# API Reference Working endpoint reference for the main PedAI flows. It covers the clinical, auth, Learning Hub, user data, and admin surfaces most commonly used by the frontend, but the source of truth is still `server.js` plus `src/routes/*.js`. Unless noted otherwise, authenticated endpoints require a valid web cookie or `Authorization: Bearer ` header. --- ## Table of Contents - [Authentication](#authentication) - [OIDC / SSO](#oidc--sso) - [AI Generation](#ai-generation) - [Transcription](#transcription) - [Text-to-Speech](#text-to-speech) - [Models](#models) - [Encounters](#encounters) - [Memories](#memories) - [Audio Backups](#audio-backups) - [Documents](#documents) - [User Preferences](#user-preferences) - [Phone Extensions And Pagers](#phone-extensions-and-pagers) - [Nextcloud Integration](#nextcloud-integration) - [Learning Hub (Public)](#learning-hub-public) - [Learning Hub CMS (Moderator+)](#learning-hub-cms-moderator) - [Admin - Users](#admin---users) - [Admin - Configuration](#admin---configuration) - [Logs](#logs) - [Milestones (Admin)](#milestones-admin) - [Health](#health) - [Metrics](#metrics) --- ## Authentication Base path: `/api/auth/` ### POST /api/auth/register Register a new user account. The first user to register is automatically assigned the admin role. Turnstile is required only when `TURNSTILE_SECRET_KEY` is configured. If SMTP is configured, the response asks the user to verify email; without SMTP, the account is auto-verified and logged in. - **Auth required:** No - **Request body:** ```json { "name": "string", "email": "string", "password": "string", "turnstileToken": "string" } ``` - **Response:** ```json { "success": true, "needsVerification": true, "message": "Check your email for verification link." } ``` --- ### GET /api/auth/verify-email Verify a user's email address via the link sent during registration. - **Auth required:** No - **Query parameters:** | Parameter | Type | Description | |-----------|--------|--------------------------------------| | `token` | string | Email verification token from the link | - **Response:** HTML status page for success or expired/invalid token. --- ### POST /api/auth/resend-verification Resend the email verification link. - **Auth required:** No - **Request body:** ```json { "email": "string" } ``` - **Response:** ```json { "success": true, "message": "Verification email sent." } ``` --- ### POST /api/auth/login Authenticate a user. Supports optional TOTP two-factor authentication. On success, sets an HTTP-only JWT cookie and returns user data. - **Auth required:** No - **Request body:** ```json { "email": "string", "password": "string", "totpCode": "string (optional, required if 2FA is enabled)", "turnstileToken": "string" } ``` - **Response:** ```json { "success": true, "token": "jwt-string", "sessionId": "string", "user": { "id": "number", "name": "string", "email": "string", "role": "admin | moderator | user", "totp_enabled": "boolean", "email_verified": "boolean" } } ``` If 2FA is enabled but `totpCode` is not provided: ```json { "requires2FA": true } ``` --- ### POST /api/auth/setup-2fa Generate a TOTP secret and QR code for setting up two-factor authentication. - **Auth required:** Yes - **Request body:** None - **Response:** ```json { "success": true, "secret": "string", "qrCode": "string (data URI)" } ``` --- ### POST /api/auth/verify-2fa Verify a TOTP code and enable two-factor authentication for the user. - **Auth required:** Yes - **Request body:** ```json { "code": "string" } ``` - **Response:** ```json { "success": true, "backupCodes": ["string"] } ``` --- ### POST /api/auth/disable-2fa Disable two-factor authentication. Requires password confirmation. - **Auth required:** Yes - **Request body:** ```json { "password": "string" } ``` - **Response:** ```json { "success": true } ``` --- ### POST /api/auth/forgot-password Initiate password reset. Sends a reset link to the user's email. - **Auth required:** No - **Request body:** ```json { "email": "string", "turnstileToken": "string" } ``` - **Response:** ```json { "success": true, "message": "If account exists, reset email sent" } ``` --- ### POST /api/auth/reset-password Reset the user's password using a valid reset token. - **Auth required:** No - **Request body:** ```json { "token": "string", "newPassword": "string" } ``` - **Response:** ```json { "success": true, "passwordWarning": "string (optional)" } ``` --- ### POST /api/auth/logout Log out the current user by deleting the current session row when a token is present and clearing the auth cookie. - **Auth required:** No - **Request body:** None - **Response:** ```json { "success": true } ``` --- ### GET /api/auth/me Retrieve the currently authenticated user's profile. - **Auth required:** Yes - **Response:** ```json { "user": { "id": "number", "name": "string", "email": "string", "role": "admin | moderator | user", "totp_enabled": "boolean", "email_verified": "boolean", "canLocalAuth": "boolean" } } ``` --- ### GET /api/auth/registration-status Check whether new user registration is enabled on this instance. - **Auth required:** No - **Response:** ```json { "registrationEnabled": true } ``` --- ## OIDC / SSO Base path: `/api/auth/` ### GET /api/auth/oidc-status Check whether OIDC single sign-on is configured and enabled. - **Auth required:** No - **Response:** ```json { "oidcEnabled": true, "disableLocalAuth": false, "buttonLabel": "Sign in with SSO" } ``` --- ### GET /api/auth/oidc Initiates the OIDC login flow. Redirects the user to the configured identity provider. - **Auth required:** No - **Response:** HTTP 302 redirect to the IdP authorization endpoint. --- ### GET /api/auth/oidc/callback Handles the callback from the identity provider after authentication. Processes the authorization code and creates/logs in the user. - **Auth required:** No - **Query parameters:** Standard OIDC callback parameters (`code`, `state`). - **Response:** Redirects to the application with a session cookie set. --- ## AI Generation All generation endpoints require authentication and stream or return AI-generated clinical text. Each accepts a `model` parameter to select the LLM. ### POST /api/generate-hpi-encounter Generate a History of Present Illness note from a patient encounter transcript. - **Auth required:** Yes - **Request body:** ```json { "transcript": "string", "patientAge": "string", "patientGender": "string", "model": "string", "setting": "string", "physicianMemories": "string (optional)" } ``` - **Response:** JSON with `success`, generated `hpi`, and resolved `model`. --- ### POST /api/generate-hpi-dictation Generate an HPI note from a physician's dictated summary (same parameters as encounter). - **Auth required:** Yes - **Request body:** ```json { "transcript": "string", "patientAge": "string", "patientGender": "string", "model": "string", "setting": "string", "physicianMemories": "string (optional)" } ``` - **Response:** JSON with `success`, generated `hpi`, and resolved `model`. --- ### POST /api/generate-soap Generate a SOAP note from a patient encounter transcript. - **Auth required:** Yes - **Request body:** ```json { "transcript": "string", "patientAge": "string", "patientGender": "string", "model": "string", "type": "string", "additionalInstructions": "string (optional)", "physicianMemories": "string (optional)" } ``` - **Response:** JSON with `success`, generated `soap`, and resolved `model`. --- ### POST /api/generate-chart-review Generate a chart review summary from clinical notes. - **Auth required:** Yes - **Request body:** ```json { "notes": "string", "visitType": "string", "model": "string" } ``` - **Response:** JSON with `success`, generated chart review content, and resolved `model`. --- ### POST /api/generate-hospital-course Generate a hospital course summary from clinical notes. - **Auth required:** Yes - **Request body:** ```json { "notes": "string", "patientAge": "string", "patientGender": "string", "model": "string", "format": "string", "physicianMemories": "string (optional)" } ``` - **Response:** JSON with `success`, generated summary, and resolved `model`. --- ### POST /api/well-visit/shadess Generate a SHADESS (Strengths, Home, Activities, Drugs, Emotions, Sexuality, Safety) assessment from well-visit responses. - **Auth required:** Yes - **Request body:** ```json { "responses": "object", "patientAge": "string", "model": "string" } ``` - **Response:** JSON with `success`, generated assessment, and resolved `model`. --- ### POST /api/sick-visit/note Generate a sick visit note from chief complaint, transcript/dictation, ROS/PE, and diagnosis context. - **Auth required:** Yes - **Request body:** ```json { "chiefComplaint": "string", "transcript": "string (optional)", "dictation": "string (optional)", "patientAge": "string", "patientGender": "string", "model": "string", "ros": "string (optional)", "physicalExam": "string (optional)", "diagnoses": "string (optional)", "physicianMemories": "string (optional)" } ``` - **Response:** JSON with `success`, generated note, and resolved `model`. --- ### POST /api/patient-education Generate a parent-facing education handout from an existing clinician note. The frontend exposes this as the Handout action beside generated notes. - **Auth required:** Yes - **Request body:** ```json { "noteText": "string", "diagnosis": "string (optional)", "medications": "string (optional)", "patientAge": "string (optional)", "language": "string (optional, defaults to English)", "readingLevel": "string (optional)", "model": "string (optional)" } ``` - **Response:** ```json { "success": true, "handout": "plain-text parent handout", "model": "string" } ``` --- ### POST /api/generate-milestone-narrative Generate a developmental milestone narrative from milestone data. - **Auth required:** Yes - **Request body:** ```json { "milestones": "object | array", "patientAge": "string", "patientGender": "string", "model": "string" } ``` - **Response:** JSON with `success`, generated narrative, and resolved `model`. --- ### POST /api/generate-milestone-summary Generate a concise summary from a previously generated milestone narrative. - **Auth required:** Yes - **Request body:** ```json { "narrative": "string", "model": "string" } ``` - **Response:** JSON with `success`, generated summary, and resolved `model`. --- ### POST /api/refine Refine existing clinical text