OH

Versioned REST APIs & Secure Access

Registry of API clients, scopes and credentials for integration developers and external systems. REST/JSON with OpenAPI contracts is the default; every write validates idempotency, permissions and business invariants (INT-01, §10.3).

INT-01
Active API clients
14
2 suspended · 1 pending review
Requests (24h)
128,440
▲ 3.1% vs. prior day
4xx / 5xx rate
0.42%
Top code: RATE_LIMITED (61%)
Traffic on deprecated v1
3.1%
Sunset 31 Oct 2026 · 2 clients remain
Credentials expiring ≤ 30d
2
Rotation requires Security approval

API clients & credentials

Client / ownerAuth typeScopes (least privilege)CredentialContractRate limitLast usedStatus
website-cms-leadform
Marketing · Integration Owner
OAuth2 client credentials leads:write listings:read cli_web01·●●●●●●●●
vault: kv/prod/api/web-cms · rotated 02 Jul 2026
erp-core v2.4 60 rpm 17 Jul 2026 09:41 Active
portal-bayut-sync
Listing Operations
Signed credential (approved) listings:publish leadstatus:read cli_byt02·●●●●●●●●
vault: kv/prod/api/bayut · rotated 20 Jun 2026
erp-core v2.4 120 rpm 17 Jul 2026 09:56 Active
portal-pf-sync
Listing Operations
OAuth2 client credentials listings:publish leadstatus:read cli_pfd03·●●●●●●●●
vault: kv/prod/api/pf · rotated 20 Jun 2026
erp-core v2.4 120 rpm 17 Jul 2026 08:12 Active
bank-enbd-statements
Finance / Treasury — Fatima Rashid
OAuth2 + mTLS statements:read cli_enbd04·●●●●●●●●
vault: kv/prod/api/enbd · cert expires 12 Aug 2026
erp-fin v1.2 12 rph 17 Jul 2026 06:00 Cert expiring 26d
asp-einvoice-prod
Tax + Integration Owner
OAuth2 client credentials einvoice:submit einvoice:status cli_asp05·●●●●●●●●
vault: kv/prod/api/asp · rotated 05 Jul 2026
pint-ae v1.0 30 rpm 16 Jul 2026 23:58 Active
wps-sif-agent
Payroll + Finance
Signed credential (approved) sif:submit sif:status cli_wps06·●●●●●●●●
vault: kv/prod/api/wps · rotated 28 May 2026
erp-core v1.9 v1 — migrate 6 rph 15 Jul 2026 21:03 Active
screening-feed-djx
MLRO — Ahmed Al Blooshi
OAuth2 client credentials screening:query cli_djx07·●●●●●●●●
vault: kv/prod/api/djx · rotated 30 Jun 2026
erp-cmp v2.0 300 rpm 17 Jul 2026 09:22 Active
partner-primelink
External broker — Prime Link Realty
OAuth2 client credentials leads:write cli_plk08·●●●●●●●●
vault: kv/prod/api/plk · expired 30 Jun 2026
erp-core v1.9 v1 — migrate 30 rpm 30 Jun 2026 17:44 Suspended — credential expired
graphql-analytics-poc
BI team request 11 Jul 2026
— (not issued) requested: reports:read not issued GraphQL (proposed) Pending review — GraphQL requires named consumer case, query-cost controls and independent approval
9 of 17 clients · secrets never displayed — vault references only

Contract version usage (7 days)

Contract · versionStatusRequests (7d)ClientsMigration window endsSunset
erp-core v2.4GA761,2049
erp-fin v1.2GA71,0903
erp-cmp v2.0GA39,5882
erp-core v1.9Deprecated27,894230 Sep 202631 Oct 2026
erp-core v1.4Retired00closed31 Jan 2026

Scope rate limits & throttling behavior

ScopeLimitBurstWindowOn breach
leads:write60 rpm90per client429 + RATE_LIMITED, Retry-After
listings:publish120 rpm150per client429 + RATE_LIMITED, Retry-After
statements:read12 rph15per clientQueued to next window
einvoice:submit30 rpm40per client429 + RATE_LIMITED, Retry-After
screening:query300 rpm360per client429 + RATE_LIMITED, Retry-After
reports:read30 rpm30per clientCursor page size clamped to 100

Collection endpoints use cursor pagination with deterministic ordering, bounded page size and allowlisted filters/sorts; total counts only where affordable (§10.3). Shared credentials are prohibited — each consumer holds its own scoped identity.

Idempotency & concurrency guarantees

POST /v2/leads            Idempotency-Key: 7c9e-4411-a2   → 201 Created  lead LEAD-10236
POST /v2/leads  (retry)   Idempotency-Key: 7c9e-4411-a2   → 200 OK       same body
                                                            Idempotency-Replayed: true

PUT /v2/listings/LST-2041  If-Match: "v17"                 → 409 Conflict (no silent overwrite)
                           errorCode: VERSION_CONFLICT      currentVersion: "v19"

Concurrent updates require ETag / If-Match (or equivalent version token) and return an explicit conflict. Write APIs additionally enforce permissions and business invariants server-side — a valid token alone never bypasses RBAC.

Structured error envelope (Problem Details)

{
  "type": "https://api.almanara.ae/problems/duplicate-lead",
  "title": "Duplicate lead",
  "status": 409,
  "errorCode": "LEAD_DUPLICATE",
  "detail": "A lead for this contact already exists in the last 30 days.",
  "violations": [
    { "field": "phone", "code": "DUPLICATE_MATCH", "ref": "LEAD-10188" }
  ],
  "correlationId": "c0a8-17ju-2026-8842",
  "retryable": false,
  "supportRef": "SUP-4471"
}

One envelope for every API error: stable error code, human-safe message, field violations, correlation ID, retryability flag and support reference. No stack traces or sensitive payloads are ever exposed (§10.3). Correlation IDs join the Audit Explorer trail.

OpenAPI contract references

ContractVersionSpec artifactSHA-256Compatibility suiteConsumers
erp-corev2.4.1openapi/erp-core.v2.yamlsha256:9f31…c2ae214/214 green · 17 Jul 03:109 clients
erp-finv1.2.0openapi/erp-fin.v1.yamlsha256:44d0…9b1796/96 green · 17 Jul 03:123 clients
erp-cmpv2.0.3openapi/erp-cmp.v2.yamlsha256:b7a2…551061/61 green · 17 Jul 03:142 clients
pint-aev1.0.2openapi/pint-ae.v1.yamlsha256:0dc9…e8842 pending fixtures (ASP sandbox)1 client
erp-corev1.9.8 (deprecated)openapi/erp-core.v1.yamlsha256:71fe…03b9Frozen — security fixes only2 clients

Risky action — rotate / revoke credential

Related: Provider health · Events & webhooks · Identity & RBAC · Provider Hub activation gates

Static render mockup — no live data. Source: ERP Modern Development Specification v2.0 · Covers: INT-01 (with §10.3 API and event standards).