset flow. Always returns 200 to prevent email enumeration.

Request body (application/json)

{
  "email": "user@example.com"
}

Responses

200Request accepted

Content-Type: application/json

{
  "ok": true
}

429Too many requests

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/password/reset-request" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"email\": \"user@example.com\"
}"

POST/customer_accounts/signup

Register a new customer account

Accepts a signup request and always returns 202 to prevent account enumeration.

Request body (application/json)

{
  "email": "user@example.com",
  "password": "string",
  "displayName": "string"
}

Responses

202Signup accepted

Content-Type: application/json

{
  "ok": true
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

429Too many signup attempts

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/signup" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"email\": \"user@example.com\",
  \"password\": \"string\",
  \"displayName\": \"string\"
}"

Customer Portal

Showing 18 of 18 endpoints

GET/customer_accounts/portal/events/stream

Subscribe to portal events via SSE (Portal Event Bridge)

Long-lived SSE connection that receives server-side events marked with portalBroadcast: true. Events are filtered by the customer's tenant and organization.

Responses

200Event stream (text/event-stream)

Content-Type: application/json

"string"

401Not authenticated

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/portal/events/stream" \
  -H "Accept: application/json"

POST/customer_accounts/portal/feature-check

Check customer portal feature access

Checks which of the requested features the authenticated customer user has. Used by portal menu injection for feature-gating.

Request body (application/json)

{
  "features": [
    "string"
  ]
}

Responses

200Feature check result

Content-Type: application/json

{
  "ok": true,
  "granted": [
    "string"
  ]
}

400Invalid request

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/portal/feature-check" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"features\": [
    \"string\"
  ]
}"

POST/customer_accounts/portal/logout

Customer logout

Revokes the current session and clears authentication cookies.

Responses

200Logged out

Content-Type: application/json

{
  "ok": true
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/portal/logout" \
  -H "Accept: application/json"

GET/customer_accounts/portal/notifications

List customer notifications

Returns paginated notifications for the authenticated customer user. Dismissed notifications are excluded by default unless ?status=dismissed is specified.

Responses

200Notification list

Content-Type: application/json

{
  "ok": true,
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "type": "string",
      "title": "string",
      "body": null,
      "titleKey": null,
      "bodyKey": null,
      "titleVariables": null,
      "bodyVariables": null,
      "icon": null,
      "severity": "info",
      "status": "unread",
      "actions": [
        {
          "id": "string",
          "label": "string"
        }
      ],
      "sourceModule": null,
      "sourceEntityType": null,
      "sourceEntityId": null,
      "linkHref": null,
      "createdAt": "string",
      "readAt": null,
      "actionTaken": null
    }
  ],
  "total": 1,
  "page": 1,
  "pageSize": 1
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/portal/notifications" \
  -H "Accept: application/json"

PUT/customer_accounts/portal/notifications/{id}/dismiss

Dismiss notification

Dismisses a single notification for the authenticated customer user.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Notification dismissed

Content-Type: application/json

{
  "ok": true
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404Notification not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/customer_accounts/portal/notifications/00000000-0000-4000-8000-000000000000/dismiss" \
  -H "Accept: application/json"

PUT/customer_accounts/portal/notifications/{id}/read

Mark notification as read

Marks a single notification as read for the authenticated customer user.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Notification marked as read

Content-Type: application/json

{
  "ok": true
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404Notification not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/customer_accounts/portal/notifications/00000000-0000-4000-8000-000000000000/read" \
  -H "Accept: application/json"

PUT/customer_accounts/portal/notifications/mark-all-read

Mark all notifications as read

Marks all unread notifications as read for the authenticated customer user.

Responses

200All notifications marked as read

Content-Type: application/json

{
  "ok": true,
  "count": 1
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/customer_accounts/portal/notifications/mark-all-read" \
  -H "Accept: application/json"

GET/customer_accounts/portal/notifications/unread-count

Get unread notification count

Returns the number of unread notifications for the authenticated customer user.

Responses

200Unread count

Content-Type: application/json

{
  "ok": true,
  "unreadCount": 1
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/portal/notifications/unread-count" \
  -H "Accept: application/json"

POST/customer_accounts/portal/password-change

Change customer password

Changes the authenticated customer user password after verifying the current password.

Request body (application/json)

{
  "currentPassword": "string",
  "newPassword": "string"
}

Responses

200Password changed

Content-Type: application/json

{
  "ok": true
}

400Current password incorrect or validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/portal/password-change" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"currentPassword\": \"string\",
  \"newPassword\": \"string\"
}"

GET/customer_accounts/portal/profile

Get customer profile

Returns the authenticated customer user profile with roles and permissions.

Responses

200Profile data

Content-Type: application/json

{
  "ok": true,
  "user": {
    "id": "00000000-0000-4000-8000-000000000000",
    "email": "string",
    "displayName": "string",
    "emailVerified": true,
    "customerEntityId": null,
    "personEntityId": null,
    "isActive": true,
    "lastLoginAt": null,
    "createdAt": "string"
  },
  "roles": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "name": "string",
      "slug": "string"
    }
  ],
  "resolvedFeatures": [
    "string"
  ],
  "isPortalAdmin": true
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/portal/profile" \
  -H "Accept: application/json"

PUT/customer_accounts/portal/profile

Update customer profile

Updates the authenticated customer user profile.

Request body (application/json)

{}

Responses

200Profile updated

Content-Type: application/json

{
  "ok": true,
  "user": {
    "id": "00000000-0000-4000-8000-000000000000",
    "email": "string",
    "displayName": "string"
  }
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/customer_accounts/portal/profile" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{}"

GET/customer_accounts/portal/sessions

List customer sessions

Returns active sessions for the authenticated customer user.

Responses

200Session list

Content-Type: application/json

{
  "ok": true,
  "sessions": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "ipAddress": null,
      "userAgent": null,
      "lastUsedAt": null,
      "createdAt": "string",
      "expiresAt": "string",
      "isCurrent": true
    }
  ]
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/portal/sessions" \
  -H "Accept: application/json"

POST/customer_accounts/portal/sessions-refresh

Refresh customer JWT from session token

Uses the session cookie to issue a fresh JWT access token.

Responses

200Token refreshed

Content-Type: application/json

{
  "ok": true,
  "resolvedFeatures": [
    "string"
  ]
}

401Invalid session

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/portal/sessions-refresh" \
  -H "Accept: application/json"

DELETE/customer_accounts/portal/sessions/{id}

Revoke a customer session

Revokes a specific session (not the current one).

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Session revoked

Content-Type: application/json

{
  "ok": true
}

400Cannot revoke current session

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404Session not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/customer_accounts/portal/sessions/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json"

GET/customer_accounts/portal/users

List company portal users

Lists portal users associated with the same company. Paginated (default pageSize 25, max 100).

Parameters

Name	In	Required	Schema	Description
page	query	No	any	—
pageSize	query	No	any	—

Responses

200Paginated user list

Content-Type: application/json

{
  "ok": true,
  "users": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "email": "string",
      "displayName": "string",
      "emailVerified": true,
      "isActive": true,
      "lastLoginAt": null,
      "createdAt": "string",
      "roles": [
        {
          "id": "00000000-0000-4000-8000-000000000000",
          "name": "string",
          "slug": "string"
        }
      ]
    }
  ],
  "total": 1,
  "totalPages": 1,
  "page": 1,
  "pageSize": 1
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/customer_accounts/portal/users" \
  -H "Accept: application/json"

POST/customer_accounts/portal/users-invite

Invite a user to the company portal

Creates an invitation for a new user to join the company portal.

