API Reference

Pax Anima exposes a REST API that the portals themselves consume. Customers on the Enterprise tier can use the same endpoints to integrate the platform with their own systems — for example, to push intake from a clinic PIMS or to pull invoice events into accounting software.

Specification

The API is described by an OpenAPI 3.0 document generated from the source. In self-hosted and dev environments it’s served at /swagger; in production it’s available to authenticated enterprise customers on request.

We do not currently publish the spec at a public URL — endpoints and authentication are scoped per tenant, and a stable contract is only offered inside an Enterprise agreement.

Authentication

  • JWT bearer tokens. Obtain one via POST /api/auth/login with a service account email + password. Tokens include sub, email, role, and tenant_id claims.
  • Refresh tokens. Set as an HTTP-only refreshToken cookie at login. Send POST /api/auth/refresh with the cookie to rotate; the old token is invalidated on use.
  • Two-factor. If the user has TOTP enrolled, include totpCode in the login payload. Each backup code is accepted once as a fallback.

Rate limits

The API is rate-limited per identity. Limits are returned on every response via X-RateLimit-Remaining and X-RateLimit-Reset headers. A 429 Too Many Requests indicates you have exceeded the bucket for the current window; back off and retry after Retry-After.

Idempotency

Mutating endpoints (POST / PUT / PATCH) accept an Idempotency-Key header. Resubmitting with the same key within 24 hours returns the cached response, so it is safe to retry on network errors without double-creating a case or charging twice.
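The retry behaviour described under Rate limits and Idempotency, as an added example (not Pax Anima's own client code): one Idempotency-Key is generated per logical request and reused on every resend, and a 429 waits for Retry-After. The `send` transport and its return shape, the 60-second cap, the 1-second default and the backoff used after network errors are assumptions.

```python
import time
import uuid
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_WAIT = 60.0  # assumption: upper bound on any single wait, in seconds


def retry_after_seconds(value, now=None):
    """Turn a Retry-After value (delta-seconds or HTTP-date) into a bounded delay."""
    if value is None:
        return 1.0  # header absent: short default (assumption)
    try:
        delay = float(value)
    except ValueError:
        try:
            when = parsedate_to_datetime(value)
            delay = (when - (now or datetime.now(timezone.utc))).total_seconds()
        except (TypeError, ValueError):
            delay = 1.0  # malformed header: same short default
    return min(max(delay, 0.0), MAX_WAIT)


def post_with_retry(send, path, body, token, max_attempts=4, sleep=time.sleep):
    """POST with retries that cannot double-apply the write.

    `send(method, path, headers, body)` is a hypothetical transport returning
    (status, response_headers, response_body) and raising ConnectionError
    when the network fails.
    """
    headers = {
        "Authorization": f"Bearer {token}",
        # Generated once, outside the loop: every resend carries the same key.
        "Idempotency-Key": str(uuid.uuid4()),
    }
    for attempt in range(1, max_attempts + 1):
        try:
            status, resp_headers, resp_body = send("POST", path, headers, body)
        except ConnectionError:
            # Outcome unknown: the server may already have applied the write.
            # Resending with the same key yields the cached response instead.
            if attempt == max_attempts:
                raise
            sleep(min(2 ** attempt, MAX_WAIT))
            continue
        if status == 429 and attempt < max_attempts:
            sleep(retry_after_seconds(resp_headers.get("Retry-After")))
            continue
        return status, resp_body
```

Generating a fresh key inside the loop would defeat the guarantee, because each resend would then look like a new request to the server.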

Webhooks

Webhook delivery is planned but not yet generally available. Customers who need server-to-server event push today receive events via Azure Service Bus subscriptions provisioned inside their tenant — contact support to discuss.

Stability and versioning

The portal-internal API surface is considered stable but not versioned with a public guarantee. Enterprise integration contracts pin a specific schema version and we give 90 days’ notice on breaking changes.

Request access

To request an OpenAPI spec or discuss an integration, write to support or contact your account manager. Include the integration target (vendor name + product) and the flow you want to automate.