# SMR One API

The canonical OpenAPI 3.1 contract is [`openapi.yaml`](openapi.yaml). The default base URL is `/api/v1`; send `Accept: application/json` on every request.

Authenticate with `POST /auth/login`, then send `Authorization: Bearer <token>`. Tokens are role scoped by server middleware. Validation failures use HTTP 422, unauthenticated requests 401, forbidden ownership/role access 403, and missing resources 404. Error bodies contain `message` and may contain field-keyed `errors` arrays.

List endpoints use Laravel pagination (`data`, `current_page`, `last_page`, `per_page`, `total`). Money is server-calculated and represented in the relevant resource currency. Clients must never calculate authoritative totals or trust a locally supplied owner ID.

Run `php scripts/check-openapi.php` after changing API routes or the contract. The checker validates the OpenAPI header, unique operation IDs, and documented method/path pairs against Laravel's registered API routes.
