Endpoint Registry — All API Routes

Complete inventory of all HTTP endpoints exposed by Granit framework modules.

Tip

Use this page to verify that your frontend API client matches the backend routes. The OpenAPI schema (available at /openapi/v1.json) is the authoritative source for request/response types — this page focuses on routes, methods, and permissions.

Conventions

• Route prefixes are relative — each module defines a short prefix (e.g., "templating", "blob-storage", "identity/users") via its *EndpointsOptions class. The application composes the full path by mounting modules under a versioned group:

// Application startup (e.g., Program.cs)
RouteGroupBuilder api = app.MapGroup("api/v{version:apiVersion}");

api.MapGranitBlobStorage();      // → /api/v1/blob-storage/blobs/...
api.MapGranitTemplating();       // → /api/v1/templating/templates/...
api.MapGranitIdentityUserCache();// → /api/v1/identity/users/...

• Permissions: follow [Group].[Resource].[Action] (three segments)
• Error responses: all endpoints return RFC 7807 Problem Details on errors
• Query endpoints (MapGranitQuery<T>) mount directly on their parent route group — no extra /query suffix
• Routes below show only the module-relative path (without the app prefix)

---

Authentication & API Keys

Module: Granit.Authentication.ApiKeys.Endpoints Prefix: authentication

Method	Route	Operation	Permission
GET	/api-keys	ListApiKeys	ApiKeys.Keys.Read
GET	/api-keys/{id:guid}	GetApiKeyById	ApiKeys.Keys.Read
POST	/api-keys	CreateApiKey	ApiKeys.Keys.Create
POST	/api-keys/{id:guid}/revoke	RevokeApiKey	ApiKeys.Keys.Revoke
POST	/api-keys/{id:guid}/rotate	RotateApiKey	ApiKeys.Keys.Rotate
PUT	/api-keys/{id:guid}/scopes	UpdateApiKeyScopes	ApiKeys.Keys.UpdateScopes

Idempotency

RevokeApiKey returns 404 if the key is already revoked instead of 204. A client retry after a timeout will get a spurious error. The domain should short-circuit when RevokedAt != null.

---

Authorization

Module: Granit.Authorization.Endpoints Prefix: authorization

Method	Route	Operation	Permission
GET	/permissions	GetMyPermissions	Authenticated
GET	/permissions/definitions	GetPermissionDefinitions	Admin
GET	/roles/{roleName}	GetRolePermissions	Admin
PUT	/roles/{roleName}/{permissionName}	GrantPermission	Admin
DELETE	/roles/{roleName}/{permissionName}	RevokePermission	Admin

---

Background Jobs

Module: Granit.BackgroundJobs.Endpoints Prefix: background-jobs

Method	Route	Operation	Permission
GET	/jobs/	GetAllBackgroundJobs	BackgroundJobs.Jobs.Manage
GET	/jobs/{name}	GetBackgroundJobByName	BackgroundJobs.Jobs.Manage
POST	/jobs/{name}/pause	PauseBackgroundJob	BackgroundJobs.Jobs.Manage
POST	/jobs/{name}/resume	ResumeBackgroundJob	BackgroundJobs.Jobs.Manage
POST	/jobs/{name}/trigger	TriggerBackgroundJob	BackgroundJobs.Jobs.Manage

Idempotency

• PauseBackgroundJob fires a BackgroundJobPausedEvent unconditionally — no if (IsEnabled) guard. Calling pause twice emits the event twice.
• ResumeBackgroundJob schedules a duplicate cron message on every call, even if the job is already running.

---

Blob Storage

Module: Granit.BlobStorage.Endpoints Prefix: blob-storage

Method	Route	Operation	Permission
GET	/blobs	QueryBlobDescriptor	BlobStorage.Blobs.Manage
GET	/blobs/meta	GetBlobDescriptorMeta	BlobStorage.Blobs.Manage
GET	/blobs/{id:guid}	GetBlobDescriptor	BlobStorage.Blobs.Manage
POST	/blobs/upload	InitiateBlobUpload	BlobStorage.Blobs.Manage
POST	/blobs/{id:guid}/confirm	ConfirmBlobUpload	BlobStorage.Blobs.Manage
POST	/blobs/{id:guid}/download-url	GenerateBlobDownloadUrl	BlobStorage.Blobs.Manage
DELETE	/blobs/{id:guid}	DeleteBlob	BlobStorage.Blobs.Manage
POST	/blobs/cleanup-orphans	CleanupOrphanedBlobs	BlobStorage.Blobs.Manage

Note

The GET /blobs and GET /blobs/meta endpoints are registered via MapGranitQuery<BlobDescriptor>() on the blobs sub-group.

Idempotency

ConfirmBlobUpload throws BlobNotValidException if the blob is already confirmed (Status != Pending). A client retry after a timeout will get an error even though the blob is in the desired state. The handler should short-circuit when Status == BlobStatus.Valid.

Blob Proxy (Token-based)

Module: Granit.BlobStorage.Proxy Prefix: /api/blobs (standalone, not under the blob-storage group)

Method	Route	Operation	Auth
PUT	/upload/{token}	BlobProxyUpload	Token-based
GET	/download/{token}	BlobProxyDownload	Token-based

---

BFF (Backend for Frontend)

Module: Granit.Bff.Endpoints Prefix: {pathPrefix}/bff (per-frontend, dynamic)

Tip

BFF endpoints are registered per frontend via MapGranitBff(). Each frontend gets its own route group with a unique path prefix. Operation IDs are suffixed with the frontend name (e.g., BffLogin_Admin).