Request body (application/json)

{
  "email": "user@example.com",
  "roleIds": [
    "00000000-0000-4000-8000-000000000000"
  ]
}

Responses

201Invitation created

Content-Type: application/json

{
  "ok": true,
  "invitation": {
    "id": "00000000-0000-4000-8000-000000000000",
    "email": "string",
    "expiresAt": "string"
  }
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions or non-assignable role

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/customer_accounts/portal/users-invite" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"email\": \"user@example.com\",
  \"roleIds\": [
    \"00000000-0000-4000-8000-000000000000\"
  ]
}"

DELETE/customer_accounts/portal/users/{id}

Delete a company portal user

Soft deletes a portal user and revokes all their sessions.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200User deleted

Content-Type: application/json

{
  "ok": true
}

400Cannot delete self

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404User not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/customer_accounts/portal/users/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json"

PUT/customer_accounts/portal/users/{id}/roles

Update portal user roles

Assigns new roles to a company portal user.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{
  "roleIds": [
    "00000000-0000-4000-8000-000000000000"
  ]
}

Responses

200Roles updated

Content-Type: application/json

{
  "ok": true
}

400Validation failed

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

401Not authenticated

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

404User not found

Content-Type: application/json

{
  "ok": false,
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/customer_accounts/portal/users/00000000-0000-4000-8000-000000000000/roles" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"roleIds\": [
    \"00000000-0000-4000-8000-000000000000\"
  ]
}"

Dashboards

Showing 9 of 9 endpoints

GET/dashboards/layout

Auth requireddashboards.view

Load the current dashboard layout

Returns the saved widget layout together with the widgets the current user is allowed to place. Requires features: dashboards.view

Responses

200Current dashboard layout and available widgets.

Content-Type: application/json

{
  "layout": {
    "items": [
      {
        "id": "00000000-0000-4000-8000-000000000000",
        "widgetId": "string",
        "order": 1
      }
    ]
  },
  "allowedWidgetIds": [
    "string"
  ],
  "canConfigure": true,
  "context": {
    "userId": "00000000-0000-4000-8000-000000000000",
    "tenantId": null,
    "organizationId": null,
    "userName": null,
    "userEmail": null,
    "userLabel": "string"
  },
  "widgets": [
    {
      "id": "string",
      "title": "string",
      "description": null,
      "defaultSize": "sm",
      "defaultEnabled": true,
      "defaultSettings": null,
      "features": [
        "string"
      ],
      "moduleId": "string",
      "icon": null,
      "loaderKey": "string",
      "supportsRefresh": true
    }
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/dashboards/layout" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/dashboards/layout

Auth requireddashboards.configure

Persist dashboard layout changes

Saves the provided widget ordering, sizes, and settings for the current user. Requires features: dashboards.configure

Request body (application/json)

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "widgetId": "string",
      "order": 1
    }
  ]
}

Responses

200Layout updated successfully.

Content-Type: application/json

{
  "ok": true
}

400Invalid layout payload

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/dashboards/layout" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"items\": [
    {
      \"id\": \"00000000-0000-4000-8000-000000000000\",
      \"widgetId\": \"string\",
      \"order\": 1
    }
  ]
}"

PATCH/dashboards/layout/{itemId}

Auth requireddashboards.configure

Update a dashboard layout item

Adjusts the size or settings for a single widget within the dashboard layout. Requires features: dashboards.configure

Parameters

Name	In	Required	Schema	Description
itemId	path	Yes	any	—

Request body (application/json)

{}

Responses

200Layout item updated.

Content-Type: application/json

{
  "ok": true
}

400Invalid payload or missing item id

Content-Type: application/json

{
  "error": "string"
}

404Item not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PATCH "https://mercato-pr-97.tournee.io/dashboards/layout/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{}"

GET/dashboards/roles/widgets

Auth requireddashboards.admin.assign-widgets

Fetch widget assignments for a role

Returns the widgets explicitly assigned to the given role together with the evaluation scope. Requires features: dashboards.admin.assign-widgets

Parameters

Name	In	Required	Schema	Description
roleId	query	Yes	any	—
tenantId	query	No	any	—
organizationId	query	No	any	—

Responses

200Current widget configuration for the role.

Content-Type: application/json

{
  "widgetIds": [
    "string"
  ],
  "hasCustom": true,
  "scope": {
    "tenantId": null,
    "organizationId": null
  }
}

400Missing role identifier

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/dashboards/roles/widgets?roleId=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/dashboards/roles/widgets

Auth requireddashboards.admin.assign-widgets

Update widgets assigned to a role

Persists the widget list for a role within the provided tenant and organization scope. Requires features: dashboards.admin.assign-widgets

Request body (application/json)

{
  "roleId": "00000000-0000-4000-8000-000000000000",
  "widgetIds": [
    "string"
  ]
}

Responses

200Widgets updated successfully.

Content-Type: application/json

{
  "ok": true,
  "widgetIds": [
    "string"
  ]
}

400Invalid payload or unknown widgets

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/dashboards/roles/widgets" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"roleId\": \"00000000-0000-4000-8000-000000000000\",
  \"widgetIds\": [
    \"string\"
  ]
}"

GET/dashboards/users/widgets

Auth requireddashboards.admin.assign-widgets

Read widget overrides for a user

Returns the widgets inherited and explicitly configured for the requested user within the current scope. Requires features: dashboards.admin.assign-widgets

Parameters

Name	In	Required	Schema	Description
userId	query	Yes	any	—
tenantId	query	No	any	—
organizationId	query	No	any	—

Responses

200Widget settings for the user.

Content-Type: application/json

{
  "mode": "inherit",
  "widgetIds": [
    "string"
  ],
  "hasCustom": true,
  "effectiveWidgetIds": [
    "string"
  ],
  "scope": {
    "tenantId": null,
    "organizationId": null
  }
}

400Missing user identifier

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/dashboards/users/widgets?userId=00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/dashboards/users/widgets

Auth requireddashboards.admin.assign-widgets

Update user-specific dashboard widgets

Sets the widget override mode and allowed widgets for a user. Passing `mode: inherit` clears overrides. Requires features: dashboards.admin.assign-widgets

Request body (application/json)

{
  "userId": "00000000-0000-4000-8000-000000000000",
  "mode": "inherit",
  "widgetIds": [
    "string"
  ]
}

Responses

200Overrides saved.

Content-Type: application/json

{
  "ok": true,
  "mode": "inherit",
  "widgetIds": [
    "string"
  ]
}

400Invalid payload or unknown widgets

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/dashboards/users/widgets" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"userId\": \"00000000-0000-4000-8000-000000000000\",
  \"mode\": \"inherit\",
  \"widgetIds\": [
    \"string\"
  ]
}"

GET/dashboards/widgets/catalog

Auth requireddashboards.admin.assign-widgets

List available dashboard widgets

Returns the catalog of widgets that modules expose, including defaults and feature requirements. Requires features: dashboards.admin.assign-widgets

Responses

200Widgets available for assignment.

Content-Type: application/json

{
  "items": [
    {
      "id": "string",
      "title": "string",
      "description": null,
      "defaultSize": "sm",
      "defaultEnabled": true,
      "defaultSettings": null,
      "features": [
        "string"
      ],
      "moduleId": "string",
      "icon": null,
      "loaderKey": "string",
      "supportsRefresh": true
    }
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/dashboards/widgets/catalog" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/dashboards/widgets/data

Auth requiredanalytics.view

Fetch aggregated data for dashboard widgets

Executes an aggregation query against the specified entity type and returns the result. Supports date range filtering, grouping, and period-over-period comparison. Requires features: analytics.view

Request body (application/json)

{
  "entityType": "string",
  "metric": {
    "field": "string",
    "aggregate": "count"
  }
}

Responses

200Aggregated data for the widget.

Content-Type: application/json

{
  "value": null,
  "data": [
    {
      "value": null
    }
  ],
  "metadata": {
    "fetchedAt": "string",
    "recordCount": 1
  }
}

400Invalid request payload

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/dashboards/widgets/data" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityType\": \"string\",
  \"metric\": {
    \"field\": \"string\",
    \"aggregate\": \"count\"
  }
}"

Dictionaries

Showing 9 of 9 endpoints

GET/dictionaries

Auth requireddictionaries.view

List dictionaries

Returns dictionaries accessible to the current organization, optionally including inactive records. Requires features: dictionaries.view

Parameters

Name	In	Required	Schema	Description
includeInactive	query	No	any	—

Responses

200Dictionary collection.

