Application API
Clear API and contract surface for Topolo Roadmapper, grouped under the application instead of split across generic reference sections.
App IDs:
app_topolo_roadmapper Repos:
Hosts:
https://roadmapper.topolo.app https://roadmapper-api.topolo.app https://roadmapper-api.stg.topolo.us https://roadmapper.stg.topolo.us Dependencies: topolo-auth, topolo-nexus, topolo-notify, applications-packages
Depends on Topolo Auth: yes
Type: curated
Source: PlatformApplications/TopoloRoadmapper/package.json
Source exists: no
Current contract coverage is curated rather than OpenAPI-backed, and the browser launcher lane now reads Auth-owned catalog data through same-origin /api/auth/* on the Roadmapper host using the current Auth organization and active context. Browser preboot, shared browser auth, API worker Auth validation, widget output, API-key management, TopoloNotify emission, and staging seed validation resolve concrete app ids from Auth service slugs such as `topolo-roadmapper` at runtime instead of carrying concrete app ids in source, Worker vars, build commands, or browser assets. The browser login handoff, embedded password-login surface, and Auth SSO one-time sso_code callback redemption delegate to the shared Topolo auth client, direct bearer-token callback URLs or /sso?token= bridge routes are not supported, Roadmapper keeps same-tab sessionStorage access-token restore enabled by default after login and refresh so normal reloads do not appear logged out before cookie refresh completes, Roadmapper's vendored @topolo/ui-kit snapshot must stay synchronized with the canonical platform package, the API worker now exposes authenticated `GET /api/widget` for TopoloOne live workspace, emits generic `application.notification.created` envelopes through TopoloNotify after successful creation writes, and protected API routes now require Topolo Auth validation plus a validated organization context with no Roadmapper-local JWT secret handoff or vendored local HS256 verifier.
API key scopes in Auth catalog: 9
No global OpenAPI security scheme is declared.
api_keys.write projects.read projects.write reports.read reports.write roadmaps.read roadmaps.write settings.read settings.write Wrangler surfaces: none detected
Environment variables: none derived
Routes: workers.dev fallback or no explicit route declared
Observability enabled: no explicit signal found
Wrangler surfaces: No wrangler file detected in scanned surface
This application does not yet have a source-controlled OpenAPI spec in the docs platform. The current API page is derived from the registered contract source and repository surface.