Last Updated: 2026-04-09
Status: Stable
Target Audience: Developers and AI agents (GitHub Copilot, Cursor, general AI assistants) Comprehensive guide for API development in the Encore OS Platform, covering API patterns, endpoint creation, authentication, authorization, error handling, response formatting, and API testing.
AI Agent Context
Key Patterns for AI:- Always use Supabase auto-generated APIs for standard CRUD (RLS enforced automatically)
- Always use Edge Functions for complex business logic or cross-core operations
- Always include
organization_idin API requests for multi-tenant isolation - Always return consistent error formats with proper HTTP status codes
- Always document API contracts in
docs/architecture/integrations/API_CONTRACTS.md
- Bypassing RLS by using service role keys in application code
- Creating custom API endpoints when Supabase auto-generated APIs suffice
- Not including
organization_idin API requests (breaks multi-tenancy) - Returning inconsistent error formats
- Not documenting API contracts before implementation
Quick Reference
API Development Patterns
Pattern 1: Supabase Auto-generated APIs
Use for: Standard CRUD operations Access: Via Supabase client with RLS enforcement- Automatic RLS enforcement
- No custom code needed
- Type-safe with generated types
Pattern 2: Edge Functions
Use for: Complex business logic, third-party integrations, elevated privileges Location:supabase/functions/{function-name}/index.ts
Example Structure:
Pattern 3: API Contracts
Use for: Cross-core synchronous integration Standard:/api/v1/{core}/{resource}
Documentation: See API Contracts
Creating API Endpoints
Edge Function Creation
1. Create Function:API Contract Endpoint
For cross-core APIs, follow API Contract standards: Endpoint Pattern:/api/v1/{core}/{resource}
Example: /api/v1/fa/episode-balance
Documentation: Document in docs/architecture/integrations/API_CONTRACTS.md
API Authentication and Authorization
Authentication
All APIs MUST verify authentication:Authorization
Verify organization access:Role-Based Authorization
Organization and machine API access (PF-97)
Interactive APIs use the patterns above: Supabase user JWT + verified membership in the targetorganization_id.
Machine / integration APIs (organization API keys, service accounts, OAuth client credentials) are not the same as passing a user session. They require explicit credential validation, org binding, and scope checks per PF-97. Do not use the service role key in browser or client apps; server-side exchange flows must mint short-lived tokens or use validated headers. See API Contracts (section Machine / organization API access) and the PF-97 integration doc.
API Error Handling
Standard Error Response Format
HTTP Status Codes
Error Handling Pattern
API Response Formatting
Success Response
Error Response
Pagination Response
API Testing
Unit Testing
Test business logic:Integration Testing
Test with real Supabase:E2E Testing
Test complete flow:Rate Limiting
Implementation
For API contracts, implement rate limiting:Rate Limit Headers
Include in all responses:CORS Configuration
Standard CORS Headers
CORS Preflight
Handle OPTIONS requests:Related Documentation
Architecture
- API Contracts - API contract standards and examples
- Integration Patterns - Integration pattern overview
Development Guides
- Database Development Guide - Database queries and RLS
- Testing Setup and Run Guide - API testing patterns
- Troubleshooting Guide - API debugging
Standards
- Constitution §1.3 - Integration patterns (Pattern 3: API Contracts)
Maintained By: Platform Foundation Team