OIDC Flow

Method	Route	Operation	Auth
GET	/login	BffLogin_{Name}	Anonymous
GET	/callback	BffCallback_{Name}	Anonymous
GET	/logout	BffLogout_{Name}	Anonymous
POST	/backchannel-logout	BffBackChannelLogout_{Name}	Anonymous

Session & User

Method	Route	Operation	Auth
GET	/user	BffGetUser_{Name}	Anonymous
POST	/csrf-token	BffGenerateCsrfToken_{Name}	Anonymous
GET	/sessions	BffListSessions_{Name}	Anonymous
DELETE	/sessions/{targetSessionId}	BffRevokeSession_{Name}	Anonymous
DELETE	/sessions	BffRevokeAllSessions_{Name}	Anonymous

Static Files (conditional)

Method	Route	Operation	Auth
GET	/{**path}	BffStaticFiles_{Name}	Anonymous

Note

The static files / SPA fallback endpoint is only registered when frontend.StaticFilesPath is configured.

---

Cookie Consent

Module: Granit.Http.Cookies.Endpoints Prefix: cookies

Method	Route	Operation	Auth
GET	/config	GetCookieConsentConfig	Anonymous

---

Customer Balance

Module: Granit.CustomerBalance.Endpoints Prefix: customer-balance

Method	Route	Operation	Permission
GET	/balance	GetCustomerBalance	CustomerBalance.Accounts.Read
GET	/transactions	ListBalanceTransactions	CustomerBalance.Transactions.Read
POST	/balance/credit	AddAdminCredit	CustomerBalance.Credits.Manage

---

Data Exchange

Module: Granit.DataExchange.Endpoints Prefix: data-exchange

Import

Method	Route	Operation	Permission
GET	/import/jobs	ListImportJobs	DataExchange.Import.*
POST	/import/jobs	UploadImportFile	DataExchange.Import.*
POST	/import/{jobId:guid}/preview	PreviewImportJob	DataExchange.Import.*
PUT	/import/{jobId:guid}/mappings	ConfirmImportMappings	DataExchange.Import.*
POST	/import/{jobId:guid}/execute	ExecuteImportJob	DataExchange.Import.*
POST	/import/{jobId:guid}/dry-run	DryRunImportJob	DataExchange.Import.*
GET	/import/{jobId:guid}	GetImportJobStatus	DataExchange.Import.*
DELETE	/import/{jobId:guid}	CancelImportJob	DataExchange.Import.*
GET	/import/{jobId:guid}/report	GetImportReport	DataExchange.Import.*
GET	/import/{jobId:guid}/correction-file	GetImportCorrectionFile	DataExchange.Import.*

Export

Method	Route	Operation	Permission
GET	/export/jobs	ListExportJobs	DataExchange.Export.*
POST	/export/jobs	CreateExportJob	DataExchange.Export.*
GET	/export/jobs/{jobId:guid}	GetExportJobStatus	DataExchange.Export.*
GET	/export/jobs/{jobId:guid}/download	DownloadExportFile	DataExchange.Export.*

Metadata

Method	Route	Operation	Permission
GET	/metadata/definitions	ListExportDefinitions	DataExchange.Export.*
GET	/metadata/definitions/{name}/fields	GetExportDefinitionFields	DataExchange.Export.*
GET	/metadata/presets/{definitionName}	ListExportPresets	DataExchange.Export.*
POST	/metadata/presets	SaveExportPreset	DataExchange.Export.*
DELETE	/metadata/presets/{definitionName}/{presetName}	DeleteExportPreset	DataExchange.Export.*

---

Features

Module: Granit.Features.Endpoints Prefix: features

Method	Route	Operation	Permission
GET	/definitions	GetFeatureDefinitions	Features.Flags.Read
GET	/values	GetAllFeatureValues	Authenticated
GET	/values/{name}	GetFeatureValue	Authenticated
PUT	/overrides/{name}	SetFeatureOverride	Features.Flags.Manage
DELETE	/overrides/{name}	DeleteFeatureOverride	Features.Flags.Manage

---

Identity

Identity uses three separate endpoint groups with distinct prefixes and separate registration methods.

User Cache (identity/users)

Module: Granit.Identity.Endpoints — MapGranitIdentityUserCache() Prefix: identity/users

Method	Route	Operation	Permission
GET	/	SearchIdentityUserCache	Identity.UserCache.Read
GET	/{userId}	GetIdentityUserById	Identity.UserCache.Read
POST	/batch	BatchResolveIdentityUsers	Identity.UserCache.Read
GET	/stats	GetIdentityUserCacheStats	Identity.UserCache.Read
GET	/capabilities	GetIdentityProviderCapabilities	Identity.UserCache.Read
POST	/sync	SyncIdentityUsers	Identity.UserCache.Sync
POST	/sync-all	SyncAllIdentityUsers	Identity.UserCache.Sync
POST	/sync-stale	SyncStaleIdentityUsers	Identity.UserCache.Sync
PATCH	/{userId}/pseudonymize	PseudonymizeIdentityUserCache	Identity.UserCache.Delete
DELETE	/{userId}	EraseIdentityUserCache	Identity.UserCache.Delete

