API is the network surface for COIN. Every endpoint authenticated. Every response governed.
| Method | Path | Auth | Vault Command |
|---|---|---|---|
| GET | `/api/v1/wallet` | Bearer | `vault user-wallet --user {token.user}` |
| GET | `/api/v1/timeline` | Bearer | `vault user-timeline --user {token.user}` |
| POST | `/api/v1/transfer` | Bearer | `vault transfer --from {token.user} --to {body.to} --amount {body.amount}` |
| POST | `/api/v1/spend` | Bearer | `vault spend --user {token.user} --seller {body.seller} --amount {body.amount} --product {body.product}` |
| POST | `/api/v1/settle` | Bearer | `vault settle --user {token.user} --amount {body.amount}` |
| GET | `/api/v1/verify` | Bearer | `vault verify-wallet --user {token.user}` |
| GET | `/api/v1/shop` | None | Read VAULT/VIEWS/shop.json |
| GET | `/api/v1/shop/{user}` | None | Read USER SHOP products |
| POST | `/api/v1/checkout` | None | Create Stripe Checkout session |
| POST | `/api/v1/webhook/stripe` | Stripe sig | Handle Stripe webhook events |

```
USER runs:     vault auth --user DEXTER
Returns:       signed JWT-like token (1h expiry)
Client sends:  Authorization: Bearer <token>
API verifies:  Ed25519 signature + expiry + USER principal
```

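
The endpoint table turns token and body fields into `vault` arguments, so each placeholder must become exactly one validated argv element. The sketch below is an added example, not the project's own code: `build_argv`, the `ROUTES` subset, and the name and amount formats are assumptions.

```python
import re

# Templates copied from the endpoint table (subset).
ROUTES = {
    ("POST", "/api/v1/transfer"):
        "vault transfer --from {token.user} --to {body.to} --amount {body.amount}",
    ("POST", "/api/v1/spend"):
        "vault spend --user {token.user} --seller {body.seller} "
        "--amount {body.amount} --product {body.product}",
    ("GET", "/api/v1/wallet"): "vault user-wallet --user {token.user}",
}

# Assumed value formats (not stated on the page). A name must start with an
# alphanumeric character, so a value such as "--from" cannot pose as an option.
NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")
AMOUNT = re.compile(r"[1-9][0-9]{0,11}")  # positive whole number, no sign
RULES = {"token.user": NAME, "body.to": NAME, "body.seller": NAME,
         "body.product": NAME, "body.amount": AMOUNT}
PLACEHOLDER = re.compile(r"\{((?:token|body)\.\w+)\}")


def build_argv(method, path, token_user, body):
    """Return the argv list for a route, or raise ValueError on bad input."""
    template = ROUTES.get((method, path))
    if template is None:
        raise ValueError("unknown route")
    argv = []
    for part in template.split():
        m = PLACEHOLDER.fullmatch(part)
        if m is None:
            argv.append(part)  # literal from the table, never client data
            continue
        key = m.group(1)
        # Identity comes only from the verified token; the body supplies the rest.
        value = token_user if key == "token.user" else body.get(key[len("body."):])
        # JSON numbers arrive as int; bool is excluded because True is also an int.
        if isinstance(value, int) and not isinstance(value, bool):
            value = str(value)
        if not isinstance(value, str) or not RULES[key].fullmatch(value):
            raise ValueError(f"invalid value for {key}")
        argv.append(value)  # one placeholder -> exactly one argv element
    return argv
```

Pass the returned list to `subprocess.run(argv, shell=False)` so that no shell ever parses client-supplied text.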
`~/.canonic/SERVICES/API/config.json`

```json
{
  "host": "0.0.0.0",
  "port": 8255,
  "cors_origins": [
    "https://canonic-canonic.github.io",
    "https://hadleylab-canonic.github.io",
    "https://hadleylab-dexter.github.io",
    "https://api.canonic.org"
  ]
}
```

| Endpoint | Limit | Key |
|---|---|---|
| All endpoints | 60 req/min | IP |

```
~/.canonic/bin/api          — HTTP server (Python)
~/.canonic/SERVICES/API/    — Service governance + config
```

*API | SPEC | SERVICES*