Skip to main content

System

GET /health

packages/api/src/routes/health.ts
{"status":"UP"}

GET /version

packages/api/src/routes/version.ts
{"name":"Parmana","version":"0.4.0","api":"v1"}

Execution

POST /execute

packages/api/src/routes/execute.ts. Validates businessTransactionId is a UUID (400 if not), maps the body via BusinessTransactionMapper.fromRequest (forces status: RECEIVED, createdAt: now, regardless of what the client sends), then executes. Returns the full Execution Trust Record (see that page for a real example).
This route — like every route on this server — does not check content-binding. See Content Binding & TOCTOU.

GET/POST /transactions

packages/api/src/routes/transactions.ts.
  • GET /transactions?page=1&pageSize=25 — list.
  • GET /transactions/:id — one Business Transaction, 404 if not found.
  • POST /transactionsalso executes, duplicating POST /execute, but with weaker validation: no UUID check, and the body is spread directly rather than passed through BusinessTransactionMapper (transactions.ts:91-101). Returns 201 with an ExecutionTrustRecord. This duplication is flagged as a core-API finding, not fixed here — see Roadmap.

Verification

POST /verify

packages/api/src/routes/verify.ts. Fresh verification — see Verification.
// request
{"businessTransactionId": "111a9197-21b3-42fb-8b7b-a000f1278680"}
// response
{
  "verificationId": "3d611b90-fde3-4c5e-b4e4-9c8c3b3caf2f",
  "businessTransactionId": "111a9197-21b3-42fb-8b7b-a000f1278680",
  "status": "VERIFIED",
  "message": "Execution Trust Record verified successfully.",
  "verifiedAt": "2026-07-06T04:10:15.021Z",
  "trustRecordHash": "861fe01aaadf904a003d3e6118e74f967164a52d91eb18f97ca6cbce71292768"
}

GET /verification/:id

packages/api/src/routes/verify-get.ts, mounted at /verification. Reads the latest verification without re-running one — 404 if the Trust Record or its verification history is missing. Distinct route from POST /verify above.

Receipts

POST /receipt

packages/api/src/routes/receipt.ts. Same request/response pattern as /verify{"businessTransactionId": "..."} in, a Receipt out (see Trust Record for a Receipt’s shape).

GET /receipt/latest/:id

packages/api/src/routes/receipt-get.ts, mounted at /receipt/latest. Reads the latest receipt without generating a new one.

Replay

POST /replay

packages/api/src/routes/replay.ts. Re-verifies the Trust Record’s signature — it does not reconstruct or re-execute anything. See Replay for why this name is narrower than it sounds.
// request
{"businessTransactionId": "111a9197-21b3-42fb-8b7b-a000f1278680"}
// response
{
  "businessTransactionId": "111a9197-21b3-42fb-8b7b-a000f1278680",
  "trustRecordHash": "8d8fc49457038134776ac20fee289991596ab30dff5765e2d1007aed2f51ad69",
  "verified": true
}

Trust Records

GET /trust-records/:id

packages/api/src/routes/trust-records.ts. Returns the full Execution Trust Record, 404 if not found.

Policies

POST /policies/validate

packages/api/src/routes/policies.ts. Does not validate a policy document. It checks only that a policy with the given policyId + policyVersion is loadable from disk — policyRepository.load(policyId, policyVersion). This is a naming/semantics gap flagged in Roadmap, not fixed at the route level.
// request
{"policyId": "vendor-payment", "policyVersion": "2.0.0"}
// response (200)
{"valid": true, "errors": []}
// response (404, unknown policy/version)
{"valid": false, "errors": ["<error message>"]}

Full route list

MethodPathSource
GET/healthroutes/health.ts
GET/versionroutes/version.ts
POST/executeroutes/execute.ts
POST/verifyroutes/verify.ts
GET/verification/:idroutes/verify-get.ts
POST/receiptroutes/receipt.ts
GET/receipt/latest/:idroutes/receipt-get.ts
GET/transactionsroutes/transactions.ts
GET/transactions/:idroutes/transactions.ts
POST/transactionsroutes/transactions.ts
POST/policies/validateroutes/policies.ts
GET/trust-records/:idroutes/trust-records.ts
POST/replayroutes/replay.ts
No other routes exist in packages/api/src/app.ts.