Every module and schema automatically gets versioned REST endpoints. No boilerplate controllers, no manual route registration — define a schema and the API is ready.
Each endpoint is defined through routesMeta — a declarative structure that holds the path, HTTP method, required abilities, rate-limit tier, policy references, and human-readable documentation. There is no separate OpenAPI file to maintain; the metadata is the documentation.
'routesMeta' => [
    'index' => [
        'method' => 'GET',
        'path' => '/enravo/v1/products',
        'ability' => 'product:read',
        'policy' => 'tenant-isolation',
        'rate_limit' => 'standard',
        'description' => 'List all products for the current tenant.',
    ],
    'store' => [
        'method' => 'POST',
        'path' => '/enravo/v1/products',
        'ability' => 'product:write',
        'policy' => 'tenant-isolation',
        'rate_limit' => 'strict',
        'description' => 'Create a new product record.',
    ],
]

Standardized response envelope returned by every API endpoint.
/enravo/v1/products 200
{
  "success": true,
  "data": [
    {
      "id": 12,
      "name": "Enterprise License",
      "sku": "ENR-ENT-001",
      "status": "active"
    }
  ],
  "pagination": {
    "page": 1,
    "per_page": 25,
    "total": 87
  },
  "timestamp": "2025-11-02T14:22:08Z",
  "request_id": "req_a4f8c2e1"
}

Every inbound request passes through a deterministic sequence of guards before it reaches any controller logic. JWT validation, Proof-of-Possession verification, rate limiting, and policy evaluation happen in a fixed order — if any guard rejects, the request is denied immediately with a clear error response.
// Guard pipeline — executed in order for every request
$guards = [
    JwtAuthGuard::class,          // 1. Validate token signature & expiry
    PoPVerificationGuard::class,  // 2. Proof-of-Possession check
    RateLimitGuard::class,        // 3. Enforce rate-limit tier
    PolicyGuard::class,           // 4. Evaluate ability & policy rules
];

// If any guard returns false → 401/403 immediately
// All guards pass → request reaches the controller

From the client to the standardized response — every API call follows the same deterministic path.
Client
Web, mobile, or server-side consumer sends a signed request
Guard Pipeline
JWT, PoP, rate limit, and policy checks in sequence
Router
Resolves versioned route and binds parameters from routesMeta
Controller
Auto-generated or custom logic executes the operation
Standardized Response
Consistent envelope with success, data, pagination, and request_id
Built-in features that every auto-generated endpoint inherits without additional configuration.
Every endpoint returns the same envelope — success flag, typed data payload, pagination metadata, timestamp, and request ID. Clients never guess the shape of a response.
Route metadata is automatically compiled into OpenAPI-compatible documentation. New modules appear in the API reference the moment they are registered.
Store endpoints and commerce REST API routes are protected by the same guard pipeline, ensuring consistent authentication and policy enforcement across all operations.
When a module boots, its routesMeta entries are auto-registered as versioned REST endpoints. No manual route files, no controller wiring — just declare and serve.
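Because routes are registered straight from routesMeta, a check at boot can refuse any entry whose guard metadata is incomplete. The following is an added example, not Enravo's own code: the key names come from the listing on this page, while auditRoutesMeta, the allowed-method set, the path pattern and the fail-closed rule are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: key names are taken from the routesMeta listing on this page;
// the function name, method set and path pattern are assumptions.
const REQUIRED_KEYS = ['method', 'path', 'ability', 'policy', 'rate_limit', 'description'];
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'];

// Returns a list of problems; an empty list means every route carries its guard metadata.
function auditRoutesMeta(array $routesMeta): array
{
    $problems = [];
    foreach ($routesMeta as $name => $meta) {
        if (!is_array($meta)) {
            $problems[] = "$name: entry is not an array";
            continue;
        }
        foreach (REQUIRED_KEYS as $key) {
            // Assumed fail-closed rule: missing guard metadata is an error, never a default.
            if (!isset($meta[$key]) || !is_string($meta[$key]) || trim($meta[$key]) === '') {
                $problems[] = "$name: missing or empty '$key'";
            }
        }
        $method = $meta['method'] ?? null;
        if (is_string($method) && !in_array($method, ALLOWED_METHODS, true)) {
            $problems[] = "$name: unexpected method '$method'";
        }
        $path = $meta['path'] ?? null;
        // Versioned prefix as shown on the page (/enravo/v1/...); the tail pattern is assumed.
        if (is_string($path) && !preg_match('#^/enravo/v\d+/[A-Za-z0-9/_{}-]+\z#', $path)) {
            $problems[] = "$name: path '$path' is not under a versioned /enravo/vN/ prefix";
        }
    }
    return $problems;
}

// Constructed sample: 'index' is copied from the page, 'destroy' is a made-up faulty entry.
$routesMeta = [
    'index' => ['method' => 'GET', 'path' => '/enravo/v1/products', 'ability' => 'product:read',
                'policy' => 'tenant-isolation', 'rate_limit' => 'standard',
                'description' => 'List all products for the current tenant.'],
    'destroy' => ['method' => 'DELETE', 'path' => '/products/{id}', 'ability' => '',
                  'rate_limit' => 'strict', 'description' => 'Delete a product.'],
];

foreach (auditRoutesMeta($routesMeta) as $problem) {
    echo $problem, PHP_EOL;
}
```

Run in CI or at module boot, a non-empty result should block registration of that module rather than log a warning.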