Skip to main content
Version: 1.0.1
Last Updated: 2026-04-09
Status: Stable
Target Audience: Developers and AI agents (GitHub Copilot, Cursor, general AI assistants)
Comprehensive guide for API development in the Encore OS Platform, covering API patterns, endpoint creation, authentication, authorization, error handling, response formatting, and API testing.

AI Agent Context

Key Patterns for AI:
  • Always use Supabase auto-generated APIs for standard CRUD (RLS enforced automatically)
  • Always use Edge Functions for complex business logic or cross-core operations
  • Always include organization_id in API requests for multi-tenant isolation
  • Always return consistent error formats with proper HTTP status codes
  • Always document API contracts in docs/architecture/integrations/API_CONTRACTS.md
Common Mistakes to Avoid:
  • Bypassing RLS by using service role keys in application code
  • Creating custom API endpoints when Supabase auto-generated APIs suffice
  • Not including organization_id in API requests (breaks multi-tenancy)
  • Returning inconsistent error formats
  • Not documenting API contracts before implementation

Quick Reference


API Development Patterns

Pattern 1: Supabase Auto-generated APIs

Use for: Standard CRUD operations Access: Via Supabase client with RLS enforcement
Benefits:
  • Automatic RLS enforcement
  • No custom code needed
  • Type-safe with generated types

Pattern 2: Edge Functions

Use for: Complex business logic, third-party integrations, elevated privileges Location: supabase/functions/{function-name}/index.ts Example Structure:

Pattern 3: API Contracts

Use for: Cross-core synchronous integration Standard: /api/v1/{core}/{resource} Documentation: See API Contracts

Creating API Endpoints

Edge Function Creation

1. Create Function:
2. Implement Function:
3. Deploy Function:

API Contract Endpoint

For cross-core APIs, follow API Contract standards: Endpoint Pattern: /api/v1/{core}/{resource} Example: /api/v1/fa/episode-balance Documentation: Document in docs/architecture/integrations/API_CONTRACTS.md

API Authentication and Authorization

Authentication

All APIs MUST verify authentication:

Authorization

Verify organization access:

Role-Based Authorization

Organization and machine API access (PF-97)

Interactive APIs use the patterns above: Supabase user JWT + verified membership in the target organization_id. Machine / integration APIs (organization API keys, service accounts, OAuth client credentials) are not the same as passing a user session. They require explicit credential validation, org binding, and scope checks per PF-97. Do not use the service role key in browser or client apps; server-side exchange flows must mint short-lived tokens or use validated headers. See API Contracts (section Machine / organization API access) and the PF-97 integration doc.

API Error Handling

Standard Error Response Format

HTTP Status Codes

Error Handling Pattern


API Response Formatting

Success Response

Error Response

Pagination Response


API Testing

Unit Testing

Test business logic:

Integration Testing

Test with real Supabase:

E2E Testing

Test complete flow:

Rate Limiting

Implementation

For API contracts, implement rate limiting:

Rate Limit Headers

Include in all responses:

CORS Configuration

Standard CORS Headers

CORS Preflight

Handle OPTIONS requests:

Architecture

  • API Contracts - API contract standards and examples
  • Integration Patterns - Integration pattern overview

Development Guides

Standards

  • Constitution §1.3 - Integration patterns (Pattern 3: API Contracts)

Maintained By: Platform Foundation Team