Skip to main content

API specs

Moveat APIs are currently internal product APIs. They are not designed as a public third-party integration surface. This page explains what APIs exist, who consumes them and how to think about their contracts.
The exact live request and response schemas live in Platform Swagger. This page explains API ownership and behavior at a higher level for product, operations and engineering readers.

API surfaces

SurfaceBaseConsumerAuthPurpose
Platform public APIhttps://api.mov-eat.app/v1Web clientHTTP-only session cookieUser-facing product actions.
Platform internal APIhttps://api.mov-eat.app/internal/v1AgentInternal service tokenService-to-service business operations.
Platform healthhttps://api.mov-eat.app/healthzInfraNoneContainer and uptime health checks.
Agent webhook/APIhttps://agent.mov-eat.appMeta/WhatsApp and infraMeta signature / verify tokenWebhook reception and health checks.
Swagger public docshttps://api.mov-eat.app/docsEngineeringDocs basic authPublic Platform API inspection.
Swagger Agent docshttps://api.mov-eat.app/agent-docsEngineeringDocs basic authInternal Agent API inspection.

Platform public API

Platform public APIs support the web app. They should be stable, user-oriented and safe to call from the browser. Main groups:
AreaAPI responsibility
AuthSignup, login, logout, Google login and session creation.
Me/sessionReturn current authenticated user/session state.
OnboardingCreate or update profile, goals and nutrition settings.
ChannelsLink WhatsApp or future communication channels to the user.
CoachingStore and read user coaching context.
MealsLog food, read entries and nutrition summaries.
WeightLog body weight, read latest weight and history.
WorkoutsLog workout sessions, exercises and sets.

Public API rules

  • The authenticated user ID must come from the session, not from request bodies.
  • Unit conversion should happen in Platform, not in the frontend.
  • Public APIs should avoid leaking internal implementation details.
  • Responses should be shaped for the consumer that renders them.
  • Errors should include enough context to debug with logs and correlation IDs.

Platform internal API for Agent

Internal APIs exist so Agent can delegate business actions to Platform without touching the database. Main groups:
OperationWhy Agent needs it
Resolve user by channelMap a WhatsApp number or Telegram chat ID to a Moveat user.
Get user contextFetch profile, goals, nutrition and coaching facts before generating a reply.
Log meal entryPersist structured food data interpreted from a user message.
Get nutrition todayAnswer questions like “how many calories do I have left today?”.
Log weightPersist body weight sent through chat.
Log workoutPersist workout progress sent through chat.

Internal API rules

  • Internal APIs require the platform internal service token.
  • Internal write APIs should be idempotent when triggered by webhooks.
  • Agent should use source message IDs as idempotency keys whenever possible.
  • Agent should not cache business facts as durable truth.
  • Platform must validate the final business payload even when Agent already interpreted it.

Agent API

Agent is mostly a receiver and orchestrator. It exposes endpoints for channel providers and infrastructure. Expected endpoints include:
AreaPurpose
WhatsApp webhook verificationHandles Meta’s webhook verification challenge.
WhatsApp webhook eventsReceives incoming user messages and delivery events.
HealthAllows infra to verify the service is alive.
Agent should keep channel-specific code inside channel adapters. Business logic should live in orchestration and should call Platform for durable actions.

OpenAPI and Swagger strategy

Platform already exposes Swagger docs for live inspection. The next documentation improvement is to export the OpenAPI JSON into this docs repository so Mintlify can generate an API reference section automatically. Recommended approach:
  1. Keep Swagger in Platform as the live contract source.
  2. Export public OpenAPI to openapi/platform-public.json.
  3. Export internal Agent OpenAPI to openapi/platform-agent.json.
  4. Reference both specs in docs.json under an API Reference section.
  5. Keep high-level explanations in MDX pages like this one.
This keeps exact API contracts generated from code while preserving human-readable business documentation.

What should not be exposed publicly

The following should stay internal:
  • Internal service token details.
  • Agent-only endpoints.
  • Raw infrastructure credentials.
  • Database connection strings.
  • Private operational dashboards.
  • Any endpoint that allows cross-user access without a user session boundary.