API Overview¶
Prism's HTTP surface is an Express monolith (mounted in index.js) plus a small set of serverless (Lambda) endpoints in the prism-services repo. It is overwhelmingly POST-based, JSON-bodied, and token-authenticated via custom headers. Many endpoints enqueue work rather than completing it synchronously.
Validation legend:
verified against source ·
representative, verify
1. Base paths and their mounts¶
All mounts are in index.js (route-mounting block). Full per-route tables: Endpoint Reference.
| Base path | Router file | Purpose | Typical auth |
|---|---|---|---|
/crm_api |
routes/crm.js |
Legacy — 100+ staff/web endpoints (customers, campaigns, ingestion) | authMiddleware (many open) |
/crm_api/v2 |
routes/crmv2.js |
New v2 endpoints (dashboard data, Gupshup partner) | mixed / open |
| (root) | routes/injestion.js |
Order ingestion + POS loyalty (/injestion/*, /api/*, /sync/*) |
crm_offer_middleware, injestion_middleware, or open |
/integration/v1 |
routes/prismIntegration.js |
3rd-party POS integration (users, loyalty, rewards, wallet) | crm_offer_middleware (all) |
/posist/v1 |
routes/posistLoyaltyIntegration.js |
Posist loyalty/coupon integration | open |
/stats |
routes/stats.js |
Dashboard metrics (12 endpoints) | authMiddleware (all) |
(via crm.js) |
routes/prism_routes/* |
Sub-features: campaign_tag, digital_bill, fraud_rules, loyalty_rewards, order_360, qr_code, whatsapp_login | per-feature |
The prism-services Lambdas expose their own HTTP endpoints (/crm_api/injestion/{pos}, /whatsapp/send, /whatsapp/receipts) — see Endpoint Reference §Serverless.
2. Request & response conventions¶
- Method: almost everything is POST, even reads (e.g.
POST /get/customer/details,POST /stats/metrics/orders). Body carries all inputs. Rare GETs exist (GET /track/whatsapp/link/:token). - Body: JSON (or url-encoded form). Common tenant/identity fields:
userId,business_id/businessId,parent_business_id,parent_id,contactMappingId. - Auth headers (never
Bearerunless noted): token: <value>— staff/app auth (authMiddleware,adminMiddleware,injestion_middleware,thirdPartyMiddleware).Authorization: <raw-token>— POS integration (crm_offer_middleware, MongoDBauthorization_token).Authorization: Bearer <jwt>— internal JWT routes (jwtMiddleware,jwtWhatsappMiddleware).source: web|mobile— branchesauthMiddleware.x-trace-id— optional; correlates logs (else auto-generated).- Auth details: Authentication.
3. Common response / error shapes¶
There is no single global envelope; two families dominate.
Integration family (crm_offer_middleware, /integration/v1, /injestion/api/*) — the status/error_code shape :
status: 1 = success, status: 0 = failure. Error codes are uE_<n> (e.g. uE_101 = auth failure, emitted by crm_offer_middleware).
Staff family (authMiddleware, adminMiddleware) — plain message on auth failure :
{ "message": "invalid credentials" } // 403
{ "message": "authentication failed" } // 500 (fail-closed)
Ingestion / enqueue — a lightweight ack (representative ):
Success payloads vary per controller. Where this doc shows a success body it is marked representative — verify unless quoted from source.
4. Sync vs. enqueue¶
The single most important API behaviour in Prism: many POSTs return 200 after enqueuing, then a cron does the real work. (Full lifecycle: Request Lifecycle §2.)
flowchart LR
A[POST endpoint] --> B{Work type}
B -->|read| C[Query Mongo/MySQL/Redis] --> D[JSON result]
B -->|write needing async| E[Insert into queue<br/>e.g. crm_queue status:0] --> F[200 accepted]
F -.later.-> G[Cron / Lambda consumer<br/>processes the queue]
- Fire-and-forget:
POST /injestion/uengage(injestionController.crmQueue) inserts intocrm_queuewithstatus:0and returns — order processing happens in the ingestion cron. - Dual ingestion path
: the same order sources are also ingested by the
prism-servicesorders-consumerLambda writing to the samecrm_queue. See Order Ingestion and map-05. - Synchronous: loyalty checks/redemptions (
/api/redeemLoyalty,/integration/v1/redeem_points) and all/stats/*metrics respond with computed data inline.
When something "didn't happen", first decide whether the endpoint was sync or enqueue, then check the relevant queue (crm_queue, points queue, WhatsApp/SMS/push queues) — see Request Lifecycle §5.
5. Per-module API cross-links¶
| Area | Module doc |
|---|---|
Order ingestion (/injestion/*) |
Order Ingestion |
Loyalty & rewards (/integration/v1, /api/*Loyalty, loyalty_rewards) |
Loyalty |
Wallet (/get_wallet_ledger, /deduct_wallet_points) |
Wallet |
Campaigns (/create/bulk/campaign, add_config) |
Campaigns |
Dashboard metrics (/stats/*) |
Dashboard Analytics |
Digital bills (prism_routes/digital_bill) |
Digital Bills |
| WhatsApp (login + serverless send/receipts) |
Related¶
- Endpoint Reference — consolidated route tables + example payloads
- Authentication · Security Overview
- Request Lifecycle
- Deployment