API Reference

The Ablebase API is a JSON REST API. All resource endpoints are versioned under /v1. Authentication endpoints are served at /api/auth/* by Better Auth.

Base URL

https://<your-domain>/v1

Authentication

All /v1 endpoints require an active session cookie obtained via the auth endpoints. See Authentication for details.

Conventions

IDs: Organization IDs and resource IDs are UUIDs. Products, areas, and standards are identified by a URL slug. Audits, issues, and risks are identified by a sequential number scoped to their product.
Request body: application/json.
Successful responses: 200 OK with a JSON body, or 201 Created with a Location header pointing to the new resource.
Empty responses: 204 No Content (e.g. deletes).
Error responses: JSON with an error object. See Errors below.
Dates: All timestamps are ISO 8601 strings in UTC.

Errors

Error responses have the following shape:

{
  "error": {
    "code": "NOT_FOUND",
    "message": "Product not found"
  }
}

Code	HTTP status	Meaning
`VALIDATION_ERROR`	400	Request body or query parameter failed validation.
`UNAUTHORIZED`	401	No valid session.
`FORBIDDEN`	403	Authenticated but lacking the required role.
`NOT_FOUND`	404	Resource does not exist.
`CONFLICT`	409	Operation not allowed in the current state (e.g. creating in an archived product).
`INTERNAL_ERROR`	500	Unexpected server error.

Rate limits

Scope	Limit
Global	100 requests / minute
Sign-in	5 attempts / 10 minutes
Sign-up	3 attempts / hour
Password reset	3 attempts / hour

Exceeding a limit returns 429 Too Many Requests.

Authentication

Session-based auth and GitHub OAuth.

Products

Create and manage products.

Areas

Subdivide products into areas.

Audits

Run and track accessibility audits.

Issues

Track and bulk-manage accessibility issues.

Risks

Identify and materialize accessibility risks.

Standards

Manage standards, groups, and requirements.

Saved Views

Persist filter and sort state as named views.