Versioned REST APIs & Secure Access
Registry of API clients, scopes and credentials for integration developers and external systems. REST/JSON with OpenAPI contracts is the default; every write validates idempotency, permissions and business invariants (INT-01, §10.3).
API clients & credentials
| Client / owner | Auth type | Scopes (least privilege) | Credential | Contract | Rate limit | Last used | Status |
|---|---|---|---|---|---|---|---|
| website-cms-leadform Marketing · Integration Owner |
OAuth2 client credentials | leads:write listings:read |
cli_web01·●●●●●●●● vault: kv/prod/api/web-cms · rotated 02 Jul 2026 |
erp-core v2.4 | 60 rpm | 17 Jul 2026 09:41 | Active |
| portal-bayut-sync Listing Operations |
Signed credential (approved) | listings:publish leadstatus:read |
cli_byt02·●●●●●●●● vault: kv/prod/api/bayut · rotated 20 Jun 2026 |
erp-core v2.4 | 120 rpm | 17 Jul 2026 09:56 | Active |
| portal-pf-sync Listing Operations |
OAuth2 client credentials | listings:publish leadstatus:read |
cli_pfd03·●●●●●●●● vault: kv/prod/api/pf · rotated 20 Jun 2026 |
erp-core v2.4 | 120 rpm | 17 Jul 2026 08:12 | Active |
| bank-enbd-statements Finance / Treasury — Fatima Rashid |
OAuth2 + mTLS | statements:read |
cli_enbd04·●●●●●●●● vault: kv/prod/api/enbd · cert expires 12 Aug 2026 |
erp-fin v1.2 | 12 rph | 17 Jul 2026 06:00 | Cert expiring 26d |
| asp-einvoice-prod Tax + Integration Owner |
OAuth2 client credentials | einvoice:submit einvoice:status |
cli_asp05·●●●●●●●● vault: kv/prod/api/asp · rotated 05 Jul 2026 |
pint-ae v1.0 | 30 rpm | 16 Jul 2026 23:58 | Active |
| wps-sif-agent Payroll + Finance |
Signed credential (approved) | sif:submit sif:status |
cli_wps06·●●●●●●●● vault: kv/prod/api/wps · rotated 28 May 2026 |
erp-core v1.9 v1 — migrate | 6 rph | 15 Jul 2026 21:03 | Active |
| screening-feed-djx MLRO — Ahmed Al Blooshi |
OAuth2 client credentials | screening:query |
cli_djx07·●●●●●●●● vault: kv/prod/api/djx · rotated 30 Jun 2026 |
erp-cmp v2.0 | 300 rpm | 17 Jul 2026 09:22 | Active |
| partner-primelink External broker — Prime Link Realty |
OAuth2 client credentials | leads:write |
cli_plk08·●●●●●●●● vault: kv/prod/api/plk · expired 30 Jun 2026 |
erp-core v1.9 v1 — migrate | 30 rpm | 30 Jun 2026 17:44 | Suspended — credential expired |
| graphql-analytics-poc BI team request 11 Jul 2026 |
— (not issued) | requested: reports:read |
not issued | GraphQL (proposed) | — | — | Pending review — GraphQL requires named consumer case, query-cost controls and independent approval |
Contract version usage (7 days)
| Contract · version | Status | Requests (7d) | Clients | Migration window ends | Sunset |
|---|---|---|---|---|---|
| erp-core v2.4 | GA | 761,204 | 9 | — | — |
| erp-fin v1.2 | GA | 71,090 | 3 | — | — |
| erp-cmp v2.0 | GA | 39,588 | 2 | — | — |
| erp-core v1.9 | Deprecated | 27,894 | 2 | 30 Sep 2026 | 31 Oct 2026 |
| erp-core v1.4 | Retired | 0 | 0 | closed | 31 Jan 2026 |
Scope rate limits & throttling behavior
| Scope | Limit | Burst | Window | On breach |
|---|---|---|---|---|
leads:write | 60 rpm | 90 | per client | 429 + RATE_LIMITED, Retry-After |
listings:publish | 120 rpm | 150 | per client | 429 + RATE_LIMITED, Retry-After |
statements:read | 12 rph | 15 | per client | Queued to next window |
einvoice:submit | 30 rpm | 40 | per client | 429 + RATE_LIMITED, Retry-After |
screening:query | 300 rpm | 360 | per client | 429 + RATE_LIMITED, Retry-After |
reports:read | 30 rpm | 30 | per client | Cursor page size clamped to 100 |
Collection endpoints use cursor pagination with deterministic ordering, bounded page size and allowlisted filters/sorts; total counts only where affordable (§10.3). Shared credentials are prohibited — each consumer holds its own scoped identity.