according to provided instructions. - **Auth required:** Yes - **Request body:** ```json { "currentDocument": "string", "instructions": "string", "sourceContext": "string (optional)", "model": "string" } ``` - **Response:** JSON with `success`, refined text, and resolved `model`. --- ### POST /api/shorten Shorten a block of clinical text while preserving key information. - **Auth required:** Yes - **Request body:** ```json { "document": "string", "model": "string" } ``` - **Response:** JSON with `success`, shortened text, and resolved `model`. --- ### POST /api/clarify Improve clarity and readability of clinical text. - **Auth required:** Yes - **Request body:** ```json { "document": "string", "context": "string (optional)", "model": "string" } ``` - **Response:** JSON with `success`, clarified text, and resolved `model`. --- ## Transcription ### GET /api/transcribe/status Check whether speech-to-text transcription is available and which provider is configured. - **Auth required:** Yes - **Response:** ```json { "available": true, "provider": "litellm | none" } ``` --- ### POST /api/transcribe Transcribe an audio file to text. Accepts multipart form data with the audio file. - **Auth required:** Yes - **Content-Type:** `multipart/form-data` - **File size limit:** 25 MB - **Form fields:** | Field | Type | Description | |---------|------|--------------------| | `audio` | file | Audio file to transcribe | - **Response:** ```json { "success": true, "text": "string", "provider": "string", "duration": "number (seconds)" } ``` --- ## Text-to-Speech ### POST /api/text-to-speech Convert text to speech. Returns an audio stream. - **Auth required:** Yes - **Request body:** ```json { "text": "string", "voice": "string (optional)" } ``` - **Response:** Audio stream (`audio/mpeg`). - **Response headers:** | Header | Description | |------------------|------------------------------------| | `X-TTS-Provider` | The TTS provider used for synthesis | --- ## Models ### GET /api/models List available AI models for the current instance. - **Auth required:** Yes - **Response:** ```json { "provider": "string", "models": [ { "id": "string", "name": "string", "cost": "string", "category": "string" } ], "defaultModel": "string" } ``` --- ## Encounters ### GET /api/encounters/saved List active, unexpired saved encounters for the authenticated user. - **Auth required:** Yes - **Response:** ```json { "success": true, "encounters": [ { "id": "number", "label": "string", "enc_type": "string", "status": "string", "created_at": "string (ISO 8601)", "updated_at": "string (ISO 8601)", "expires_at": "string (ISO 8601)", "transcript_preview": "string", "note_preview": "string" } ] } ``` --- ### GET /api/encounters/saved/:id Retrieve a single saved encounter with full data. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-----------------| | `id` | number | Encounter ID | - **Response:** ```json { "success": true, "encounter": { "id": "number", "label": "string", "enc_type": "string", "transcript": "string", "generated_note": "string", "partial_data": "stringified JSON", "created_at": "string (ISO 8601)", "updated_at": "string (ISO 8601)" } } ``` --- ### POST /api/encounters/saved Create or update a saved encounter. Uses `idempotency_key` to prevent duplicates on create and `expected_version` for optimistic locking on updates. - **Auth required:** Yes - **Request body:** ```json { "id": "number (optional, update existing encounter)", "label": "string", "enc_type": "string", "transcript": "string", "generated_note": "string", "partial_data": "object (optional)", "status": "string (optional)", "idempotency_key": "string (optional)", "expected_version": "number (optional, update only)" } ``` - **Response:** ```json { "success": true, "id": "number", "version": "number (updates only)" } ``` --- ### DELETE /api/encounters/saved/:id Delete a saved encounter. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-----------------| | `id` | number | Encounter ID | - **Response:** ```json { "success": true } ``` --- ## Memories Physician memories are encrypted user templates and prompt preferences. Only AI-context categories are injected into generation prompts; `custom` and legacy `correction_*` rows are excluded from `/api/memories/context`. ### GET /api/memories List all memories for the authenticated user. Returns up to 200 entries. - **Auth required:** Yes - **Response:** ```json { "success": true, "memories": [ { "id": "number", "category": "string", "name": "string", "content": "string", "created_at": "string (ISO 8601)", "updated_at": "string (ISO 8601)" } ] } ``` --- ### POST /api/memories Create a new memory. - **Auth required:** Yes - **Request body:** ```json { "category": "string", "name": "string", "content": "string" } ``` - **Response:** ```json { "success": true, "id": "number", "originalSize": "number", "compressedSize": "number" } ``` --- ### PUT /api/memories/:id Update an existing memory. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-------------| | `id` | number | Memory ID | - **Request body:** ```json { "category": "string", "name": "string", "content": "string" } ``` - **Response:** ```json { "success": true } ``` --- ### DELETE /api/memories/:id Delete a memory. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-------------| | `id` | number | Memory ID | - **Response:** ```json { "success": true } ``` --- ### GET /api/memories/context Retrieve AI-context template/preference rows formatted for injection into AI generation prompts. `custom` rows and legacy `correction_*` rows are excluded. - **Auth required:** Yes - **Response:** ```json { "success": true, "context": "string" } ``` --- ## Audio Backups Temporary encrypted audio backup storage with automatic 24-hour expiry. ### POST /api/audio-backups Upload an audio backup. The file is gzip-compressed and encrypted on the server. - **Auth required:** Yes - **Content-Type:** `multipart/form-data` - **Form fields:** | Field | Type | Description | |---------|------|------------------------| | `audio` | file | Audio file to back up | - **Response:** ```json { "success": true, "id": "number" } ``` --- ### GET /api/audio-backups List unexpired audio backups for the authenticated user. - **Auth required:** Yes - **Response:** ```json { "success": true, "backups": [ { "id": "number", "module": "string", "mime_type": "string", "size_bytes": "number", "compressed_bytes": "number", "created_at": "string (ISO 8601)", "expires_at": "string (ISO 8601)" } ] } ``` --- ### GET /api/audio-backups/:id/audio Download a decompressed audio backup. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-------------------| | `id` | number | Audio backup ID | - **Response:** Binary audio stream with appropriate content-type header. --- ### DELETE /api/audio-backups/:id Delete an audio backup. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-------------------| | `id` | number | Audio backup ID | - **Response:** ```json { "success": true } ``` --- ## Documents S3-backed document storage for clinical files. ### GET /api/documents List all documents for the authenticated user. - **Auth required:** Yes - **Response:** ```json { "success": true, "s3_configured": true, "documents": [ { "id": "number", "filename": "string", "mime_type": "string", "size_bytes": "number", "description": "string", "created_at": "string (ISO 8601)" } ] } ``` --- ### POST /api/documents/upload Upload a document to S3 storage. - **Auth required:** Yes - **Content-Type:** `multipart/form-data` - **File size limit:** 10 MB - **Allowed types:** PDF, images (JPEG, PNG, GIF), Word documents (.doc, .docx), plain text (.txt), CSV (.csv) - **Form fields:** | Field | Type | Description | |--------|------|---------------------| | `file` | file | Document to upload | - **Response:** ```json { "success": true, "id": "number", "filename": "string" } ``` --- ### GET /api/documents/:id/download Download a document. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|---------------| | `id` | number | Document ID | - **Response:** JSON containing a short-lived pre-signed download URL. ```json { "success": true, "url": "string" } ``` --- ### DELETE /api/documents/:id Delete a document from S3 storage. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|---------------| | `id` | number | Document ID | - **Response:** ```json { "success": true } ``` --- ## User Preferences ### GET /api/user/preferences Get the authenticated user's preferences. - **Auth required:** Yes - **Response:** ```json { "success": true, "stt_model": "string", "tts_voice": "string" } ``` --- ### POST /api/user/preferences Save user preferences. - **Auth required:** Yes - **Request body:** ```json { "stt_model": "string", "tts_voice": "string" } ``` - **Response:** ```json { "success": true } ``` --- ### GET /api/user/preferences/options List available STT models and TTS voices that the user can choose from. - **Auth required:** Yes - **Response:** ```json { "success": true, "sttModels": [ { "value": "string", "label": "string" } ], "ttsVoices": [ { "value": "string", "label": "string" } ], "sttProvider": "string", "ttsProvider": "string" } ``` --- ### POST /api/user/webdav-path Save the user's preferred WebDAV learning content path. - **Auth required:** Yes - **Request body:** ```json { "path": "string" } ``` - **Response:** ```json { "success": true } ``` --- ## Phone Extensions And Pagers Base path: `/api/extensions`. All endpoints require authentication and operate on the current user's personal directory. Portable import/export fields are `location`, `name`, `number`, `type`, and `notes`. Exports intentionally omit database IDs and user IDs. `type` is either `extension` or `pager`. ### GET /api/extensions List active or trashed phone directory entries. - **Auth required:** Yes - **Query parameters:** | Parameter | Type | Description | |-----------|------|-------------| | `trash` | string | `1` or `true` returns trashed entries instead of active entries. | | `q` | string | Case-insensitive search over location, name, number, and notes. | - **Response:** ```json { "success": true, "items": [ { "id": 1, "location": "ED", "name": "Charge Nurse", "number": "1234", "type": "extension", "notes": "Nights", "trashed_at": null, "created_at": "2026-05-08T00:00:00.000Z", "updated_at": "2026-05-08T00:00:00.000Z" } ] } ``` --- ### POST /api/extensions Create a phone extension or pager entry. - **Auth required:** Yes - **Request body:** ```json { "location": "ED", "name": "Charge Nurse", "number": "1234", "type": "extension", "notes": "Optional note" } ``` - **Response:** ```json { "success": true, "id": 1 } ``` --- ### PUT /api/extensions/:id Update an existing entry owned by the current user. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|------|-------------| | `id` | number | Entry ID. | - **Request body:** Same fields as `POST /api/extensions`. - **Response:** ```json { "success": true } ``` --- ### DELETE /api/extensions/:id Move an active entry to trash. This is a soft delete. - **Auth required:** Yes - **Response:** ```json { "success": true } ``` --- ### POST /api/extensions/:id/restore Restore a trashed entry. - **Auth required:** Yes - **Response:** ```json { "success": true } ``` --- ### DELETE /api/extensions/:id/purge Permanently delete a trashed entry. - **Auth required:** Yes - **Response:** ```json { "success": true } ``` --- ### GET /api/extensions/export Export active entries as `pedscribe-extensions.zip`. The ZIP contains `pedscribe-extensions.json`. - **Auth required:** Yes - **Response headers:** | Header | Description | |--------|-------------| | `Content-Type` | `application/zip` | | `Content-Disposition` | Attachment filename. | | `X-Export-Count` | Number of exported active entries. | - **JSON file shape inside ZIP:** ```json { "format": "pedscribe-phone-directory", "version": 1, "exported_at": "2026-05-08T00:00:00.000Z", "items": [ { "location": "ED", "name": "Charge Nurse", "number": "1234", "type": "extension", "notes": "Optional note" } ] } ``` --- ### POST /api/extensions/import Import entries from a JSON request body. Exact active duplicates are skipped. Exact trashed matches can be restored when requested. Possible duplicates are identified by loose matching (`location + number` or `number + type`) and skipped unless explicitly imported. - **Auth required:** Yes - **Request body:** Export payload object, an array of entry objects, or an object with `items` and `options`. ```json { "items": [ { "location": "ED", "name": "Charge Nurse", "number": "1234", "type": "extension", "notes": "Optional note" } ], "options": { "restoreTrashed": true, "importPossibleDuplicates": false } } ``` - **Response:** ```json { "success": true, "imported": 2, "restored": 1, "skipped": 1, "possibleSkipped": 1, "total": 3 } ``` --- ### POST /api/extensions/import/preview Preview a JSON import before committing it. The preview categorizes entries as new, exact active duplicates, exact trashed matches, or possible duplicates. - **Auth required:** Yes - **Request body:** Same JSON shapes accepted by `POST /api/extensions/import`. - **Response:** ```json { "success": true, "preview": { "summary": { "total": 3, "new": 1, "exactActive": 1, "exactTrashed": 0, "possible": 1 }, "entries": [] } } ``` --- ### POST /api/extensions/import-file Import entries from a multipart file upload. Accepts a PedScribe JSON export or a ZIP export containing JSON. Form fields `restoreTrashed=true` and `importPossibleDuplicates=true` control the same duplicate handling options as JSON import. - **Auth required:** Yes - **Request body:** `multipart/form-data` with field `file`. - **Limits:** Maximum upload size is 1 MB. At most 1000 valid entries are processed. - **Response:** Same as `POST /api/extensions/import`. --- ### POST /api/extensions/import-file/preview Preview a multipart JSON or ZIP import before committing it. - **Auth required:** Yes - **Request body:** `multipart/form-data` with field `file`. - **Response:** Same preview shape as `POST /api/extensions/import/preview`. --- ## Nextcloud Integration ### POST /api/nextcloud/connect Connect the user's account to a Nextcloud instance via WebDAV. - **Auth required:** Yes - **Request body:** ```json { "url": "string", "username": "string", "password": "string" } ``` - **Response:** ```json { "success": true, "message": "Connected to Nextcloud." } ``` --- ### POST /api/nextcloud/export Export text content to the connected Nextcloud instance. - **Auth required:** Yes - **Request body:** ```json { "text": "string", "title": "string" } ``` - **Response:** ```json { "success": true, "path": "string" } ``` --- ### POST /api/nextcloud/disconnect Disconnect the user's Nextcloud integration. - **Auth required:** Yes - **Request body:** None - **Response:** ```json { "success": true, "message": "Disconnected from Nextcloud." } ``` --- ## Learning Hub (Public) Public-facing learning content endpoints. Authentication is required to track progress and submit quizzes. ### GET /api/learning/categories List all learning content categories. - **Auth required:** Yes - **Response:** ```json [ { "id": "number", "name": "string", "slug": "string", "description": "string" } ] ``` --- ### GET /api/learning/feed Get a paginated feed of learning content. - **Auth required:** Yes - **Query parameters:** | Parameter | Type | Default | Description | |-----------|--------|---------|-----------------------| | `limit` | number | 20 | Items per page | | `offset` | number | 0 | Pagination offset | - **Response:** ```json [ { "id": "number", "title": "string", "slug": "string", "summary": "string", "category": "string", "created_at": "string (ISO 8601)" } ] ``` --- ### GET /api/learning/category/:slug Get all learning content within a specific category. