{"openapi":"3.1.0","info":{"title":"PayQuality API","version":"0.1.0","description":"BYO Azure Functions API boundary linked from Azure Static Web Apps."},"paths":{"/api/health":{"get":{"operationId":"getHealth","summary":"Read API health","description":"Returns a no-store health response with environment context.","tags":["system"],"responses":{"200":{"description":"The API is healthy.","headers":{"Cache-Control":{"schema":{"type":"string","const":"no-store"}}},"content":{"application/json":{"schema":{"$ref":"#/components/schemas/HealthResponse"}}}}}}},"/api/openapi.json":{"get":{"operationId":"getOpenApiDocument","summary":"Read OpenAPI document","description":"Returns the source-owned OpenAPI contract for this API.","tags":["system"],"responses":{"200":{"description":"The OpenAPI document.","content":{"application/json":{"schema":{"type":"object"}}}}}}},"/api/docs":{"get":{"operationId":"getOpenApiDocs","summary":"Read API reference","description":"Returns a human-readable HTML reference generated from the source-owned OpenAPI contract.","tags":["system"],"responses":{"200":{"description":"The rendered API reference.","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/api/resources":{"get":{"operationId":"listAzureResources","summary":"List Azure resources","description":"Returns status-only Azure resource readiness metadata without raw resource names, tenant identifiers, endpoints, connection strings, or secrets.","tags":["system"],"responses":{"200":{"description":"The resources used by the app.","headers":{"Cache-Control":{"schema":{"type":"string","const":"no-store"}}},"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AzureResourcesResponse"}}}}}}},"/api/me":{"get":{"operationId":"getCurrentUser","summary":"Read current authenticated user","description":"Resolves the SWA/CIAM principal into an active PayLens user account and active tenant 
memberships.","tags":["auth"],"security":[{"staticWebAppPrincipal":[]}],"responses":{"200":{"description":"The active PayLens user and tenant memberships.","headers":{"Cache-Control":{"schema":{"type":"string","const":"no-store"}}},"content":{"application/json":{"schema":{"$ref":"#/components/schemas/MeResponse"}}}},"401":{"description":"The SWA authenticated principal is missing or malformed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"403":{"description":"The authenticated principal is not linked to an active PayLens account.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}},"/api/invitations":{"post":{"operationId":"createInvitation","summary":"Create tenant invitation","description":"Allows an authorized tenant Owner, Admin, or PlatformAdmin to create a hashed-token invitation.","tags":["auth"],"security":[{"staticWebAppPrincipal":[]}],"responses":{"200":{"description":"The created invitation and one-time token for delivery.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GenericObjectResponse"}}}},"403":{"description":"The authenticated user cannot invite members for the tenant.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}},"/api/invitations/{id}":{"get":{"operationId":"previewInvitation","summary":"Preview invitation","description":"Returns non-sensitive invitation details before sign-in.","tags":["auth"],"responses":{"200":{"description":"A non-sensitive invitation preview.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GenericObjectResponse"}}}},"404":{"description":"Invitation token was not found.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}},"patch":{"operationId":"revokeInvitation","summary":"Revoke invitation","description":"Revokes a pending invitation by invitation 
id.","tags":["auth"],"security":[{"staticWebAppPrincipal":[]}],"responses":{"200":{"description":"The revoked invitation status.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GenericObjectResponse"}}}},"403":{"description":"The authenticated user cannot revoke invitations for the tenant.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}},"/api/invitations/{token}/accept":{"post":{"operationId":"acceptInvitation","summary":"Accept invitation","description":"Links the authenticated identity to a PayLens user and activates tenant membership.","tags":["auth"],"security":[{"staticWebAppPrincipal":[]}],"responses":{"200":{"description":"The activated user membership.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GenericObjectResponse"}}}},"403":{"description":"The authenticated email does not match the invitation.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}},"/api/tenants/{tenantId}/memberships":{"get":{"operationId":"listTenantMemberships","summary":"List tenant memberships","description":"Lists tenant memberships for an authorized tenant administrator or auditor.","tags":["auth"],"security":[{"staticWebAppPrincipal":[]}],"responses":{"200":{"description":"Tenant membership list.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GenericObjectResponse"}}}},"403":{"description":"The authenticated user cannot read tenant memberships.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}},"/api/tenants/{tenantId}/memberships/{membershipId}":{"patch":{"operationId":"updateTenantMembership","summary":"Update tenant membership","description":"Changes a membership role or lifecycle status with audit capture.","tags":["auth"],"security":[{"staticWebAppPrincipal":[]}],"responses":{"200":{"description":"Updated 
