API Reference
Curupira publishes two interactive OpenAPI/Swagger surfaces, gated by the role you hold. Both are served behind Curupira's own authentication — you sign in (or register a free account) with your Curupira account, and the role attached to your account decides which reference you can open. The interactive docs then attach your access token to every Try it out request automatically.
The two surfaces
1. Full internal reference → — requires api-docs.internal
- Audience: DW-Corp operators and internal engineers.
- Scope: every documented endpoint — the complete admin API, OAuth2/OIDC protocol endpoints, and GDPR data-subject-rights endpoints.
- Access: requires the
api-docs.internalrole (granted through Curupira's RBAC).
2. Public reference → — requires api-docs.public
- Audience: application developers integrating with Curupira.
- Scope: the OAuth2/OpenID Connect protocol endpoints, discovery, and self-service GDPR — the
surface a relying application needs. It never exposes any
/api/admin/endpoint. - Access: requires the
api-docs.publicrole, which you receive automatically when you self-register through the docs application.
How sign-in works
Each reference page is authorize-first: because the specs are themselves protected, the page shows
a Sign in with Curupira button first. Signing in runs the standard OAuth2 Authorization-Code +
PKCE flow against the docs application; on return, your access token is used to load the spec and to
authorize Try it out. Nothing is stored beyond your browser tab (the token lives in
sessionStorage and is cleared when you close the tab). Use Sign out on a reference page to drop
it sooner.