API Overview
Design Principles
- REST-inspired: Resources are nouns, HTTP methods are verbs
- JSON everywhere: All request/response bodies use JSON (except CSV exports)
- Auth first: Every protected endpoint checks authentication before processing
- Consistent errors: All errors return `{ "error": "message" }` with appropriate status codes
Base URL
https://lydaro.app/api
Authentication
All endpoints except webhooks require a valid Supabase session. The session cookie is set automatically when using the Lydaro web app.
Unauthenticated requests to protected endpoints return 401 Unauthorized.
Response Format
Success
```json
{
  "data": { ... }
}
```
Error
```json
{
  "error": "Human-readable error message"
}
```
HTTP Status Codes
| Code | Meaning |
|---|---|
| 200 | Success |
| 201 | Created |
| 400 | Bad request (missing/invalid parameters) |
| 401 | Unauthenticated |
| 403 | Forbidden (insufficient permissions) |
| 404 | Not found |
| 402 | Payment required (usage limit exceeded) |
| 500 | Server error |
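The "auth first" and "consistent errors" principles, sketched as an added example (not Lydaro's own code): a wrapper that resolves the session before it looks at the request body, so an anonymous caller always gets 401 and never sees validation detail. `protectedRoute`, the in-memory `SESSIONS` map (a constructed stand-in for the Supabase session lookup), the roles and the `createProject` route are assumptions; the status codes and envelopes are the ones listed above.

```javascript
// Added example: hypothetical handler wrapper, not Lydaro's code.
// Envelopes follow the page: { data } on success, { error } on failure.
const ok = (data, status = 200) => ({ status, body: { data } });
const fail = (status, message) => ({ status, body: { error: message } });

// Constructed session store standing in for the Supabase session lookup.
const SESSIONS = new Map([
  ["cookie-alice", { userId: "u1", orgId: "org1", role: "admin" }],
  ["cookie-bob", { userId: "u2", orgId: "org1", role: "viewer" }],
]);

// Wraps a route so checks always run in the same order:
// 401 (who are you) -> 403 (may you) -> 400 (is the input valid) -> handler.
function protectedRoute({ requiredRole, validate, handler }) {
  return function (req) {
    try {
      const session = SESSIONS.get(req.cookie);
      if (!session) return fail(401, "Unauthenticated");
      if (requiredRole && session.role !== requiredRole) {
        return fail(403, "Insufficient permissions");
      }
      const problem = validate(req.body);
      if (problem) return fail(400, problem);
      return handler(session, req.body);
    } catch (err) {
      // Internal error text stays server-side; the caller gets a fixed message.
      return fail(500, "Server error");
    }
  };
}

// Hypothetical route: create a project inside the caller's organisation.
// The organisation comes from the session, never from the request body.
const createProject = protectedRoute({
  requiredRole: "admin",
  validate: (body) =>
    body && typeof body.name === "string" && body.name.trim() !== ""
      ? null
      : "Missing or invalid parameter: name",
  handler: (session, body) =>
    ok({ name: body.name.trim(), orgId: session.orgId }, 201),
});
```
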
Rate Limiting
AI endpoints are rate-limited per organisation using Upstash Redis. Other endpoints are not currently rate-limited.