Application API
Clear API and contract surface for TopoloMDM, grouped under the application instead of split across generic reference sections.
App IDs:
app_topolo_mdm app_topolo_mdm_api Repos: apps/TopoloMDM
Hosts:
https://mdm.topolo.app https://mdm-api.topolo.app https://mdm.stg.topolo.us https://mdm-api.stg.topolo.us Dependencies: topolo-auth, applications-packages, topolo-developers
Depends on Topolo Auth: yes
Type: curated
Source: system-apps/TopoloDocs/src/content/public/applications/mdm.mdx
Source exists: no
Canonical MDM coverage now lives in the docs application, and the console authenticated workspace renders through `TopoloAppShell`, inheriting shared Improve Topolo and TopoloNotify chrome while keeping fleet workflows MDM-owned. The console now routes launcher catalog reads plus tenant bootstrap through same-origin /api/auth/* on the app host. The console browser callback delegates one-time `sso_code` exchange to the shared Auth client instead of carrying MDM-local `/sso/exchange` protocol logic. The API worker validates browser console JWTs by resolving the `topolo-mdm` service slug and keeps API-key validation under the separate `topolo-mdm-api` slug. Device registration and first-poll recovery consume authenticated enrollment-session tokens, then issue device credentials required for subsequent poll, command-status, device realtime, and device FCM-token registration calls. The API worker owns a tenant-scoped `TENANT_EVENTS` Durable Object for operator WebSocket fleet events and device command wakeups, and uses Firebase Cloud Messaging HTTP v1 as a data-only wake channel for enrolled Android devices that have posted an FCM token. TopoloProvision QR/R2 APK builds remain the device-owner enrollment path, while Google Play internal-testing builds are a sales/demo distribution lane that runs without kiosk/device-owner assumptions until Android Enterprise enrollment. Current Android DPC builds call `https://mdm-api.topolo.app`; the Topolo-owned staging mirror uses `https://mdm-api.stg.topolo.us`. The Android package id is `com.topolo.provision` for Firebase, Google Play, and Android Enterprise device-admin payloads. Install-package catalog reads now point at the Developers-owned `https://developers.topolo.app/api/apps` route, where Topolo Feed, Topolo Provision, and the 22 retained Topolo Mobile Android APKs are R2-backed installable rows served from apk.topolo.app, while Topolo MDM Mobile remains Android/iOS metadata until its own mobile release. The mobile scaffold reads only the SDK-managed topolo_access_token key for bearer API requests, subscribes to `/events` for fleet freshness, and resolves `topolo_auth_flutter` from the canonical Auth repo git package path.
API key scopes in Auth catalog: 17
No global OpenAPI security scheme is declared.
apps.read apps.write commands.invoke dashboard.read devices.admin devices.control devices.read devices.write mdm.admin policies.manage policies.read policies.write reports.read api_keys.write mdm.admin mdm.read mdm.write Wrangler surfaces: none detected
Environment variables: none derived
Routes: workers.dev fallback or no explicit route declared
Observability enabled: no explicit signal found
Wrangler surfaces: No wrangler file detected in scanned surface
This application does not yet have a source-controlled OpenAPI spec in the docs platform. The current API page is derived from the registered contract source and repository surface.