Identity Provider (identity/provider)

Module: Granit.Identity.Endpoints — MapGranitIdentityProvider() Prefix: identity/provider

Users

Method	Route	Operation	Permission
GET	/users	GetIdentityProviderUsers	Identity.Users.Read
GET	/users/{userId}	GetIdentityProviderUser	Identity.Users.Read
POST	/users	CreateIdentityProviderUser	Identity.Users.Manage
PUT	/users/{userId}	UpdateIdentityProviderUser	Identity.Users.Manage
PATCH	/users/{userId}/enabled	SetIdentityProviderUserEnabled	Identity.Users.Manage

Roles

Method	Route	Operation	Permission
GET	/roles	GetIdentityProviderRoles	Identity.Roles.Read
GET	/roles/{roleName}/members	GetIdentityProviderRoleMembers	Identity.Roles.Read
GET	/users/{userId}/roles	GetIdentityProviderUserRoles	Identity.Roles.Read
PUT	/users/{userId}/roles/{roleName}	AssignIdentityProviderRole	Identity.Roles.Manage
DELETE	/users/{userId}/roles/{roleName}	RemoveIdentityProviderRole	Identity.Roles.Manage

Groups

Method	Route	Operation	Permission
GET	/groups	GetIdentityProviderGroups	Identity.Groups.Read
GET	/users/{userId}/groups	GetIdentityProviderUserGroups	Identity.Groups.Read
PUT	/users/{userId}/groups/{groupId}	AddIdentityProviderUserToGroup	Identity.Groups.Manage
DELETE	/users/{userId}/groups/{groupId}	RemoveIdentityProviderUserFromGroup	Identity.Groups.Manage

Sessions & Devices

Method	Route	Operation	Permission
GET	/users/{userId}/sessions	GetIdentityProviderUserSessions	Identity.Sessions.Read
DELETE	/users/{userId}/sessions/{sessionId}	TerminateIdentityProviderSession	Identity.Sessions.Manage
DELETE	/users/{userId}/sessions	TerminateAllIdentityProviderSessions	Identity.Sessions.Manage
GET	/users/{userId}/devices	GetIdentityProviderUserDevices	Identity.Sessions.Read

Passwords

Method	Route	Operation	Permission
GET	/users/{userId}/password/changed-at	GetIdentityProviderPasswordChangedAt	Identity.Passwords.Read
POST	/users/{userId}/password/reset-email	SendIdentityProviderPasswordResetEmail	Identity.Passwords.Manage
POST	/users/{userId}/password/temporary	SetIdentityProviderTemporaryPassword	Identity.Passwords.Manage

Webhook

Module: Granit.Identity.Endpoints — registered at identity/webhook (outside the identity/provider group, via MapGranitIdentityUserCache())

Method	Route	Operation	Auth
POST	/identity/webhook	IdentityWebhook	Signature-validated

---

Invoicing

Module: Granit.Invoicing.Endpoints Prefix: invoicing

Method	Route	Operation	Permission
GET	/invoices	QueryInvoice	Invoicing.Invoices.Read
GET	/invoices/meta	GetInvoiceMeta	Invoicing.Invoices.Read
GET	/invoices/{id:guid}	GetInvoiceById	Invoicing.Invoices.Read
GET	/invoices/{id:guid}/pdf	DownloadInvoicePdf	Invoicing.Invoices.Download
POST	/invoices	CreateInvoice	Invoicing.Invoices.Manage

Note

The GET /invoices list and GET /invoices/meta endpoints are registered via MapGranitQuery<Invoice>() on the invoices sub-group.

---

Localization

Module: Granit.Localization.Endpoints Prefix: localization

Method	Route	Operation	Permission
GET	/	GetGranitLocalization	Anonymous
GET	/overrides	GetLocalizationOverrides	Localization.Overrides.Manage
PUT	/overrides/{resourceName}/{cultureName}/{key}	PutLocalizationOverride	Localization.Overrides.Manage
DELETE	/overrides/{resourceName}/{cultureName}/{key}	DeleteLocalizationOverride	Localization.Overrides.Manage

---

Metering

Module: Granit.Metering.Endpoints Prefix: metering

Meter Definitions

Method	Route	Operation	Permission
GET	/meters	ListActiveMeters	Metering.Meters.Read
GET	/meters/{id:guid}	GetMeterDefinition	Metering.Meters.Read
POST	/meters	CreateMeterDefinition	Metering.Meters.Manage
PUT	/meters/{id:guid}	UpdateMeterDefinition	Metering.Meters.Manage
POST	/meters/{id:guid}/deactivate	DeactivateMeterDefinition	Metering.Meters.Manage

Usage & Quota

Method	Route	Operation	Permission
GET	/usage	GetUsageForPeriod	Metering.Usage.Read
GET	/quota/{meterId:guid}	CheckMeteringQuota	Metering.Usage.Read
POST	/events	RecordUsageEvents	Metering.Usage.Record

---

Multi-Tenancy

Module: Granit.MultiTenancy.Endpoints Prefix: multi-tenancy

Method	Route	Operation	Permission
GET	/tenants/	ListTenants	MultiTenancy.Tenants.Read
GET	/tenants/{id:guid}	GetTenant	MultiTenancy.Tenants.Read
POST	/tenants/	CreateTenant	MultiTenancy.Tenants.Create
PUT	/tenants/{id:guid}	UpdateTenant	MultiTenancy.Tenants.Update
POST	/tenants/{id:guid}/activate	ActivateTenant	MultiTenancy.Tenants.Update
POST	/tenants/{id:guid}/deactivate	DeactivateTenant	MultiTenancy.Tenants.Update

