Every module. Every endpoint. Documented.
NovexERP is API-first by design. The same endpoints that power the dashboard power your custom integrations, automation scripts, and third-party tools.
API-First Ecosystem
Every production module in NovexERP is exposed through documented REST endpoints, giving you programmatic access to the same capabilities available in the web interface.
A full OpenAPI 3.0 specification ships with every NovexERP deployment, providing a machine-readable contract for every available endpoint. Interactive documentation is available through both Swagger UI and ReDoc, allowing developers to explore endpoints, view request and response schemas, and test calls directly from their browser.
Authentication supports two methods: JWT bearer tokens for user sessions and scoped API keys passed via the X-API-Key header. API keys support scope arrays that limit access to specific modules, user role inheritance for permission enforcement, configurable expiration dates, and last-used tracking for security auditing. This dual approach lets you use short-lived JWTs for interactive sessions and long-lived API keys for integrations and automation scripts.
Rate limiting is enforced via Redis with file and APCu fallback options. Limits are configured per-endpoint: the login endpoint is restricted to 5 requests per 15 minutes to prevent brute-force attacks, while the default limit is 100 requests per 60 seconds for general API usage. Every response includes X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers so clients can self-throttle before hitting limits.
All API responses follow a consistent JSON format. Errors return a structured object with error.code, error.message, and error.details fields, making client-side error handling predictable across every endpoint. Webhook ingestion endpoints are available for Shopify and EasyPost, with HMAC signature verification ensuring that incoming payloads are authentic. For deeper integration documentation, see the REST API reference and the Webhooks event processing guide.
- Full OpenAPI 3.0 specification
- Swagger UI and ReDoc documentation
- JWT authentication with scoped API keys
- Rate limiting with Redis backend
- Consistent JSON request/response format
- Provider webhook ingestion endpoints (Shopify, EasyPost)
- Batch operations for bulk data processing
How It Works
Start by generating a scoped API key from the Users module. Each key is assigned specific permissions that control which endpoints and operations it can access. Authenticate your requests by including the key in the X-API-Key header, or use a JWT bearer token obtained through the login endpoint for session-based access.
Browse all available endpoints in Swagger UI at /docs/, where you can view request schemas, required parameters, and example responses for every route. Make requests using standard HTTP methods: GET for reading resources, POST for creating new records, PUT for updating existing ones, and DELETE for removing them.
Monitor your usage by reading X-RateLimit-Remaining headers on each response. When your remaining quota is low, back off before hitting the limit to avoid 429 responses. All responses use consistent JSON formatting with proper HTTP status codes, so your error handling logic works uniformly across every module in the system.
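A client-side throttle for the header-based back-off described above, as an added example rather than NovexERP code. It assumes X-RateLimit-Reset carries either Unix epoch seconds or seconds remaining (the page does not say which); the 10% low-water mark, the fallback delays and the function names are illustrative choices.

```python
import time

DEFAULT_BACKOFF = 60.0          # assumption: fall back to the default 60 s window
MIN_BACKOFF = 1.0               # assumption: never retry a spent quota instantly
LOW_WATERMARK = 0.10            # assumption: start pacing below 10% of quota
EPOCH_THRESHOLD = 1_000_000_000 # values below this are treated as delta-seconds

def parse_rate_headers(headers):
    """Return (limit, remaining, reset) as ints, or None if missing or malformed."""
    try:
        h = {k.lower(): v for k, v in headers.items()}
        return (int(h["x-ratelimit-limit"]),
                int(h["x-ratelimit-remaining"]),
                int(h["x-ratelimit-reset"]))
    except (KeyError, ValueError, TypeError):
        return None

def seconds_until_reset(reset, now):
    """Accept either an absolute epoch timestamp or a relative number of seconds."""
    if reset < EPOCH_THRESHOLD:
        return float(max(reset, 0))
    return float(max(reset - now, 0))

def delay_before_next(status, headers, now):
    """Seconds to sleep before the next request, given the last response."""
    parsed = parse_rate_headers(headers)
    if parsed is None:
        # No usable headers: only back off if the server already answered 429.
        return DEFAULT_BACKOFF if status == 429 else 0.0
    limit, remaining, reset = parsed
    wait = seconds_until_reset(reset, now)
    if status == 429 or remaining <= 0:
        return max(wait, MIN_BACKOFF)   # quota spent: wait out the window
    if remaining <= limit * LOW_WATERMARK:
        return wait / remaining         # spread remaining calls over the window
    return 0.0

if __name__ == "__main__":
    now = int(time.time())
    # Constructed sample response headers, not captured from a real deployment.
    sample = {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "5",
              "X-RateLimit-Reset": str(now + 30)}
    print(delay_before_next(200, sample, now))
```

Call `delay_before_next` after every response and sleep for the returned value before sending the next request.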
Modules Used
This feature is powered by these NovexERP modules.
Related Features
REST API
Full endpoint reference with request and response schemas for every module.
INTEGRATIONS
Webhooks
Event-driven processing for inbound webhooks from Shopify, EasyPost, and other providers.
INVENTORY
Stock, Lots & Traceability
FIFO/FEFO inventory with lot tracking, expiry management, and complete audit trails.