Idempotency & concurrency guarantees
POST /v2/leads Idempotency-Key: 7c9e-4411-a2 → 201 Created lead LEAD-10236
POST /v2/leads (retry) Idempotency-Key: 7c9e-4411-a2 → 200 OK same body
Idempotency-Replayed: true
PUT /v2/listings/LST-2041 If-Match: "v17" → 409 Conflict (no silent overwrite)
errorCode: VERSION_CONFLICT currentVersion: "v19"
Concurrent updates require ETag / If-Match (or equivalent version token) and return an explicit conflict. Write APIs additionally enforce permissions and business invariants server-side — a valid token alone never bypasses RBAC.
Structured error envelope (Problem Details)
{
"type": "https://api.almanara.ae/problems/duplicate-lead",
"title": "Duplicate lead",
"status": 409,
"errorCode": "LEAD_DUPLICATE",
"detail": "A lead for this contact already exists in the last 30 days.",
"violations": [
{ "field": "phone", "code": "DUPLICATE_MATCH", "ref": "LEAD-10188" }
],
"correlationId": "c0a8-17ju-2026-8842",
"retryable": false,
"supportRef": "SUP-4471"
}
One envelope for every API error: stable error code, human-safe message, field violations, correlation ID, retryability flag and support reference. No stack traces or sensitive payloads are ever exposed (§10.3). Correlation IDs join the Audit Explorer trail.
OpenAPI contract references
| Contract | Version | Spec artifact | SHA-256 | Compatibility suite | Consumers |
|---|---|---|---|---|---|
| erp-core | v2.4.1 | openapi/erp-core.v2.yaml | sha256:9f31…c2ae | 214/214 green · 17 Jul 03:10 | 9 clients |
| erp-fin | v1.2.0 | openapi/erp-fin.v1.yaml | sha256:44d0…9b17 | 96/96 green · 17 Jul 03:12 | 3 clients |
| erp-cmp | v2.0.3 | openapi/erp-cmp.v2.yaml | sha256:b7a2…5510 | 61/61 green · 17 Jul 03:14 | 2 clients |
| pint-ae | v1.0.2 | openapi/pint-ae.v1.yaml | sha256:0dc9…e884 | 2 pending fixtures (ASP sandbox) | 1 client |
| erp-core | v1.9.8 (deprecated) | openapi/erp-core.v1.yaml | sha256:71fe…03b9 | Frozen — security fixes only | 2 clients |
Risky action — rotate / revoke credential
Consequence: the current secret is invalidated after a 24-hour grace window. Prime Link Realty lead submissions signed with the old secret will fail with 401 CREDENTIAL_REVOKED. Affected record: client cli_plk08, scope leads:write.
Requires approval: Integration Owner + Security Admin (SoD — requester cannot self-approve). New secret is written to vault only; it is never displayed in the UI. Recovery path: previous secret can be re-enabled within the grace window.
Related: Provider health · Events & webhooks · Identity & RBAC · Provider Hub activation gates
Static render mockup — no live data. Source: ERP Modern Development Specification v2.0 · Covers: INT-01 (with §10.3 API and event standards).