Backend Base Specification

Version: 4.0.0
📘 API Documentation for the Kisum Base Backend System

External integration quickstart: For a short auth → companies → events flow against staging (no /api prefix in examples), see DOC_API_CONNECT.md.

Maintenance: Regenerate swagger-output.json with node swagger.js when routes change. This file is hand-maintained for full request/response detail—do not overwrite it with a thin auto-generated export.

---

Overview

This API contains the Base / Core business backend for Kisum.

This service is responsible for core business features only, such as artists, events, vendors, venues, offers, tickets, tasks, dashboard, and related business workflows.

This service is not the source of truth for:

• who the user is
• authentication
• JWT issuance
• effective access
• module access decisions
• company memberships
• permissions
• permission access decisions
• packages
• package access decisions
• subscriptions
• subscription-based access decisions
• commercial entitlements
• active company resolution as an authority for access decisions
• actual event financial data (final accounting and settlements handled by Financial Backend)

Those responsibilities belong to:

• Auth Backend → identity, JWT validation, memberships, effective access
• Platform Core Backend → packages, add-ons, subscriptions, company entitlements
• Platform Financial Backend → financial reports, income, expense, settlements, and other finance-domain records

---

Access Enforcement Model (MANDATORY)

This backend enforces access using a centralized model:

effective_access = company_entitlements ∩ membership_grants

Enforcement responsibility

• Auth Backend → computes effective access
• Platform Core → provides company entitlements
• This backend → enforces access

Critical rule

This backend must NEVER:

• compute access
• read Platform Core for user access decisions
• trust frontend access state
• infer permissions from JWT

All access decisions MUST come from:

Auth → /auth/me/access

---

Authentication Migration Notice

Authentication in this backend is being deprecated and moved to the external Auth Backend.

This Base backend must transition to the following model:

• receive JWT from frontend
• validate JWT only
• trust external Auth service as issuer
• never issue or refresh tokens locally

Any old /auth/* implementation in this backend is considered legacy and must be removed.

---

Company Context Enforcement

This backend is tenant-scoped and must require explicit company context.

Required header

x-org: <COMPANY_ID>

Enforcement rules

• tenant-scoped routes must reject requests without x-org
• tenant-scoped routes must reject malformed x-org
• tenant-scoped routes must treat x-org as the active company context for the request
• access to that company must be validated through the external Auth system

Deprecation notice

Any legacy logic in this backend that previously determined company context internally is deprecated and must be removed.

---

Access Enforcement Model

This backend must enforce only the effective access returned by Auth.

Required request inputs

Authorization: Bearer <JWT_FROM_AUTH_SERVICE>
x-org: <COMPANY_ID>

Required runtime flow

For every protected route:

1. parse and validate JWT
2. read x-org
3. resolve effective access from Auth
4. confirm basic exists in effective modules
5. confirm required basic.* permission exists
6. execute request or deny

Minimum access requirements

A request must be denied unless all are true:

• JWT is valid
• x-org is present and valid
• user belongs to the company in x-org
• company has Basic active (indirectly through Auth effective access)
• user has basic in effective modules
• user has the required basic.* permission

Permission model

This backend should use permission naming such as:

• basic.dashboard.view
• basic.artist.view
• basic.artist.create
• basic.artist.edit
• basic.artist.delete
• basic.event.view
• basic.event.create
• basic.event.edit
• basic.event.delete
• basic.calendar.view
• basic.calendar.edit
• basic.vendor.view
• basic.vendor.create
• basic.vendor.edit
• basic.vendor.delete
• basic.venue.view
• basic.ticketing.view
• basic.ticketing.create
• basic.workspace.view
• basic.workspace.create
• basic.workspace.edit
• basic.workspace.delete

This backend must NOT do

This backend must not:

• map package → permission locally as source of truth
• keep local permission tables as source of truth
• keep local subscription tables as source of truth
• use old package/subscription logic to allow routes

---

Access Layers (REFERENCE)

This backend participates in a 3-layer access system.

Level 1 — Company entitlements (Core)

Defines what the company owns.

Level 2 — Membership module grants (Auth)

Defines which modules the user can access.

Level 3 — Permissions (Auth)

Defines what the user can do inside modules.

