Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/wtyler2505/ProtoPulse/llms.txt

Use this file to discover all available pages before exploring further.

ProtoPulse’s backend is an Express 5 server that exposes a REST API with 50+ endpoints across 21 domain routers and 13 circuit routers. Every endpoint accepts and returns JSON, enforces Zod schema validation on request bodies, and uses session-based authentication via an X-Session-Id header. This page covers the global conventions that apply to all endpoints — base URL, authentication flow, request and response formats, error codes, and rate limiting — followed by a complete endpoint index grouped by domain.

Base URL

http://localhost:5000/api
In production, replace localhost:5000 with your deployed domain. All paths below are relative to this base. The server also sets an X-API-Version: 1 header on every response.

Authentication

ProtoPulse uses session-based authentication. You obtain a session ID by registering or logging in, then pass it as a header on every subsequent request. Getting a session:
1

Register a new account

Send POST /api/auth/register with { username, password }. The response contains a sessionId UUID.
2

Or log in to an existing account

Send POST /api/auth/login with { username, password }. The response also returns a sessionId.
3

Include the session on every request

Add the header X-Session-Id: <sessionId> to all subsequent API calls. The middleware validates the UUID against the sessions table, checks expiresAt, and populates req.userId for the route handler.
Sessions expire after 7 days. Once expired, re-authenticate to get a new session ID. Endpoints that do not require authentication:
  • /api/auth/register and /api/auth/login
  • GET /api/health
  • POST /api/seed (development only — 404 in production)
Admin endpoints use a separate X-Admin-Key header matching the ADMIN_API_KEY environment variable instead of a session. Example — register and retrieve your session: 
curl -s -X POST http://localhost:5000/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{"username": "alice", "password": "securepassword"}' \
  | jq .sessionId

"a3f8c2d1-7e14-4b5a-9f30-1d2e8b6c0a4f"
Example — use the session on a subsequent request: 
SESSION="a3f8c2d1-7e14-4b5a-9f30-1d2e8b6c0a4f"

curl http://localhost:5000/api/projects \
  -H "X-Session-Id: $SESSION"

Request format

All mutating endpoints (POST, PATCH, PUT) expect a JSON body: 
Content-Type: application/json
The maximum body size is 1 MB by default. Some routes enforce smaller limits (for example, auth endpoints allow 4 KB; bulk node/edge replacement allows 512 KB). Exceeding the limit returns 413 Payload Too Large. Request bodies are validated with Zod. Unknown fields are stripped. A 400 response is returned for any validation failure with a human-readable message describing the offending field.

Response format

Successful responses return JSON. List endpoints use a paginated envelope: 
{
  "data": [...],
  "total": 42
}
All list endpoints accept the following query parameters:
ParameterTypeDefaultRangeDescription
limitinteger501–100Maximum number of items to return
offsetinteger00+Number of items to skip
sortstringdescasc | descSort order by creation time
Create endpoints return 201 Created with the full created object. Update endpoints return 200 OK with the updated object. Delete endpoints return 204 No Content. Resources that support optimistic concurrency expose an ETag response header containing the current version number. Supply an If-Match: "<version>" header on PATCH requests to opt in to conflict detection — the server returns 409 Conflict if the version has changed since you last fetched.

Error format

All error responses share a consistent shape: 
{
  "message": "Human-readable description of what went wrong"
}
StatusMeaning
200Success
201Resource created
204Success, no content (deletes)
400Validation error (Zod) or malformed request
401Missing or invalid X-Session-Id
403CSRF origin mismatch, or admin key required
404Resource not found
408Request timed out (30-second server timeout)
409Conflict — optimistic concurrency version mismatch, or username already taken
413Payload too large
422Unprocessable entity — DRC gate failed before export
429Rate limited
500Internal server error (message is sanitized in production)

Rate limiting

Rate limits are applied with express-rate-limit:
ScopeLimitWindow
Global (all routes)300 requests15 minutes
Auth endpoints (/api/auth/*)10 requests15 minutes
SSE streaming (POST /api/chat/ai/stream)20 requests1 minute (sliding)
Concurrent SSE streams1 per session
When you exceed a rate limit the server responds with 429 Too Many Requests and standard RateLimit-* headers.

Complete endpoint index

Auth

MethodPathAuthDescription
POST/api/auth/registerNoRegister a new user. Returns { sessionId, user } (201).
POST/api/auth/loginNoAuthenticate and get a session. Returns { sessionId, user }.
POST/api/auth/logoutOptionalInvalidate the current session. Returns 204.
GET/api/auth/meYesReturn the authenticated user { id, username }.

Projects

MethodPathAuthDescription
GET/api/projectsYesList all non-deleted projects. Paginated.
POST/api/projectsYesCreate a project. Body: { name, description? }. Returns 201.
GET/api/projects/:idYesGet a single project.
PATCH/api/projects/:idYesUpdate project name or description.
DELETE/api/projects/:idYesSoft-delete a project. Returns 204.