---

Notifications

Module: Granit.Notifications.Endpoints Prefix: notifications

Inbox

Method	Route	Operation	Auth
GET	/	GetNotifications	Authenticated
GET	/unread/count	GetUnreadCount	Authenticated
POST	/{id:guid}/read	MarkAsRead	Authenticated
POST	/read-all	MarkAllAsRead	Authenticated

Activity Feed

Method	Route	Operation	Auth
GET	/entity/{entityType}/{entityId}	GetEntityActivityFeed	Authenticated

Preferences & Subscriptions

Method	Route	Operation	Auth
GET	/preferences	GetPreferences	Authenticated
PUT	/preferences	UpdatePreference	Authenticated
GET	/types	GetNotificationTypes	Authenticated
GET	/subscriptions	GetSubscriptions	Authenticated
POST	/subscriptions/{typeName}	Subscribe	Authenticated
DELETE	/subscriptions/{typeName}	Unsubscribe	Authenticated

Entity Followers

Method	Route	Operation	Auth
POST	/entity/{entityType}/{entityId}/follow	FollowEntity	Authenticated
DELETE	/entity/{entityType}/{entityId}/follow	UnfollowEntity	Authenticated
GET	/entity/{entityType}/{entityId}/followers	GetEntityFollowers	Authenticated

---

Account Self-Service

Module: Granit.Identity.Local.Endpoints — MapGranitAccount() Prefix: account

Login

Method	Route	Operation	Auth
POST	/login	AccountLogin	Anonymous
POST	/login/two-factor	AccountTwoFactorLogin	Anonymous

Configuration

Method	Route	Operation	Auth
GET	/config	GetAccountConfig	Anonymous

Registration & Email

Method	Route	Operation	Auth
POST	/register	RegisterAccount	Anonymous
GET	/confirm-email	ConfirmEmail	Anonymous
POST	/resend-confirmation-email	ResendConfirmationEmail	Authenticated

Profile

Method	Route	Operation	Auth
GET	/profile	GetAccountProfile	Authenticated
PUT	/profile	UpdateAccountProfile	Authenticated

Password

Method	Route	Operation	Auth
POST	/change-password	ChangePassword	Authenticated
POST	/forgot-password	ForgotPassword	Anonymous
POST	/reset-password	ResetPassword	Anonymous

Two-Factor Authentication

Method	Route	Operation	Auth
GET	/two-factor	GetTwoFactorStatus	Authenticated
GET	/two-factor/authenticator-key	GetAuthenticatorKey	Authenticated
POST	/two-factor/enable	EnableTwoFactor	Authenticated
POST	/two-factor/disable	DisableTwoFactor	Authenticated
POST	/two-factor/recovery-codes	GenerateRecoveryCodes	Authenticated

Idempotency

• EnableTwoFactor regenerates recovery codes on every call — a client retry silently invalidates the codes from the first call.
• DisableTwoFactor rotates the security stamp on every call — a client retry kills all active sessions a second time.

External Logins

Method	Route	Operation	Auth
GET	/external-logins	ListExternalLogins	Authenticated
POST	/external-logins/challenge/{provider}	ChallengeExternalLogin	Anonymous
GET	/external-logins/callback	ExternalLoginCallback	Anonymous
DELETE	/external-logins/{provider}	UnlinkExternalLogin	Authenticated

Passkeys (WebAuthn)

Method	Route	Operation	Auth
GET	/passkeys	ListPasskeys	Authenticated
POST	/passkeys/register/begin	BeginPasskeyRegistration	Authenticated
POST	/passkeys/register/complete	CompletePasskeyRegistration	Authenticated
POST	/passkeys/assertion/begin	BeginPasskeyAssertion	Anonymous
POST	/passkeys/assertion/complete	CompletePasskeyAssertion	Anonymous
PATCH	/passkeys/{id}	RenamePasskey	Authenticated
DELETE	/passkeys/{id}	DeletePasskey	Authenticated

Account & Session

Method	Route	Operation	Auth
POST	/delete	DeleteAccount	Authenticated
POST	/session/heartbeat	SessionHeartbeat	Authenticated
POST	/session/back-to-impersonator	BackToImpersonator	Authenticated

---

OpenIddict Admin

OpenIddict admin endpoints manage OIDC applications, scopes, and authorizations. User/role/group admin is handled by Identity Provider.

Module: Granit.OpenIddict.Endpoints — MapGranitOpenIddict() Prefix: admin

Users (Local Identity)

Note

These endpoints are registered by Granit.Identity.Local.Endpoints within the OpenIddict admin route group via MapGranitOpenIddict().

