LogiLoop API

Complete REST API reference for the UK logistics backhauling platform.

API Version 1.0 All endpoints return JSON. Dates use ISO 8601 format. UUIDs are used for all resource identifiers.

Base URL

https://your-domain.com/api

All endpoints are prefixed with /api. Health check is available at /api/health.

Security Features

LogiLoop implements multiple layers of security to protect your data and operations.

🔐 JWT Authentication

HS256-signed tokens. 24-hour access tokens, 30-day refresh tokens. Stateless session management.

🛡️ Role-Based Access Control

Fine-grained RBAC with 10+ roles. Method-level security via Spring Security @PreAuthorize.

🔑 Multi-Factor Authentication

TOTP-based MFA enrolment available for all user accounts. Adds a second verification layer.

🔒 BCrypt Password Hashing

All passwords hashed with BCrypt (strength 10). Plaintext passwords are never stored.

⏱️ Rate Limiting

Bucket4j-based rate limiting on billing endpoints. Per-company limits prevent abuse.

🏢 Multi-Tenant Isolation

Company-segregated data at query level. Users can only access their own organisation's data.

🌐 CORS Protection

Configured for specific allowed origins. Preflight OPTIONS requests handled automatically.

📋 Full Audit Trail

Every action logged with user, timestamp, IP, and outcome. Tamper-evident audit logs.

Enterprise API Keys Dedicated API key authentication for WMS/TMS integration is on the roadmap. Currently, all API access uses JWT bearer tokens.

Authentication

All protected endpoints require a JWT bearer token in the Authorization header.

Auth Flow

1. POST /api/auth/login        → receive accessToken + refreshToken
2. Use accessToken in header:   Authorization: Bearer <accessToken>
3. When expired, call:           POST /api/auth/refresh
4. To end session:               POST /api/auth/logout

Public Endpoints (No Auth Required)

Pattern	Description
`/api/auth/**`	Login, register, refresh tokens
`/api/platform/auth/**`	Platform admin authentication
`/api/health`	Health check
`/api/public/**`	Public pages (email verification, approvals)
`/api/mfa/enroll/**`	MFA enrolment
`/api/photos/**`	Photo serving
`/api/webhooks/**`	Stripe webhook callbacks
`/actuator/**`	Spring Boot actuator

Endpoint Category	Limit	Window
Payment method operations	10 requests	1 minute
Charge operations	20 requests	1 minute
Credit pot top-ups	5 requests	1 minute

Resource	ADMIN	DISPATCHER	ACCOUNTS	AUDITOR	DRIVER
View Jobs	✅	✅	✅	✅	✅
Create/Edit Jobs	✅	✅	—	—	—
Delete Jobs	✅	✅	—	—	—
Billing & Payments	✅	—	✅	—	—
Analytics	✅	—	✅	—	—
Audit Logs	✅	—	—	✅	—
Company Profile	✅	—	—	—	—
Reserve/Complete Jobs	—	—	—	—	✅
Ratings & Favourites	✅	—	—	—	—

Param	Type	Required	Description
`page`	int	No	Page number (default: 0)
`size`	int	No	Page size (default: 10)
`search`	string	No	Search by job ID, pickup or delivery location
`status`	string	No	Filter by status

Code	Description
`201`	Job created, payment reserved
`402`	Job created but payment reservation failed
`400`	Incomplete billing profile or insufficient balance

Param	Type	Required	Description
`mode`	string	Yes	`GPS_RADIUS`, `POSTCODE_RADIUS`, or `CORRIDOR`
`latitude`	double	GPS_RADIUS	Latitude coordinate
`longitude`	double	GPS_RADIUS	Longitude coordinate
`postcode`	string	POSTCODE_RADIUS	UK postcode or town name
`origin`	string	CORRIDOR	Origin postcode/town
`destination`	string	CORRIDOR	Destination postcode/town
`radius`	double	Yes	Search radius in miles

Field	Type	Description
`documentType`	string	e.g., DRIVING_LICENCE, INSURANCE, MOT
`expiryDate`	date	ISO date (YYYY-MM-DD)
`file`	file	Document image/PDF

Param	Type	Description
`estimatedMiles`	decimal	Estimated distance in miles
`driverRatePerMile`	decimal	Driver rate per mile (default: 0)

Code	Meaning
`200`	Success
`201`	Created
`204`	No Content (successful delete or empty result)
`400`	Bad Request — validation error or missing fields
`401`	Unauthorized — missing or invalid JWT token
`403`	Forbidden — insufficient role/permissions
`404`	Not Found — resource doesn't exist
`402`	Payment Required — billing/payment failure
`409`	Conflict — resource already exists or state conflict
`422`	Unprocessable Entity — valid syntax but semantic error
`429`	Too Many Requests — rate limit exceeded
`500`	Internal Server Error

LogiLoop API

Base URL

Security Features

🔐 JWT Authentication

🛡️ Role-Based Access Control

🔑 Multi-Factor Authentication

🔒 BCrypt Password Hashing

⏱️ Rate Limiting

🏢 Multi-Tenant Isolation

🌐 CORS Protection

📋 Full Audit Trail

Authentication

Auth Flow

Public Endpoints (No Auth Required)

Auth Endpoints

Auth Endpoints

Request Body

Response 200 OK

Request Body

Response 201 Created

Request Body

Response 200 OK

Rate Limiting

Roles & Permissions

Platform Roles

Company Roles

Driver Role

Role Access Matrix

Job Management

Query Parameters

Headers

Response Codes

Request Body

Job Expenses

Driver API

Profile & Vehicle

Request Body

Job Workflow

Geo Search

Example: Corridor Search

Payments & Banking

Compliance Documents

Billing

Billing Profile

Payment Methods

Response

Credit Pot

Transactions & Invoices

Analytics

Ratings & Favourites

Driver Ratings

Favourite Drivers

Company

Disputes

Audit Logs

Approvals

Mapping

Webhooks

Error Handling

Error Response Format

Response `200 OK`

Response `201 Created`

Response `200 OK`