System
GET /health
packages/api/src/routes/health.ts
GET /version
packages/api/src/routes/version.ts
Execution
POST /execute
packages/api/src/routes/execute.ts. Validates businessTransactionId is a UUID (400 if
not), maps the body via BusinessTransactionMapper.fromRequest (forces
status: RECEIVED, createdAt: now, regardless of what the client sends), then executes.
Returns the full Execution Trust Record (see that page for a
real example).
GET/POST /transactions
packages/api/src/routes/transactions.ts.
GET /transactions?page=1&pageSize=25— list.GET /transactions/:id— one Business Transaction, 404 if not found.POST /transactions— also executes, duplicatingPOST /execute, but with weaker validation: no UUID check, and the body is spread directly rather than passed throughBusinessTransactionMapper(transactions.ts:91-101). Returns 201 with anExecutionTrustRecord. This duplication is flagged as a core-API finding, not fixed here — see Roadmap.
Verification
POST /verify
packages/api/src/routes/verify.ts. Fresh verification — see
Verification.
GET /verification/:id
packages/api/src/routes/verify-get.ts, mounted at /verification. Reads the latest
verification without re-running one — 404 if the Trust Record or its verification history
is missing. Distinct route from POST /verify above.
Receipts
POST /receipt
packages/api/src/routes/receipt.ts. Same request/response pattern as /verify —
{"businessTransactionId": "..."} in, a Receipt out (see
Trust Record for a Receipt’s shape).
GET /receipt/latest/:id
packages/api/src/routes/receipt-get.ts, mounted at /receipt/latest. Reads the latest
receipt without generating a new one.
Replay
POST /replay
packages/api/src/routes/replay.ts. Re-verifies the Trust Record’s signature — it does
not reconstruct or re-execute anything. See Replay for why this name
is narrower than it sounds.
Trust Records
GET /trust-records/:id
packages/api/src/routes/trust-records.ts. Returns the full
Execution Trust Record, 404 if not found.
Policies
POST /policies/validate
packages/api/src/routes/policies.ts. Does not validate a policy document. It checks
only that a policy with the given policyId + policyVersion is loadable from disk —
policyRepository.load(policyId, policyVersion). This is a naming/semantics gap flagged
in Roadmap, not fixed at the route level.
Full route list
| Method | Path | Source |
|---|---|---|
| GET | /health | routes/health.ts |
| GET | /version | routes/version.ts |
| POST | /execute | routes/execute.ts |
| POST | /verify | routes/verify.ts |
| GET | /verification/:id | routes/verify-get.ts |
| POST | /receipt | routes/receipt.ts |
| GET | /receipt/latest/:id | routes/receipt-get.ts |
| GET | /transactions | routes/transactions.ts |
| GET | /transactions/:id | routes/transactions.ts |
| POST | /transactions | routes/transactions.ts |
| POST | /policies/validate | routes/policies.ts |
| GET | /trust-records/:id | routes/trust-records.ts |
| POST | /replay | routes/replay.ts |
packages/api/src/app.ts.