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "key": "string",
      "name": "string",
      "description": null,
      "isSystem": true,
      "isActive": true,
      "managerVisibility": null,
      "organizationId": null,
      "createdAt": "string",
      "updatedAt": null
    }
  ]
}

500Failed to load dictionaries

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/dictionaries" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/dictionaries

Auth requireddictionaries.manage

Create dictionary

Registers a dictionary scoped to the current organization. Requires features: dictionaries.manage

Request body (application/json)

{
  "key": "string",
  "name": "string"
}

Responses

201Dictionary created.

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000",
  "key": "string",
  "name": "string",
  "description": null,
  "isSystem": true,
  "isActive": true,
  "managerVisibility": null,
  "organizationId": null,
  "createdAt": "string",
  "updatedAt": null
}

400Validation failed

Content-Type: application/json

{
  "error": "string"
}

409Dictionary key already exists

Content-Type: application/json

{
  "error": "string"
}

500Failed to create dictionary

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/dictionaries" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"key\": \"string\",
  \"name\": \"string\"
}"

GET/dictionaries/{dictionaryId}

Auth requireddictionaries.view

Get dictionary

Returns details for the specified dictionary, including inheritance flags. Requires features: dictionaries.view

Parameters

Name	In	Required	Schema	Description
dictionaryId	path	Yes	any	—

Responses

200Dictionary details.

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000",
  "key": "string",
  "name": "string",
  "description": null,
  "isSystem": true,
  "isActive": true,
  "managerVisibility": null,
  "organizationId": null,
  "createdAt": "string",
  "updatedAt": null
}

400Invalid parameters

Content-Type: application/json

{
  "error": "string"
}

404Dictionary not found

Content-Type: application/json

{
  "error": "string"
}

500Failed to load dictionary

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/dictionaries/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PATCH/dictionaries/{dictionaryId}

Auth requireddictionaries.manage

Update dictionary

Updates mutable attributes of the dictionary. Currency dictionaries are protected from modification. Requires features: dictionaries.manage

Parameters

Name	In	Required	Schema	Description
dictionaryId	path	Yes	any	—

Request body (application/json)

{}

Responses

200Dictionary updated.

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000",
  "key": "string",
  "name": "string",
  "description": null,
  "isSystem": true,
  "isActive": true,
  "managerVisibility": null,
  "organizationId": null,
  "createdAt": "string",
  "updatedAt": null
}

400Validation failed or protected dictionary

Content-Type: application/json

{
  "error": "string"
}

404Dictionary not found

Content-Type: application/json

{
  "error": "string"
}

409Dictionary key already exists

Content-Type: application/json

{
  "error": "string"
}

500Failed to update dictionary

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PATCH "https://mercato-pr-97.tournee.io/dictionaries/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{}"

DELETE/dictionaries/{dictionaryId}

Auth requireddictionaries.manage

Delete dictionary

Soft deletes the dictionary unless it is the protected currency dictionary. Requires features: dictionaries.manage

Parameters

Name	In	Required	Schema	Description
dictionaryId	path	Yes	any	—

Responses

200Dictionary archived.

Content-Type: application/json

{
  "ok": true
}

400Protected dictionary cannot be deleted

Content-Type: application/json

{
  "error": "string"
}

404Dictionary not found

Content-Type: application/json

{
  "error": "string"
}

500Failed to delete dictionary

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/dictionaries/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/dictionaries/{dictionaryId}/entries

Auth requireddictionaries.view

List dictionary entries

Returns entries for the specified dictionary ordered alphabetically. Requires features: dictionaries.view

Parameters

Name	In	Required	Schema	Description
dictionaryId	path	Yes	any	—

Responses

200Dictionary entries.

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "value": "string",
      "label": "string",
      "color": null,
      "icon": null,
      "createdAt": "string",
      "updatedAt": null
    }
  ]
}

400Invalid parameters

Content-Type: application/json

{
  "error": "string"
}

404Dictionary not found

Content-Type: application/json

{
  "error": "string"
}

500Failed to load dictionary entries

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/dictionaries/00000000-0000-4000-8000-000000000000/entries" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/dictionaries/{dictionaryId}/entries

Auth requireddictionaries.manage

Create dictionary entry

Creates a new entry in the specified dictionary. Requires features: dictionaries.manage

Parameters

Name	In	Required	Schema	Description
dictionaryId	path	Yes	any	—

Request body (application/json)

{
  "value": "string",
  "color": null,
  "icon": null
}

Responses

201Dictionary entry created.

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000",
  "value": "string",
  "label": "string",
  "color": null,
  "icon": null,
  "createdAt": "string",
  "updatedAt": null
}

400Validation failed

Content-Type: application/json

{
  "error": "string"
}

404Dictionary not found

Content-Type: application/json

{
  "error": "string"
}

500Failed to create dictionary entry

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/dictionaries/00000000-0000-4000-8000-000000000000/entries" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"value\": \"string\",
  \"color\": null,
  \"icon\": null
}"

PATCH/dictionaries/{dictionaryId}/entries/{entryId}

Auth requireddictionaries.manage

Update dictionary entry

Updates the specified dictionary entry using the command bus pipeline. Requires features: dictionaries.manage

Parameters

Name	In	Required	Schema	Description
dictionaryId	path	Yes	any	—
entryId	path	Yes	any	—

Request body (application/json)

{
  "color": null,
  "icon": null
}

Responses

200Dictionary entry updated.

Content-Type: application/json

{
  "id": "00000000-0000-4000-8000-000000000000",
  "value": "string",
  "label": "string",
  "color": null,
  "icon": null,
  "createdAt": "string",
  "updatedAt": null
}

400Validation failed

Content-Type: application/json

{
  "error": "string"
}

404Dictionary or entry not found

Content-Type: application/json

{
  "error": "string"
}

500Failed to update entry

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PATCH "https://mercato-pr-97.tournee.io/dictionaries/00000000-0000-4000-8000-000000000000/entries/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"color\": null,
  \"icon\": null
}"

DELETE/dictionaries/{dictionaryId}/entries/{entryId}

Auth requireddictionaries.manage

Delete dictionary entry

Deletes the specified dictionary entry via the command bus. Requires features: dictionaries.manage

Parameters

Name	In	Required	Schema	Description
dictionaryId	path	Yes	any	—
entryId	path	Yes	any	—

Responses

200Entry deleted.

Content-Type: application/json

{
  "ok": true
}

400Validation failed

Content-Type: application/json

{
  "error": "string"
}

404Dictionary or entry not found

Content-Type: application/json

{
  "error": "string"
}

500Failed to delete entry

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/dictionaries/00000000-0000-4000-8000-000000000000/entries/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Entities

Showing 17 of 17 endpoints

GET/entities/definitions

Auth required

List active custom field definitions

Returns active custom field definitions for the supplied entity ids, respecting tenant scope and tombstones.

Parameters

Name	In	Required	Schema	Description
entityId	query	No	any	—
entityIds	query	No	any	—
fieldset	query	No	any	—

Responses

200Definition list

Content-Type: application/json

{
  "items": [
    {
      "key": "string",
      "kind": "string",
      "label": "string",
      "entityId": "string"
    }
  ]
}

400Missing entity id

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/entities/definitions" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/entities/definitions

Auth requiredentities.definitions.manage

Upsert custom field definition

Creates or updates a custom field definition for the current tenant/org scope. Requires features: entities.definitions.manage

Request body (application/json)

{
  "entityId": "string",
  "key": "string",
  "kind": "text"
}

Responses

200Definition saved

Content-Type: application/json

{
  "ok": true,
  "item": {
    "id": "00000000-0000-4000-8000-000000000000",
    "key": "string",
    "kind": "string",
    "configJson": {}
  }
}

400Validation failed

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/entities/definitions" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"key\": \"string\",
  \"kind\": \"text\"
}"

DELETE/entities/definitions

Auth requiredentities.definitions.manage

Soft delete custom field definition

Marks the specified definition inactive and tombstones it for the current scope. Requires features: entities.definitions.manage

Request body (application/json)

