Skip to content

API Reference

Base URL in local development is usually:

text
http://localhost:8080

Authenticated requests use:

http
Authorization: Bearer <jwt>

Most endpoints return the shared response wrapper:

json
{
  "statusCode": 200,
  "message": "Message",
  "data": {},
  "meta": {}
}

Public and Auth Behavior

The security filter permits some URL groups publicly, but many individual methods still require role checks through @PreAuthorize. Treat the role column below as the source of truth for normal client development.

Auth

MethodPathRolePurpose
POST/api/auth/register-customerPublicRegister a customer.
POST/api/auth/loginPublicLogin for normal web users.
POST/api/auth/login-deliveryPublic, delivery account onlyLogin endpoint dedicated to delivery users. Rejects non-DELIVERY users.
POST/api/auth/register-managerADMINCreate manager account.
POST/api/auth/register-branch-managerMANAGERCreate branch manager account.

Register Customer

http
POST /api/auth/register-customer
Content-Type: application/json
json
{
  "name": "Customer Name",
  "email": "customer@example.com",
  "password": "Password123!",
  "phoneNumber": "+355..."
}

Login

http
POST /api/auth/login
Content-Type: application/json
json
{
  "email": "customer@example.com",
  "password": "Password123!"
}

Returns a LoginResponse containing the JWT and user information.

Users

MethodPathRolePurpose
GET/api/users/allADMIN, DELIVERY, MANAGERFiltered, paginated user list.
GET/api/users/branch_managersMANAGERList branch managers with optional filters.
GET/api/users/change-roleADMINChange a user's role.
PUT/api/users/updateAuthenticatedUpdate current user's profile. Multipart.
DELETE/api/users/deactivate-anyADMINDeactivate any account by ID.
DELETE/api/users/deactivate-branch-managersMANAGERDeactivate a manager-owned branch manager account.
POST/api/users/restore-branch-managersMANAGERRestore a branch manager account.
POST/api/users/restore-usersADMINRestore a user account.
DELETE/api/users/deactivate-my-accountAuthenticatedDeactivate own account.
GET/api/users/accountAuthenticatedCurrent user's account details.
PATCH/api/users/change-passwordAuthenticatedChange password. Also allowed when password-change is required.

User Filtering

GET /api/users/all accepts UserFilterRequest fields as query/model parameters and pageable values:

http
GET /api/users/all?page=0&size=20&sort=id

Update Own Account

http
PUT /api/users/update
Content-Type: multipart/form-data

Form fields come from UserDTO. Optional file:

text
imageFile=<profile image>

Roles

MethodPathRolePurpose
POST/api/rolesADMINCreate role.
PUT/api/rolesADMINUpdate role.
GET/api/rolesADMINList roles.
DELETE/api/roles/{id}ADMINDelete role.

Restaurant Categories

Restaurant categories are high-level marketplace categories such as pizza, burger, dessert, etc.

MethodPathRolePurpose
POST/api/restaurant-categoriesADMINCreate restaurant category. Multipart with image.
PUT/api/restaurant-categoriesADMINUpdate restaurant category. Multipart with optional image.
GET/api/restaurant-categories/{id}PublicGet one category.
GET/api/restaurant-categoriesPublicList categories.
DELETE/api/restaurant-categories/{id}ADMINDelete category.
PUT/api/restaurant-categories/categoriesMANAGERAssign category IDs to manager's restaurant.

Assign Restaurant Categories

http
PUT /api/restaurant-categories/categories
Content-Type: application/json
Authorization: Bearer <manager-jwt>
json
[1, 2, 3]

Menu categories are restaurant-owned food categories such as burgers, drinks, sides.

MethodPathRolePurpose
POST/api/categoriesADMIN, MANAGERCreate menu category.
PUT/api/categoriesADMIN, MANAGERUpdate category.
GET/api/categories/{id}PublicGet category.
GET/api/categoriesPublicList simple categories.
GET/api/categories/managerMANAGERList current manager restaurant categories.
DELETE/api/categories/{id}MANAGERSoft-delete category.
PUT/api/categories/{id}/restoreMANAGERRestore category.