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|----------------| | `slug` | string | Category slug | - **Response:** Array of content items in the category. --- ### GET /api/learning/content/:slug Get a single piece of learning content, including quiz questions, answer options, and the user's progress. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|---------------| | `slug` | string | Content slug | - **Response:** ```json { "id": "number", "title": "string", "slug": "string", "body": "string (markdown)", "category": "object", "questions": [ { "id": "number", "text": "string", "options": [ { "id": "number", "text": "string" } ] } ], "progress": { "completed": "boolean", "score": "number | null" } } ``` --- ### GET /api/learning/content/:slug/slides Render Marp-formatted markdown content as HTML presentation slides. - **Auth required:** Yes - **Path parameters:** | Parameter | Type | Description | |-----------|--------|---------------| | `slug` | string | Content slug | - **Response:** HTML presentation content. --- ### POST /api/learning/submit-quiz Submit quiz answers for a piece of learning content. - **Auth required:** Yes - **Request body:** ```json { "contentId": "number", "answers": [ { "questionId": "number", "optionIds": ["number"] } ] } ``` - **Response:** ```json { "success": true, "score": "number", "total": "number", "results": [ { "questionId": "number", "correct": "boolean" } ] } ``` --- ### GET /api/learning/search Keyword-based search across learning content. - **Auth required:** Yes - **Query parameters:** | Parameter | Type | Description | |-----------|--------|-----------------| | `q` | string | Search query | - **Response:** Array of matching content items. --- ### GET /api/learning/search/semantic Semantic (vector-based) search across learning content using embeddings. - **Auth required:** Yes - **Query parameters:** | Parameter | Type | Description | |-----------|--------|-----------------| | `q` | string | Search query | - **Response:** Array of matching content items ranked by semantic similarity. --- ### GET /api/learning/search/hybrid Combined keyword and semantic search for best-of-both-worlds results. - **Auth required:** Yes - **Query parameters:** | Parameter | Type | Description | |-----------|--------|-----------------| | `q` | string | Search query | - **Response:** Array of matching content items with combined ranking. --- ## Learning Hub CMS (Moderator+) Content management endpoints for learning content. Requires moderator or admin role. ### GET /api/admin/learning/categories List all learning categories (admin view). - **Auth required:** Yes (moderator+) - **Response:** Array of category objects. --- ### POST /api/admin/learning/categories Create a new learning category. - **Auth required:** Yes (moderator+) - **Request body:** ```json { "name": "string", "slug": "string", "description": "string" } ``` - **Response:** ```json { "success": true, "id": "number" } ``` --- ### PUT /api/admin/learning/categories/:id Update a learning category. - **Auth required:** Yes (moderator+) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|---------------| | `id` | number | Category ID | - **Request body:** ```json { "name": "string", "slug": "string", "description": "string" } ``` - **Response:** ```json { "success": true } ``` --- ### DELETE /api/admin/learning/categories/:id Delete a learning category. - **Auth required:** Yes (moderator+) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|---------------| | `id` | number | Category ID | - **Response:** ```json { "success": true } ``` --- ### GET /api/admin/learning/content List all learning content (admin view, includes unpublished). - **Auth required:** Yes (moderator+) - **Response:** Array of content objects. --- ### POST /api/admin/learning/content Create new learning content. - **Auth required:** Yes (moderator+) - **Request body:** ```json { "title": "string", "slug": "string", "body": "string (markdown)", "categoryId": "number", "questions": "array (optional)" } ``` - **Response:** ```json { "success": true, "id": "number" } ``` --- ### GET /api/admin/learning/content/:id Get a single content item for editing. - **Auth required:** Yes (moderator+) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|--------------| | `id` | number | Content ID | - **Response:** Full content object with questions and metadata. --- ### PUT /api/admin/learning/content/:id Update existing learning content. - **Auth required:** Yes (moderator+) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|--------------| | `id` | number | Content ID | - **Request body:** ```json { "title": "string", "slug": "string", "body": "string (markdown)", "categoryId": "number", "questions": "array (optional)" } ``` - **Response:** ```json { "success": true } ``` --- ### DELETE /api/admin/learning/content/:id Delete learning content. - **Auth required:** Yes (moderator+) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|--------------| | `id` | number | Content ID | - **Response:** ```json { "success": true } ``` --- ### POST /api/admin/learning/ai-generate Generate learning content or presentations using AI. Accepts either multipart form data (with file uploads) or JSON. - **Auth required:** Yes (moderator+) - **Content-Type:** `multipart/form-data` or `application/json` - **Request body (JSON):** ```json { "topic": "string", "type": "article | presentation", "model": "string" } ``` - **Request body (multipart):** Same fields plus uploaded reference files. - **Response:** ```json { "success": true, "content": "string (markdown)" } ``` --- ### POST /api/admin/learning/ai-refine Refine learning content body text using AI. - **Auth required:** Yes (moderator+) - **Request body:** ```json { "body": "string", "instructions": "string", "model": "string" } ``` - **Response:** ```json { "success": true, "content": "string" } ``` --- ### POST /api/admin/learning/preview-slides Preview Marp-formatted markdown as rendered presentation slides. - **Auth required:** Yes (moderator+) - **Request body:** ```json { "markdown": "string" } ``` - **Response:** ```json { "css": "string", "slides": ["string (HTML)"] } ``` --- ### POST /api/admin/learning/generate-pptx Generate a PowerPoint file from Marp markdown. - **Auth required:** Yes (moderator+) - **Request body:** ```json { "markdown": "string", "title": "string" } ``` - **Response:** Binary `.pptx` file download. --- ### GET /api/admin/learning/webdav-browse Browse files on the connected WebDAV/Nextcloud server. - **Auth required:** Yes (moderator+) - **Query parameters:** | Parameter | Type | Description | |-----------|--------|------------------------------| | `path` | string | Directory path to browse | - **Response:** Array of file/directory entries. --- ### GET /api/admin/learning/stats Get learning hub statistics (content counts, quiz completion rates, etc.). - **Auth required:** Yes (moderator+) - **Response:** ```json { "totalContent": "number", "totalCategories": "number", "totalQuizSubmissions": "number", "averageScore": "number" } ``` --- ## Admin - Users Requires admin role. ### GET /api/admin/users List all registered users. - **Auth required:** Yes (admin) - **Response:** ```json { "success": true, "users": [ { "id": "number", "name": "string", "email": "string", "role": "string", "email_verified": "boolean", "totp_enabled": "boolean", "disabled": "boolean", "created_at": "string (ISO 8601)" } ] } ``` --- ### GET /api/admin/users/:id Get detailed information and usage statistics for a specific user. - **Auth required:** Yes (admin) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-------------| | `id` | number | User ID | - **Response:** ```json { "success": true, "user": { "id": "number", "name": "string", "email": "string", "role": "string", "email_verified": "boolean", "totp_enabled": "boolean", "disabled": "boolean", "api_calls": "number", "last_login": "string (ISO 8601) | null" } } ``` --- ### POST /api/admin/users/:id/verify Manually verify a user's email address (bypass email verification). - **Auth required:** Yes (admin) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-------------| | `id` | number | User ID | - **Response:** ```json { "success": true } ``` --- ### POST /api/admin/users/:id/disable Disable a user account, preventing login. - **Auth required:** Yes (admin) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-------------| | `id` | number | User ID | - **Response:** ```json { "success": true } ``` --- ### POST /api/admin/users/:id/enable Re-enable a previously disabled user account. - **Auth required:** Yes (admin) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|-------------| | `id` | number | User ID | - **Response:** ```json { "success": true } ``` --- ## Admin - Configuration Requires admin role unless noted otherwise. ### GET /api/admin/config/announcement Get the current announcement banner. Any authenticated user can read this endpoint. - **Auth required:** Yes - **Response:** ```json { "success": true, "enabled": "boolean", "text": "string", "type": "info | warning | error | success" } ``` --- ### GET /api/admin/config Get all application configuration settings. - **Auth required:** Yes (admin) - **Response:** Object containing all configuration key-value pairs. --- ### PUT /api/admin/config/:key Update one application configuration setting. The key must use an allowed prefix such as `announcement.`, `feature.`, `email.`, `prompt.`, `registration_enabled`, `site.`, `smtp.`, `models.`, `tts.`, `stt.`, `embeddings.`, or `clinical_assistant.