Method	Route	Operation	Permission
GET	/users	ListUsers	OpenIddict.Users.Read
GET	/users/{userId}	GetUser	OpenIddict.Users.Read
POST	/users	CreateUser	OpenIddict.Users.Create
POST	/users/{userId}/impersonate	ImpersonateUser	OpenIddict.Users.Impersonate

OIDC Applications

Method	Route	Operation	Permission	Response
GET	/oidc/applications	ListOidcApplications	OpenIddict.Applications.Read	OidcApplicationResponse[]
POST	/oidc/applications	CreateOidcApplication	OpenIddict.Applications.Manage	201 / 409
DELETE	/oidc/applications/{clientId}	DeleteOidcApplication	OpenIddict.Applications.Manage	204 / 404
POST	/oidc/applications/{clientId}/rotate-secret	RotateOidcApplicationSecret	OpenIddict.Applications.Rotate	OidcSecretRotationResponse / 404

Response types:

interface OidcApplicationResponse {
  id: string;
  clientId: string;
  displayName: string;
  type: string; // "public" | "confidential"
}

interface OidcSecretRotationResponse {
  clientId: string;
  newSecret: string; // ⚠ Shown ONCE — display in a copyable modal
}

OIDC Scopes

Method	Route	Operation	Permission	Response
GET	/oidc/scopes	ListOidcScopes	OpenIddict.Scopes.Read	OidcScopeResponse[]
POST	/oidc/scopes	CreateOidcScope	OpenIddict.Scopes.Manage	201 / 409
DELETE	/oidc/scopes/{scopeName}	DeleteOidcScope	OpenIddict.Scopes.Manage	204 / 404

interface OidcScopeResponse {
  id: string;
  name: string;
  displayName: string;
}

OIDC Authorizations

Method	Route	Operation	Permission	Response
GET	/oidc/authorizations	ListOidcAuthorizations	OpenIddict.Authorizations.Read	OidcAuthorizationResponse[]
DELETE	/oidc/authorizations/{authorizationId:guid}	RevokeOidcAuthorization	OpenIddict.Authorizations.Revoke	204 / 404
DELETE	/oidc/authorizations/user/{userId}	RevokeUserOidcAuthorizations	OpenIddict.Authorizations.Revoke	204

interface OidcAuthorizationResponse {
  id: string;
  subject: string; // userId
  status: string;  // "valid" | "revoked"
  type: string;    // "permanent" | "ad-hoc"
}

---

Payments

Module: Granit.Payments.Endpoints Prefix: payments

Payment Methods

Method	Route	Operation	Permission
GET	/methods	ListPaymentMethods	Payments.Methods.Read
GET	/methods/available	GetAvailablePaymentMethods	Payments.Methods.Read
POST	/methods	AttachPaymentMethod	Payments.Methods.Manage
DELETE	/methods/{id:guid}	DetachPaymentMethod	Payments.Methods.Manage

Transactions & Charges

Method	Route	Operation	Permission
GET	/transactions	ListPaymentTransactions	Payments.Transactions.Read
GET	/transactions/{id:guid}	GetPaymentTransaction	Payments.Transactions.Read
POST	/charge	InitiatePaymentCharge	Payments.Charges.Execute
POST	/refund	RequestPaymentRefund	Payments.Refunds.Execute

Checkout & Webhooks

Method	Route	Operation	Auth
POST	/checkout	CreateCheckoutSession	Payments.Charges.Execute
POST	/webhooks/{provider}	HandlePaymentWebhook	Anonymous

---

Privacy (GDPR)

Module: Granit.Privacy.Endpoints Prefix: privacy

Regulation & Purposes

Method	Route	Operation	Permission
GET	/regulation	GetApplicableRegulation	Authenticated
GET	/purposes	ListProcessingPurposes	Privacy.Purposes.Read

Opt-Out (CCPA)

Method	Route	Operation	Auth
POST	/opt-out	RequestOptOut	Anonymous
GET	/opt-out/status	GetOptOutStatus	Anonymous

Data Export (Art. 15/20)

Method	Route	Operation	Permission
POST	/exports	RequestPrivacyExport	Privacy.Export.Execute
GET	/exports/{requestId:guid}	GetPrivacyExportStatus	Privacy.Export.Execute
GET	/exports	ListPrivacyExports	Privacy.Export.Execute

Data Deletion (Art. 17)

Method	Route	Operation	Permission
POST	/deletions	RequestPrivacyDeletion	Privacy.Deletion.Execute
POST	/deletions/{requestId:guid}/cancel	CancelPrivacyDeletion	Privacy.Deletion.Execute
GET	/deletions/{requestId:guid}	GetPrivacyDeletionStatus	Privacy.Deletion.Execute
GET	/deletions	ListPrivacyDeletions	Privacy.Deletion.Execute

Idempotency

CancelPrivacyDeletion returns 409 Conflict if the deletion is already cancelled (target state reached). A client retry after timeout will get a spurious error.

Legal Agreements (Art. 7)

Method	Route	Operation	Permission
GET	/agreements/documents	ListPrivacyLegalDocuments	Privacy.Agreements.Read
GET	/agreements/status	GetPrivacyConsentStatus	Privacy.Agreements.Read
GET	/agreements/history	ListPrivacyAgreementHistory	Privacy.Agreements.Read
POST	/agreements/accept	AcceptPrivacyAgreement	Privacy.Agreements.Create

Legal Documents (Admin)

Method	Route	Operation	Permission
GET	/legal-documents/	ListLegalDocumentVersions	Privacy.LegalDocuments.Read
GET	/legal-documents/{id:guid}	GetLegalDocument	Privacy.LegalDocuments.Read
POST	/legal-documents/	CreateLegalDocument	Privacy.LegalDocuments.Create
PUT	/legal-documents/{id:guid}	UpdateLegalDocument	Privacy.LegalDocuments.Manage
POST	/legal-documents/{id:guid}/publish	PublishLegalDocument	Privacy.LegalDocuments.Manage

---

QueryEngine

Module: Granit.QueryEngine.AspNetCore Prefix: mounts on the calling group — no extra prefix by default

Tip

MapGranitQuery<T>() registers query, metadata, and saved-view endpoints directly on the current route group. The module’s existing group structure defines the route — there is no separate pattern parameter.