Restaurants

MethodPathRolePurpose
POST/api/restaurantsADMIN, MANAGERCreate restaurant. Multipart with cover and profile images.
GET/api/restaurants/all-restaurantsPublicPublic paginated restaurant list.
GET/api/restaurants/all-restaurants-adminADMINAdmin paginated list, includes deleted filter.
GET/api/restaurants/available-restaurants-dashboardPublic/auth optionalDashboard groups: normal, fastest, trending, top rated.
GET/api/restaurants/available-restaurantsPublic/auth optionalLocation-aware available restaurants with filters and sort.
GET/api/restaurants/search-by-restaurant/{id}PublicRestaurant summary by restaurant ID.
GET/api/restaurants/manager/restaurant-branchesMANAGERBranch list for current manager's restaurant.
PUT/api/restaurants/manager/change-manager/{branchId}MANAGERAssign/unassign branch manager. Body is user ID or empty/null.
DELETE/api/restaurants/manager/delete-branch/{branchId}MANAGERSoft-delete branch.
PUT/api/restaurants/manager/restore-branch/{branchId}MANAGERRestore branch.
GET/api/restaurants/restaurantMANAGERCurrent manager's restaurant.
DELETE/api/restaurants/admin/delete-restaurant/{restaurantId}ADMINSoft-delete restaurant.
PUT/api/restaurants/admin/restore/{restaurantId}ADMINRestore restaurant.
PUT/api/restaurants/admin/unassign-restaurant/{restaurantId}ADMINUnassign restaurant owner.

Create Restaurant

http
POST /api/restaurants
Content-Type: multipart/form-data
Authorization: Bearer <admin-or-manager-jwt>

Form fields:

text
name=<restaurant name>
description=<description>
phoneNumber=<phone>
coverImage=<file>
profileImage=<file>

Available Restaurants

http
GET /api/restaurants/available-restaurants?lat=41.3275&lng=19.8189&page=0&size=10&sort=delivery_time

Supported sort values in service:

text
default
rating
prep_time
time
delivery_time
trending
popularity

The filter object is RestaurantFilterCriteria and is passed as query/model attributes.

Restaurant Branches

MethodPathRolePurpose
PUT/api/restaurant-branch/edit-branch/{id}MANAGEREdit any owned branch.
PUT/api/restaurant-branch/edit-branch/my-branchBRANCH_MANAGEREdit current branch manager's branch operations data.
PUT/api/restaurant-branch/myBranch/opening-hoursAuthenticated/currently no annotationSave opening hours. Should be protected.
POST/api/restaurant-branch/branchADMIN, MANAGERCreate branch.
GET/api/restaurant-branch/{id}PublicGet branch details.
GET/api/restaurant-branch/{branchId}/menuPublicGet branch menu, optional search.
GET/api/restaurant-branch/myBranchBRANCH_MANAGERCurrent branch manager's branch.
PUT/api/restaurant-branch/change-opening-statusBRANCH_MANAGERToggle current branch open/closed.
GET/api/restaurant-branch/location/{orderId}DELIVERYGet branch location for assigned delivery order.

Save Opening Hours

http
PUT /api/restaurant-branch/myBranch/opening-hours
Content-Type: application/json
json
{
  "openingHours": [
    {
      "dayOfWeek": "MONDAY",
      "openTime": "09:00",
      "closeTime": "22:00"
    }
  ]
}