membership.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GenericObjectResponse"}}}},"403":{"description":"The authenticated user cannot update tenant memberships.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}},"/api/registration/organization-requests":{"post":{"operationId":"submitOrganizationRegistrationRequest","summary":"Submit organization registration request","description":"Creates a pending public organization registration request with Terms acceptance.","tags":["auth"],"responses":{"200":{"description":"Submitted registration request id and status.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GenericObjectResponse"}}}},"400":{"description":"Registration request validation failed.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}},"/api/registration/organization-requests/{requestId}":{"patch":{"operationId":"reviewOrganizationRegistrationRequest","summary":"Review organization registration request","description":"Approves or rejects a pending organization registration request and sends the requester Owner invitation email on approval.","tags":["auth"],"security":[{"staticWebAppPrincipal":[]}],"responses":{"200":{"description":"Reviewed registration request id and status.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/GenericObjectResponse"}}}},"403":{"description":"PlatformAdmin access is required.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}},"503":{"description":"The authorization store or transactional email sender is unavailable.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ErrorResponse"}}}}}}}},"components":{"securitySchemes":{"staticWebAppPrincipal":{"type":"apiKey","in":"header","name":"x-ms-client-principal","description":"Platform-injected Azure Static Web Apps authenticated principal 
header. Clients do not set this header themselves; the API should trust it only on requests that arrive through the linked Static Web App, not on direct calls to the Functions endpoint."}},"schemas":{"AzureResource":{"type":"object","additionalProperties":false,"required":["kind","name"],"properties":{"kind":{"type":"string"},"name":{"type":"string"},"settings":{"type":"object","additionalProperties":{"oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]}}}},"AzureResourcesResponse":{"type":"object","additionalProperties":false,"required":["environment","resources"],"properties":{"environment":{"type":"string"},"resources":{"type":"array","items":{"type":"object","additionalProperties":false,"required":["kind","name"],"properties":{"kind":{"type":"string"},"name":{"type":"string"},"settings":{"type":"object","additionalProperties":{"oneOf":[{"type":"string"},{"type":"array","items":{"type":"string"}}]}}}}}}},"ErrorResponse":{"type":"object","additionalProperties":false,"required":["error"],"properties":{"error":{"type":"object","additionalProperties":false,"required":["code","message"],"properties":{"code":{"type":"string"},"message":{"type":"string"},"correlationId":{"type":"string"},"details":{"type":"array","items":{"type":"string"}}}}}},"GenericObjectResponse":{"type":"object","additionalProperties":true},"HealthResponse":{"type":"object","additionalProperties":false,"required":["ok","service","environment","timestamp"],"properties":{"ok":{"type":"boolean","const":true},"service":{"type":"string"},"environment":{"type":"string"},"timestamp":{"type":"string","format":"date-time"}}},"MeResponse":{"type":"object","additionalProperties":false,"required":["user","memberships"],"properties":{"user":{"type":"object","additionalProperties":false,"required":["userId","email","displayName","status"],"properties":{"userId":{"type":"string"},"email":{"type":"string","format":"email"},"displayName":{"type":"string"},"status":{"type":"string","enum":["active","blocked","deleted"]}}},"memberships":{"type":"array","items":{"type":"object","additionalProperties":false,"required":["membershipId","tenantId","role","status"],"properties":{
"membershipId":{"type":"string"},"tenantId":{"type":"string"},"role":{"type":"string"},"status":{"type":"string","enum":["active"]}}}}}}}},"tags":[{"name":"auth","description":"Authentication and tenant membership endpoints."},{"name":"system","description":"Operational endpoints."}]}