// Single-entity module — mounts directly on the module group
group.MapGranitQuery<BlobDescriptor>(
    sp => sp.GetRequiredService<IBlobQueryableProvider>().GetDescriptors());
// → GET /blobs, GET /blobs/meta, GET /blobs/saved-views, …

// Multi-entity module — create a sub-group first
group.MapGroup("deliveries").MapGranitQuery<WebhookDeliveryAttempt>(
    sp => sp.GetRequiredService<IWebhookQueryableProvider>().GetDeliveryAttempts());
// → GET /webhooks/deliveries, GET /webhooks/deliveries/meta, …

Note

Operation IDs are suffixed with the entity type name. For example, MapGranitQuery<BlobDescriptor>() produces QueryBlobDescriptor, GetBlobDescriptorMeta, GetBlobDescriptorSavedViews, etc.

Method	Route	Operation
GET	/	Query{EntityName}
GET	/meta	Get{EntityName}Meta
GET	/saved-views	Get{EntityName}SavedViews
POST	/saved-views	Create{EntityName}SavedView
PUT	/saved-views/{id}	Update{EntityName}SavedView
DELETE	/saved-views/{id}	Delete{EntityName}SavedView
POST	/saved-views/{id}/set-default	SetDefault{EntityName}SavedView

---

Scheduling

Module: Granit.Scheduling.Endpoints Prefix: scheduling

Method	Route	Operation	Permission
GET	/scheduled-actions/{id:guid}	GetScheduledActionById	Scheduling.Actions.Read
DELETE	/scheduled-actions/{id:guid}	CancelScheduledAction	Scheduling.Actions.Manage
PUT	/scheduled-actions/{id:guid}/reschedule	RescheduleScheduledAction	Scheduling.Actions.Manage

---

Settings

Module: Granit.Settings.Endpoints Prefix: settings (three independent sub-groups: settings/user, settings/tenant, settings/global)

Method	Route	Operation	Permission
GET	/user	GetAllUserSettings	Authenticated
GET	/user/{name}	GetUserSetting	Authenticated
PUT	/user/{name}	UpdateUserSetting	Authenticated
DELETE	/user/{name}	DeleteUserSetting	Authenticated
GET	/tenant	GetAllTenantSettings	Settings.Tenant.Read
PUT	/tenant/{name}	UpdateTenantSetting	Settings.Tenant.Manage
GET	/global	GetAllGlobalSettings	Settings.Global.Read
PUT	/global/{name}	UpdateGlobalSetting	Settings.Global.Manage

---

Templating

Module: Granit.Templating.Endpoints Prefix: templating

Templates (templates/)

Method	Route	Operation	Permission
GET	/templates/	ListTemplates	Templates.Templates.Manage
GET	/templates/{name}	GetTemplateDetail	Templates.Templates.Manage
POST	/templates/	CreateTemplateDraft	Templates.Templates.Manage
PUT	/templates/{name}	UpdateTemplateDraft	Templates.Templates.Manage
DELETE	/templates/{name}/draft	DeleteTemplateDraft	Templates.Templates.Manage
POST	/templates/{name}/publish	PublishTemplate	Templates.Templates.Manage
POST	/templates/{name}/unpublish	UnpublishTemplate	Templates.Templates.Manage
GET	/templates/{name}/lifecycle	GetTemplateLifecycle	Templates.Templates.Manage
POST	/templates/{name}/preview	PreviewTemplate	Templates.Templates.Manage
GET	/templates/{name}/variables	GetTemplateVariables	Templates.Templates.Manage
GET	/templates/{name}/history	GetTemplateHistory	Templates.Templates.Manage
GET	/templates/{name}/history/{revisionId:guid}	GetTemplateRevisionDetail	Templates.Templates.Manage

Layouts

Method	Route	Operation	Permission
GET	/layouts	ListAvailableLayouts	Templates.Templates.Manage

Categories

Method	Route	Operation	Permission
GET	/categories	ListTemplateCategories	Templates.Templates.Manage
POST	/categories	CreateTemplateCategory	Templates.Templates.Manage
PUT	/categories/{id:guid}	UpdateTemplateCategory	Templates.Templates.Manage
DELETE	/categories/{id:guid}	DeleteTemplateCategory	Templates.Templates.Manage

---

Subscriptions

Module: Granit.Subscriptions.Endpoints Prefix: subscriptions

Plans

Method	Route	Operation	Permission
GET	/plans	ListPlans	Subscriptions.Plans.Read
GET	/plans/{id:guid}	GetPlanById	Subscriptions.Plans.Read
POST	/plans	CreatePlan	Subscriptions.Plans.Manage
PUT	/plans/{id:guid}	UpdatePlan	Subscriptions.Plans.Manage
POST	/plans/{id:guid}/publish	PublishPlan	Subscriptions.Plans.Manage
POST	/plans/{id:guid}/archive	ArchivePlan	Subscriptions.Plans.Manage

Idempotency

PublishPlan and ArchivePlan return 409 Conflict if the plan is already in the target state, despite having IdempotentAttribute. The domain methods should short-circuit with a guard instead of throwing.