{
  "entityId": "string",
  "key": "string"
}

Responses

200Definition deleted

Content-Type: application/json

{
  "ok": true
}

400Missing entity id or key

Content-Type: application/json

{
  "error": "string"
}

404Definition not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/entities/definitions" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"key\": \"string\"
}"

POST/entities/definitions.batch

Auth requiredentities.definitions.manage

Save multiple custom field definitions

Creates or updates multiple definitions for a single entity in one transaction. Requires features: entities.definitions.manage

Request body (application/json)

{
  "entityId": "string",
  "definitions": [
    {
      "key": "string",
      "kind": "text"
    }
  ]
}

Responses

200Definitions saved

Content-Type: application/json

{
  "ok": true
}

400Validation error

Content-Type: application/json

{
  "error": "string"
}

500Unexpected failure

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/entities/definitions.batch" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"definitions\": [
    {
      \"key\": \"string\",
      \"kind\": \"text\"
    }
  ]
}"

GET/entities/definitions.manage

Auth requiredentities.definitions.manage

Get management snapshot

Returns scoped custom field definitions (including inactive tombstones) for administration interfaces. Requires features: entities.definitions.manage

Parameters

Name	In	Required	Schema	Description
entityId	query	Yes	any	—

Responses

200Scoped definitions and deleted keys

Content-Type: application/json

{
  "items": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "key": "string",
      "kind": "string",
      "configJson": null,
      "organizationId": null,
      "tenantId": null
    }
  ],
  "deletedKeys": [
    "string"
  ]
}

400Missing entity id

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/entities/definitions.manage?entityId=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/entities/definitions.restore

Auth requiredentities.definitions.manage

Restore definition

Reactivates a previously soft-deleted definition within the current tenant/org scope. Requires features: entities.definitions.manage

Request body (application/json)

{
  "entityId": "string",
  "key": "string"
}

Responses

200Definition restored

Content-Type: application/json

{
  "ok": true
}

400Missing entity id or key

Content-Type: application/json

{
  "error": "string"
}

404Definition not found

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/entities/definitions.restore" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"key\": \"string\"
}"

GET/entities/encryption

Auth requiredentities.definitions.manage

Fetch encryption map

Returns the encrypted field map for the current tenant/organization scope. Requires features: entities.definitions.manage

Parameters

Name	In	Required	Schema	Description
entityId	query	Yes	any	—

Responses

200Map

Content-Type: application/json

{
  "entityId": "string",
  "fields": [
    {
      "field": "string",
      "hashField": null
    }
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/entities/encryption?entityId=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/entities/encryption

Auth requiredentities.definitions.manage

Upsert encryption map

Creates or updates the encryption map for the current tenant/organization scope. Requires features: entities.definitions.manage

Request body (application/json)

{
  "entityId": "string",
  "tenantId": null,
  "organizationId": null,
  "fields": [
    {
      "field": "string",
      "hashField": null
    }
  ]
}

Responses

200Saved

Content-Type: application/json

{
  "ok": true
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/entities/encryption" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"tenantId\": null,
  \"organizationId\": null,
  \"fields\": [
    {
      \"field\": \"string\",
      \"hashField\": null
    }
  ]
}"

GET/entities/entities

Auth required

List available entities

Returns generated and custom entities scoped to the caller with field counts per entity.

Responses

200List of entities

Content-Type: application/json

{
  "items": [
    {
      "entityId": "string",
      "source": "code",
      "label": "string",
      "count": 1
    }
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/entities/entities" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/entities/entities

Auth requiredentities.definitions.manage

Upsert custom entity

Creates or updates a tenant/org scoped custom entity definition. Requires features: entities.definitions.manage

Request body (application/json)

{
  "entityId": "string",
  "label": "string",
  "description": null,
  "showInSidebar": false
}

Responses

200Entity saved

Content-Type: application/json

{
  "ok": true,
  "item": {
    "id": "00000000-0000-4000-8000-000000000000",
    "entityId": "string",
    "label": "string"
  }
}

400Validation error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/entities/entities" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"label\": \"string\",
  \"description\": null,
  \"showInSidebar\": false
}"

DELETE/entities/entities

Auth requiredentities.definitions.manage

Soft delete custom entity

Marks the specified custom entity inactive within the current scope. Requires features: entities.definitions.manage

Request body (application/json)

{
  "entityId": "string"
}

Responses

200Entity deleted

Content-Type: application/json

{
  "ok": true
}

400Missing entity id

Content-Type: application/json

{
  "error": "string"
}

404Entity not found in scope

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/entities/entities" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\"
}"

GET/entities/records

Auth requiredentities.records.view

List records

Returns paginated records for the supplied entity. Supports custom field filters, exports, and soft-delete toggles. Requires features: entities.records.view

Parameters

Name	In	Required	Schema	Description
entityId	query	Yes	any	—
page	query	No	any	—
pageSize	query	No	any	—
sortField	query	No	any	—
sortDir	query	No	any	—
withDeleted	query	No	any	—
format	query	No	any	—
exportScope	query	No	any	—
export_scope	query	No	any	—
all	query	No	any	—
full	query	No	any	—

Responses

200Paginated records

Content-Type: application/json

{
  "items": [
    {}
  ],
  "total": 1,
  "page": 1,
  "pageSize": 1,
  "totalPages": 1
}

400Missing entity id

Content-Type: application/json

{
  "error": "string"
}

500Unexpected failure

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/entities/records?entityId=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

POST/entities/records

Auth requiredentities.records.manage

Create record

Creates a record for the given entity. When `recordId` is omitted or not a UUID the data engine will generate one automatically. Requires features: entities.records.manage

Request body (application/json)

{
  "entityId": "string",
  "values": {}
}

Responses

200Record created

Content-Type: application/json

{
  "ok": true
}

400Validation failure

Content-Type: application/json

{
  "error": "string"
}

500Unexpected failure

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/entities/records" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"values\": {}
}"

PUT/entities/records

Auth requiredentities.records.manage

Update record

Updates an existing record. If the provided recordId is not a UUID the record will be created instead to support optimistic flows. Requires features: entities.records.manage

Request body (application/json)

{
  "entityId": "string",
  "recordId": "string",
  "values": {}
}

Responses

200Record updated

Content-Type: application/json

{
  "ok": true
}

400Validation failure

Content-Type: application/json

{
  "error": "string"
}

500Unexpected failure

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/entities/records" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"recordId\": \"string\",
  \"values\": {}
}"

DELETE/entities/records

Auth requiredentities.records.manage

Delete record

Soft deletes the specified record within the current tenant/org scope. Requires features: entities.records.manage

Request body (application/json)

{
  "entityId": "string",
  "recordId": "string"
}

Responses

200Record deleted

Content-Type: application/json

{
  "ok": true
}

400Missing entity id or record id

Content-Type: application/json

{
  "error": "string"
}

404Record not found

Content-Type: application/json

{
  "error": "string"
}

500Unexpected failure

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/entities/records" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityId\": \"string\",
  \"recordId\": \"string\"
}"

GET/entities/relations/options

Auth requiredentities.definitions.view

List relation options

Returns up to 200 option entries for populating relation dropdowns, automatically resolving label fields when omitted. Requires features: entities.definitions.view

Parameters

Name	In	Required	Schema	Description
entityId	query	Yes	any	—
labelField	query	No	any	—
q	query	No	any	—
ids	query	No	any	—
routeContextFields	query	No	any	—

Responses

200Option list

Content-Type: application/json

{
  "items": [
    {
      "value": "string",
      "label": "string"
    }
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/entities/relations/options?entityId=string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

GET/entities/sidebar-entities

Auth required

Get sidebar entities

Returns custom entities flagged with `showInSidebar` for the current tenant/org scope.

Responses

200Sidebar entities for navigation

Content-Type: application/json

{
  "items": [
    {
      "entityId": "string",
      "label": "string",
      "href": "string"
    }
  ]
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/entities/sidebar-entities" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Query Index

Showing 3 of 3 endpoints

POST/query_index/purge

Auth requiredquery_index.purge

Purge query index records

Queues a purge job to remove indexed records for an entity type within the active scope. Requires features: query_index.purge

Request body (application/json)

{
  "entityType": "string"
}

Responses

200Purge job accepted.

