Skip to content

HocTapAZ API Guide

This guide is the entry point for API usage in go-platform. The core rule is: frontend and external clients call API Gateway through the legacy-compatible /api/* surface; native services expose /v1/* routes for gateway adapters, service-to-service calls, migration tools, and smoke tests.

Environments

EnvironmentFrontend baseAPI baseNotes
Local Go platformhttp://127.0.0.1:5201-5206http://localhost:8085Use VITE_API_BASE_URL=http://localhost:8085.
V2 dev Pageshttps://v2.dev.*.hoctapaz.comhttps://hoctapaz.com until a dedicated v2 gateway is cut overCurrent Cloudflare frontend bundles use VITE_API_BASE_URL=https://hoctapaz.com.
Internal service testsn/ahttp://<service>:8080/v1 or local service portsUse native /v1/* only when testing a service or adapter directly.

Do not point frontend apps directly at service /v1/* routes. The browser contract is the API Gateway/BFF contract.

Public Gateway Contract

API Gateway owns the public compatibility layer:

  • /api/* legacy-compatible HTTP routes.
  • /api/v1/* compatibility rewrite where legacy callers still use it.
  • Authorization: Bearer <accessToken> and hoctapaz.accessToken cookie extraction.
  • X-Organization-Id, X-Request-Id, and X-Correlation-Id propagation.
  • SSE pass-through for import, classification, attempt, and exam event streams.
  • Legacy response envelopes and validation semantics while a route is migrating.

Success responses generally preserve the legacy envelope:

json
{
  "success": true,
  "data": {},
  "message": "OK"
}

Native /v1/* services may use canonical internal errors, but gateway adapters must translate public /api/* errors back to the expected legacy shape.

Required Headers

HeaderPublic /api/*Native /v1/*Purpose
Authorization: Bearer <token>Required for authenticated routesRequired only when a service endpoint verifies tokens directlyAccess token auth.
Cookie: hoctapaz.accessToken=<token>Supported by gatewayNot a general service contractBrowser compatibility.
X-Organization-IdRequired on tenant-scoped routesForwarded by gateway or set in service testsTenant and organization scope.
X-Request-IdOptional caller-providedForwarded or generatedRequest tracing.
X-Correlation-IdOptional caller-providedForwarded or generatedCross-service tracing.
X-User-IdGateway-derivedRequired on many native service testsActor identity.
X-User-RoleGateway-derivedRequired on role-guarded native endpointsActor role.

For native service tests, pass X-User-Id, X-User-Role, and X-Organization-Id explicitly only when the service API requires actor context. For browser traffic, let gateway derive those headers from the token.

Route State Lifecycle

Routes move one slice at a time:

StateMeaning
legacy_proxyPublic traffic is still served by legacy NestJS.
shadow_readGateway returns the legacy response and calls native for diff evidence.
native_readGateway serves the native read response after parity evidence is accepted.
native_write_shadow_validateWrite authority is controlled while resulting state is compared.
native_writeNative service is authoritative for that write route.
removedRoute is removed only after callers and ops confirm it is unused.

No route should move from legacy_proxy to native_write without documented legacy evidence, OpenAPI contract, adapter mapping, tests, and rollback notes.

Calling Examples

Local public login through gateway:

bash
curl -sS http://localhost:8085/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"teacher@hoctapaz.com","password":"password123"}'

Local authenticated question-type read through gateway:

bash
curl -sS 'http://localhost:8085/api/question-types?summary=true' \
  -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  -H 'X-Organization-Id: org_local_center'

Native service smoke test, bypassing gateway intentionally:

bash
curl -sS 'http://localhost:8098/v1/question-types?summary=true' \
  -H 'X-User-Id: usr_teacher' \
  -H 'X-User-Role: TEACHER' \
  -H 'X-Organization-Id: org_local_center'

Use native examples only for service development, route-table rehearsals, and migration validation. Product clients should stay on /api/*.

OpenAPI Source

Native contracts live under:

  • contracts/openapi/api-gateway.yaml
  • contracts/openapi/services/*.yaml

Generate frontend gateway types with:

bash
pnpm frontend:generate-api

The generated client is intentionally gateway-oriented. Do not generate browser clients from every service OpenAPI file unless a service is explicitly promoted to a public BFF surface.

Service Guide Index

ServiceGuidePublic exposure
API GatewayAPI GatewayPublic /api/* and health surface.
Auth ServiceAuth ServiceRehearsed through selected /api/auth/* routes only.
User ServiceUser ServiceInternal/native until gateway adapter is promoted.
School ServiceSchool ServiceOrganization read rehearsals only.
Classroom ServiceClassroom ServiceKept legacy-proxied until response hydration is complete.
Course ServiceCourse ServiceSelected student course rehearsals only.
Document ServiceDocument ServiceStorage/media adapters under controlled route tables.
DOCX Import ServiceDOCX Import ServiceImport status/create/approval rehearsals through gateway examples.
Question Bank ServiceQuestion Bank ServiceQuestion type/read/classification slices under gateway route tables.
Exam ServiceExam ServiceInternal until exam authoring/publish adapters are promoted.
Attempt ServiceAttempt ServiceAttempt start/save/submit/event route rehearsals.
AI Classifier ServiceAI Classifier ServiceApply route only; job runtime remains legacy-proxied.
Analytics ServiceAnalytics ServiceInternal/native read foundation until public adapter cutover.
Notification ServiceNotification ServiceInbox/preferences/parent alert rehearsals.
Admin ServiceAdmin ServiceFeature maintenance and audit route rehearsals.

Cutover Checklist

Before promoting a route table entry:

  1. Capture legacy route evidence and current frontend request shape.
  2. Fill the native service OpenAPI contract.
  3. Add or update the gateway target_prefix mapping.
  4. Preserve auth, tenant, envelope, validation, and SSE behavior.
  5. Add unit, gateway adapter, parity, and browser/runtime verification.
  6. Document rollback by route-table switch or entry deletion.
  7. Update this guide and the service-specific API page.

Go-platform documentation is generated from repository Markdown.