Reviews

MethodPathRolePurpose
GET/api/reviews/{branchId}PublicList branch reviews.
POST/api/reviewsCurrently public in controllerCreate review. Should be authenticated/customer in production.
GET/api/reviews/menu-item/{menuId}PublicAverage rating for menu item.
MethodPathRolePurpose
POST/api/menuMANAGERCreate master menu item. Multipart with image.
PUT/api/menuMANAGERUpdate master menu item. Multipart, optional image.
GET/api/menu/{id}PublicGet menu response by branch menu ID.
DELETE/api/menu/{id}MANAGERDelete menu.
GET/api/menuMANAGERList manager menus with optional category/search/myMenus.
POST/api/menu/optionMANAGERCreate option group and variants for a menu.
PUT/api/menu/optionMANAGEREdit option group and variants.
GET/api/menu/options-restaurantMANAGEROptions for a restaurant menu item.
GET/api/menu/options-customer/{branchMenuId}/{branchId}PublicCustomer-visible option groups with branch overrides applied.
GET/api/menu/options-branch-managerBRANCH_MANAGERBranch manager option data for branch menu item.
PUT/api/menu/unlinkMANAGERUnlink option group from menu.
PUT/api/menu/linkMANAGERLink option group to menu.
GET/api/menu/allOptionsMANAGERAll option groups for current restaurant.
GET/api/menu/available-optionsMANAGERAvailable option groups for linking to a menu.
DELETE/api/menu/optionsMANAGER, BRANCH_MANAGERDelete option group/option config depending service logic.
PUT/api/menu/option-branchBRANCH_MANAGEROverride branch variant config.

Create Menu Item

http
POST /api/menu
Content-Type: multipart/form-data
Authorization: Bearer <manager-jwt>

Fields come from CreateMenuRequest, plus:

text
imageFile=<file>

Create Option Group

http
POST /api/menu/option?menuId=10
Content-Type: application/json
Authorization: Bearer <manager-jwt>
json
{
  "name": "Choose sauce",
  "minSelection": 0,
  "maxSelection": 2,
  "variants": [
    { "name": "Garlic sauce", "recommendedPrice": 50 },
    { "name": "Spicy sauce", "recommendedPrice": 60 }
  ]
}

Branch Option Override

http
PUT /api/menu/option-branch?optionId=15
Content-Type: application/json
Authorization: Bearer <branch-manager-jwt>
json
[
  {
    "variantId": 101,
    "priceOverride": 80,
    "isAvailable": true
  },
  {
    "variantId": 102,
    "priceOverride": null,
    "isAvailable": false
  }
]

Branch Manager Menu

MethodPathRolePurpose
GET/api/branch-manager/menuBRANCH_MANAGERPaginated branch menu items.
POST/api/branch-manager/menuBRANCH_MANAGERAdd/inherit a restaurant menu item to branch.
GET/api/branch-manager/menu/restaurantBRANCH_MANAGERList simple restaurant master menus.
PUT/api/branch-manager/menuBRANCH_MANAGERUpdate branch menu price, availability, highlighted.

Update Branch Menu Item

http
PUT /api/branch-manager/menu
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer <branch-manager-jwt>
text
id=44
price=550
available=true
highlighted=false

Cart

MethodPathRolePurpose
POST/api/cart/basketCUSTOMERAdd item to cart.
GET/api/cart/basket/{branchId}CUSTOMERGet cart for branch.
POST/api/cart/basket/increment/{cartItemId}CUSTOMERIncrease quantity.
POST/api/cart/basket/decrement/{cartItemId}CUSTOMERDecrease quantity. Removes item at zero.
DELETE/api/cart/basket/remove/{cartItemId}CUSTOMERRemove item.
DELETE/api/cart/basket/clear/{branchId}CUSTOMERClear branch cart.
PUT/api/cart/orderAgain/{orderId}CUSTOMERRebuild cart from previous order.

