Lantern

Appearance

API Reference โ€” Lantern โ€‹

Lantern is composed of independent Cloud Run services, each exposing a versioned HTTP API. Every service ships its own OpenAPI 3.0 spec at /openapi.json; the admin portal renders all of them in-house under API Reference.

This document is a map: where to find the live docs, how to use the renderer, what service to look at for which feature, and the cross-cutting conventions every service follows.

Looking for actual endpoint definitions, request/response schemas, or example payloads? Don't read this file โ€” open the admin portal and pick a service. The OpenAPI specs are the source of truth; this page exists only for orientation.

Where to view the live API docs โ€‹

WhereURLAudience
Admin portal (dev)https://admin.dev.ourlantern.app โ†’ API ReferenceInternal โ€” auto-fills your Firebase token
Admin portal (local)http://localhost:3001 โ†’ API ReferenceEngineers running the admin app locally
Raw spec per servicehttps://<service>-โ€ฆrun.app/openapi.jsonTooling: Postman, Insomnia, codegen
Source of specservices/api/<service>/openapi.jsonEditing โ€” checked into the repo

The renderer is the @lantern/api-docs-renderer workspace package. It is the only sanctioned way to render Lantern API docs โ€” there is no Scalar, Swagger UI, Redoc, or hosted alternative anywhere in the codebase.

How to use the API Reference page โ€‹

Every service page in the admin portal gives you the same controls:

  1. Server picker (top of the page) โ€” choose the environment you want examples to target. Auto-defaults to the running service URL when present, otherwise the dev Cloud Run URL.
  2. Sidebar โ€” endpoints grouped by tag, plus a Schemas section listing every component definition from the spec. Click any schema to jump to its full type breakdown (nested objects, enums, required fields, examples).
  3. Operation view โ€” for each endpoint:
    • Summary, description, security (which auth method), parameters, request body, every response shape
    • Code Samples tab โ€” copy-paste ready curl, fetch, and Node snippets generated from the spec
    • Try It tab โ€” fire the request directly from the browser. Auth tokens are pre-filled from your admin session; request bodies auto-fill from the schema's example values so you can edit and send in two clicks
  4. Schemas section (sidebar) โ€” the canonical place to see component definitions (#/components/schemas/...). Use this when you're building a client and want to know the exact shape of a Lantern, Wave, Offer, etc.

Bug or missing detail in a doc? โ€‹

Edit the spec in services/api/<service>/openapi.json, open a PR. The renderer picks up changes automatically โ€” no separate doc build.

Service inventory โ€‹

Source of truth: packages/shared/services/index.js (API_SERVICES).

ServiceSlugPurposeLocal port
Analytics APIanalytics-apiServer-side analytics, merchant dashboards, platform metrics8082
Assistant APIassistant-apiAI chat assistant for the admin portal8086
Auth APIauth-apiPhone+PIN tokens, admin auth, roles, moderation8084
Docs APIdocs-apiMarkdown document management + GitHub integration8081
Lanterns APIlanterns-apiLantern presence lifecycle (light, extinguish, schedule, bonfire)8083
Merchants APImerchants-apiMerchant offer CRUD, campaigns, merchant-scoped resources8085
Venue APIvenue-apiOSM import, enrichment, venue management8080

Adding a new service? See CLAUDE.md rule #8 โ€” register it here, ship openapi.json, no doc UI.

Cross-cutting conventions โ€‹

These rules apply to every service. Per-endpoint detail lives in the OpenAPI specs.

Authentication โ€‹

  • User & merchant requests: Authorization: Bearer <Firebase ID token> โ€” verified by verifyFirebaseToken middleware
  • Admin endpoints: Firebase ID token + admin custom claim (or stronger via requireAdmin)
  • Public endpoints: marked security: [] in the spec (e.g. /health, /openapi.json)

Errors โ€‹

All services emit a uniform shape via the shared errorHandler middleware:

json
{ "error": { "code": "VALIDATION_FAILED", "message": "โ€ฆ", "details": { โ€ฆ } } }

Standard HTTP status meanings: 400 invalid payload ยท 401 missing/expired token ยท 403 insufficient role ยท 404 not found ยท 409 conflict ยท 429 rate-limited ยท 5xx server error.

Rate limits โ€‹

Defaults are defined per service via userRateLimit middleware. Sensitive endpoints (writes, costly aggregations, AI calls) are individually tightened. The OpenAPI description of each endpoint notes any non-default limit.

CORS โ€‹

All services share ALLOWED_ORIGINS from packages/shared/services/index.js. Admin-only services use the ADMIN_ORIGINS subset.

Built with VitePress

Copyright ยฉ 2026 Lantern