Spaces:
Sleeping
API Reference
Base URL is the deployed backend host.
Recommended production backend host:
- Railway service URL for this repository
Current public model-service host (used by backend when MODEL_INFERENCE_PROVIDER=remote):
https://pant0x-ealpr-ocr.hf.space
Authentication Model
Most business endpoints require:
Authorization: Bearer <supabase_access_token>- For device integrations, backend can also accept:
Authorization: Bearer <barrier_token>- Enabled when
BARRIER_API_TOKENorBARRIER_API_TOKENSis configured.
Auth behavior is controlled by backend env config.
Backend auth endpoints
POST /auth/register- JSON body:
first_name(recommended)last_name(recommended)username(required)phoneorphone_number(required)password(required)email(optional)nidornational_id(optional)- legacy fallback:
full_nameorname(optional) - optional vehicle payload fields:
plate_letters_ar,plate_numbers_arplate_letters_en,plate_numbers_encar_model,car_color- or nested under
vehicleobject
- Returns user object + session tokens.
user.full_nameis derived fromfirst_name + last_name.- Register contract is idempotent for OTP-created users: if OTP verify already created/authenticated a user for the same email, register finalizes profile/password instead of failing on duplicate email for the same account.
- JSON body:
POST /auth/login- JSON body:
identifier(username OR phone OR email OR nid)password
- Also accepts direct keys (
username,phone,email,nid) instead ofidentifier. - Returns user object + session tokens.
- JSON body:
POST /auth/otp/request- JSON body:
purpose(register,vehicle_verify,profile_update)channel(emailorphone)- contact value (
emailorphone) unless inferable from authenticated profile - optional
redirect_tofor email OTP link flows
- Sends OTP via Supabase auth.
- For
purpose=register|signup, backend forcescreate_user=trueto ensure new emails/phones can receive OTP for account creation. - For non-register purposes,
create_userfrom client is still honored. - If OTP signup is disabled in provider config for register flow, API returns a clear contract error:
OTP signup is disabled in backend auth configuration (otp_disabled). purpose=register cannot proceed with OTP until OTP signups are enabled.
- For
- JSON body:
POST /auth/otp/verify- JSON body:
channel(emailorphone)otp_token- contact value (
emailorphone) - optional
verify_type
- Verifies OTP and returns auth session payload.
- JSON body:
Endpoint Catalog
Authentication
POST /auth/registerPOST /auth/loginPOST /auth/otp/requestPOST /auth/otp/verifyPOST /auth/forgot-password- JSON body:
identifier(username OR phone OR email OR nid)- optional
redirect_toURL (HTTPS or app deep-link scheme)
- Backend always forwards a reset redirect URL to Supabase:
- payload
redirect_toif provided, otherwise PASSWORD_RESET_REDIRECT_URLenv, otherwise<backend-host>/auth/reset-password-page
- payload
- JSON body:
POST /auth/reset-password- JSON body:
access_tokennew_password
- JSON body:
POST /auth/reset-password/resolve-token- JSON body:
- one of:
access_token,token_hash,code - optional:
type(defaults torecovery),email
- one of:
- Resolves Supabase recovery links that provide
token_hash/codeinto a usable access token.
- JSON body:
GET /auth/reset-password-page- Hosted reset page that reads token from the recovery link, submits to
/auth/reset-password, then shows a success view and auto-opens the app deep link.
- Hosted reset page that reads token from the recovery link, submits to
GET /auth/reset-password-bridge- Bridge page that opens mobile deep link reset flow (
ainelaql://auth/reset) and provides browser fallback.
- Bridge page that opens mobile deep link reset flow (
User profile
PUT /profile/update- JSON body (any subset):
first_namelast_namefull_namephoneorphone_numberemail
- Updates profile metadata and mirrors auth metadata.
full_nameis always normalized fromfirst_name + last_name(legacyfull_nameinput is still accepted and split into parts).
- JSON body (any subset):
Vehicles (multi-vehicle CRUD)
POST /vehicles/addGET /vehicles/my- Optional query:
include_inactive=true|false
- Optional query:
PUT /vehicles/{id}DELETE /vehicles/{id}POST /vehicles/verify- OTP-backed ownership verification for a vehicle.
Notifications
POST /notifications/fcm-token- Stores or updates FCM token for the authenticated user.
GET /notifications/my- Returns latest notification events for the authenticated user.
- Notification events are server-generated (service role).
- Authenticated users can only update their own
read_atstate; they cannot create, delete, or edit notification content.
Health and diagnostics
GET /- Lightweight service entry endpoint.
- Returns links to docs and health endpoints.
GET /health- Service health, inference provider wiring, and pricing config snapshot.
GET /supabase/health- Supabase readiness checks (tables, buckets, auth wiring).
GET /models- Inference provider details and local model info when local loading is enabled.
Inference and session events
POST /predict- Input:
multipart/form-data - Required:
image - Optional:
event_type,parking_location,camera_source - Auth:
- Supabase user token (mobile/web/staff clients), or
- barrier token (camera/barrier devices)
- Returns AI output + pricing + gate decision + persistence metadata.
- Input:
POST /model/infer- Input:
multipart/form-data - Required:
image - Intended for backend-to-backend model inference calls.
- Requires
MODEL_SERVICE_ENABLE_LOCAL_ENDPOINT=truein the model runtime. - If
MODEL_SERVICE_SHARED_SECRETis configured, caller must send the configured header.
- Input:
Operations feeds
GET /events/entered-carsGET /events/leaving-cars-within-5-minutesGET /events/left-carsGET /events/inside-carsGET /parking/history
Common optional query params:
limitfor_user_id(global-scope roles:admin,security,barrier)
Location pricing and occupancy
GET /parking/locations- Returns pricing defaults + garage occupancy + per-location pricing/occupancy blocks.
- Occupancy includes breakdown fields:
inside_from_registered_sessionsinside_from_inferred_unmatched
GET /parking/occupancy- Returns occupancy-focused response for dashboards.
- Uses same occupancy breakdown fields under each location.
Payments and gate flow
POST /payments/paymob/createPOST /payments/paymob/webhookPOST /payments/manual/cash-confirmPOST /gate/decision
POST /gate/decision can be called by:
- session owner
- staff roles (
admin,security) barrierrole token
Maintenance
POST /admin/maintenance/weekly-refresh
Key Response Blocks (Flutter-critical)
From /predict and feed/history responses, consume:
plate_infoand normalizedplatesectionsapp_registrationpayment_statuspricinggate_decisionleft_within_5_minutes- image fields under
user_pageandadmin_page - Supabase persistence IDs/paths under
supabase inference_provider(localorremote)
For GET /events/inside-cars and GET /parking/history, some items can include:
inferred_unmatched=trueplateobject (key,arabic,english)event_count
These rows are inferred from unmatched OCR event streams (events that are not linked to a registered vehicle/session).
Status and Error Behavior
400: validation/input formatting issues401: missing/invalid auth token403: role/scope violations404: missing session/resource502/503: upstream or integration failures (Supabase/Paymob/service config)
Testing Minimum
GET /healthGET /supabase/healthPOST /predictfor entryPOST /predictfor exitGET /parking/locationsGET /parking/occupancy