Content-Type: application/json

{
  "ok": true
}

400Missing entity type

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/query_index/purge" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityType\": \"string\"
}"

POST/query_index/reindex

Auth requiredquery_index.reindex

Trigger query index rebuild

Queues a reindex job for the specified entity type within the current tenant scope. Requires features: query_index.reindex

Request body (application/json)

{
  "entityType": "string"
}

Responses

200Reindex job accepted.

Content-Type: application/json

{
  "ok": true
}

400Missing entity type

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/query_index/reindex" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d "{
  \"entityType\": \"string\"
}"

GET/query_index/status

Auth requiredquery_index.status.view

Inspect query index coverage

Returns entity counts comparing base tables with the query index along with the latest job status. Requires features: query_index.status.view

Responses

200Current query index status.

Content-Type: application/json

{
  "items": [
    {
      "entityId": "string",
      "label": "string",
      "baseCount": null,
      "indexCount": null,
      "vectorCount": null,
      "ok": true,
      "job": {
        "status": "idle",
        "startedAt": null,
        "finishedAt": null,
        "heartbeatAt": null,
        "processedCount": null,
        "totalCount": null,
        "scope": null
      }
    }
  ],
  "errors": [
    {
      "id": "string",
      "source": "string",
      "handler": "string",
      "entityType": null,
      "recordId": null,
      "tenantId": null,
      "organizationId": null,
      "message": "string",
      "stack": null,
      "payload": null,
      "occurredAt": "string"
    }
  ],
  "logs": [
    {
      "id": "string",
      "source": "string",
      "handler": "string",
      "level": "info",
      "entityType": null,
      "recordId": null,
      "tenantId": null,
      "organizationId": null,
      "message": "string",
      "details": null,
      "occurredAt": "string"
    }
  ]
}

400Tenant or organization context required

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/query_index/status" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Translations

Showing 3 of 3 endpoints

GET/translations/{entityType}/{entityId}

Auth requiredtranslations.view

Get entity translations

Returns the full translation record for a single entity. Requires features: translations.view

Parameters

Name	In	Required	Schema	Description
entityType	path	Yes	any	—
entityId	path	Yes	any	—

Responses

200Translation record found.

Content-Type: application/json

"string"

404No translations found for this entity

Content-Type: application/json

"string"

Example

curl -X GET "https://mercato-pr-97.tournee.io/translations/string/string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

PUT/translations/{entityType}/{entityId}

Auth requiredtranslations.manage

Create or update entity translations

Full replacement of translations JSONB for an entity. Requires features: translations.manage

Parameters

Name	In	Required	Schema	Description
entityType	path	Yes	any	—
entityId	path	Yes	any	—

Responses

200Translations saved.

Content-Type: application/json

"string"

400Validation failed

Content-Type: application/json

"string"

Example

curl -X PUT "https://mercato-pr-97.tournee.io/translations/string/string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

DELETE/translations/{entityType}/{entityId}

Auth requiredtranslations.manage

Delete entity translations

Removes all translations for an entity. Requires features: translations.manage

Parameters

Name	In	Required	Schema	Description
entityType	path	Yes	any	—
entityId	path	Yes	any	—

Responses

204Translations deleted.

No response body.

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/translations/string/string" \
  -H "Accept: application/json" \
  -H "authorization: Bearer <token>"

Workflows

Showing 20 of 21 endpoints

GET/workflows/definitions

List workflow definitions

Get a list of workflow definitions with optional filters. Supports pagination and search.

Parameters

Name	In	Required	Schema	Description
workflowId	query	Yes	any	—
enabled	query	No	any	—
search	query	No	any	—
limit	query	No	any	—
offset	query	No	any	—

Responses

200List of workflow definitions with pagination

Content-Type: application/json

{
  "data": [
    {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "workflowId": "checkout-flow",
      "workflowName": "Checkout Flow",
      "description": "Complete checkout workflow for processing orders",
      "version": 1,
      "definition": {
        "steps": [
          {
            "stepId": "start",
            "stepName": "Start",
            "stepType": "START"
          },
          {
            "stepId": "validate-cart",
            "stepName": "Validate Cart",
            "stepType": "AUTOMATED"
          },
          {
            "stepId": "end",
            "stepName": "End",
            "stepType": "END"
          }
        ],
        "transitions": [
          {
            "transitionId": "start-to-validate",
            "fromStepId": "start",
            "toStepId": "validate-cart",
            "trigger": "auto"
          },
          {
            "transitionId": "validate-to-end",
            "fromStepId": "validate-cart",
            "toStepId": "end",
            "trigger": "auto"
          }
        ]
      },
      "enabled": true,
      "tenantId": "123e4567-e89b-12d3-a456-426614174001",
      "organizationId": "123e4567-e89b-12d3-a456-426614174002",
      "createdAt": "2025-12-08T10:00:00.000Z",
      "updatedAt": "2025-12-08T10:00:00.000Z"
    }
  ],
  "pagination": {
    "total": 1,
    "limit": 50,
    "offset": 0,
    "hasMore": false
  }
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/workflows/definitions?workflowId=string&limit=50&offset=0" \
  -H "Accept: application/json"

POST/workflows/definitions

Create workflow definition

Create a new workflow definition. The definition must include at least START and END steps with at least one transition connecting them.

Request body (application/json)

{
  "workflowId": "checkout-flow",
  "workflowName": "Checkout Flow",
  "description": "Complete checkout workflow for processing orders",
  "version": 1,
  "definition": {
    "steps": [
      {
        "stepId": "start",
        "stepName": "Start",
        "stepType": "START"
      },
      {
        "stepId": "validate-cart",
        "stepName": "Validate Cart",
        "stepType": "AUTOMATED",
        "description": "Validate cart items and check inventory"
      },
      {
        "stepId": "payment",
        "stepName": "Process Payment",
        "stepType": "AUTOMATED",
        "description": "Charge payment method",
        "retryPolicy": {
          "maxAttempts": 3,
          "backoffMs": 1000
        }
      },
      {
        "stepId": "end",
        "stepName": "End",
        "stepType": "END"
      }
    ],
    "transitions": [
      {
        "transitionId": "start-to-validate",
        "fromStepId": "start",
        "toStepId": "validate-cart",
        "trigger": "auto"
      },
      {
        "transitionId": "validate-to-payment",
        "fromStepId": "validate-cart",
        "toStepId": "payment",
        "trigger": "auto"
      },
      {
        "transitionId": "payment-to-end",
        "fromStepId": "payment",
        "toStepId": "end",
        "trigger": "auto",
        "activities": [
          {
            "activityName": "Send Order Confirmation",
            "activityType": "SEND_EMAIL",
            "config": {
              "to": "{{context.customerEmail}}",
              "subject": "Order Confirmation #{{context.orderId}}",
              "template": "order_confirmation"
            }
          }
        ]
      }
    ]
  },
  "enabled": true
}

Responses

201Workflow definition created successfully

Content-Type: application/json

{
  "data": {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "workflowId": "checkout-flow",
    "workflowName": "Checkout Flow",
    "description": "Complete checkout workflow for processing orders",
    "version": 1,
    "definition": {
      "steps": [
        {
          "stepId": "start",
          "stepName": "Start",
          "stepType": "START"
        },
        {
          "stepId": "validate-cart",
          "stepName": "Validate Cart",
          "stepType": "AUTOMATED"
        },
        {
          "stepId": "payment",
          "stepName": "Process Payment",
          "stepType": "AUTOMATED"
        },
        {
          "stepId": "end",
          "stepName": "End",
          "stepType": "END"
        }
      ],
      "transitions": [
        {
          "transitionId": "start-to-validate",
          "fromStepId": "start",
          "toStepId": "validate-cart",
          "trigger": "auto"
        },
        {
          "transitionId": "validate-to-payment",
          "fromStepId": "validate-cart",
          "toStepId": "payment",
          "trigger": "auto"
        },
        {
          "transitionId": "payment-to-end",
          "fromStepId": "payment",
          "toStepId": "end",
          "trigger": "auto"
        }
      ]
    },
    "enabled": true,
    "tenantId": "123e4567-e89b-12d3-a456-426614174001",
    "organizationId": "123e4567-e89b-12d3-a456-426614174002",
    "createdAt": "2025-12-08T10:00:00.000Z",
    "updatedAt": "2025-12-08T10:00:00.000Z"
  },
  "message": "Workflow definition created successfully"
}