Architecture

MethodPathAuthDescription
GET/api/projects/:id/nodesYesList architecture nodes. Paginated.
POST/api/projects/:id/nodesYesCreate a node. Body: { nodeId, nodeType, label, positionX, positionY, data? }.
PATCH/api/projects/:id/nodes/:nodeIdYesUpdate a node. Partial update.
PUT/api/projects/:id/nodesYesReplace all nodes atomically (512 KB limit).
GET/api/projects/:id/edgesYesList architecture edges. Paginated.
POST/api/projects/:id/edgesYesCreate an edge.
PATCH/api/projects/:id/edges/:edgeIdYesUpdate an edge.
PUT/api/projects/:id/edgesYesReplace all edges atomically (512 KB limit).

Circuit designs, instances, nets, and wires

See the Circuit API page for full details.
MethodPathAuthDescription
GET/POST/PATCH/DELETE/api/projects/:projectId/circuitsYesCircuit design CRUD.
GET/POST/PATCH/DELETE/api/circuits/:circuitId/instancesYesComponent instance CRUD.
GET/POST/PATCH/DELETE/api/circuits/:circuitId/netsYesNet CRUD.
GET/POST/PATCH/DELETE/api/circuits/:circuitId/wiresYesWire CRUD.
GET/api/circuits/:circuitId/netlistYesGenerate an inline netlist.
POST/api/projects/:projectId/circuits/:id/autorouteYesAuto-route PCB traces.

BOM

See the BOM API page for full details.
MethodPathAuthDescription
GET/POST/PATCH/DELETE/api/projects/:id/bomYesBOM item CRUD.
POST/GET/DELETE/api/projects/:id/bom-snapshotsYesBOM snapshot management.
POST/api/projects/:id/bom-diffYesDiff a snapshot against the current BOM.
GET/POST/PATCH/DELETE/api/projects/:id/lifecycleYesComponent lifecycle tracking.

Validation

MethodPathAuthDescription
GET/api/projects/:id/validationYesList validation issues. Paginated.
POST/api/projects/:id/validationYesCreate an issue. Body: { severity, message, componentId?, suggestion? }.
PUT/api/projects/:id/validationYesReplace all issues atomically.
DELETE/api/projects/:id/validation/:issueIdYesDelete a single issue. Returns 204.

Chat and AI

POST /api/chat/ai/stream uses Server-Sent Events (SSE), not standard JSON responses. The connection remains open and the server pushes data: events until the AI response is complete. You must handle the SSE protocol on the client — do not treat this endpoint like a normal fetch call.
MethodPathAuthDescription
POST/api/chat/aiYesSend a message to the AI (non-streaming JSON response).
POST/api/chat/ai/streamYesSend a message to the AI (SSE streaming).
GET/api/projects/:id/chatYesList saved chat messages.
POST/api/projects/:id/chatYesSave a chat message.
DELETE/api/projects/:id/chatYesDelete all messages for a project.
GET/api/projects/:id/ai-actionsYesList AI action history.

Export

See the Export API page for full details.
MethodPathAuthDescription
POST/api/projects/:projectId/export/bomYesBOM CSV export.
POST/api/projects/:projectId/export/netlistYesNetlist export (SPICE, KiCad, CSV).
POST/api/projects/:projectId/export/gerberYesGerber + drill files (runs DRC gate).
POST/api/projects/:projectId/export/kicadYesKiCad project (.kicad_sch, .kicad_pcb).
POST/api/projects/:projectId/export/eagleYesEagle project (.sch, .brd).
POST/api/projects/:projectId/export/pdfYesPDF schematic export.
POST/api/projects/:projectId/export/report-pdfYesFull design report PDF.
POST/api/projects/:projectId/export/fmeaYesFMEA analysis CSV.
POST/api/projects/:projectId/export/fzzYesFritzing .fzz project.
POST/api/projects/:projectId/export/firmwareYesFirmware scaffold ZIP.
POST/api/projects/:projectId/export/pick-placeYesPick-and-place centroid CSV.

Simulations

MethodPathAuthDescription
POST/api/projects/:projectId/circuits/:circuitId/simulateYesRun a simulation (OP, TRAN, AC, DC).
GET/api/projects/:projectId/circuits/:circuitId/simulationsYesList simulation result summaries.
GET/api/projects/:projectId/circuits/:circuitId/simulations/:simIdYesGet a full simulation result.
DELETE/api/projects/:projectId/circuits/:circuitId/simulations/:simIdYesDelete a simulation result.
POST/api/projects/:projectId/circuits/:circuitId/analyze/powerYesDC operating point + power estimate per component.
POST/api/projects/:projectId/circuits/:circuitId/analyze/signal-integrityYesSignal integrity analysis.

Miscellaneous

MethodPathAuthDescription
GET/api/healthNoHealth check.
GET/api/projects/:id/exportYesExport full project as JSON.
POST/api/projects/importYesImport a project from JSON (10 MB limit).
GET/api/admin/metricsAdmin keyServer request metrics.
DELETE/api/admin/purgeAdmin keyHard-purge soft-deleted records older than 30 days.
Use GET /api/health in your deployment health checks. It returns 200 OK with no authentication required and has no rate limit.

Build docs developers (and LLMs) love

Get started for freeTalk to us