REST API

The public REST API is mounted at /v1 (apps/mcp-server/src/rest/router.ts). Reads are anonymous (they power the webapp and crawlers); writes reuse the same Keycloak bearer token + scopes as the MCP tools and are self-scoped to the caller's own data. Every response carries permissive CORS (*) and the security headers.

For acquiring a token and calling authenticated endpoints, see Using the REST API.

Version & metadata

| Method | Path | Purpose | Auth |
| --- | --- | --- | --- |
| GET | /v1/version | Server name + version | public |
| GET | /v1/meta/enums | Enum vocabularies (types, fuel, transmission, …) for UI builders | public |

Listings

| Method | Path | Purpose | Auth |
| --- | --- | --- | --- |
| GET | /v1/listings | Search (type, make, model, year/price/mileage, fuel, transmission, condition, sort, limit, offset) | public |
| GET | /v1/listings/compare?ids=… | Compare 2–5 listings | public |
| GET | /v1/listings/:id | Fetch one (ETag caching) | public |
| GET | /v1/listings/:id/price-rating | Fair-price rating | public |
| GET | /v1/listings/:id/similar?limit=6 | Similar listings | public |
| POST | /v1/listings | Create | listings:write |
| POST | /v1/listings/bulk | Bulk create (≤50) | listings:write |
| PATCH | /v1/listings/:id | Update (partial) | listings:write |
| DELETE | /v1/listings/:id | Delete | listings:write |
| POST | /v1/listings/bulk-delete | Bulk delete (≤50) | listings:write |
| POST | /v1/search/nl | Natural-language search → filters + results | public |

Seller profiles (public)

| Method | Path | Purpose | Auth |
| --- | --- | --- | --- |
| GET | /v1/dealers/:id | Public seller profile by id | public |
| GET | /v1/dealers/slug/:slug | Public seller profile by slug | public |
| GET | /v1/dealers/:id/reviews | Seller reviews + aggregate | public |
| POST | /v1/dealers/:id/reviews | Leave/update a review | listings:read |

My account — seller

| Method | Path | Purpose | Auth |
| --- | --- | --- | --- |
| GET | /v1/me | My profile + locations (auto-provisions) | listings:read |
| PUT | /v1/me | Update my profile | listings:write |
| GET | /v1/me/listings?status=… | My listings (all statuses) | listings:read |
| GET | /v1/me/locations | My locations | listings:read |
| POST | /v1/me/locations | Add a location | listings:write |
| PATCH | /v1/me/locations/:id | Update a location | listings:write |
| DELETE | /v1/me/locations/:id | Delete a location | listings:write |

My account — buyer

| Method | Path | Purpose | Auth |
| --- | --- | --- | --- |
| GET | /v1/me/account | Buyer profile + notification prefs | listings:read |
| PUT | /v1/me/account | Update buyer profile | listings:read |
| DELETE | /v1/me/account | Erase my account (all data + login) | listings:read |
| GET | /v1/me/favorites | My watchlist | listings:read |
| POST | /v1/me/favorites | Add to watchlist | listings:read |
| DELETE | /v1/me/favorites/:listingId | Remove from watchlist | listings:read |
| GET | /v1/me/saved-searches | My saved searches | listings:read |
| POST | /v1/me/saved-searches | Save a search (+ alerts) | listings:read |
| DELETE | /v1/me/saved-searches/:id | Delete a saved search | listings:read |

Account erasure is permanent

DELETE /v1/me/account is the GDPR / nDSG "right to erasure" endpoint. In one transaction it hard-deletes all of the caller's data — listings, seller profile + locations, buyer profile, favorites (theirs, and others' favorites of their listings), saved searches, reviews, org memberships and audit entries — then deletes their Keycloak login so the account can no longer sign in. It is self-scoped: a caller can only erase their own account. Returns 204. If the server has no account-deletion repository wired it returns 501; if no Keycloak admin service account is configured the data is still erased and only the login is left for an operator to remove. See Account deletion.
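The Auth columns on this page show that several state-changing buyer routes, including DELETE /v1/me/account, require only listings:read. The TypeScript below is an added example, not code from the A-Market repository: it takes rows copied from the tables on this page and lists which state-changing calls a token can make for a given space-delimited scope string. The type, constant and function names are hypothetical, and the scope strings passed in are constructed samples.

```typescript
// Added example. Rows (method, path, required scope) are copied from the
// tables on this page; all names in this block are hypothetical.
type Route = { method: string; path: string; scope: string };

const ROWS: [string, string, string][] = [
  ["GET", "/v1/me/account", "listings:read"],
  ["PUT", "/v1/me/account", "listings:read"],
  ["DELETE", "/v1/me/account", "listings:read"],
  ["POST", "/v1/me/favorites", "listings:read"],
  ["DELETE", "/v1/me/favorites/:listingId", "listings:read"],
  ["POST", "/v1/me/saved-searches", "listings:read"],
  ["DELETE", "/v1/me/saved-searches/:id", "listings:read"],
  ["POST", "/v1/dealers/:id/reviews", "listings:read"],
  ["PUT", "/v1/me", "listings:write"],
  ["POST", "/v1/listings", "listings:write"],
  ["DELETE", "/v1/listings/:id", "listings:write"],
  ["GET", "/v1/listings/:id", "public"],
];

const ROUTES: Route[] = ROWS.map(([method, path, scope]) => ({ method, path, scope }));

// HTTP methods that do not change server state.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// State-changing routes a token can call, given its space-delimited scope
// string (assumption: scopes arrive in the OAuth 2.0 `scope` format).
function reachableMutations(tokenScope: string, routes: Route[]): Route[] {
  const granted = new Set(tokenScope.split(/\s+/).filter(Boolean));
  return routes.filter(
    (r) => !SAFE_METHODS.has(r.method) && (r.scope === "public" || granted.has(r.scope)),
  );
}

// Routes whose method changes state but whose required scope is a read scope.
function mutationsBehindReadScope(routes: Route[]): string[] {
  return routes
    .filter((r) => !SAFE_METHODS.has(r.method) && r.scope.endsWith(":read"))
    .map((r) => `${r.method} ${r.path}`);
}

// Constructed sample: a token granted only the read scope.
console.log(mutationsBehindReadScope(ROUTES));
console.log(reachableMutations("openid listings:read", ROUTES).length);
```

When deciding which scopes a client or integration receives, the output makes explicit that listings:read alone is enough to reach the buyer-side writes, account erasure included.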

Organizations

| Method | Path | Purpose | Auth |
| --- | --- | --- | --- |
| POST | /v1/organizations | Create (caller becomes owner) | listings:write |
| GET | /v1/organizations/:id | Public org page by id | public |
| GET | /v1/organizations/slug/:slug | Public org page by slug | public |
| PATCH | /v1/organizations/:id | Update an org you own | listings:write |
| GET | /v1/me/organizations | My orgs + roles | listings:read |
| GET | /v1/organizations/:id/listings?status=… | Org inventory (member-only) | listings:read |
| GET | /v1/organizations/:id/members | List members (member-only) | listings:read |
| POST | /v1/organizations/:id/members | Add a member | listings:write |
| DELETE | /v1/organizations/:id/members/:userId | Remove a member | listings:write |

Geocoding & media

| Method | Path | Purpose | Auth |
| --- | --- | --- | --- |
| GET | /v1/geo/suggest?q=…&country=…&limit=5 | Forward geocoding for location pickers | public |
| POST | /v1/media | Upload an image/video (raw body) → { url, contentType } | listings:write |

Moderation & admin (listings:moderate)

| Method | Path | Purpose |
| --- | --- | --- |
| PATCH | /v1/admin/listings/:id/moderation | Set listing moderation status |
| POST | /v1/admin/listings/:id/restore | Restore a soft-deleted listing |
| GET | /v1/admin/moderation?moderationStatus=…&includeDeleted=… | Moderation queue (all dealers) |
| GET | /v1/admin/audit?entityId=…&actorId=…&action=… | Append-only audit log |
| POST | /v1/admin/run-alerts | Trigger a saved-search alert pass (normally cron) |
| PATCH | /v1/admin/reviews/:id/moderation | Set review moderation status |

Liveness

| Method | Path | Purpose |
| --- | --- | --- |
| GET | /healthz | Liveness |
| GET | /readyz | Readiness |

A-Market — AI-first marketplace for cars, motorcycles and scooters.