1. Home
  2. Integrations
  3. REST API

JSON in. JSON out. Every endpoint documented.

The NovexERP API follows REST conventions consistently. Resources are nouns, HTTP methods are verbs, and status codes mean what they're supposed to mean.

API

REST API

Every feature exposed through documented REST endpoints. JSON in, JSON out. Standard HTTP methods, status codes, and a full OpenAPI specification.

NovexERP ships with a full OpenAPI 3.0.3 specification served at /docs/openapi.json. This machine-readable contract describes every available endpoint, request parameter, response schema, and authentication requirement. Interactive documentation is available through Swagger UI at /docs/ and ReDoc at /docs/redoc.html, allowing developers to explore endpoints, inspect schemas, and test API calls directly from the browser without writing any code.

Three authentication methods are supported, each designed for different use cases. JWT bearer tokens passed via the Authorization: Bearer header handle user sessions with short-lived credentials. Scoped API keys passed via the X-API-Key header serve integrations and automation scripts that need long-lived access. Admin tokens passed via the X-NOVEX-ADMIN-TOKEN header authenticate cron jobs and internal system operations. This layered approach ensures the right level of access control for every type of consumer.

API keys support granular scope arrays that limit access to specific modules and operations. For example, a key might be scoped to panel:orders and panel:orders.create, granting read and create access to orders while blocking access to everything else. Keys inherit the generating user's role for permission enforcement, support configurable expiration dates, and track last-used timestamps for security auditing. The key format uses a prefixed hash pattern (nk_abc123...) for easy identification in logs and configuration files.

Rate limiting is enforced via a Redis backend with file and APCu fallback options for environments without Redis. Limits are configured per-endpoint to match expected usage patterns — the login endpoint is restricted to 5 requests per 15 minutes to prevent brute-force attacks, the health check allows 100 requests per 60 seconds, AI polling endpoints support 600 requests per 60 seconds for responsive interfaces, and the default limit is 100 requests per 60 seconds for general API usage. Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers so clients can self-throttle proactively. When limits are exceeded, a 429 response includes the Retry-After header indicating when the next request will be accepted.

Identifier priority for rate limiting follows a specific order: API key hash first, then authenticated user ID, then client IP address. This ensures that different API keys from the same IP are tracked independently, while unauthenticated requests fall back to IP-based tracking. All API responses follow a consistent JSON format. Errors return a structured object with error.code, error.message, and error.details fields, making client-side error handling predictable across every endpoint. Collection endpoints support pagination, filtering, and sorting parameters. For platform-level API architecture details, see API Architecture, and for event-driven integrations, see Webhooks.

  • Full OpenAPI 3.0 specification
  • Swagger UI interactive documentation
  • ReDoc reference documentation
  • JWT and scoped API key authentication
  • Rate limiting with Redis backend
  • Consistent JSON request/response format
  • Pagination, filtering, and sorting
  • Per-endpoint rate limits with clear headers

How It Works

Browse available endpoints in Swagger UI at /docs/ — you can view request schemas, required parameters, and example responses for every route. Test requests directly in the browser without writing any client code, using the built-in "Try it out" functionality.

Generate a scoped API key from the Users module with specific permission scopes. Each key is assigned an array of scopes that control which endpoints and operations it can access, and you can set an expiration date for automatic key rotation.

Authenticate requests with the X-API-Key header for integrations or a JWT bearer token for user sessions. Make requests using standard HTTP methods — GET for reading collections and individual resources, POST for creating new records, PUT for updating existing ones, and DELETE for removal.

Read the X-RateLimit-Remaining header on each response to stay within your quota. When the remaining count is low, back off before hitting the limit. Handle 429 responses by reading the Retry-After header and waiting the indicated number of seconds. Parse consistent JSON responses across every endpoint — errors always include code, message, and details for predictable error handling.

Modules Used

This feature is powered by these NovexERP modules.

Warehouses Storage Locations Products Raw Materials Raw Material Lots BOMs Customers Vendors Orders Purchase Orders Manufacturing Finished Products Movements Lots

Related Features

CORE

API-First Ecosystem

Platform-level API architecture with authentication, rate limiting, and module-level endpoint documentation.

Explore → EVENTS

Webhook Ingestion

Secure inbound webhooks with HMAC verification, idempotent storage, and retry-aware queue processing.

Explore → ECOMMERCE

Shopify Integration

OAuth authentication, product sync, webhook-driven order intake, and fulfillment status push.

Explore →

Ready to see NovexERP in action?

Get a personalized demo tailored to your food manufacturing operation.

Request a Demo