sentryagent-idp/openspec/changes/bedroom-developer-docs/specs/api-reference/spec.md

ADDED Requirements

Requirement: API reference exists at docs/developers/api-reference.md

The system SHALL provide a human-readable API reference at docs/developers/api-reference.md covering all 14 endpoints across the four services: Agent Registry, OAuth 2.0 Token, Credential Management, and Audit Log.

Scenario: Developer finds any endpoint within 10 seconds

• WHEN the developer opens the API reference
• THEN they SHALL find a table of contents at the top linking to each of the four service sections

Requirement: Every endpoint is documented with method, path, description, and auth requirements

For each of the 14 endpoints, the reference SHALL document: HTTP method, path, one-sentence description, and whether Bearer token auth is required.

Scenario: Developer knows which endpoints require authentication

• WHEN the developer scans the reference
• THEN they SHALL clearly see which endpoints require a Bearer token (all except POST /token) and which do not

Requirement: Every endpoint includes a complete curl example

For each endpoint, the reference SHALL include at least one complete, runnable curl example with real placeholder values.

Scenario: Developer copies a curl example and runs it

• WHEN the developer copies a curl example from the reference
• THEN the command SHALL be complete — no ellipses, no ..., no missing flags — requiring only substitution of their own agentId, token, and base URL

Requirement: Every endpoint documents all request parameters and body fields

For each endpoint that accepts a request body or query parameters, the reference SHALL list every field with: name, type, required/optional, description, and validation constraints.

Scenario: Developer knows what fields are required for POST /agents

• WHEN the developer reads the POST /agents section
• THEN they SHALL see a table listing every field, its type, whether it is required, and any constraints (e.g. email format, max length)

Requirement: Every endpoint documents all response codes and response body schemas

For each endpoint, the reference SHALL document every possible HTTP response code (2xx and 4xx/5xx) with a description and example response body.

Scenario: Developer understands a 429 response

• WHEN the developer reads the rate limit error documentation
• THEN they SHALL understand what triggered it, what the X-RateLimit-* headers mean, and when they can retry

Requirement: API reference includes a base URL and versioning section

The reference SHALL include a section at the top explaining the base URL convention, port configuration, and that all endpoints are unversioned in Phase 1.

Scenario: Developer knows where to send requests

• WHEN the developer reads the base URL section
• THEN they SHALL see the default base URL (http://localhost:3000), how to change the port via environment variable, and a note that versioning will be introduced in Phase 2

Requirement: API reference includes an errors section

The reference SHALL include a dedicated errors section listing all standard error response shapes, all custom error codes, and their HTTP status code mappings.

Scenario: Developer handles an AgentNotFoundError

• WHEN the developer reads the errors section
• THEN they SHALL see the exact JSON shape of the error response, the error code string, and the HTTP status (404)