Public API Endpoints
Public endpoints that bypass authentication, providing read-only access to shared resources like public invoices, employee profiles, organizations, and teams.
Security Noticeβ
β οΈ Important: Public endpoints use enum-based whitelists for relations to prevent unauthorized data exposure. Only explicitly allowed relations can be loaded. See Public Endpoint Data Exposure for details.
Endpointsβ
Public Invoiceβ
Retrieve an invoice by a shared token without authentication.
GET /api/public/invoice/:id/:token
Query Parameters:
| Parameter | Type | Description |
|---|---|---|
relations | array | Allowed: fromOrganization, toContact, invoiceItems, invoiceItems.product, invoiceItems.expense, invoiceItems.task, invoiceItems.employee |
Response 200 OK:
{
"id": "uuid",
"invoiceNumber": "INV-001",
"totalValue": 5000,
"currency": "USD",
"invoiceDate": "2024-01-15",
"dueDate": "2024-02-15",
"status": "SENT",
"fromOrganization": { "name": "My Company" },
"toContact": { "name": "Client Corp" },
"invoiceItems": [...]
}
Public Employeeβ
View a publicly shared employee profile.
GET /api/public/employee/:id
Public Organizationβ
View a publicly shared organization profile.
GET /api/public/organization/:profileLink
Public Teamβ
View a publicly shared team.
GET /api/public/team/:profileLink
Allowed Relations (Whitelisted)β
Each public endpoint has a strict whitelist of allowed relations to prevent information disclosure:
| Endpoint | Allowed Relations |
|---|---|
| Public Invoice | fromOrganization, toContact, invoiceItems, invoiceItems.* |
| Public Employee | skills, user (limited fields) |
| Public Organization | contact, skills, awards |
| Public Team | members, projects |
Related Pagesβ
- Public Endpoint Data Exposure β security analysis
- Invoice Endpoints β full invoice API
- API Security Best Practices β security patterns