Add Item to Cart

Use branchMenuItemId, not menuId.

http
POST /api/cart/basket
Content-Type: application/json
Authorization: Bearer <customer-jwt>
json
{
  "branchMenuItemId": 44,
  "quantity": 2,
  "options": [
    {
      "optionGroupId": 7,
      "variantIds": [21, 22]
    }
  ]
}

Checkout

MethodPathRolePurpose
GET/api/checkout/{branchId}CUSTOMERCheckout preview with totals, delivery info, tips, selected method.
POST/api/checkout/increment/{cartItemId}CUSTOMERIncrement and return checkout preview.
POST/api/checkout/decrement/{cartItemId}CUSTOMERDecrement and return checkout preview.
PUT/api/checkout/tip/{cartId}CUSTOMERUpdate tip.
PUT/api/checkout/delivery-note/{cartId}CUSTOMERUpdate delivery note.
PUT/api/checkout/payment-methodCUSTOMERUpdate cart payment method.

Update Tip

json
{
  "amount": 100
}

Update Delivery Note

json
{
  "note": "Call me when outside."
}

Update Payment Method

json
{
  "paymentMethodId": 3,
  "branchId": 12
}

Orders

MethodPathRolePurpose
POST/api/orders/checkout/{branchId}CUSTOMERPlace order from cart.
GET/api/orders/order-item/{orderItemId}Authenticated/public by filter configGet order item details.
GET/api/orders/allAuthenticatedPaginated, role-scoped orders.
PUT/api/orders/update-statusAuthenticatedUpdate one order status or payment status.
PUT/api/orders/assign-order-delivery/{orderId}DELIVERYAssign current driver to order.
GET/api/orders/unique-customersADMIN, MANAGERCustomer statistics.
GET/api/orders/stats/total-ordersADMIN, DELIVERYTotal order statistics.
GET/api/orders/stats/total-revenueADMINTotal revenue statistics.
GET/api/orders/stats/status-distributionADMINCount by order status.
GET/api/orders/unassigned-ordersDELIVERYGlobal delivery pool.
GET/api/orders/order-details/{orderId}CUSTOMERCustomer order details.

Search Orders

http
GET /api/orders/all?page=0&size=20&orderStatus=READY_FOR_PICKUP&sortBy=lastUpdated&sortDirection=desc

OrderSearchCriteria supports filters such as:

  • orderId
  • orderStatus
  • paymentStatus
  • customerId
  • page
  • size
  • sortBy
  • sortDirection

Role scoping is applied in service:

  • Customer sees own orders.
  • Manager sees own restaurant.
  • Branch manager sees own branch.
  • Delivery sees assigned delivery orders.
  • Admin can see all.

Update Order Status

Only update one status field at a time.

http
PUT /api/orders/update-status
Content-Type: application/json
Authorization: Bearer <jwt>
json
{
  "id": 9001,
  "orderStatus": "PREPARING"
}

or:

json
{
  "id": 9001,
  "paymentStatus": "COMPLETED"
}

Payments

MethodPathRolePurpose
GET/api/paymentADMINList system payment methods.
PUT/api/payment/{paymentMethodId}ADMINEdit payment method display name.
GET/api/payment/restaurant-branchBRANCH_MANAGERBranch payment method config.
PUT/api/payment/my-branch/update-methodsAuthenticated but should be BRANCH_MANAGERUpdate current branch accepted payment methods.
GET/api/payment/check-payment-successfulAuthenticatedCheck payment status by transaction ID.
POST/api/payment/{paymentId}/refundBRANCH_MANAGERRefund payment with JSON reason object.
GET/api/payment/allAuthenticatedPaginated, role-scoped payment list.
POST/api/payment/ask-for-refund/{orderId}CUSTOMERCustomer asks for refund after cancellation.
POST/api/payment/refund/{paymentId}BRANCH_MANAGERDuplicate refund endpoint taking raw string reason.

Branch Payment Methods

http
PUT /api/payment/my-branch/update-methods
Content-Type: application/json
Authorization: Bearer <branch-manager-jwt>
json
{
  "paymentMethodIds": [1, 3]
}

Check Payment Status

http
GET /api/payment/check-payment-successful?transactionId=sdk-order-id
Authorization: Bearer <customer-jwt>

Returns:

json
{
  "transactionId": "sdk-order-id",
  "paymentStatus": "COMPLETED"
}

PokPay Webhook

MethodPathRolePurpose
POST/api/v1/payments/webhookPublicPokPay webhook receiver.