Pricing

Method	Route	Operation	Permission
GET	/plans/{planId:guid}/prices/history	GetPlanPriceHistory	Subscriptions.Prices.Read
POST	/plans/{planId:guid}/prices	CreatePriceVersion	Subscriptions.Prices.Manage
POST	/subscriptions/{id:guid}/migrate-price	MigrateSubscriptionPrice	Subscriptions.Prices.Manage
POST	/subscriptions/bulk-migrate-price	BulkMigrateSubscriptionPrice	Subscriptions.Prices.Manage

Subscriptions

Method	Route	Operation	Permission
GET	/subscriptions/active	GetActiveSubscription	Subscriptions.Subscriptions.Read
GET	/subscriptions/{id:guid}	GetSubscriptionById	Subscriptions.Subscriptions.Read
POST	/subscriptions	CreateSubscription	Subscriptions.Subscriptions.Manage
POST	/subscriptions/{id:guid}/cancel	CancelSubscription	Subscriptions.Subscriptions.Manage
POST	/subscriptions/{id:guid}/change-plan	ChangeSubscriptionPlan	Subscriptions.Subscriptions.Manage

Seats

Method	Route	Operation	Permission
GET	/subscriptions/{id:guid}/seats	ListSeats	Subscriptions.Seats.Read
POST	/subscriptions/{id:guid}/seats	AssignSeat	Subscriptions.Seats.Manage
DELETE	/subscriptions/{id:guid}/seats/{userId:guid}	RevokeSeat	Subscriptions.Seats.Manage

---

Tax

Module: Granit.Tax.Endpoints Prefix: tax

Method	Route	Operation	Permission
GET	/rates/	GetAllTaxRates	Tax.Rates.Read
GET	/rates/{countryCode}	GetTaxRateByCountry	Tax.Rates.Read
POST	/ids/validate	ValidateTaxId	Tax.Validations.Execute

---

Timeline

Module: Granit.Timeline.Endpoints Prefix: timeline

Method	Route	Operation	Permission
GET	/{entityType}/{entityId}	GetTimelineStream	Timeline.Entries.Read
POST	/{entityType}/{entityId}/entries	PostTimelineEntry	Timeline.Entries.Read
DELETE	/{entityType}/{entityId}/entries/{entryId:guid}	DeleteTimelineEntry	Timeline.Entries.Read

Entity Followers

Method	Route	Operation	Permission
POST	/{entityType}/{entityId}/follow	FollowTimelineEntity	Timeline.Entries.Read
DELETE	/{entityType}/{entityId}/follow	UnfollowTimelineEntity	Timeline.Entries.Read
GET	/{entityType}/{entityId}/followers	GetTimelineFollowers	Timeline.Entries.Read

---

Validation

Module: Granit.Validation.Endpoints Prefix: validation

Method	Route	Operation	Auth
POST	/validate	ValidateField	Anonymous
POST	/validate-batch	ValidateFieldBatch	Anonymous
GET	/validators	GetRegisteredValidators	Anonymous

---

Webhooks

Module: Granit.Webhooks.Endpoints Prefix: webhooks

Module Config

Note

Registered separately via MapGranitWebhooksConfig(), not part of MapGranitWebhooks().

Method	Route	Operation	Permission
GET	/config	GetWebhooksConfig	Webhooks.Subscriptions.Manage

Event Types

Method	Route	Operation	Permission
GET	/event-types	GetWebhookEventTypes	Webhooks.Subscriptions.Manage

Subscriptions — Query

Method	Route	Operation	Permission
GET	/subscriptions	QueryWebhookSubscription	Webhooks.Subscriptions.Manage
GET	/subscriptions/meta	GetWebhookSubscriptionMeta	Webhooks.Subscriptions.Manage

Note

The subscription list and metadata endpoints are registered via MapGranitQuery<WebhookSubscription>().

Subscriptions — CRUD

Method	Route	Operation	Permission
GET	/subscriptions/{id:guid}	GetWebhookSubscription	Webhooks.Subscriptions.Manage
POST	/subscriptions	CreateWebhookSubscription	Webhooks.Subscriptions.Manage
PUT	/subscriptions/{id:guid}	UpdateWebhookSubscription	Webhooks.Subscriptions.Manage
DELETE	/subscriptions/{id:guid}	DeleteWebhookSubscription	Webhooks.Subscriptions.Manage

Subscriptions — Lifecycle

Method	Route	Operation	Permission
POST	/subscriptions/{id:guid}/activate	ActivateWebhookSubscription	Webhooks.Subscriptions.Manage
POST	/subscriptions/{id:guid}/suspend	SuspendWebhookSubscription	Webhooks.Subscriptions.Manage
POST	/subscriptions/{id:guid}/deactivate	DeactivateWebhookSubscription	Webhooks.Subscriptions.Manage

Idempotency

All three lifecycle endpoints throw InvalidOperationException if the subscription is already in the target state (e.g., activating an Active subscription), despite having IdempotentAttribute. The domain FSM should short-circuit when already in the target state.

