YeboMart Routes — Complete API Map

All API endpoints with methods, authentication requirements, and middleware.

Base URL

Production: https://api.yebomart.com/api/v1

Route Index

typescript

// src/routes/index.ts
router.use('/auth', authRoutes);
router.use('/shops', shopRoutes);
router.use('/products', productRoutes);
router.use('/sales', saleRoutes);
router.use('/stock', stockRoutes);
router.use('/users', userRoutes);
router.use('/staff', userRoutes);       // Alias
router.use('/reports', reportRoutes);
router.use('/ai', aiRoutes);
router.use('/license', licenseRoutes);
router.use('/expenses', expenseRoutes);
router.use('/customers', customerRoutes);
router.use('/audit', auditRoutes);
router.use('/admin', adminRoutes);
router.use('/upload', uploadRoutes);
router.use('/returns', returnRoutes);
router.use('/suppliers', supplierRoutes);
router.use('/pricing', pricingRoutes);
router.use('/billing', billingRoutes);

Authentication Routes

Base: /api/v1/auth

Method	Endpoint	Auth	Middleware	Description
POST	`/register`	—	`authLimiter`, `validateRequest`	Register new shop
POST	`/login`	—	`authLimiter`, `validateRequest`	Owner login
POST	`/login/user`	—	`authLimiter`, `validateRequest`	Staff PIN login
POST	`/refresh`	—	`authLimiter`, `validateRequest`	Refresh tokens
GET	`/me`	✓	`authMiddleware`	Get current user

Request/Response Examples

typescript

// POST /auth/register
{
  "name": "Best Tuckshop",
  "ownerName": "John Dlamini",
  "phone": "+26876123456",
  "password": "securepin",
  "businessType": "tuckshop",
  "assistantName": "Sibo"
}

// Response
{
  "success": true,
  "data": {
    "shop": { "id": "...", "name": "Best Tuckshop", "tier": "LITE" },
    "accessToken": "eyJ...",
    "refreshToken": "eyJ..."
  }
}

Shop Routes

Base: /api/v1/shops

Method	Endpoint	Auth	Middleware	Description
GET	`/types`	—	—	List business types
GET	`/config`	✓	`authMiddleware`	Get shop config
GET	`/:id`	✓	`authMiddleware`	Get shop details
PATCH	`/:id`	Owner	`ownerAuth`, `validateRequest`	Update shop
GET	`/:id/stats`	✓	`authMiddleware`	Get shop stats

Product Routes

Base: /api/v1/products

Method	Endpoint	Auth	Middleware	Description
GET	`/`	✓	`authMiddleware`, `validateQuery`	List products
POST	`/`	Manager	`managerAuth`, `checkProductLimit`, `validateRequest`	Create product
GET	`/categories`	✓	`authMiddleware`	List categories
GET	`/export`	Manager	`managerAuth`	Export CSV
POST	`/bulk/import`	Manager	`managerAuth`, `validateRequest`	Bulk import
POST	`/bulk/update`	Manager	`managerAuth`, `validateRequest`	Bulk update
GET	`/barcode/:barcode`	✓	`authMiddleware`	Lookup by barcode
GET	`/:id`	✓	`authMiddleware`	Get product
PATCH	`/:id`	Manager	`managerAuth`, `validateRequest`	Update product
DELETE	`/:id`	Manager	`managerAuth`	Soft delete

Query Parameters

typescript

// GET /products
{
  page: number;       // Default: 1
  limit: number;      // Default: 20, max: 100
  search: string;     // Search name, barcode, SKU
  category: string;   // Filter by category
  lowStock: boolean;  // Only low stock items
  isActive: boolean;  // Default: true
}

Sales Routes

Base: /api/v1/sales

Method	Endpoint	Auth	Middleware	Description
GET	`/`	✓	`authMiddleware`, `validateQuery`	List sales
POST	`/`	✓	`authMiddleware`, `posLimiter`, `trackUsage`, `validateRequest`	Create sale
GET	`/daily-summary`	✓	`authMiddleware`	Today's summary
GET	`/search/receipt`	✓	`authMiddleware`	Find by receipt
POST	`/email-receipt`	✓	`authMiddleware`	Email receipt
GET	`/:id`	✓	`authMiddleware`	Get sale
POST	`/:id/void`	Manager	`managerAuth`, `validateRequest`	Void sale

Create Sale Request

typescript

// POST /sales
{
  "items": [
    { "productId": "clx...", "quantity": 2, "discount": 0 },
    { "productId": "clx...", "quantity": 1 }
  ],
  "paymentMethod": "CASH",
  "amountPaid": 100,
  "discount": 5
}

Stock Routes

Base: /api/v1/stock

Method	Endpoint	Auth	Middleware	Description
GET	`/`	✓	`authMiddleware`	Get stock levels
GET	`/alerts`	✓	`authMiddleware`	Low stock alerts
GET	`/movements`	✓	`authMiddleware`, `validateQuery`	Movement history
POST	`/adjust`	Manager	`managerAuth`, `trackUsage`, `validateRequest`	Adjust stock
POST	`/receive`	Manager	`managerAuth`, `trackUsage`, `validateRequest`	Bulk restock

