API Reference

The frontend calls a same-origin JSON API under /api. Mutating requests use the x-csrf-token header unless explicitly exempted. The CSRF token is fetched once from GET /api/auth/csrf-token on startup and cached in memory.
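The token flow described above, as an added example that is not the project's own frontend code: a small same-origin client that fetches the CSRF token once, caches it in memory, and attaches it as x-csrf-token only on state-changing methods. The token response shape ({ csrfToken: "..." }), the injectable fetch implementation and the request bodies are assumptions or constructed sample data, not documented by the page.

```javascript
// Added example, not the project's own client code: a minimal same-origin
// wrapper for the /api routes that fetches the CSRF token once from
// GET /api/auth/csrf-token, caches it in memory, and sends it as
// x-csrf-token only on state-changing methods. The token response shape
// { csrfToken: "..." } is an assumption; the page does not document it.

const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Pure helper: build the init object for fetch(). Only mutating methods
// carry the CSRF header; a missing token on such a method is a client bug,
// so fail loudly instead of sending an unprotected write.
function buildRequestInit(method, csrfToken, body) {
  const headers = { accept: "application/json" };
  const init = { method, headers, credentials: "same-origin" };
  if (MUTATING_METHODS.has(method)) {
    if (!csrfToken) throw new Error(`${method} requires a CSRF token`);
    headers["x-csrf-token"] = csrfToken;
  }
  if (body !== undefined) {
    headers["content-type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  return init;
}

// fetchImpl is injected so the client can run against a fake server offline;
// in the browser pass window.fetch.
function createApiClient(fetchImpl, base = "/api") {
  let cachedToken = null;

  async function csrfToken() {
    if (cachedToken === null) {
      const res = await fetchImpl(`${base}/auth/csrf-token`, { credentials: "same-origin" });
      if (!res.ok) throw new Error(`csrf-token fetch failed: ${res.status}`);
      cachedToken = (await res.json()).csrfToken;
    }
    return cachedToken;
  }

  async function request(method, path, body) {
    const token = MUTATING_METHODS.has(method) ? await csrfToken() : null;
    const res = await fetchImpl(`${base}${path}`, buildRequestInit(method, token, body));
    if (!res.ok) throw new Error(`${method} ${path} failed with ${res.status}`);
    return res.status === 204 ? null : res.json();
  }

  return {
    get: (path) => request("GET", path),
    post: (path, body) => request("POST", path, body),
    patch: (path, body) => request("PATCH", path, body),
    del: (path, body) => request("DELETE", path, body),
  };
}

// Constructed stand-in for fetch(): answers the token route with a fixed
// token, everything else with { ok: true }, and records what it received.
function makeFakeFetch(token = "constructed-token") {
  const seen = [];
  const fetchImpl = async (url, init = {}) => {
    seen.push({ url, method: init.method || "GET", headers: init.headers || {} });
    const json = url.endsWith("/auth/csrf-token") ? { csrfToken: token } : { ok: true };
    return { ok: true, status: 200, json: async () => json };
  };
  return { fetchImpl, seen };
}

// Drive the client through reads and writes and return the recorded requests:
// one token fetch in total, the header present on writes, absent on reads.
async function demo() {
  const { fetchImpl, seen } = makeFakeFetch();
  const api = createApiClient(fetchImpl);
  await api.get("/tracker");
  await api.post("/bills/42/verify-autopay");            // first write triggers the token fetch
  await api.post("/categories", { name: "Utilities" });   // constructed body; reuses the cached token
  await api.get("/payments/recent-auto");
  return seen;
}
```

Running demo() records five requests: the first GET, one token fetch, two POSTs carrying x-csrf-token, and a final GET without it. Because the token lives only in memory, a page reload repeats the single GET /api/auth/csrf-token call; nothing is persisted to storage where another origin's script could read it.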

Public Routes

| Prefix | Purpose |
| --- | --- |
| /api/auth | Login, mode discovery, session state, CSRF token, TOTP and WebAuthn challenges, and authenticated auth actions |
| /api/auth/oidc | OIDC login and callback |
| /api/auth/webauthn | WebAuthn status, credentials, setup, enable, disable, and challenge endpoints |
| /api/auth/totp | TOTP challenge verification |
| /api/about | Public app metadata |
| /api/privacy | Public privacy content |
| /api/version | Version and release history |
| /api/calendar/feed/:token | Token-protected private calendar subscription feed (feed.ics) |

User Routes

| Prefix | Purpose |
| --- | --- |
| /api/tracker | Monthly tracker rows, sparklines, overdue count, sort, and upcoming bills |
| /api/bills | Bills, templates, history ranges, balances, merchant rules, verify-autopay, and bill transaction views |
| /api/payments | Payments, quick pay, bulk pay, restore, autopay suggestions, recent-auto, undo-auto, and attribute-to-month |
| /api/categories | Category CRUD and restore |
| /api/calendar | Calendar data |
| /api/summary | Summary, bank tracking, and income planning |
| /api/monthly-starting-amounts | Starting-cash planning |
| /api/analytics | Analytics summaries |
| /api/snowball | Debt settings, ordering, and projections |
| /api/spending | Spending categories, budgets, and merchant rules |
| /api/settings | Per-user settings (search panel state, etc.) |
| /api/profile | Profile, password, export history, import history, login history |
| /api/user | Demo-data seed and cleanup |
| /api/calendar-tokens | Calendar subscription feed token CRUD |

Data Routes

| Prefix | Purpose |
| --- | --- |
| /api/data-sources | SimpleFIN connect, account controls, sync, backfill, status, and disconnect |
| /api/transactions | Manual transactions, matching, ignore state, unmatch-bulk, and updates |
| /api/matches | Match suggestions, rejection, confirm, learn-merchant, and unmatch |
| /api/subscriptions | Catalog (/subscriptions/catalog), recommendations, and feedback |
| /api/import, /api/imports | CSV, XLSX, and user-database staged import |
| /api/export | User-owned SQLite and Excel exports |

Admin Routes

| Prefix | Purpose |
| --- | --- |
| /api/admin | Users, backups, cleanup, auth methods, bank-sync settings, privacy settings, and migration rollback |
| /api/status | Admin-only system status |
| /api/about-admin | Admin-only roadmap, development log, and forced update check |
| /api/notifications | Admin SMTP settings and user reminder preferences |

Selected Endpoints

| Method | Path | Purpose |
| --- | --- | --- |
| POST | /api/bills/:id/verify-autopay | Update bills.autopay_verified_at to the current time |
| GET | /api/payments/recent-auto | Auto-matched payments in the last 7 days for the review panel |
| POST | /api/payments/:id/undo-auto | Reverse a single auto-match: soft-delete the payment, restore balance, revert the transaction |
| POST | /api/transactions/unmatch-bulk | Unmatch multiple linked transactions in a single transaction |
| PATCH | /api/payments/:id/attribute-to-month | Reclassify a provider_sync payment's paid_date to the prior month end |
| GET | /api/auth/webauthn/status | WebAuthn enabled flag and credential count |
| GET | /api/auth/webauthn/credentials | Registered keys with name, AAGUID, backup flags, and timestamps |
| GET | /api/auth/webauthn/setup | Begin registration; returns options and challenge ID |
| POST | /api/auth/webauthn/enable | Complete registration; verifies attestation and stores the credential |
| DELETE | /api/auth/webauthn/credentials/:credentialId | Remove a single key; requires password confirmation |
| POST | /api/auth/webauthn/disable | Remove all keys; requires password confirmation |
| POST | /api/auth/totp/challenge | Verify the second-step TOTP code after password verification |
| GET | /api/spending/budgets/copy | Copy the prior month's spending budgets into the current month |

Middleware

Most user routes apply CSRF validation, requireAuth, and requireUser. Admin routes apply CSRF validation, requireAuth, requireAdmin, and an admin action rate limit. The SimpleFIN sync and backfill routes additionally apply a syncLimiter (10 requests per 15 minutes per authenticated user).
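The middleware chain described above, as an added example that is not the project's own middleware: Express-style handlers for CSRF validation, requireAuth, requireUser and requireAdmin, plus a per-user limiter allowing 10 requests per 15 minutes, driven by a tiny in-process runner that stands in for Express. The session shape ({ userId, role, csrfToken }), the role values, the fixed-window limiter algorithm and the sample sessions are assumptions or constructed data, not taken from the project.

```javascript
// Added example, not the project's own middleware: Express-style handlers
// that mirror the chain described above (CSRF validation, requireAuth,
// requireUser / requireAdmin, then a per-user limiter of 10 requests per
// 15 minutes) plus a tiny in-process runner that stands in for Express.
// Session shape ({ userId, role, csrfToken }), the role values and the
// fixed-window limiter algorithm are assumptions, not the project's.

const WINDOW_MS = 15 * 60 * 1000;
const SYNC_LIMIT = 10;
const MUTATING_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Reads are exempt; writes must echo the token issued to this session.
function csrfCheck(req, res, next) {
  if (!MUTATING_METHODS.has(req.method)) return next();
  const sent = req.headers["x-csrf-token"];
  if (!sent || sent !== req.session.csrfToken) return res.sendStatus(403);
  next();
}

function requireAuth(req, res, next) {
  if (!req.session || !req.session.userId) return res.sendStatus(401);
  next();
}

function requireUser(req, res, next) {
  if (req.session.role !== "user" && req.session.role !== "admin") return res.sendStatus(403);
  next();
}

function requireAdmin(req, res, next) {
  if (req.session.role !== "admin") return res.sendStatus(403);
  next();
}

// Fixed window keyed by the authenticated user id, so one user cannot burn
// another user's quota. `now` is injectable for deterministic tests.
function makeSyncLimiter({ limit = SYNC_LIMIT, windowMs = WINDOW_MS, now = Date.now } = {}) {
  const windows = new Map(); // userId -> { start, count }
  return function syncLimiter(req, res, next) {
    const t = now();
    let w = windows.get(req.session.userId);
    if (!w || t - w.start >= windowMs) {
      w = { start: t, count: 0 };
      windows.set(req.session.userId, w);
    }
    w.count += 1;
    if (w.count > limit) {
      res.setHeader("retry-after", Math.ceil((w.start + windowMs - t) / 1000));
      return res.sendStatus(429);
    }
    next();
  };
}

// Minimal synchronous stand-in for Express's next() chaining.
function runChain(chain, req) {
  const res = {
    statusCode: null,
    headers: {},
    setHeader(name, value) { this.headers[name] = value; },
    sendStatus(code) { this.statusCode = code; },
  };
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return res;
}

// Exercise the chains with constructed sessions and return the observed status codes.
function demo() {
  let clock = 0;
  const syncLimiter = makeSyncLimiter({ now: () => clock });
  const ok = (req, res) => res.sendStatus(200);
  const syncChain = [csrfCheck, requireAuth, requireUser, syncLimiter, ok];
  const adminChain = [csrfCheck, requireAuth, requireAdmin, ok];
  const user = { userId: 1, role: "user", csrfToken: "tok-user-1" };   // constructed sessions
  const other = { userId: 2, role: "user", csrfToken: "tok-user-2" };
  const post = (session) => ({ method: "POST", headers: { "x-csrf-token": session.csrfToken }, session });

  const results = {};
  results.missingCsrf = runChain(syncChain, { method: "POST", headers: {}, session: user }).statusCode;
  results.anonymousRead = runChain(syncChain, { method: "GET", headers: {}, session: {} }).statusCode;
  results.userOnAdminRoute = runChain(adminChain, post(user)).statusCode;
  const burst = Array.from({ length: SYNC_LIMIT + 1 }, () => runChain(syncChain, post(user)).statusCode);
  results.withinLimit = burst.slice(0, SYNC_LIMIT).every((s) => s === 200);
  results.overLimit = burst[SYNC_LIMIT];
  results.otherUserUnaffected = runChain(syncChain, post(other)).statusCode;
  clock = WINDOW_MS;                                   // window expires
  results.afterWindow = runChain(syncChain, post(user)).statusCode;
  return results;
}
```

The ordering matters: the CSRF check runs before authentication so a forged cross-site write is refused without touching the session store, and the limiter runs after requireUser so it can key on a verified user id rather than on a client-controlled value. demo() returns 403 for a write without the token, 401 for an anonymous read, 403 for a user hitting an admin chain, 429 on the eleventh sync call, 200 for a different user's first call, and 200 again once the 15-minute window has elapsed.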