Important

This backend ONLY enforces the result.

It does not compute or store these layers.

---

Mandatory Enforcement Policy

All endpoints in this backend must follow this rule:

REQUIRED FLOW

For every request:

1. validate JWT
2. read x-org
3. resolve effective access from Auth
4. verify module access (must include basic)
5. verify permission (basic.*)
6. execute or deny

HARD REQUIREMENTS

A request MUST be rejected if:

• JWT is missing or invalid → 401

• x-org is missing → 400

• user does not belong to company → 403

• basic module not present → 403

• permission missing → 403

• effective access cannot be resolved from Auth → 503. This typically occurs when:

  • Auth service is unavailable
  • network failure between services
  • timeout when resolving /auth/me/access

  In this case, requests must fail closed (deny access).

STRICT RULES

This backend must NEVER:

• allow access based on old package logic
• allow access based on old subscription logic
• allow access based on local roles
• allow access based on local permissions
• assume access from JWT alone
• trust frontend UI decisions

FINAL AUTHORITY

Access decisions must come ONLY from:

• Auth Backend (/auth/me/access)

ZERO TOLERANCE

Any endpoint bypassing this logic is considered:

❌ invalid implementation
❌ security risk
❌ architecture violation

and must be fixed immediately.

---

Base URLs

• https://api-v2.kisum.dev/api — Staging Server
• http://localhost:3099/api — Localhost

---

Security Principle — Fail Closed

This backend must operate under a strict fail-closed model.

If any of the following cannot be verified:

• JWT validity
• company context (x-org)
• membership
• effective access
• permissions

Then the request MUST be denied.

Then:

REQUEST MUST BE DENIED

No fallback is allowed.

Under no circumstance should the system “guess”, “fallback”, or “allow temporarily”.

---

Security

This API consumes JWTs issued by the Auth Backend and requires an active company context.

⚠️ Any local authentication, package-access, or permission-access logic inside this backend is deprecated and must be removed.

This backend must only accept:

• bearerAuth: Authorization: Bearer <token>
• x-org: header x-org

Access model

This backend must trust:

• Auth Backend → identity, membership, effective access, permissions
• Platform Core Backend → company commercial entitlements (indirectly through Auth)

This backend must not:

• log users in
• issue JWTs
• refresh JWTs
• validate credentials
• decide whether the company owns Basic
• decide whether the user has Basic/module access
• decide permission access from local package/role tables
• act as a source of truth for subscriptions or commercial entitlement

Those responsibilities belong to:

• Auth Backend → membership and effective access - 2.1.-Backend-Auth.md
• Platform Core Backend → commercial entitlements

This backend is only responsible for JWT consumption and request enforcement based on the effective access returned by Auth.

Meaning of x-org

x-org identifies the active company context for the request.

This backend must treat x-org as the tenant/company selector for all tenant-scoped business routes.

Example headers

Authorization: Bearer <JWT_FROM_AUTH_SERVICE>
x-org: <COMPANY_ID>
Content-Type: application/json

Notes:

• Authorization must come from the external Auth service
• x-org must identify the active company for the request
• tenant-scoped routes must reject missing or invalid x-org

---

Common request formats

• application/json for most CRUD operations
• multipart/form-data for uploads, images, invoices, receipts, profile pictures, ticket imports, and task attachments
• application/xml is declared for some endpoints, but JSON looks like the main format

---

Common response codes

• 200 / 201 / default: success
• 400: invalid request / validation failure / missing or malformed x-org
• 401: unauthorized (missing, invalid, expired, or rejected JWT)
• 403: forbidden (valid JWT, but company access not allowed)
• 500: internal server error

---

Identity and Authentication Boundary

This backend does not own identity.

For this service, the source of truth for who the user is is the Auth Backend.

The Base backend must trust Auth for:

• who the user is
• whether the JWT is valid
• what company is active
• what effective access the user has

This service must not:

• implement login
• issue JWTs
• refresh JWTs
• reset passwords
• register users
• decide identity locally

Identity-related flows are defined in:

• 2.1.-Backend-Auth.md

Required request headers for Base backend routes:

Authorization: Bearer <JWT>
x-org: <COMPANY_ID>

---

JWT Validation Boundary

This backend must validate JWTs issued by the external Auth Backend.