`. - **Auth required:** Yes (admin) - **Request body:** ```json { "value": "string" } ``` - **Response:** ```json { "success": true } ``` --- ### POST /api/admin/config/test-email Send a test email to verify SMTP configuration. - **Auth required:** Yes (admin) - **Request body:** ```json { "to": "string (email address)" } ``` - **Response:** ```json { "success": true, "message": "Test email sent." } ``` --- ### GET /api/admin/config/prompts Get all AI prompt templates, including any admin overrides. - **Auth required:** Yes (admin) - **Response:** Object mapping prompt keys to their current values. --- ### POST /api/admin/config/prompts/:key/reset Reset a specific AI prompt template back to its default value. - **Auth required:** Yes (admin) - **Path parameters:** | Parameter | Type | Description | |-----------|--------|---------------------| | `key` | string | Prompt template key | - **Response:** ```json { "success": true } ``` --- ### POST /api/admin/config/reset-defaults Reset all configuration settings to their default values. - **Auth required:** Yes (admin) - **Response:** ```json { "success": true } ``` --- ### GET /api/admin/config/smtp/status Check the current SMTP configuration status. - **Auth required:** Yes (admin) - **Response:** ```json { "configured": "boolean", "host": "string", "port": "string", "user": "string", "from": "string", "source": "env | database | none" } ``` --- ### PUT /api/admin/config/smtp Update SMTP email configuration. - **Auth required:** Yes (admin) - **Request body:** ```json { "host": "string", "port": "number", "user": "string", "pass": "string", "from": "string", "secure": "boolean" } ``` - **Response:** ```json { "success": true } ``` --- ### POST /api/admin/settings/registration Update registration settings (enable/disable new registrations). - **Auth required:** Yes (admin) - **Request body:** ```json { "enabled": "boolean" } ``` - **Response:** ```json { "success": true } ``` --- ### GET /api/auth/oidc/config Get the current OIDC/SSO configuration. - **Auth required:** Yes (admin) - **Response:** ```json { "success": true, "config": { "oidc.enabled": "string", "oidc.issuer": "string", "oidc.client_id": "string", "oidc.client_secret": "masked string", "oidc.disable_local_auth": "string", "oidc.button_label": "string" } } ``` --- ### PUT /api/auth/oidc/config Update the OIDC/SSO configuration. - **Auth required:** Yes (admin) - **Request body:** ```json { "oidc.enabled": "string", "oidc.issuer": "string", "oidc.client_id": "string", "oidc.client_secret": "string", "oidc.disable_local_auth": "string", "oidc.button_label": "string" } ``` - **Response:** ```json { "success": true } ``` --- ### GET /api/admin/config/models List all AI models with their enabled/disabled status. - **Auth required:** Yes (admin) - **Response:** ```json [ { "id": "string", "name": "string", "enabled": "boolean", "isDefault": "boolean", "category": "string" } ] ``` --- ### PUT /api/admin/config/models/toggle Enable or disable a specific AI model. - **Auth required:** Yes (admin) - **Request body:** ```json { "modelId": "string", "enabled": "boolean" } ``` - **Response:** ```json { "success": true } ``` --- ### PUT /api/admin/config/models/default Set the default AI model for all users. - **Auth required:** Yes (admin) - **Request body:** ```json { "modelId": "string" } ``` - **Response:** ```json { "success": true } ``` --- ### POST /api/admin/config/models/custom Add a custom AI model definition. - **Auth required:** Yes (admin) - **Request body:** ```json { "id": "string", "name": "string", "category": "string" } ``` - **Response:** ```json { "success": true } ``` --- ### GET /api/admin/config/models/discover Discover available models from the configured AI provider. - **Auth required:** Yes (admin) - **Response:** ```json { "success": true, "models": [ { "id": "string", "name": "string" } ] } ``` --- ## Logs Requires admin role. ### GET /api/logs/usage Get a 30-day usage summary broken down by model and endpoint. - **Auth required:** Yes (admin) - **Response:** ```json { "byModel": [ { "model": "string", "count": "number", "tokens": "number" } ], "byEndpoint": [ { "endpoint": "string", "count": "number" } ] } ``` --- ### GET /api/logs/audit Get the audit log of user actions (login, settings changes, etc.). - **Auth required:** Yes (admin) - **Response:** Array of audit log entries with timestamps, user IDs, and action descriptions. --- ### GET /api/logs/api Get API call metrics (request counts, latency, error rates). - **Auth required:** Yes (admin) - **Response:** Array of API metric entries. --- ### GET /api/logs/access Get user access history (login times, IP addresses). - **Auth required:** Yes (admin) - **Response:** Array of access log entries. --- ## Milestones (Admin) Developmental milestones management. Requires admin role. ### GET /api/admin/milestones List all developmental milestones in the database. - **Auth required:** Yes (admin) - **Response:** Array of milestone objects organized by age group and domain. --- ### POST /api/admin/milestones/seed Seed the database with the default set of developmental milestones. - **Auth required:** Yes (admin) - **Request body:** None - **Response:** ```json { "success": true, "count": "number" } ``` --- ## Health ### GET /api/health Application health check endpoint. - **Auth required:** No - **Response:** ```json { "ok": true } ``` --- ## Metrics ### GET /metrics Prometheus scrape endpoint for operational metrics. Metric names use the `ped_ai_` prefix and include HTTP request counters, durations, and in-flight request gauges. Unmatched 404 routes are collapsed under `route="unmatched"` to avoid unbounded path labels. - **Auth required:** No - **Response:** Prometheus text exposition format.