Subscriptions — Operations

Method	Route	Operation	Permission
POST	/subscriptions/{id:guid}/rotate-secret	RotateWebhookSecret	Webhooks.Subscriptions.Manage
POST	/subscriptions/{id:guid}/test-ping	TestWebhookPing	Webhooks.Subscriptions.Manage

Statistics & Deliveries

Method	Route	Operation	Permission
GET	/stats	GetWebhookStats	Webhooks.Subscriptions.Manage
GET	/deliveries	QueryWebhookDeliveryAttempt	Webhooks.Subscriptions.Manage
GET	/deliveries/meta	GetWebhookDeliveryAttemptMeta	Webhooks.Subscriptions.Manage
POST	/deliveries/{deliveryId:guid}/retry	RetryWebhookDelivery	Webhooks.Subscriptions.Manage

Note

GET /deliveries and GET /deliveries/meta are registered via MapGranitQuery<WebhookDeliveryAttempt>(). The retry endpoint is registered separately via MapGranitWebhooksRedelivery().

---

Workflow

Module: Granit.Workflow.Endpoints Prefix: workflow

Note

Transition operation IDs are dynamic — suffixed with the state enum type name. For example, with an OrderState enum: GetAvailableOrderStateTransitions, ExecuteOrderStateTransition.

Method	Route	Operation	Permission
GET	/{entityType}/{entityId}/history	GetWorkflowTransitionHistory	Workflow.History
GET	/transitions	GetAvailable{TState}Transitions	Workflow.History
POST	/transitions	Execute{TState}Transition	Workflow.History

---

AI

Module: Granit.AI.Endpoints Prefix: ai

Workspaces (Admin)

Method	Route	Operation	Permission
GET	/workspaces	ListAIWorkspaces	AI.Workspaces.*
GET	/workspaces/{name}	GetAIWorkspace	AI.Workspaces.*
POST	/workspaces	CreateAIWorkspace	AI.Workspaces.*
PUT	/workspaces/{name}	UpdateAIWorkspace	AI.Workspaces.*
DELETE	/workspaces/{name}	DeleteAIWorkspace	AI.Workspaces.*

Chat & Embeddings

Method	Route	Operation	Permission
POST	/chat/{workspaceName}	AIChatComplete	AI.Chat.Execute
POST	/chat/{workspaceName}/stream	AIChatStream	AI.Chat.Execute
POST	/embeddings/{workspaceName}	AIGenerateEmbeddings	AI.Embedding.Generate

---

Audit Log

Module: Granit.Auditing.Endpoints Prefix: auditing

Method	Route	Operation	Permission
GET	/audit-entries/	GetAuditEntries	Auditing.AuditEntries.Read
GET	/audit-entries/{id:guid}	GetAuditEntryById	Auditing.AuditEntries.Read
GET	/audit-entries/entity/{entityType}/{entityId}	GetAuditEntriesByEntity	Auditing.AuditEntries.Read
GET	/audit-entries/correlation/{correlationId}	GetAuditEntriesByCorrelationId	Auditing.AuditEntries.Read
POST	/audit-entries/pseudonymize/{userId}	PseudonymizeAuditEntries	Auditing.AuditEntries.Manage

---

Diagnostics

Module: Granit.Diagnostics.Endpoints Prefix: diagnostics

Method	Route	Operation	Auth
GET	/health	GetMonitoringHealth	Authenticated

---

Reference Data

Module: Granit.ReferenceData.Endpoints Prefix: reference-data

Caution

Reference Data endpoints are registered per entity type by the application via MapGranitReferenceData<T>(). Each entity gets its own sub-group under the prefix. Operation IDs are suffixed with the entity type name (e.g., GetAllCountry, GetCountryByCode).

Method	Route	Operation	Permission
GET	/	GetAll{EntityType}	Read
GET	/{code}	Get{EntityType}ByCode	Read
GET	/{code}/children	Get{EntityType}Children	Read
POST	/	Create{EntityType}	Admin
PUT	/{code}	Update{EntityType}	Admin
DELETE	/{code}	Deactivate{EntityType}	Admin

---

Summary

Module	Endpoints	Auth model
AI	8	Permission-based
API Keys	6	Permission-based
Audit Log	5	Permission-based
Authorization	5	Admin + Authenticated
Background Jobs	5	Permission-based
BFF	10 per frontend	Anonymous (session-based)
Blob Storage	8 + 2 proxy	Permission + Token
Cookie Consent	1	Anonymous
Customer Balance	3	Permission-based
Data Exchange	19	Permission-based
Diagnostics	1	Authenticated
Features	5	Permission + Authenticated
Identity — Cache	10	Permission-based
Identity — Provider	19 + webhook	Permission-based
Invoicing	5	Permission-based
Localization	4	Anonymous + Permission
Metering	8	Permission-based
Multi-Tenancy	6	Permission-based
Notifications	14	Authenticated
Account Self-Service	28	Anonymous + Authenticated
OpenIddict — Admin	14	Permission-based
Payments	10	Permission + Anonymous
Privacy (GDPR)	20	Permission + Anonymous
QueryEngine	7 per entity	App-defined
Reference Data	6 per entity	App-defined
Scheduling	3	Permission-based
Settings	8	Authenticated + Permission
Subscriptions	18	Permission-based
Tax	3	Permission-based
Templating	17	Permission-based
Timeline	6	Permission-based
Validation	3	Anonymous
Webhooks	17	Permission-based
Workflow	3	Permission-based
Total	~290+