The Gestor Financiero REST API is built with FastAPI and served by uvicorn. It exposes a JSON-based interface that the React/Vite frontend consumes to manage financial projects, payments, expenses, budgets, and users for small businesses. Every route — exceptDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/JDzuu/AplicativoWEB_GestorFinanciero/llms.txt
Use this file to discover all available pages before exploring further.
/login and the interactive-docs endpoints — requires an active session, and all state-changing requests are protected by a CSRF token verified server-side.
Base URL
| Environment | URL |
|---|---|
| Development | http://localhost:8000 |
| Frontend override | Configurable via the VITE_API_URL environment variable in the frontend |
import.meta.env.VITE_API_URL at build time and falls back to http://localhost:8000 when the variable is not set.
Content Type
All requests must send aContent-Type: application/json header and a JSON body where applicable. All successful responses are returned as application/json. The only exceptions are the PDF-export endpoints (/proyectos/{id}/pdf and /presupuestos/{id}/pdf), which return application/pdf.
Authentication Model
The API uses session cookies — no API keys or Bearer tokens are required in normal usage. On a successfulPOST /login the server sets two cookies:
sesion— an HttpOnly cookie that carries the session token. The browser attaches it automatically to every subsequent request.csrftoken— a JavaScript-readable cookie used for CSRF protection on mutating requests.
Interactive Documentation
Swagger UI and ReDoc are available in development mode only. They are automatically disabled when theENTORNO environment variable is set to produccion.
| URL | Interface |
|---|---|
/docs | Swagger UI (try-it-out) |
/redoc | ReDoc (read-only reference) |
/openapi.json | Raw OpenAPI schema |
Error Response Format
All error responses return a JSON object with adetail field:
detail is an array of objects rather than a plain string:
HTTP Status Codes
| Code | Meaning |
|---|---|
| 200 | Success |
| 400 | Bad request / business-logic validation error |
| 401 | Not authenticated (missing or expired session) |
| 403 | Forbidden — wrong role or CSRF token failure |
| 404 | Resource not found |
| 413 | Request body too large (default limit: 1 MB) |
| 422 | Unprocessable entity — Pydantic input validation failure |
| 429 | Rate limit exceeded or brute-force lockout |
| 500 | Internal server error |
Rate Limits
The API uses SlowAPI to enforce per-IP rate limits. Limits are applied globally via middleware and can be overridden with environment variables.| Scope | Default | Environment variable |
|---|---|---|
| All routes | 120 requests / minute | RATE_LIMIT_GENERAL |
POST /login | 10 requests / minute | RATE_LIMIT_LOGIN |
Security Headers
Every response includes a standard set of security headers regardless of environment:X-Content-Type-Options: nosniffX-Frame-Options: DENYReferrer-Policy: no-referrerPermissions-Policy: camera=(), microphone=(), geolocation=()Cross-Origin-Opener-Policy: same-originCross-Origin-Resource-Policy: same-origin
ENTORNO=produccion), two additional headers are added:
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; base-uri 'none'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
CORS
Cross-Origin Resource Sharing is configured to allow requests from the frontend origins. The default allowed origins arehttp://localhost:5173 and http://127.0.0.1:5173. In production, set the ORIGENES_PERMITIDOS environment variable to a comma-separated list of allowed origins. Credentials (cookies) are always included in the CORS policy (allow_credentials=True).
| CORS setting | Value |
|---|---|
| Allowed origins (default) | http://localhost:5173, http://127.0.0.1:5173 |
| Env variable to override | ORIGENES_PERMITIDOS (comma-separated) |
| Allowed methods | GET, POST, PUT, DELETE, OPTIONS |
| Allowed headers | Authorization, Content-Type, X-CSRF-Token |
| Credentials | true |
Preflight cache (max_age) | 600 seconds |
Endpoint Groups
Authentication
Login, logout, session management, CSRF tokens, and brute-force protection.
Projects
Create, read, update, and manage the full lifecycle of financial projects.
Finances
Record and manage incoming payments (entradas) and outgoing expenses (salidas) per project.
Budgets
Build itemized budget quotes, convert them to active projects, and export PDF cotizaciones.
Users
Admin-only user management: create, edit, reset passwords, and delete user accounts.
Analysis
Aggregate financial indicators for closed projects, filterable by year, month, or quarter.