API Reference
This section documents every HTTP endpoint exposed by the Create Lab Studio backend.
Base URL
All endpoints are relative to the API base URL configured in your deployment. In local development this is typically http://localhost:3000.
Authentication
Every endpoint (except media file downloads) requires a valid JWT access token, sent as a Bearer token in the Authorization header:
Authorization: Bearer <access_token>
Tokens are obtained from POST /auth/login and refreshed via POST /auth/refresh.
Common response codes
| Code | Meaning |
|---|---|
| 200 | OK — request succeeded |
| 201 | Created — resource was created |
| 204 | No Content — successful with no body |
| 400 | Bad Request — validation failed |
| 401 | Unauthorized — missing or invalid token |
| 403 | Forbidden — valid token but missing permission |
| 404 | Not Found — resource does not exist |
| 409 | Conflict — duplicate or constraint violation |
| 429 | Too Many Requests — rate limit exceeded |
| 500 | Internal Server Error |
Permissions
Endpoints that require a specific permission scope are noted in a Permission column. If a user's role (or their individual overrides) does not include that scope, the server returns 403.
See the Permissions reference for the full list of scopes.
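The token handling described under Authentication, combined with the 401/403 distinction from the response-code table, as an added Python example (not code from Create Lab Studio). The `ApiClient` class, its `send` transport hook, and the JSON field names `refresh_token` and `access_token` are assumptions, since this page does not give the request or response bodies of POST /auth/refresh.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "http://localhost:3000"  # local-development base URL from this page

class PermissionDenied(Exception):
    """403: the token is valid but the role lacks the required scope."""

class SessionExpired(Exception):
    """The refresh call was rejected; the user must log in again."""

def http_send(method, url, headers, body=None):
    """Default transport: returns (status, parsed JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    return status, (json.loads(raw) if raw else None)

class ApiClient:
    def __init__(self, access_token, refresh_token, send=http_send, base_url=BASE_URL):
        self.access_token, self.refresh_token = access_token, refresh_token
        self.send, self.base_url = send, base_url

    def _refresh(self):
        # ASSUMPTION: these JSON field names are hypothetical, not from the page.
        status, body = self.send("POST", self.base_url + "/auth/refresh",
                                 {"Content-Type": "application/json"},
                                 {"refresh_token": self.refresh_token})
        if status not in (200, 201):
            raise SessionExpired("refresh rejected; use POST /auth/login")
        self.access_token = body["access_token"]

    def request(self, method, path, body=None):
        for attempt in range(2):  # at most one refresh-and-retry, never a loop
            headers = {"Authorization": "Bearer " + self.access_token,
                       "Content-Type": "application/json"}
            status, data = self.send(method, self.base_url + path, headers, body)
            if status == 401 and attempt == 0:
                self._refresh()  # missing or invalid token: refresh once, retry
                continue
            if status == 403:
                raise PermissionDenied(path)  # a new token cannot add a scope
            return status, data
```

A second 401 after the refresh is returned to the caller rather than retried, so a revoked session cannot cause a request loop.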