Access Scope Service - API Contract

GET /api/v1/access-scope/api/v1/access-scope/units

List all unit IDs accessible to the authenticated user

Public

Response Example

{
  "data": [
    {
      "unit_id": "unit-002",
      "unit_name": "Oslo Chapter",
      "access_reason": "direct_assignment"
    },
    {
      "unit_id": "unit-001",
      "unit_name": "Northern Region",
      "access_reason": "ancestor_scope"
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 2
  }
}

GET /api/v1/access-scope/api/v1/access-scope/units/{unitId}

Check whether a specific unit is accessible to the authenticated user

Public

Response Example

{
  "unit_id": "unit-002",
  "accessible": true,
  "access_reason": "direct_assignment",
  "checked_at": "2026-03-26T10:30:00Z"
}

POST /api/v1/access-scope/api/v1/access-scope/rls-claims

Build the RLS JWT claims payload for a user (used during token issuance)

Public

Request Example

{
  "user_id": "usr-77"
}

Response Example

{
  "user_id": "usr-77",
  "accessible_unit_ids": [
    "unit-001",
    "unit-002",
    "unit-005"
  ],
  "primary_unit_id": "unit-002",
  "organization_id": "org-42",
  "claims_version": "1",
  "generated_at": "2026-03-26T10:31:00Z"
}

POST /api/v1/access-scope/api/v1/access-scope/scoped-query

Apply access scope filter to a base query (internal service-to-service)

Public

Request Example

{
  "user_id": "usr-77",
  "base_query": {
    "table": "activities",
    "filters": {
      "status": "completed"
    }
  }
}

Response Example

{
  "scoped_query": {
    "table": "activities",
    "filters": {
      "status": "completed"
    },
    "scope_filter": {
      "unit_id": {
        "in": [
          "unit-002",
          "unit-005"
        ]
      }
    }
  }
}

Additional Metadata

{
  "contract_summary": {
    "total_contracts": 410,
    "total_endpoints": 2416,
    "api_styles_used": [
      "rest"
    ]
  },
  "generated_at": "2026-03-26T06:55:53.316Z"
}