WorkHub API

REST API reference for the WorkHub portal. Base URL: https://portal.smmheadshot.ru

Authentication

Most endpoints require a JWT token set as an httpOnly cookie by POST /api/auth/login. Include credentials (credentials: "include") in fetch requests. Endpoints marked Public require no authentication. Admin-only endpoints return 403 for non-admin roles.

Rate Limiting

Login: 5 requests per 15 minutes per IP. API endpoints: 30 req/s per IP (nginx). Exceeding limits returns 429 Too Many Requests with a Retry-After header.

Auth

POST /api/auth/login   Public

Authenticate user by login + password. Returns JWT in httpOnly cookie. May return needsMfa: true for MFA-enabled accounts.

Request body
{
  "username": "ivanov",
  "password": "secret123"
}
Response
{
  "role": "admin",
  "empId": 1,
  "orgId": 1
}
// or MFA step:
{
  "needsMfa": true,
  "tempToken": "eyJ..."
}
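The following is an added example, not code from the WorkHub portal: a small browser-style login client for the endpoint above. It sends credentials: "include" so the httpOnly JWT cookie is stored, returns a tagged result for the three documented outcomes (normal login, the needsMfa step, and a 429 with Retry-After), and takes the fetch implementation as a parameter so it can be exercised offline against a constructed fake. Everything beyond the documented request and response shapes (the result object, the fake fetch, the assumed sensitive behaviour of tempToken) is the example's own assumption.

```javascript
// Added example (not from the WorkHub docs): a login client that stores the
// httpOnly JWT cookie, handles the needsMfa branch, and honours 429 + Retry-After.
// The fetch implementation is injected so the function runs offline against a fake.

const BASE_URL = "https://portal.smmheadshot.ru";

// Parse a Retry-After header (delta-seconds or HTTP-date) into milliseconds to wait.
// Returns null when the header is absent or unparseable so callers fall back to their own backoff.
function parseRetryAfterMs(value, now = Date.now()) {
  if (value == null) return null;
  const trimmed = String(value).trim();
  if (/^\d+$/.test(trimmed)) return Number(trimmed) * 1000;
  const at = Date.parse(trimmed);
  if (Number.isNaN(at)) return null;
  return Math.max(0, at - now);
}

// Attempt login. Returns a tagged result instead of throwing so every caller has to
// handle each branch explicitly: ok / mfa / rate_limited / error.
async function login(fetchImpl, username, password, baseUrl = BASE_URL) {
  const res = await fetchImpl(`${baseUrl}/api/auth/login`, {
    method: "POST",
    credentials: "include", // required so the browser stores the httpOnly cookie
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username, password }),
  });

  if (res.status === 429) {
    // Login is limited to 5 requests per 15 minutes per IP; back off for the advertised time.
    return { kind: "rate_limited", retryAfterMs: parseRetryAfterMs(res.headers.get("Retry-After")) };
  }
  if (!res.ok) {
    return { kind: "error", status: res.status };
  }

  const data = await res.json();
  if (data.needsMfa === true) {
    // tempToken is the handle for the MFA step. The page documents no MFA-verification
    // endpoint, so it is only surfaced here; keep it in memory, never in localStorage.
    return { kind: "mfa", tempToken: data.tempToken };
  }
  return { kind: "ok", role: data.role, empId: data.empId, orgId: data.orgId };
}

// Constructed fake fetch (assumption, not the real server) scripting the three
// documented outcomes so the example runs offline.
function makeFakeFetch(scenario) {
  return async (_url, _init) => {
    const headers = new Map();
    if (scenario === "429") {
      headers.set("Retry-After", "30");
      return { status: 429, ok: false, headers, json: async () => ({}) };
    }
    const body = scenario === "mfa"
      ? { needsMfa: true, tempToken: "eyJ..." }
      : { role: "admin", empId: 1, orgId: 1 };
    return { status: 200, ok: true, headers, json: async () => body };
  };
}

// Stand-alone run against the fake: prints one line per scenario.
(async () => {
  for (const s of ["ok", "mfa", "429"]) {
    console.log(s, await login(makeFakeFetch(s), "ivanov", "secret123"));
  }
})();
```

In a real page the fetchImpl argument is just window.fetch; the tagged result keeps the MFA and rate-limit branches from being silently treated as failed logins, which is what tends to produce retry loops that trip the 5-per-15-minutes limit.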
POST /api/auth/forgot-password   Public

Send password reset link to the email associated with the account.

Request body
{
  "email": "user@company.com"
}
Response
{ "ok": true }
POST /api/auth/reset-password   Public

Reset password using the token from the email link.

Request body
{
  "token": "abc123...",
  "password": "newPass456"
}
Response
{ "ok": true }
POST /api/signup   Public

Register a new organization. Creates org, admin employee, user, trial subscription, default game config.

Request body
{
  "orgName": "My Company",
  "name": "Admin Name",
  "email": "admin@company.com",
  "password": "secret123"
}
Response
{
  "ok": true,
  "slug": "my-company"
}

Profile

GET /api/auth/me   Cookie (JWT)

Return current session data: employee ID, role, name, feature flags, subscription status, platform announcements.

Response
{
  "empId": 1,
  "orgId": 1,
  "name": "Ivanov Ivan",
  "role": "admin",
  "adminSections": [],
  "featureFlags": { "arena": true },
  "subscriptionStatus": "active",
  "trialEndsAt": null
}
GET /api/employees/[id]   Cookie (JWT)

Get employee profile by ID. Non-admin users receive limited fields (no salary/sensitive data).

Response
{
  "id": 1,
  "name": "Ivanov Ivan",
  "role": "developer",
  "department": "Engineering",
  "level": 5,
  "xp": 12400,
  "hc": 3500
}
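As an added example (not WorkHub's own server code), this is one way to implement the "limited fields for non-admins" rule described above: shape the response from an allowlist keyed on the viewer's role rather than deleting known-sensitive keys from the full record. The public field list is taken from the response shown above; the admin-only field names "salary" and "personalEmail" and the stored record are constructed for illustration, since the page only says non-admins get no salary or sensitive data.

```javascript
// Added example (not WorkHub code): role-based allowlist shaping for GET /api/employees/[id].

// Fields every authenticated user may see (matches the documented response).
const PUBLIC_EMPLOYEE_FIELDS = ["id", "name", "role", "department", "level", "xp", "hc"];
// Assumed names for the admin-only data; the page does not list them.
const ADMIN_ONLY_FIELDS = ["salary", "personalEmail"];

// Build the view of an employee record for a viewer with the given role.
// Allowlisting means a column added to the record later is hidden by default;
// a blocklist (delete record.salary) would expose it until someone remembered to add it.
function employeeView(record, viewerRole) {
  const allowed = viewerRole === "admin"
    ? [...PUBLIC_EMPLOYEE_FIELDS, ...ADMIN_ONLY_FIELDS]
    : PUBLIC_EMPLOYEE_FIELDS;
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(record, key)) out[key] = record[key];
  }
  return out;
}

// Constructed sample record: the documented profile plus assumed sensitive columns
// and one column ("homeAddress") that nobody has classified yet.
const SAMPLE_EMPLOYEE = {
  id: 1,
  name: "Ivanov Ivan",
  role: "developer",
  department: "Engineering",
  level: 5,
  xp: 12400,
  hc: 3500,
  salary: 250000,
  personalEmail: "ivan@example.com",
  homeAddress: "unclassified column",
};

console.log("developer view:", employeeView(SAMPLE_EMPLOYEE, "developer"));
console.log("admin view:", employeeView(SAMPLE_EMPLOYEE, "admin"));
```

Note that even the admin view omits homeAddress: an unclassified column stays hidden from everyone until it is deliberately added to one of the lists, which is the failure mode the allowlist is there to catch.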

Billing

GET /api/billing/subscription   Cookie (admin)

Get current subscription. Auto-creates trial if missing.

Response
{
  "id": 1,
  "plan": "standard",
  "status": "trial",
  "billingCycle": "monthly",
  "monthlyPricePerEmployee": 199000,
  "employeeCount": 12,
  "trialEndsAt": "2026-04-22T00:00:00.000Z"
}
GET /api/billing/invoice   Cookie (admin)

List all invoices for the current organization, ordered by creation date desc.

Response
[
  {
    "id": 1,
    "number": "INV-2026-001",
    "amount": 2388000,
    "status": "paid",
    "issuedAt": "2026-04-01T00:00:00.000Z",
    "paidAt": "2026-04-02T10:00:00.000Z"
  }
]
POST /api/billing/invoice   Cookie (admin)

Create a new invoice manually (for ad-hoc billing or plan changes).

Request body
{
  "subscriptionId": 1,
  "periodStart": "2026-04-01",
  "periodEnd": "2026-04-30"
}
Response
{
  "id": 2,
  "number": "INV-2026-002",
  "amount": 2388000,
  "status": "pending"
}
GET /api/billing/invoice/[id]/pdf   Cookie (admin)

Download invoice as PDF. Returns Content-Type: application/pdf.

Response
Binary PDF file
GET /api/billing/invoice/[id]/act   Cookie (admin)

Download act of completed services as PDF.

Response
Binary PDF file
POST /api/billing/create-payment   Cookie (admin)

Initiate payment for an invoice. Returns a payment URL for the payment gateway.

Request body
{
  "invoiceId": 2
}
Response
{
  "paymentUrl": "https://pay.example.com/...",
  "paymentId": "pay_abc123"
}

Tasks

GET /api/tasks/spaces-with-boards   Cookie (JWT)

List task spaces the current user has access to, including boards and columns. Admins see all spaces.

Response
[
  {
    "id": 1,
    "name": "Development",
    "boards": [
      {
        "id": 1,
        "name": "Sprint 12",
        "columns": [
          { "id": 1, "name": "To Do", "order": 0 },
          { "id": 2, "name": "In Progress", "order": 1 },
          { "id": 3, "name": "Done", "order": 2 }
        ]
      }
    ]
  }
]

This documents the primary public and tenant API endpoints. The full portal includes 273+ routes for admin, gamification, HR, and more.

WorkHub Portal © 2026