400Validation error - invalid workflow structure

Content-Type: application/json

{
  "error": "Validation failed",
  "details": [
    {
      "code": "invalid_type",
      "message": "Workflow must have at least START and END steps",
      "path": [
        "definition",
        "steps"
      ]
    }
  ]
}

409Conflict - workflow with same ID and version already exists

Content-Type: application/json

{
  "error": "Workflow definition with ID \"checkout-flow\" and version 1 already exists"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/workflows/definitions" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"workflowId\": \"string\",
  \"workflowName\": \"string\",
  \"description\": null,
  \"version\": 1,
  \"definition\": {
    \"steps\": [
      {
        \"stepId\": \"string\",
        \"stepName\": \"string\",
        \"stepType\": \"START\"
      }
    ],
    \"transitions\": [
      {
        \"transitionId\": \"string\",
        \"fromStepId\": \"string\",
        \"toStepId\": \"string\",
        \"trigger\": \"auto\",
        \"continueOnActivityFailure\": false,
        \"priority\": 0
      }
    ]
  },
  \"metadata\": null,
  \"enabled\": true
}"

GET/workflows/definitions/{id}

Get workflow definition

Get a single workflow definition by ID. Returns the complete workflow structure including steps and transitions (with embedded activities).

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Workflow definition found

Content-Type: application/json

{
  "data": {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "workflowId": "checkout-flow",
    "workflowName": "Checkout Flow",
    "description": "Complete checkout workflow for processing orders",
    "version": 1,
    "definition": {
      "steps": [
        {
          "stepId": "start",
          "stepName": "Start",
          "stepType": "START"
        },
        {
          "stepId": "validate-cart",
          "stepName": "Validate Cart",
          "stepType": "AUTOMATED",
          "description": "Validate cart items and check inventory"
        },
        {
          "stepId": "payment",
          "stepName": "Process Payment",
          "stepType": "AUTOMATED",
          "description": "Charge payment method",
          "retryPolicy": {
            "maxAttempts": 3,
            "backoffMs": 1000
          }
        },
        {
          "stepId": "end",
          "stepName": "End",
          "stepType": "END"
        }
      ],
      "transitions": [
        {
          "transitionId": "start-to-validate",
          "fromStepId": "start",
          "toStepId": "validate-cart",
          "trigger": "auto"
        },
        {
          "transitionId": "validate-to-payment",
          "fromStepId": "validate-cart",
          "toStepId": "payment",
          "trigger": "auto"
        },
        {
          "transitionId": "payment-to-end",
          "fromStepId": "payment",
          "toStepId": "end",
          "trigger": "auto",
          "activities": [
            {
              "activityName": "Send Order Confirmation",
              "activityType": "SEND_EMAIL",
              "config": {
                "to": "{{context.customerEmail}}",
                "subject": "Order Confirmation #{{context.orderId}}",
                "template": "order_confirmation"
              }
            }
          ]
        }
      ]
    },
    "enabled": true,
    "tenantId": "123e4567-e89b-12d3-a456-426614174001",
    "organizationId": "123e4567-e89b-12d3-a456-426614174002",
    "createdAt": "2025-12-08T10:00:00.000Z",
    "updatedAt": "2025-12-08T10:00:00.000Z"
  }
}

404Workflow definition not found

Content-Type: application/json

{
  "error": "Workflow definition not found"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/workflows/definitions/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json"

PUT/workflows/definitions/{id}

Update workflow definition

Update an existing workflow definition. Supports partial updates - only provided fields will be updated.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{
  "definition": {
    "steps": [
      {
        "stepId": "start",
        "stepName": "Start",
        "stepType": "START"
      },
      {
        "stepId": "validate-cart",
        "stepName": "Validate Cart",
        "stepType": "AUTOMATED"
      },
      {
        "stepId": "payment",
        "stepName": "Process Payment",
        "stepType": "AUTOMATED"
      },
      {
        "stepId": "confirmation",
        "stepName": "Order Confirmation",
        "stepType": "AUTOMATED"
      },
      {
        "stepId": "end",
        "stepName": "End",
        "stepType": "END"
      }
    ],
    "transitions": [
      {
        "transitionId": "start-to-validate",
        "fromStepId": "start",
        "toStepId": "validate-cart",
        "trigger": "auto"
      },
      {
        "transitionId": "validate-to-payment",
        "fromStepId": "validate-cart",
        "toStepId": "payment",
        "trigger": "auto"
      },
      {
        "transitionId": "payment-to-confirmation",
        "fromStepId": "payment",
        "toStepId": "confirmation",
        "trigger": "auto"
      },
      {
        "transitionId": "confirmation-to-end",
        "fromStepId": "confirmation",
        "toStepId": "end",
        "trigger": "auto"
      }
    ]
  },
  "enabled": true
}

Responses

200Workflow definition updated successfully

Content-Type: application/json

{
  "data": {
    "id": "123e4567-e89b-12d3-a456-426614174000",
    "workflowId": "checkout-flow",
    "workflowName": "Checkout Flow",
    "description": "Complete checkout workflow for processing orders",
    "version": 1,
    "definition": {
      "steps": [
        {
          "stepId": "start",
          "stepName": "Start",
          "stepType": "START"
        },
        {
          "stepId": "validate-cart",
          "stepName": "Validate Cart",
          "stepType": "AUTOMATED"
        },
        {
          "stepId": "payment",
          "stepName": "Process Payment",
          "stepType": "AUTOMATED"
        },
        {
          "stepId": "confirmation",
          "stepName": "Order Confirmation",
          "stepType": "AUTOMATED"
        },
        {
          "stepId": "end",
          "stepName": "End",
          "stepType": "END"
        }
      ],
      "transitions": [
        {
          "transitionId": "start-to-validate",
          "fromStepId": "start",
          "toStepId": "validate-cart",
          "trigger": "auto"
        },
        {
          "transitionId": "validate-to-payment",
          "fromStepId": "validate-cart",
          "toStepId": "payment",
          "trigger": "auto"
        },
        {
          "transitionId": "payment-to-confirmation",
          "fromStepId": "payment",
          "toStepId": "confirmation",
          "trigger": "auto"
        },
        {
          "transitionId": "confirmation-to-end",
          "fromStepId": "confirmation",
          "toStepId": "end",
          "trigger": "auto"
        }
      ]
    },
    "enabled": true,
    "tenantId": "123e4567-e89b-12d3-a456-426614174001",
    "organizationId": "123e4567-e89b-12d3-a456-426614174002",
    "createdAt": "2025-12-08T10:00:00.000Z",
    "updatedAt": "2025-12-08T11:30:00.000Z"
  },
  "message": "Workflow definition updated successfully"
}

400Validation error

Content-Type: application/json

{
  "error": "Validation failed",
  "details": [
    {
      "code": "invalid_type",
      "message": "Expected object, received string",
      "path": [
        "definition"
      ]
    }
  ]
}

404Workflow definition not found

Content-Type: application/json

{
  "error": "Workflow definition not found"
}

Example

curl -X PUT "https://mercato-pr-97.tournee.io/workflows/definitions/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"description\": null,
  \"metadata\": null,
  \"effectiveFrom\": null,
  \"effectiveTo\": null
}"

DELETE/workflows/definitions/{id}

Delete workflow definition

Soft delete a workflow definition. Cannot be deleted if there are active workflow instances (RUNNING or WAITING status) using this definition.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Workflow definition deleted successfully