Stock Adjustment Request

typescript

// POST /stock/adjust
{
  "productId": "clx...",
  "type": "DAMAGED",
  "quantity": -3,
  "note": "Broken during delivery"
}

AI Routes

Base: /api/v1/ai

Method	Endpoint	Auth	Middleware	Description
POST	`/chat`	✓	`authMiddleware`, `requireFeature('ai_assistant')`, `checkAiUsage`, `aiLimiter`, `validateRequest`	Chat with AI
POST	`/voice`	✓	`authMiddleware`, `requireFeature('ai_assistant')`, `checkAiUsage`, `aiLimiter`, `validateRequest`	Voice query
GET	`/insights`	✓	`authMiddleware`, `checkAiUsage`, `aiLimiter`	Get insights
GET	`/slow-movers`	✓	`authMiddleware`, `checkAiUsage`, `aiLimiter`	Slow products
GET	`/summary`	✓	`authMiddleware`, `checkAiUsage`, `aiLimiter`	Business summary

AI Chat Request

typescript

// POST /ai/chat
{
  "message": "What products aren't selling?"
}

// Response
{
  "success": true,
  "data": {
    "message": "3 products are barely moving:\n• Old Chips - 2 sold...",
    "assistantName": "Yebo"
  }
}

Report Routes

Base: /api/v1/reports

Method	Endpoint	Auth	Middleware	Description
GET	`/summary`	Manager	`authMiddleware`, `managerAuth`	Overview stats
GET	`/daily`	Manager	`authMiddleware`, `managerAuth`	Daily report
GET	`/weekly`	Manager	`authMiddleware`, `managerAuth`	Weekly report
GET	`/products`	Manager	`authMiddleware`, `managerAuth`	Product performance
GET	`/staff`	Manager	`authMiddleware`, `managerAuth`	Staff performance

User/Staff Routes

Base: /api/v1/users (aliased as /api/v1/staff)

Method	Endpoint	Auth	Middleware	Description
GET	`/`	✓	`authMiddleware`	List staff
POST	`/`	Owner	`ownerAuth`, `checkUserLimit`, `validateRequest`	Create staff
GET	`/:id`	✓	`authMiddleware`	Get staff
GET	`/:id/stats`	✓	`authMiddleware`	Staff stats
GET	`/:id/detail`	✓	`authMiddleware`	Staff details
PATCH	`/:id`	✓	`authMiddleware`, `validateRequest`	Update staff
DELETE	`/:id`	Owner	`ownerAuth`	Delete staff

Customer Routes

Base: /api/v1/customers

Method	Endpoint	Auth	Middleware	Description
GET	`/`	✓	`authMiddleware`	List customers
POST	`/`	✓	`authMiddleware`, `validateRequest`	Create customer
GET	`/:id`	✓	`authMiddleware`	Get customer
PATCH	`/:id`	Manager	`managerAuth`	Update customer
POST	`/:id/credit`	✓	`authMiddleware`, `validateRequest`	Add credit

Return Routes

Base: /api/v1/returns

Method	Endpoint	Auth	Middleware	Description
GET	`/`	✓	`authMiddleware`, `validateQuery`	List returns
POST	`/`	✓	`authMiddleware`, `validateRequest`	Create return
GET	`/:id`	✓	`authMiddleware`	Get return
POST	`/:id/process`	Manager	`managerAuth`, `validateRequest`	Process return

Supplier Routes

Base: /api/v1/suppliers

Method	Endpoint	Auth	Middleware	Description
GET	`/`	✓	`authMiddleware`	List suppliers
POST	`/`	Manager	`managerAuth`, `validateRequest`	Create supplier
GET	`/:id`	✓	`authMiddleware`	Get supplier
PATCH	`/:id`	Manager	`managerAuth`	Update supplier
DELETE	`/:id`	Manager	`managerAuth`	Delete supplier
POST	`/:id/products`	Manager	`managerAuth`	Link product
GET	`/:id/orders`	✓	`authMiddleware`	Supplier's POs

Billing Routes

Base: /api/v1/billing

Method	Endpoint	Auth	Middleware	Description
GET	`/plans`	Optional	`optionalAuth`	Get pricing plans
POST	`/checkout`	✓	`authMiddleware`	Create checkout
POST	`/webhook`	—	`express.raw`	Stripe webhook

Checkout Request

typescript

// POST /billing/checkout
{
  "tier": "BUSINESS",
  "successUrl": "https://app.yebomart.com/billing/success",
  "cancelUrl": "https://app.yebomart.com/billing"
}

// Response
{
  "success": true,
  "data": {
    "sessionId": "cs_test_...",
    "url": "https://checkout.stripe.com/..."
  }
}

