The SSA Health Platform API is designed to be RESTful, predictable, and immediately approachable for any developer joining the project. Every endpoint follows the same structural rules — consistent URL shapes, uniform error envelopes, and standardized pagination — so that learning one part of the API transfers directly to every other part. All endpoints are automatically documented via NestJS Swagger decorators and exposed through an interactive UI, meaning the contract between the backend and any consumer (the React admin panel, the public website, or third-party integrations) is always machine-readable and up to date.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/LMendoza70/SSA/llms.txt
Use this file to discover all available pages before exploring further.
Base URL
All API requests are made relative to the environment base URL:In production environments, the Swagger UI should be disabled or protected behind HTTP Basic Auth to prevent public exposure of your API surface.
Authentication
The SSA Platform uses JSON Web Tokens (JWT) for stateless authentication. Every protected endpoint requires a Bearer token in theAuthorization header:
15m) in the JSON body. A longer-lived refresh token (default 7d) is issued automatically as an HttpOnly cookie — it is never accessible to JavaScript and is sent back to the server automatically on refresh requests. To obtain a new access token without re-authenticating, call:
URL Conventions
URL design follows strict REST principles: routes identify resources, never actions. The HTTP verb alone communicates the operation. Rules:- Use nouns, never verbs:
/contentnot/getContent - Use plural resource names:
/content,/multimedia,/timeline - Use nested routes for child resources:
/content/:id/media - Use query parameters for filtering, sorting, and pagination
- No trailing slashes
Pagination
All list endpoints use offset-based pagination. Thepage and limit query parameters are supported universally:
HTTP Status Codes
The API uses standard HTTP status codes consistently. Never infer success from the response body alone — always check the status code first.| Code | Meaning |
|---|---|
200 | OK — successful GET or PUT |
201 | Created — successful POST |
204 | No Content — successful DELETE |
400 | Bad Request — DTO validation error |
401 | Unauthorized — missing or invalid token |
403 | Forbidden — authenticated but insufficient permissions |
404 | Not Found — resource does not exist |
409 | Conflict — duplicate slug or unique constraint violation |
422 | Unprocessable Entity — business rule violation |
500 | Internal Server Error — unexpected failure |
Error Response Format
All error responses return a consistent JSON envelope regardless of the error source. Clients should always parse this shape to surface meaningful messages to users:errors array is populated on 400 validation failures and contains one entry per failing field. For non-validation errors (401, 403, 404, 409, 500), the errors array is omitted and message contains a human-readable explanation.
DTO Validation
All incoming payloads are validated usingclass-validator decorators on Data Transfer Objects (DTOs) before execution reaches the service layer. Controllers never touch raw request data directly — they only receive typed, validated DTO instances.
src/modules/cms/dto/create-content.dto.ts
ValidationPipe with whitelist: true and forbidNonWhitelisted: true is registered at application bootstrap. This strips any properties not declared on the DTO and throws a 400 if unknown properties are present, protecting the service layer from unexpected input.
Swagger Documentation
Every controller and endpoint is annotated with NestJS Swagger decorators so that the/api/docs UI always reflects the live API contract with no manual maintenance required.
| Decorator | Purpose |
|---|---|
@ApiTags('Module') | Groups endpoints under a named section in the UI |
@ApiOperation({ summary }) | Short description visible in the endpoint list |
@ApiResponse({ status, type }) | Documents expected response shape per status code |
@ApiBearerAuth() | Marks the endpoint as requiring JWT auth |
@ApiQuery({ name, required, enum }) | Documents query parameters |
@ApiParam({ name, type }) | Documents path parameters |
@ApiProperty() are reflected automatically, giving consumers a full schema for every request and response object directly in the browser.
Related Pages
Tech Stack
Library choices, versions, and rationale for the full platform stack.
Coding Conventions
Naming rules, file structure, TypeScript standards, and Git commit format.
Testing Strategy
Unit and integration testing patterns for services, controllers, and DTOs.
Deployment
Environment configuration, database setup, and production checklist.