Content-Type: application/json

{
  "message": "Workflow definition deleted successfully"
}

404Workflow definition not found

Content-Type: application/json

{
  "error": "Workflow definition not found"
}

409Cannot delete - active workflow instances exist

Content-Type: application/json

{
  "error": "Cannot delete workflow definition with 3 active instance(s)"
}

Example

curl -X DELETE "https://mercato-pr-97.tournee.io/workflows/definitions/00000000-0000-4000-8000-000000000000" \
  -H "Accept: application/json"

GET/workflows/events

List all workflow events

Get a paginated list of all workflow events with filtering options

Parameters

Name	In	Required	Schema	Description
page	query	No	any	—
pageSize	query	No	any	—
eventType	query	No	any	—
workflowInstanceId	query	No	any	—
userId	query	No	any	—
occurredAtFrom	query	No	any	—
occurredAtTo	query	No	any	—
sortField	query	No	any	—
sortDir	query	No	any	—

Responses

200List of workflow events

Content-Type: application/json

{
  "items": [
    {
      "id": "string",
      "workflowInstanceId": "00000000-0000-4000-8000-000000000000",
      "stepInstanceId": null,
      "eventType": "string",
      "occurredAt": "string",
      "userId": null,
      "workflowInstance": null
    }
  ],
  "total": 1,
  "page": 1,
  "pageSize": 1,
  "totalPages": 1
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/workflows/events?page=1&pageSize=50&sortField=occurredAt&sortDir=desc" \
  -H "Accept: application/json"

GET/workflows/events/{id}

Get workflow event by ID

Get detailed information about a specific workflow event

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Workflow event details

Content-Type: application/json

{
  "id": "string",
  "workflowInstanceId": "00000000-0000-4000-8000-000000000000",
  "stepInstanceId": null,
  "eventType": "string",
  "occurredAt": "string",
  "userId": null,
  "tenantId": "00000000-0000-4000-8000-000000000000",
  "organizationId": "00000000-0000-4000-8000-000000000000",
  "workflowInstance": null
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

404Workflow event not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/workflows/events/:id" \
  -H "Accept: application/json"

GET/workflows/instances

List workflow instances

Get a list of workflow instances with optional filters. Supports pagination and filtering by status, workflowId, correlationKey, etc.

Parameters

Name	In	Required	Schema	Description
workflowId	query	No	any	—
status	query	No	any	—
correlationKey	query	No	any	—
entityType	query	No	any	—
entityId	query	No	any	—
limit	query	No	any	—
offset	query	No	any	—

Responses

200List of workflow instances

Content-Type: application/json

{
  "data": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "definitionId": "00000000-0000-4000-8000-000000000000",
      "workflowId": "string",
      "version": 1,
      "status": "RUNNING",
      "currentStepId": "string",
      "correlationKey": null,
      "metadata": null,
      "startedAt": "string",
      "completedAt": null,
      "pausedAt": null,
      "cancelledAt": null,
      "errorMessage": null,
      "errorDetails": null,
      "pendingTransition": null,
      "retryCount": 1,
      "tenantId": "00000000-0000-4000-8000-000000000000",
      "organizationId": "00000000-0000-4000-8000-000000000000",
      "createdAt": "string",
      "updatedAt": "string",
      "deletedAt": null
    }
  ],
  "pagination": {
    "total": 1,
    "limit": 1,
    "offset": 1,
    "hasMore": true
  }
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/workflows/instances?limit=50&offset=0" \
  -H "Accept: application/json"

POST/workflows/instances

Start workflow instance

Start a new workflow instance from a workflow definition. The workflow will execute immediately.

Request body (application/json)

{
  "workflowId": "string"
}

Responses

201Workflow started successfully

Content-Type: application/json

{
  "data": {
    "instance": {
      "id": "00000000-0000-4000-8000-000000000000",
      "definitionId": "00000000-0000-4000-8000-000000000000",
      "workflowId": "string",
      "version": 1,
      "status": "RUNNING",
      "currentStepId": "string",
      "correlationKey": null,
      "metadata": null,
      "startedAt": "string",
      "completedAt": null,
      "pausedAt": null,
      "cancelledAt": null,
      "errorMessage": null,
      "errorDetails": null,
      "pendingTransition": null,
      "retryCount": 1,
      "tenantId": "00000000-0000-4000-8000-000000000000",
      "organizationId": "00000000-0000-4000-8000-000000000000",
      "createdAt": "string",
      "updatedAt": "string",
      "deletedAt": null
    },
    "execution": {
      "status": "RUNNING",
      "currentStep": "string",
      "message": "string"
    }
  },
  "message": "string"
}

400Bad request - Validation failed or definition disabled/invalid

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Forbidden - Insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

404Workflow definition not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/workflows/instances" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"workflowId\": \"string\"
}"

GET/workflows/instances/{id}

Get workflow instance

Get detailed information about a specific workflow instance including current state, context, and execution status.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Workflow instance details

Content-Type: application/json

{
  "data": {
    "id": "00000000-0000-4000-8000-000000000000",
    "definitionId": "00000000-0000-4000-8000-000000000000",
    "workflowId": "string",
    "version": 1,
    "status": "RUNNING",
    "currentStepId": "string",
    "correlationKey": null,
    "metadata": null,
    "startedAt": "string",
    "completedAt": null,
    "pausedAt": null,
    "cancelledAt": null,
    "errorMessage": null,
    "errorDetails": null,
    "pendingTransition": null,
    "retryCount": 1,
    "tenantId": "00000000-0000-4000-8000-000000000000",
    "organizationId": "00000000-0000-4000-8000-000000000000",
    "createdAt": "string",
    "updatedAt": "string",
    "deletedAt": null
  }
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

404Workflow instance not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/workflows/instances/:id" \
  -H "Accept: application/json"

POST/workflows/instances/{id}/advance

Manually advance workflow to next step

Manually advance a workflow instance to the next step. Useful for manual progression, step-by-step testing, user-triggered transitions, and approval flows. Validates transitions and auto-progresses if possible.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{}

Responses

200Workflow advanced successfully

Content-Type: application/json

{
  "data": {
    "instance": {
      "id": "00000000-0000-4000-8000-000000000000",
      "status": "string",
      "currentStepId": null,
      "previousStepId": null,
      "transitionFired": null
    }
  },
  "message": "string"
}

400Invalid request, no valid transitions, or workflow already completed/cancelled/failed

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

404Workflow instance not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/workflows/instances/:id/advance" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{}"

POST/workflows/instances/{id}/cancel

Cancel workflow instance

Cancel a running or paused workflow instance. The workflow will be marked as CANCELLED and will not execute further.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Workflow cancelled successfully

Content-Type: application/json

{
  "data": {
    "id": "00000000-0000-4000-8000-000000000000",
    "definitionId": "00000000-0000-4000-8000-000000000000",
    "workflowId": "string",
    "version": 1,
    "status": "RUNNING",
    "currentStepId": "string",
    "correlationKey": null,
    "metadata": null,
    "startedAt": "string",
    "completedAt": null,
    "pausedAt": null,
    "cancelledAt": null,
    "errorMessage": null,
    "errorDetails": null,
    "pendingTransition": null,
    "retryCount": 1,
    "tenantId": "00000000-0000-4000-8000-000000000000",
    "organizationId": "00000000-0000-4000-8000-000000000000",
    "createdAt": "string",
    "updatedAt": "string",
    "deletedAt": null
  },
  "message": "string"
}

400Bad request - Workflow cannot be cancelled in current status

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Forbidden - Insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

404Workflow instance not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/workflows/instances/:id/cancel" \
  -H "Accept: application/json"

GET/workflows/instances/{id}/events

Get workflow instance events

Get a chronological list of events for a workflow instance. Events track all state changes, transitions, and activities.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—
eventType	query	No	any	—
limit	query	No	any	—
offset	query	No	any	—

Responses

200List of workflow events

Content-Type: application/json

{
  "data": [
    {
      "id": "string",
      "workflowInstanceId": "00000000-0000-4000-8000-000000000000",
      "stepInstanceId": null,
      "eventType": "string",
      "occurredAt": "string",
      "userId": null,
      "tenantId": "00000000-0000-4000-8000-000000000000",
      "organizationId": "00000000-0000-4000-8000-000000000000"
    }
  ],
  "pagination": {
    "total": 1,
    "limit": 1,
    "offset": 1,
    "hasMore": true
  }
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