Admin Routes

Base: /api/v1/admin

Method	Endpoint	Auth	Middleware	Description
POST	`/login`	—	`validateRequest`	Admin login
GET	`/dashboard`	Admin	`authenticateAdmin`	Dashboard stats
GET	`/shops`	Admin	`authenticateAdmin`	List all shops
GET	`/shops/:id`	Admin	`authenticateAdmin`	Get shop
PATCH	`/shops/:id/status`	Admin	`authenticateAdmin`	Update status
DELETE	`/shops/:id`	Admin	`authenticateAdmin`	Delete shop
PUT	`/subscriptions/:id`	Admin	`authenticateAdmin`	Update subscription
GET	`/users`	Admin	`authenticateAdmin`	List all users
GET	`/users/:id`	Admin	`authenticateAdmin`	Get user
GET	`/subscriptions`	Admin	`authenticateAdmin`	List subscriptions

License Routes

Base: /api/v1/license

Method	Endpoint	Auth	Middleware	Description
GET	`/status`	✓	`authMiddleware`	License status
POST	`/activate`	✓	`authMiddleware`	Activate license
POST	`/trial`	✓	`authMiddleware`	Start trial

Pricing Routes (Public)

Base: /api/v1/pricing

Method	Endpoint	Auth	Middleware	Description
GET	`/countries`	—	—	List supported countries
GET	`/plans`	—	—	All pricing plans
GET	`/plans/:country`	—	—	Country-specific plans

Upload Routes

Base: /api/v1/upload

Method	Endpoint	Auth	Middleware	Description
POST	`/image`	✓	`authMiddleware`, `multer`	Upload image
DELETE	`/image/:key`	✓	`authMiddleware`	Delete image

Expense Routes

Base: /api/v1/expenses

Method	Endpoint	Auth	Middleware	Description
GET	`/`	✓	`authMiddleware`	List expenses
POST	`/`	Manager	`managerAuth`, `validateRequest`	Create expense
GET	`/:id`	✓	`authMiddleware`	Get expense
PATCH	`/:id`	Manager	`managerAuth`	Update expense
DELETE	`/:id`	Manager	`managerAuth`	Delete expense

Audit Routes

Base: /api/v1/audit

Method	Endpoint	Auth	Middleware	Description
GET	`/`	Manager	`authMiddleware`, `managerAuth`	List audit logs
GET	`/:id`	Manager	`authMiddleware`, `managerAuth`	Get log entry

Rate Limits

typescript

// Different limits for different route types
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,  // 15 minutes
  max: 10,                    // 10 requests per window
  message: 'Too many auth attempts'
});

const posLimiter = rateLimit({
  windowMs: 60 * 1000,       // 1 minute
  max: 60,                    // 60 sales per minute
  message: 'POS rate limit exceeded'
});

const aiLimiter = rateLimit({
  windowMs: 60 * 1000,       // 1 minute
  max: 10,                    // 10 AI queries per minute
  message: 'AI rate limit exceeded'
});

Error Responses

All errors follow the standard format:

typescript

{
  "success": false,
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Validation failed",
    "details": [
      { "field": "phone", "message": "Phone is required" }
    ]
  }
}

Common Error Codes

Code	HTTP Status	Description
`VALIDATION_ERROR`	400	Request validation failed
`UNAUTHORIZED`	401	Missing or invalid token
`FORBIDDEN`	403	Insufficient permissions
`NOT_FOUND`	404	Resource not found
`CONFLICT`	409	Resource conflict (duplicate)
`RATE_LIMITED`	429	Too many requests
`SERVER_ERROR`	500	Internal server error

API

Backend API

Okia AI Service

Frontend

Student Dashboard

Teacher Dashboard

Parent Dashboard

School Admin Dashboard

YeboMart Routes — Complete API Map ​

Base URL ​

Route Index ​

Authentication Routes ​

Request/Response Examples ​

Shop Routes ​

Product Routes ​

Query Parameters ​

Sales Routes ​

Create Sale Request ​

Stock Routes ​

Stock Adjustment Request ​

AI Routes ​

AI Chat Request ​

Report Routes ​

User/Staff Routes ​

Customer Routes ​

Return Routes ​

Supplier Routes ​

Billing Routes ​

Checkout Request ​

Admin Routes ​

License Routes ​

Pricing Routes (Public) ​

Upload Routes ​

Expense Routes ​

Audit Routes ​

Rate Limits ​

Error Responses ​

Common Error Codes ​

YeboMart Routes — Complete API Map

Base URL

Route Index

Authentication Routes

Request/Response Examples

Shop Routes

Product Routes

Query Parameters

Sales Routes

Create Sale Request

Stock Routes

Stock Adjustment Request

AI Routes

AI Chat Request

Report Routes

User/Staff Routes

Customer Routes

Return Routes

Supplier Routes

Billing Routes

Checkout Request

Admin Routes

License Routes

Pricing Routes (Public)

Upload Routes

Expense Routes

Audit Routes

Rate Limits

Error Responses

Common Error Codes