Documentation
Complete guide to using Winvest Core API services
Getting Started
Winvest Core API exposes health probes, authentication flows, and account endpoints over REST. Use it to wire upstream customer portals or internal tools against a consistent contract.
http://localhost:8080API Version:
/api/v1Swagger UI:
http://localhost:8080/api-docs/index.html
Health & Diagnostics
Use these probes for readiness, liveness, and infrastructure checks. They are also duplicated under /api/v1 for ingress controllers that route everything through the API prefix.
Health Check Endpoints
Check service health status with version information.
curl http://localhost:8080/healthzReadiness probe for Kubernetes/container orchestration.
curl http://localhost:8080/readyzLiveness probe for Kubernetes/container orchestration.
curl http://localhost:8080/livenessAuthentication
All account APIs require a bearer token generated via the JWE-based login flow. Tokens are short lived, so refresh often or wrap calls with a background job.
Login
Send domain-qualified credentials to receive an access token.
Request body:
{
"username": "john.doe",
"password": "password123",
"domain": "example.com"
}Curl example:
curl -X POST http://localhost:8080/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"john.doe","password":"password123","domain":"example.com"}'Sample response:
{
"data": {
"token": "token",
"type": "Bearer",
"expires_in": 0
},
"message": "Created"
}Logout & Reset Password
POST /api/v1/auth/logout— invalidates the current session. RequiresAuthorization: Bearer <token>.POST /api/v1/auth/reset-password— placeholder endpoint for resetting portal credentials (same authentication requirements).
Account Management
Account endpoints surface internal customer metadata. Both routes require a bearer token from the login call.
Returns the available accounts for the authenticated domain. Pagination and filters are planned; for now the endpoint streams the entire dataset.
curl http://localhost:8080/api/v1/accounts \
-H "Authorization: Bearer <token>"Fetches details for a specific account identifier.
curl http://localhost:8080/api/v1/accounts/USER-123 \
-H "Authorization: Bearer <token>"Authorization header through your reverse proxy (Traefik/Nginx) when possible so downstream services never see raw credentials.
Examples
Login via curl
TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"username":"john.doe","password":"password123","domain":"example.com"}' \
| jq -r '.data.token')Go client: list accounts
package main
import (
"fmt"
"io"
"net/http"
"os"
)
func main() {
token := os.Getenv("WINVEST_TOKEN")
req, _ := http.NewRequest("GET", "http://localhost:8080/api/v1/accounts", nil)
req.Header.Set("Authorization", "Bearer "+token)
resp, err := http.DefaultClient.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
body, _ := io.ReadAll(resp.Body)
fmt.Println(string(body))
}Error Handling
The API uses standard HTTP status codes:
| Status Code | Description |
|---|---|
200 |
Success |
400 |
Bad Request - Invalid parameters |
404 |
Not Found - Symbol or resource not found |
500 |
Internal Server Error |
error field.
Rate Limiting
The API implements rate limiting to ensure fair usage:
- REST API: 10 requests per second with a burst capacity of 20 (enforced by the Gin middleware).
Best Practices
- Call
/api/v1/auth/loginwith service credentials from a secure backend service, never from public clients. - Cache tokens in memory and renew them proactively before
expires_in. - Centralize outbound traffic through the provided Nginx/Traefik jobs to reuse mutual TLS and rate limiting.
- Monitor
/healthz,/readyz, and Nomad job status for proactive alerting.