404Workflow instance not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/workflows/instances/:id/events?limit=100&offset=0" \
  -H "Accept: application/json"

POST/workflows/instances/{id}/retry

Retry failed workflow instance

Retry a failed workflow instance from its current step. The workflow will be reset to RUNNING status and execution will continue.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Workflow retry initiated successfully

Content-Type: application/json

{
  "data": {
    "instance": {
      "id": "00000000-0000-4000-8000-000000000000",
      "definitionId": "00000000-0000-4000-8000-000000000000",
      "workflowId": "string",
      "version": 1,
      "status": "RUNNING",
      "currentStepId": "string",
      "correlationKey": null,
      "metadata": null,
      "startedAt": "string",
      "completedAt": null,
      "pausedAt": null,
      "cancelledAt": null,
      "errorMessage": null,
      "errorDetails": null,
      "pendingTransition": null,
      "retryCount": 1,
      "tenantId": "00000000-0000-4000-8000-000000000000",
      "organizationId": "00000000-0000-4000-8000-000000000000",
      "createdAt": "string",
      "updatedAt": "string",
      "deletedAt": null
    },
    "execution": {
      "status": "RUNNING",
      "currentStep": "string",
      "events": [
        {
          "eventType": "string",
          "occurredAt": "string"
        }
      ],
      "executionTime": 1
    }
  },
  "message": "string"
}

400Bad request - Workflow cannot be retried in current status or execution error

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Forbidden - Insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

404Workflow instance not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/workflows/instances/:id/retry" \
  -H "Accept: application/json"

POST/workflows/instances/{id}/signal

Send signal to specific workflow

Sends a signal to a specific workflow instance waiting for a signal. The workflow must be in PAUSED status and waiting for the specified signal.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Request body (application/json)

{
  "signalName": "string"
}

Responses

200Signal sent successfully

Content-Type: application/json

{
  "success": true,
  "message": "string"
}

400Invalid request body or signal name mismatch

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

404Instance or definition not found

Content-Type: application/json

{
  "error": "string"
}

409Workflow not paused or not waiting for signal

Content-Type: application/json

{
  "error": "string"
}

500Internal server error or transition failed

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/workflows/instances/:id/signal" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"signalName\": \"string\"
}"

POST/workflows/instances/validate-start

Validate if workflow can be started

Evaluates pre-conditions defined on the START step and returns validation errors with localized messages if any fail. Returns canStart: true/false with details.

Request body (application/json)

{
  "workflowId": "string"
}

Responses

200Validation result (canStart, errors, validatedRules)

Content-Type: application/json

{
  "canStart": true,
  "workflowId": "string"
}

400Invalid request body or missing context

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/workflows/instances/validate-start" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"workflowId\": \"string\"
}"

POST/workflows/signals

Send signal to workflows by correlation key

Sends a signal to all workflow instances waiting for the specified signal that match the correlation key. Returns the count of workflows that received the signal.

Request body (application/json)

{
  "correlationKey": "string",
  "signalName": "string"
}

Responses

200Signal sent to matching workflows

Content-Type: application/json

{
  "success": true,
  "message": "string",
  "count": 1
}

400Missing tenant or organization context

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

403Insufficient permissions

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/workflows/signals" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "{
  \"correlationKey\": \"string\",
  \"signalName\": \"string\"
}"

GET/workflows/tasks

List user tasks

Returns paginated list of user tasks with optional filtering by status, assignee, workflow instance, overdue, and myTasks flags.

Parameters

Name	In	Required	Schema	Description
status	query	No	any	Filter by status (comma-separated for multiple: PENDING,IN_PROGRESS,COMPLETED,CANCELLED,ESCALATED)
assignedTo	query	No	any	Filter by assigned user ID
workflowInstanceId	query	No	any	Filter by workflow instance ID
overdue	query	No	any	Filter overdue tasks (true/false)
myTasks	query	No	any	Show only tasks assigned to or claimable by current user
limit	query	No	any	Number of results (max 100)
offset	query	No	any	Pagination offset

Responses

200User tasks list with pagination

Content-Type: application/json

{
  "data": [
    {
      "id": "00000000-0000-4000-8000-000000000000",
      "workflowInstanceId": "00000000-0000-4000-8000-000000000000",
      "stepInstanceId": "00000000-0000-4000-8000-000000000000",
      "taskName": "string",
      "description": null,
      "status": "PENDING",
      "formSchema": null,
      "formData": null,
      "assignedTo": null,
      "assignedToRoles": null,
      "claimedBy": null,
      "claimedAt": null,
      "dueDate": null,
      "escalatedAt": null,
      "escalatedTo": null,
      "completedBy": null,
      "completedAt": null,
      "tenantId": "00000000-0000-4000-8000-000000000000",
      "organizationId": "00000000-0000-4000-8000-000000000000",
      "createdAt": "string",
      "updatedAt": "string"
    }
  ],
  "pagination": {
    "total": 1,
    "limit": 1,
    "offset": 1,
    "hasMore": true
  }
}

400Invalid query parameters or missing tenant context

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/workflows/tasks?limit=50&offset=0" \
  -H "Accept: application/json"

GET/workflows/tasks/{id}

Get task details

Returns complete details of a user task by ID.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200User task details

Content-Type: application/json

{
  "data": {
    "id": "00000000-0000-4000-8000-000000000000",
    "workflowInstanceId": "00000000-0000-4000-8000-000000000000",
    "stepInstanceId": "00000000-0000-4000-8000-000000000000",
    "taskName": "string",
    "description": null,
    "status": "PENDING",
    "formSchema": null,
    "formData": null,
    "assignedTo": null,
    "assignedToRoles": null,
    "claimedBy": null,
    "claimedAt": null,
    "dueDate": null,
    "escalatedAt": null,
    "escalatedTo": null,
    "completedBy": null,
    "completedAt": null,
    "tenantId": "00000000-0000-4000-8000-000000000000",
    "organizationId": "00000000-0000-4000-8000-000000000000",
    "createdAt": "string",
    "updatedAt": "string"
  }
}

400Missing tenant or organization context

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

404Task not found

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X GET "https://mercato-pr-97.tournee.io/workflows/tasks/:id" \
  -H "Accept: application/json"

POST/workflows/tasks/{id}/claim

Claim a task from role queue

Allows a user to claim a task assigned to their role(s). Once claimed, the task moves to IN_PROGRESS status and is assigned to the claiming user.

Parameters

Name	In	Required	Schema	Description
id	path	Yes	any	—

Responses

200Task claimed successfully

Content-Type: application/json

{
  "data": {
    "id": "00000000-0000-4000-8000-000000000000",
    "workflowInstanceId": "00000000-0000-4000-8000-000000000000",
    "stepInstanceId": "00000000-0000-4000-8000-000000000000",
    "taskName": "string",
    "description": null,
    "status": "PENDING",
    "formSchema": null,
    "formData": null,
    "assignedTo": null,
    "assignedToRoles": null,
    "claimedBy": null,
    "claimedAt": null,
    "dueDate": null,
    "escalatedAt": null,
    "escalatedTo": null,
    "completedBy": null,
    "completedAt": null,
    "tenantId": "00000000-0000-4000-8000-000000000000",
    "organizationId": "00000000-0000-4000-8000-000000000000",
    "createdAt": "string",
    "updatedAt": "string"
  },
  "message": "string"
}

400Missing tenant or organization context

Content-Type: application/json

{
  "error": "string"
}

401Unauthorized

Content-Type: application/json

{
  "error": "string"
}

404Task not found

Content-Type: application/json

{
  "error": "string"
}

409Task already claimed

Content-Type: application/json

{
  "error": "string"
}

500Internal server error

Content-Type: application/json

{
  "error": "string"
}

Example

curl -X POST "https://mercato-pr-97.tournee.io/workflows/tasks/:id/claim" \
  -H "Accept: application/json"