The webhook body maps to PokWebhookPayload. The backend finds the order by transaction ID and marks payment/order state.

Delivery Locations and Live Driver Location

MethodPathRolePurpose
POST/api/delivery-location/deliverToAuthenticatedSave/select a customer delivery address.
DELETE/api/delivery-location/deliveryLocation/{id}AuthenticatedDelete saved delivery location.
GET/api/delivery-location/deliveryLocationAuthenticatedGet active delivery location.
GET/api/delivery-location/all-delivery-locationsAuthenticatedList current user's delivery locations.
POST/api/delivery-location/locationAuthenticated, intended DELIVERYKotlin delivery app submits current driver coordinates.

Save Delivery Address

http
POST /api/delivery-location/deliverTo?latitude=41.3275&longitude=19.8189&locationName=Tirana&nickname=Home
Authorization: Bearer <customer-jwt>

Optional:

text
prevLocationId=<id>

Submit Driver Live Location

http
POST /api/delivery-location/location
Content-Type: application/json
Authorization: Bearer <delivery-jwt>
json
{
  "latitude": 41.3275,
  "longitude": 19.8189
}

Backend behavior:

  • Reads current authenticated user ID.
  • Serializes payload as JSON.
  • Stores in Redis key driver_loc:{driverId}.
  • TTL is one hour.

Analytics

MethodPathRolePurpose
GET/api/analyticsMANAGERBranch revenue list.
GET/api/analytics/total-revenueMANAGERManager total revenue.
GET/api/analytics/successful-ordersMANAGERManager successful orders.
GET/api/analytics/unique-customer-metricsADMIN, MANAGER, BRANCH_MANAGERUnique customer metrics.
GET/api/analytics/popular-itemsAuthenticated by global rule, no method annotationMost popular items with role filter.
GET/api/analytics/revenue/monthlyADMIN, MANAGER, BRANCH_MANAGERMonthly revenue for year.
GET/api/analytics/revenue/dailyADMIN, MANAGER, BRANCH_MANAGERDaily revenue for month/year.
GET/api/analytics/underPrepare/deliveryDELIVERYCount assigned preparation orders.
GET/api/analytics/earningsDELIVERY, ADMINDelivery earnings by year, optional delivery ID.

Monthly Revenue

http
GET /api/analytics/revenue/monthly?year=2026&targetBranchId=12
Authorization: Bearer <jwt>

Role scoping:

  • Admin can pass branch or restaurant filters.
  • Manager is forced to own restaurant.
  • Branch manager is forced to own branch.
  • Delivery cannot access restaurant analytics except delivery-specific endpoints.

Upload

MethodPathRolePurpose
POST/api/uploadPublic by security configTest/direct S3 upload endpoint.
http
POST /api/upload
Content-Type: multipart/form-data
text
file=<file>
keyName=<s3 key>

For production, protect or remove this test endpoint.

Internal Jobs

These endpoints also require normal authentication unless explicitly permitted by configuration, and they require the internal header.

MethodPathRequired headerPurpose
POST/api/internal/jobs/daily-reset-order-countX-Internal-SecretReset daily branch order counts.
POST/api/internal/jobs/payment-cleanupX-Internal-SecretExpire pending payments and abandon old orders.

Example:

http
POST /api/internal/jobs/payment-cleanup
X-Internal-Secret: <secret>

Health

MethodPathRolePurpose
GET/healthPublicHealth check.

Returns:

text
OK

WebSocket

Endpoint:

text
/ws

STOMP CONNECT header:

text
Authorization: Bearer <jwt>

Subscribe:

text
/topic/branch.{branchId}.manager
/topic/delivery.global.unassigned
/user/queue/updates

Payloads are mostly OrderDTO. Delivery global updates include:

json
{
  "wsAction": "ADD"
}

or:

json
{
  "wsAction": "REMOVE"
}