Permissions are the transactional records at the heart of PermisosQR. Every time a QR code is activated for an exit, a permission row is created with an exit_time and an allowed_minutes budget. When the bearer returns, the same record is updated with return_time, time_used_minutes, delay_minutes, and the boolean is_compliant flag. All four endpoints below require a valid Bearer token; operators using the admin_operator role can only see permissions they personally enabled.
POST /api/permissions/enable
Creates a new permission record and atomically sets the associated QR code to active. The authenticated user is recorded as enabled_by. The QR must be in available status; any other status returns a 400.
Auth required: Bearer
Numeric ID of the QR code to activate. Must currently have available status.
Full name of the person receiving the exit pass (e.g. employee or visitor).
Time budget in minutes. Defaults to 15 if omitted.
Optional free-text note attached to this permission (reason for exit, destination, etc.).
| Status | Condition |
|---|---|
| 400 | qrId or receivedBy missing; or QR is not in available status |
| 401 | Bearer token missing or invalid |
| 404 | No QR code found with the given qrId |
POST /api/permissions/return
Closes an open permission by recording the return time and computing compliance metrics. The authenticated user is stored as returned_by. After the update, the associated QR code is atomically set back to available.
Compliance formula:
Numeric ID of the QR code to mark as returned. Must currently be active.
Optional note appended to the permission record on return (e.g. reason for delay). If a note was set at enable time, this value is merged via COALESCE.
POST /api/permissions/enable response, now with all computed fields populated).
Error responses
| Status | Condition |
|---|---|
| 400 | qrId missing; or QR is not currently active |
| 404 | QR not found, or no open permission record found for that QR |
GET /api/permissions/history
Returns a paginated, filterable audit log of all permission records. Operators with the admin_operator role automatically receive only records they personally enabled (enabled_by = req.user.id). Super Admins see all records.
Auth required: Bearer
Page number. Defaults to 1.
Records per page. Defaults to 20.
Filter to permissions belonging to a specific QR code.
ISO 8601 date-time. Filters created_at >= startDate.
ISO 8601 date-time. Filters created_at <= endDate 23:59:59.
Pass true or false to filter by compliance status. Omit to return both.
The history response includes a qr_status field (from the joined qr_codes table) that is not present on the enable/return response objects. It reflects the QR’s current status, not the status at the time the permission was created.
DELETE /api/permissions/:id
Permanently removes a permission record from the database. If the deleted permission was still open (no return_time), the associated QR code is automatically reset to available. Restricted to Super Admins.
Auth required: Bearer — Super Admin only
Path parameter: id — integer permission record ID
Response 200
| Status | Condition |
|---|---|
| 403 | Authenticated user is not a Super Admin |
| 404 | No permission record with the given ID exists |
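
The role scoping and filters described for GET /api/permissions/history can be enforced in one parameterized query builder, so an admin_operator cannot widen the result set through request input. This is an added example, not PermisosQR's own code; the table name permissions, the columns qr_id, qr_codes.id and qr_codes.status, the role id super_admin, the query keys page, limit and isCompliant, the 100-row cap and the PostgreSQL-style $n placeholders are assumptions.

```javascript
// Added example, not PermisosQR source. Assumed names: table "permissions",
// columns qr_id / qr_codes.id / qr_codes.status, role id "super_admin",
// query keys page, limit, isCompliant, and a 100-row cap on limit.
function positiveInt(value, fallback, max = Infinity) {
  const n = Number(value);
  return Number.isInteger(n) && n >= 1 ? Math.min(n, max) : fallback;
}

// Assumption: dates are reduced to their YYYY-MM-DD part before binding.
function isoDay(value) {
  const m = /^(\d{4}-\d{2}-\d{2})/.exec(String(value));
  if (!m || Number.isNaN(Date.parse(m[1]))) throw new Error('invalid date');
  return m[1];
}

function buildHistoryQuery(user, query = {}) {
  const where = [];
  const values = [];
  const bind = (v) => { values.push(v); return '$' + values.length; };

  // Row scoping is derived from the authenticated user, never from the request.
  if (user.role === 'admin_operator') where.push('p.enabled_by = ' + bind(user.id));
  else if (user.role !== 'super_admin') throw new Error('forbidden'); // fail closed

  if (query.qrId !== undefined) {
    const qrId = positiveInt(query.qrId, null);
    if (qrId === null) throw new Error('invalid qrId');
    where.push('p.qr_id = ' + bind(qrId));
  }
  if (query.startDate !== undefined)
    where.push('p.created_at >= ' + bind(isoDay(query.startDate)));
  if (query.endDate !== undefined)
    where.push('p.created_at <= ' + bind(isoDay(query.endDate) + ' 23:59:59'));
  if (query.isCompliant !== undefined) {
    if (!['true', 'false'].includes(String(query.isCompliant))) throw new Error('invalid isCompliant');
    where.push('p.is_compliant = ' + bind(String(query.isCompliant) === 'true'));
  }

  const limit = positiveInt(query.limit, 20, 100);
  const page = positiveInt(query.page, 1);
  const text = 'SELECT p.*, q.status AS qr_status FROM permissions p'
    + ' JOIN qr_codes q ON q.id = p.qr_id'
    + (where.length ? ' WHERE ' + where.join(' AND ') : '')
    + ' ORDER BY p.created_at DESC LIMIT ' + bind(limit) + ' OFFSET ' + bind((page - 1) * limit);
  return { text, values };
}
```

The returned text and values pair is in the shape a parameterized database client expects; an enabled_by key supplied in the query string is ignored because the builder never reads it.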