Required behavior

For every protected request, this backend must validate:

• token signature
• token expiration
• token issuer
• token audience
• token format
• token session validity, if the chosen middleware supports Auth session validation

This backend must NOT do

This backend must not:

• generate JWTs
• issue refresh tokens
• validate email/password credentials
• manage login flows
• perform password reset flows
• treat itself as the authentication source of truth

Deprecated local auth behavior

Any legacy auth logic in this backend is deprecated and must be removed, including:

• local /auth/* route handlers
• local login services
• local token generation
• local refresh-token logic
• local password-reset flows
• any middleware that assumes this backend is the issuer of the JWT

New source of truth

JWTs must come from the external Auth service defined in:

• 2.1.-Backend-Auth.md

This backend must only validate and consume those tokens.

---

Active Company Context

This backend must treat the active company as an explicit request context.

Source of company context

The active company is provided by the client using:

x-org: <COMPANY_ID>

Required behavior

For all tenant-scoped routes, this backend must:

1. read x-org
2. treat it as the active company identifier
3. validate that it is present
4. validate that it is in the expected format
5. use it consistently for all tenant-scoped reads and writes

This backend must NOT do

This backend must not:

• invent a default company silently
• derive the active company from local session state
• treat a company selected in this backend as the source of truth
• decide company membership by itself
• decide commercial entitlement by itself

New source of truth

This backend must trust the external Auth system for:

• whether the user belongs to the company in x-org
• whether the user has effective access in that company

This backend must trust Platform Core only indirectly through Auth.

Legacy behavior

Any old company-selection logic inside this backend is deprecated and must be removed if it acts as an authority for tenant access.

---

Effective Access Boundary

This backend does not determine the user’s final access.

The source of truth for effective access is the Auth Backend.

Auth is responsible for

• resolving the authenticated user
• validating membership in the active company
• loading user grants
• calling Platform Core for company entitlements
• merging:

effectiveAccess = entitlements ∩ userGrants

• returning the final access model

Note:

User must already have a valid company membership.

Membership is created via:

• invitations (Auth)
• admin actions (Auth)

Without membership, effective access must not be computed.

This backend is responsible only for enforcement

For each request, this backend must:

1. validate JWT
2. read x-org
3. obtain effective access from Auth
4. check whether basic is enabled for the user in that company
5. check whether the required basic.* permission exists
6. allow or deny the request

This backend must NOT do

This backend must not:

• decide whether the company bought Basic
• decide whether the user has Basic access by itself
• read package/subscription state as access truth
• read Core directly for user runtime authorization
• store local permission truth
• store local module truth
• infer effective access from JWT alone

New source of truth

Use:

• 2.1.-Backend-Auth.md
• /auth/me/access

for effective access resolution.

---

Quick start examples

Auth and company context

This backend does not authenticate users directly. All authentication-related endpoints, handlers, services, queries, and supporting logic in this backend are deprecated and must be removed.

The client must first authenticate with the Auth Backend, obtain:

• Authorization: Bearer <access_token>
• active company context via x-org

Then call Base backend routes with:

Authorization: Bearer <JWT>
x-org: <COMPANY_ID>
Content-Type: application/json

Example Base request

curl -X GET 'http://localhost:3099/api/events?type=all&page=1&limit=20' \
  -H 'Authorization: Bearer <JWT>' \
  -H 'x-org: <COMPANY_ID>'

Identity source of truth

The Base backend must trust Auth Backend for:

• who the user is
• whether the JWT is valid
• what company is active
• what effective access the user has

See:

• 2.1.-Backend-Auth.md
• /auth/me
• /auth/me/access

---

Resource groups

• Agencies — 14 operations
• Agreements — 10 operations
• Ai — 6 operations
• Analytics — 1 operation
• Approval — 6 operations
• Artists — 27 operations
• Avails — 9 operations
• Cash Flow — 1 operations
• Countries — 9 operations
• Companies — 11 operations (business metadata only — NOT membership or access)
• Dashboard — 3 operations
• Events — 26 operations
• Event Expense — 17 operations (estimated only; actual expenses blocked)
• Event Expense - Approval — 7 operations (SOURCE OF TRUTH for actual expenses; /event/finance/expense/*)
• Event Group — 10 operations
• Event Income — 14 operations
• Event Tax — 6 operations
• Event Ticket — 18 operations
• Event Intelligence Copilot — 3 operations
• Kisum — 7 operations (legacy /kisum/* aliases)
• Integrations - Finance — 11 operations (Finance API proxies, income ingest, cron failover)
• Exchange — 2 operations
• Festivals — 6 operations
• Files — 1 operations
• Genres — 1 operations
• Integrations — 2 operations
• News — 1 operations
• Nextcloud — 3 operations
• Notifications — 6 operations
• Offer — 16 operations
• Rankings — 5 operations
• Reviews — 1 operations
• Roster — 6 operations
• Regions — 3 operations
• Setlistfm — 8 operations
• Tasks — 8 operations
• Transactions — 2 operations
• Trend — 1 operations
• Vendors — 11 operations
• Vendors System — 15 operations
• Venues — 19 operations
• Xero — 11 operations
• Untagged — 2 operations (BLOCKER — must be categorized before production release)

Decrated

• Auth — ❌ DEPRECATED (moved to Auth Backend — MUST NOT be used)
• Company Users — ❌ DEPRECATED (moved to Auth Backend — MUST NOT be used)
• Company User Invitations — ❌ DEPRECATED — (moved to Auth Backend — MUST NOT be used)
• Company Teams — ❌ DEPRECATED (moved to Auth Backend — MUST NOT be used)
• Packages — ❌ DEPRECATED (moved to Platform Core Backend — MUST NOT be used)
• Permissions — ❌ DEPRECATED (moved to Auth Backend — MUST NOT be used)
• Role — ❌ DEPRECATED (moved to Auth Backend — MUST NOT be used)
• Subscription — ❌ DEPRECATED (moved to Platform Core Backend — MUST NOT be used)
• Users — ❌ DEPRECATED (moved to Auth Backend — MUST NOT be used)

---

Table of contents

• Agencies
• Agreements
• Ai
• Analytics
• Approval
• Artists
• Avails
• Cash Flow
• Countries
• Companies
• Dashboard
• Events
• Event Expense (estimated only)
• Event Expense - Approval (actual expenses - source of truth)
• Event Group
• Event Income
• Event Tax
• Event Ticket
• Event Intelligence Copilot
• Kisum
• Integrations - Finance
• Exchange
• Festivals
• Files
• Genres
• Integrations
• News
• Nextcloud
• Notifications
• Offer
• Rankings
• Reviews
• Roster
• Regions
• Setlistfm
• Tasks
• Transactions
• Trend
• Vendors
• Vendors System
• Venues
• Xero
• Untagged

Deprecated legacy sections

• Auth (Deprecated)
• Company Users (Deprecated)
• Company User Invitations (Deprecated)
• Company Teams (Deprecated)
• Packages (Deprecated)
• Permissions (Deprecated)
• Role (Deprecated)
• Subscription (Deprecated)
• Users (Deprecated)

---

Agencies

Operations in this group: 14

GET /agencies

Purpose: Retrieve resource

Parameters

• page (query, number) — default: 1
• limit (query, number) — default: 20
• q (query, string)
• role (query, string; enum: agency, management)
• type (query, string)
• sort (query, string) — default: rosterSize
• sortType (query, string; enum: asc, desc) — default: desc
• countries (query, string)

Request body

None

Responses

• 400 — Bad Request
• 403 — Forbidden

Example request

curl -X GET 'http://localhost:3099/api/agencies' \
  -H 'Authorization: Bearer <JWT>' \
  -H 'x-org: <ORG>'

POST /agencies

Purpose: Create resource

Parameters

None

Request body

• Required: Yes
• Content-Type: application/json
  • $ref: CreateAgencyDtoSchema
    • object
      • key: string required
      • name: string required
      • role: string enum(agency, management) — default: agency
      • otherRoles: array
      • airtableId: string
      • type: string
      • parent_code: string
      • parent_label: string
      • leaf_code: string
      • logo: string
      • website: string
      • radar_enabled: boolean — default: False
      • radar_domain: string
      • claimed: boolean
      • hq_locations: array
      • other_locations: array
      • top_artists: array