The Timeful backend exposes a REST API rooted atDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ptshen/timeful-plus/llms.txt
Use this file to discover all available pages before exploring further.
/api. The server is built with Go and the Gin web framework, and it runs on port 3002 by default (overridable via the PORT environment variable). Interactive documentation is available at /swagger/index.html whenever the backend is running.
Base URL
All API endpoints live under the/api prefix:
| Resource | Example path |
|---|---|
| Events | /api/events |
| Auth | /api/auth/sign-in |
| User | /api/user/profile |
| Folders | /api/user/folders |
Authentication
Timeful uses session-based authentication via cookies. Signing in through/api/auth/sign-in sets an encrypted session cookie; subsequent requests from the same browser or HTTP client automatically include that cookie. Routes that require authentication are protected by the middleware.AuthRequired() middleware, which responds with 401 when no valid session is present.
See the Authentication page for a full walkthrough.
Content-Type
All request bodies must be sent as JSON:HTTP Methods
The API uses standard HTTP methods:| Method | Typical use |
|---|---|
GET | Retrieve a resource |
POST | Create a resource or trigger action |
PUT | Replace a resource entirely |
PATCH | Partially update a resource |
DELETE | Remove a resource |
Health Check
A lightweight health endpoint requires no authentication and is suitable for container health checks (Railway, Docker, etc.):200 OK:
Response Format
Successful responses return JSON objects or arrays:Error Format
All errors follow a consistent shape:errs/errors.go):
| String | Meaning |
|---|---|
not-signed-in | Request requires authentication |
user-does-not-exist | Session references a deleted account |
event-not-found | Event ID does not match any record |
user-not-event-owner | Caller does not own the event |
invalid-credentials | Apple calendar credentials rejected |
Swagger UI
When the backend is running locally, the full OpenAPI specification is browsable at:CORS
CORS is configured inmain.go. The following origins are always allowed:
http://localhost:3002http://localhost:8080
CORS_ALLOWED_ORIGINS environment variable (comma-separated). When that variable is not set, the default Timeful production domains (timeful.app, schej.it) are also permitted.
Allowed methods: GET, POST, PATCH, PUT, DELETEAllowed headers:
Content-TypeExposed headers:
Content-LengthCredentials:
true (required for cookie-based sessions)
Endpoint Groups
Events
Create, fetch, edit, respond to, and delete availability polls.
User
Profile management, calendar accounts, and event listings.
Folders
Organize events into named folders with optional color labels.
Auth Endpoints
Sign in (web & mobile), sign out, and session status.