The Maleku System REST API powers a full-stack multi-vendor tourism marketplace for Costa Rica. It is built on FastAPI and exposes a versioned JSON API that lets client applications browse and book properties, tours, vehicles, boats, and more — while giving vendors a complete management interface and superadmins full platform oversight. All responses are JSON; all authenticated requests must carry a JWT Bearer token issued at login or registration.
Base URL
| Environment | URL |
|---|---|
| Production | https://api.costaricatravel.dev/api/v1 |
| Local dev | http://localhost:8000/api/v1 |
https://api.costaricatravel.dev/api/v1/auth/login.
Interactive Docs
When the server is running in debug mode, auto-generated interactive documentation is available at:
| Interface | Path |
|---|---|
| Swagger UI | /docs |
| ReDoc | /redoc |
| OpenAPI spec (JSON) | /openapi.json |
The interactive docs UIs are disabled in production (DEBUG=false). Use the endpoints at https://api.costaricatravel.dev/docs only in staging or local environments.
Authentication
All protected endpoints require a JWT Bearer token in the Authorization header:
Tokens are issued by POST /auth/register or POST /auth/login. Access tokens expire after 60 minutes by default (ACCESS_TOKEN_EXPIRE_MINUTES in config). Use POST /auth/refresh with your refresh token to obtain a new access token before expiry.
See the full Authentication reference for registration, login, refresh, logout, password reset, and email verification flows.
Versioning
All endpoints live under the /api/v1/ prefix. The current and only stable version is v1. Breaking changes will be introduced under a new version prefix (e.g. /api/v2/) rather than altering existing routes.
Pagination
Most list endpoints return a paginated PaginatedResponse envelope. Use page and page_size query parameters to control the window of results.
| Parameter | Type | Default | Maximum | Description |
|---|---|---|---|---|
| page | integer | 1 | — | 1-based page number |
| page_size | integer | 20 | 100 | Items per page |
Some endpoints accept skip + limit as an alternative style. Check the individual endpoint reference for which parameters it supports.
Paginated response envelope:
Rate Limiting
The API enforces per-IP rate limits to protect platform stability.
| Scope | Limit |
|---|---|
| General endpoints | 60 requests / minute |
| Auth endpoints (/auth/login, /auth/register) | 5 requests / minute |
| Forgot-password | 3 requests / minute |
| Booking creation | 10 requests / minute |
Requests over the limit receive 429 Too Many Requests with a Retry-After header indicating how many seconds to wait before retrying. Rate limit state is tracked via Redis.
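As an added illustration (not the project's own code), the per-IP limits in the table above can be modelled with a fixed-window counter that yields the Retry-After value for a rejected request. The fixed-window algorithm, the in-memory dictionary standing in for Redis, and the scope names are assumptions; the page states only the limits, the 429 status, the Retry-After header and that state is kept in Redis.

```python
import math
import time

# Per-IP limits from the table above, per 60-second window. The scope names
# are hypothetical labels for this example, not identifiers from the API.
LIMITS = {"general": 60, "auth": 5, "forgot_password": 3, "booking_create": 10}
WINDOW_SECONDS = 60


class FixedWindowLimiter:
    """In-memory stand-in for Redis counters (assumed fixed-window design)."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS, clock=time.time):
        self.limits = limits
        self.window = window
        self.clock = clock
        self._counters = {}  # (scope, ip) -> (window_start, count)

    def check(self, scope, ip):
        """Return (allowed, retry_after_seconds) for one request."""
        now = self.clock()
        key = (scope, ip)
        start, count = self._counters.get(key, (now, 0))
        if now - start >= self.window:  # window expired, start a new one
            start, count = now, 0
        if count >= self.limits[scope]:
            # Rejected requests are not counted. Round up so a client that
            # honours Retry-After never retries before the window resets.
            return False, max(1, math.ceil(start + self.window - now))
        self._counters[key] = (start, count + 1)
        return True, 0


def simulate_login_burst(attempts=7, ip="203.0.113.10"):
    """Constructed scenario: one login attempt per second from a single IP."""
    now = [0.0]
    limiter = FixedWindowLimiter(clock=lambda: now[0])
    results = []
    for second in range(attempts):
        now[0] = float(second)
        results.append(limiter.check("auth", ip))
    return results


if __name__ == "__main__":
    for allowed, retry_after in simulate_login_burst():
        print("allowed" if allowed else f"429, Retry-After: {retry_after}")
```

Counters are keyed by scope and IP, so a burst against the auth scope from one address does not consume the general budget or affect other addresses.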
Rate limit response headers (on successful requests):
Error Responses
The API uses standard HTTP status codes. All error bodies follow a consistent JSON format:
Validation errors (422) include a structured detail array that names the field(s) that failed:
| Code | Meaning | Common Causes |
|---|---|---|
| 400 | Bad Request | Invalid JSON, missing required fields, email already registered |
| 401 | Unauthorized | Missing or invalid token, expired access token, revoked token |
| 403 | Forbidden | Insufficient role or permission, inactive account, email not verified |
| 404 | Not Found | Resource does not exist or has been soft-deleted |
| 409 | Conflict | Duplicate email, booking date conflict |
| 422 | Unprocessable Entity | Pydantic schema validation failed |
| 423 | Locked | Account locked after too many failed login attempts |
| 429 | Too Many Requests | Rate limit exceeded |
| 500 | Internal Server Error | Unexpected server-side failure (logged via Sentry) |
API Resources
Authentication
Register, login, refresh tokens, logout, password reset, and email verification.
Properties
Browse, create, and manage accommodation listings across Costa Rica.
Tours
Adventure, wildlife, beach, and cultural tours with filters and full-text search.
Vehicles & Boats
Vehicle rentals (SUVs, 4x4s) and boat charters available from vendors.
Bookings
Create and manage property, tour, vehicle, and boat bookings.
Payments
Stripe-powered checkout, webhook events, and commission handling.
Reviews
Read and submit reviews for properties, tours, vehicles, boats, and vendors.
Search
Full-text cross-entity search with location, price, and map data.
Destinations
Costa Rica destination guides linked to listings and tours.
Vendors
Vendor profiles, dashboards, verification status, and public listings.
Users
User profile management and admin user administration.
Superadmin
Platform-wide controls: user management, vendor approvals, audit logs, and settings.