Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/PDNMX/s1_backend/llms.txt

Use this file to discover all available pages before exploring further.

The endpoints.json file at the project root is the provider registry for S1 Backend. It must be a JSON array of endpoint configuration objects, where each object represents one government data supplier and contains all connection details, OAuth 2.0 credentials, and metadata needed to query that provider. At startup the file is loaded once and its contents drive every call to /v1/providers, /v1/summary, and /v1/search.

Example Configuration Object

[
  {
    "supplier_id": "EDOMEX",
    "supplier_name": "Secretaría Ejecutiva del Sistema Estatal Anticorrupción del Estado México",
    "system_id": 1,
    "type": "REST",
    "levels": ["estatal"],
    "url": "https://api.example.gob.mx/s1/search",
    "entities_url": "https://api.example.gob.mx/s1/entities",
    "token_url": "https://auth.example.gob.mx/oauth/token",
    "username": "pdn_user",
    "password": "s3cr3t",
    "client_id": "pdn-client",
    "client_secret": "client-s3cr3t"
  }
]

Fields

supplier_id
string
required
Unique string identifier for this provider. Used as the lookup key when a client sends supplier_id in a POST /v1/search request body, and returned as-is in every API response that includes provider metadata. Should be a concise, human-readable slug (e.g. "EDOMEX", "CJF").
supplier_name
string
required
Full official name of the government institution. Included verbatim in every response enriched by fetchData so that consumers can display a human-readable label without a separate lookup.
system_id
number
required
PDN system identifier. For S1 Backend this value is always 1 (Sistema 1 — declaraciones patrimoniales y de intereses). Reserved for future use if the gateway is extended to proxy other PDN systems.
type
string
required
API protocol type of the provider endpoint. Currently only "REST" is supported. The value is surfaced as endpoint_type in search responses so clients can adapt their parsing logic if additional types are added later.
levels
array of strings
required
One or more government-level tags that describe the jurisdictional scope of this provider. Accepted values are "federal", "estatal", and "municipal". The POST /v1/summary endpoint filters the provider list by this field when nivel_gobierno is supplied in the request body.
"levels": ["estatal"]
url
string
required
The provider’s data-search API URL. S1 Backend sends POST requests to this URL with a Bearer token in the Authorization header and the paginated query options in the request body.
entities_url
string
URL for fetching the list of entities/institutions from this provider. Used by fetchEntities in rest_data.js. If the provider does not expose an entities endpoint, this field can be omitted or left as an empty string.
token_url
string
required
OAuth 2.0 token endpoint that issues access tokens via the password grant type. S1 Backend posts the encoded credentials here before every data fetch and uses the returned access_token as a Bearer token on the subsequent request to url.
username
string
required
OAuth 2.0 resource owner username, sent as username in the token request body (password grant).
password
string
required
OAuth 2.0 resource owner password, sent as password in the token request body (password grant).
client_id
string
required
OAuth 2.0 client identifier. Sent both as the HTTP Basic Auth username in the token request and as client_id in the request body.
client_secret
string
required
OAuth 2.0 client secret. Sent both as the HTTP Basic Auth password in the token request and as client_secret in the request body.

Security Note

endpoints.json contains plaintext OAuth credentials (username, password, client_id, client_secret). This file must be listed in .gitignore and must never be committed to version control. In production environments, use a secrets manager (e.g. HashiCorp Vault, AWS Secrets Manager) or environment variable injection to populate the file at deploy time, and ensure filesystem permissions restrict read access to the process user only.

Loading Behaviour

The file is loaded synchronously at server startup via require('../endpoints') in routes/v1.js. Node.js caches the require result, so any changes made to endpoints.json after the process starts will not be picked up until the server is restarted.
When rotating credentials for a provider, update endpoints.json and perform a zero-downtime rolling restart so that in-flight requests complete before the old token expires.

Build docs developers (and LLMs) love

Get started for freeTalk to us