## Base URL

All API requests are made to:

All responses are JSON with a top-level `success` boolean field unless otherwise noted (e.g., PDF downloads).

## API groups

The platform exposes two API groups with different authentication requirements and rate limits.

### Public API

No authentication required. Rate limited to 60 requests per minute. These endpoints power the public quote builder SPA and allow anonymous users to browse service blocks and submit quotes.
| Method | Path | Description |
|---|---|---|
| GET | `/api/quote-blocks` | All active categories and their blocks |
| GET | `/api/quote-blocks/category/{categoryId}` | Blocks for a specific category |
| POST | `/api/quote-blocks/calculate` | Calculate price for a block configuration |
| POST | `/api/quotes/save-draft` | Save a quote as a draft |
| POST | `/api/quotes/submit` | Submit a quote and generate a PDF |
| POST | `/api/quotes/generate-pdf` | Generate and download a PDF for arbitrary quote data |
| GET | `/api/health` | Health check |
### Protected API

Requires authentication via Laravel Sanctum. Rate limited to 30 requests per minute. These endpoints are intended for admin dashboards and integrations.
| Method | Path | Description |
|---|---|---|
| GET | `/api/v1/quotes/statistics` | Aggregate quote statistics |
| GET | `/api/v1/quotes/recent` | Recent quotes with items |
| POST | `/api/v1/quotes/{id}/duplicate` | Duplicate an existing quote |
| GET | `/api/v1/quotes/export` | Export quotes to CSV |
| GET | `/api/v1/admin/quote-blocks` | List all quote blocks (admin) |
| POST | `/api/v1/admin/quote-blocks` | Create a quote block (admin) |
| GET | `/api/v1/admin/quote-blocks/{id}` | Get a single quote block (admin) |
| PUT | `/api/v1/admin/quote-blocks/{id}` | Update a quote block (admin) |
| DELETE | `/api/v1/admin/quote-blocks/{id}` | Delete a quote block (admin) |
| POST | `/api/v1/admin/quote-blocks/reorder` | Reorder quote blocks (admin) |
## Authentication

The protected API uses Laravel Sanctum and supports two authentication strategies.

### Bearer token

Include a Sanctum personal access token in the `Authorization` header:

```bash
curl https://your-domain.com/api/v1/quotes/statistics \
  --header "Authorization: Bearer YOUR_TOKEN"
```
### SPA cookie-based (CSRF)

For browser-based SPAs on the same domain, use cookie authentication. First, fetch the CSRF cookie, then include the `X-XSRF-TOKEN` header on subsequent requests.

#### 1. Fetch the CSRF cookie

```bash
curl --cookie-jar cookies.txt \
  https://your-domain.com/sanctum/csrf-cookie
```

#### 2. Authenticate

Log in via the standard web auth flow. The session cookie is set automatically.

#### 3. Make authenticated API requests

Include the `X-XSRF-TOKEN` header, extracted from the cookie jar, on all subsequent requests.

The CSRF setup endpoint is `GET /sanctum/csrf-cookie`. It sets an `XSRF-TOKEN` cookie that must be reflected as an `X-XSRF-TOKEN` request header.
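The following JavaScript is an added example, not code from the project or its documentation. It shows the same-origin SPA side of the three steps above: read the `XSRF-TOKEN` cookie, URL-decode it, and reflect it as `X-XSRF-TOKEN`. Only the cookie and header names come from this page; the function names, the injected `fetchImpl` and `readCookies` parameters, and the extra `Accept` / `X-Requested-With` headers are assumptions of the example. The decoding step also applies to a value copied out of the curl cookie jar: the cookie is stored percent-encoded, and the server compares the decoded value.

```javascript
// Added example: same-origin SPA side of the Sanctum cookie flow described above.
// Not project code. Cookie name XSRF-TOKEN and header name X-XSRF-TOKEN are from
// the docs; everything else (function names, injected fetchImpl/readCookies,
// the extra Accept / X-Requested-With headers) is this example's own assumption.

// Parse a Cookie-header-style string ("a=1; b=2") into a name -> raw value map.
// document.cookie has exactly this shape in a browser.
function parseCookieString(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) cookies[name] = part.slice(idx + 1).trim();
  }
  return cookies;
}

// The XSRF-TOKEN cookie is stored URL-encoded (base64 "=" padding shows up as
// "%3D") and the server compares the *decoded* value, so decode before
// reflecting it. Laravel leaves this cookie readable by script on purpose;
// the session cookie stays HttpOnly. A malformed value is reported as "no
// token" rather than sent as-is.
function xsrfTokenFromCookies(cookieString) {
  const raw = parseCookieString(cookieString)['XSRF-TOKEN'];
  if (raw === undefined || raw === '') return null;
  try {
    return decodeURIComponent(raw);
  } catch (err) {
    return null;
  }
}

// Headers for a state-changing request. Accept: application/json asks Laravel
// for JSON error bodies (the 422 / 500 shapes documented on this page) instead
// of redirects or HTML.
function csrfHeaders(cookieString) {
  const token = xsrfTokenFromCookies(cookieString);
  if (token === null) {
    throw new Error('XSRF-TOKEN cookie missing or malformed; call GET /sanctum/csrf-cookie first');
  }
  return {
    Accept: 'application/json',
    'Content-Type': 'application/json',
    'X-Requested-With': 'XMLHttpRequest',
    'X-XSRF-TOKEN': token,
  };
}

// End-to-end shape of the three documented steps. fetchImpl and readCookies
// are injected so the helper can be exercised outside a browser; in a browser
// the defaults (global fetch, document.cookie) are what you want.
async function sanctumPost(baseUrl, path, payload, options = {}) {
  const fetchImpl = options.fetchImpl || globalThis.fetch;
  const readCookies = options.readCookies || (() => globalThis.document.cookie);

  // Step 1: prime the XSRF-TOKEN cookie. credentials: 'same-origin' lets the
  // browser store and later send it; the SPA must live on the API's domain.
  await fetchImpl(`${baseUrl}/sanctum/csrf-cookie`, { credentials: 'same-origin' });

  // Step 2 (logging in through the web auth flow) is assumed to have happened.

  // Step 3: reflect the decoded cookie value as X-XSRF-TOKEN on the request.
  const res = await fetchImpl(`${baseUrl}${path}`, {
    method: 'POST',
    credentials: 'same-origin',
    headers: csrfHeaders(readCookies()),
    body: JSON.stringify(payload),
  });
  return { status: res.status, body: await res.json() };
}
```

A request that arrives without the header, or with the still-encoded value, fails Laravel's CSRF check rather than the Sanctum authentication, so a 419 at this point means the reflection step is wrong, not the login.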
## Rate limiting

| API group | Limit |
|---|---|
| Public API | 60 requests / minute |
| Protected API | 30 requests / minute |

When a limit is exceeded the server returns `429 Too Many Requests`.
## Response format

All JSON responses include a `success` field:

```json
{
  "success": true,
  "...": "..."
}
```

Validation errors return HTTP 422 with an `errors` object:

```json
{
  "success": false,
  "errors": {
    "client.email": ["The client.email field is required."]
  }
}
```

Server errors return HTTP 500:

```json
{
  "success": false,
  "message": "Error al procesar la cotización. Por favor, intenta nuevamente."
}
```
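As an added example serving both the Rate limiting and Response format sections (not code from the project), the JavaScript below normalises the documented response shapes into one result type and adds a client-side sliding-window budget that keeps an integration under the per-minute limits instead of discovering them through 429s. The documented facts it relies on are the `success` boolean, the 422 `errors` object keyed by dotted field paths, the 500 `message`, and the 429 status. The `Retry-After` handling is an assumption (the page does not say the 429 response carries that header, so it is used only if present), as are the function names and the 60-second fallback.

```javascript
// Added example: client-side handling of the response shapes documented in the
// Rate limiting and Response format sections. Not project code. Documented
// facts: a top-level "success" boolean, 422 with an "errors" object keyed by
// dotted field paths, 500 with a "message", 429 when the per-minute limit is
// exceeded. Assumptions: the function names, the optional Retry-After header
// (used only if present), and the 60-second fallback window.

// Normalise (status, headers, parsed JSON body) into one discriminated result so
// callers never read body.errors on a rate-limit response or vice versa.
function interpretResponse(status, headers, body) {
  const h = headers || {};
  if (status === 429) {
    const retryAfter = Number(h['retry-after']);
    return {
      kind: 'rate_limited',
      // Assumption: honour Retry-After if the server sends it; otherwise wait
      // out the one-minute window the documented limits are defined over.
      retryAfterSeconds: Number.isFinite(retryAfter) && retryAfter > 0 ? retryAfter : 60,
    };
  }
  if (status === 422 && body && body.success === false) {
    // Flatten {"client.email": ["..."]} into [{field, message}] so a form can
    // attach each message to its input without re-parsing dotted keys.
    const fieldErrors = [];
    for (const [field, messages] of Object.entries(body.errors || {})) {
      for (const message of messages) fieldErrors.push({ field, message });
    }
    return { kind: 'validation_error', fieldErrors };
  }
  if (status >= 500) {
    // The documented 500 body carries a user-facing "message"; keep it verbatim.
    return { kind: 'server_error', message: (body && body.message) || `HTTP ${status}` };
  }
  if (body && body.success === true) {
    const { success, ...data } = body; // strip the envelope, keep the payload
    return { kind: 'ok', data };
  }
  // A success flag that disagrees with the status, or a non-JSON/empty body:
  // surface it instead of guessing.
  return { kind: 'unexpected', status, body };
}

// Sliding-window budget so an integration stays under the documented limits
// (60/min public, 30/min protected) rather than relying on 429s. nowMs is
// injectable for deterministic tests; tryAcquire() returns false when the
// request should be deferred.
function createRateBudget(limitPerMinute, windowMs = 60000) {
  const sent = []; // send times (ms) still inside the window, oldest first
  return {
    tryAcquire(nowMs = Date.now()) {
      while (sent.length > 0 && nowMs - sent[0] >= windowMs) sent.shift();
      if (sent.length >= limitPerMinute) return false;
      sent.push(nowMs);
      return true;
    },
    used() {
      return sent.length;
    },
  };
}
```

Keep one budget per API group, since the two groups are limited independently; a 429 that still arrives (for example, from other clients sharing the same source) should reset the caller's expectations rather than be retried immediately.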
## Health check

```bash
curl https://your-domain.com/api/health
```

```json
{
  "status": "healthy",
  "timestamp": "2024-01-15T10:30:00.000000Z"
}
```