Platform API
Base URL: https://<platform-host>/api. Authentication: Authorization: Bearer <Entra access token> for the sprig-platform-api audience. The Ops app role gates the decision endpoints.
| Method | Route | Caller | Purpose |
|---|---|---|---|
GET |
/health |
anyone | Liveness (no auth) |
GET |
/config |
any signed-in user | Non-secret config for tooling |
POST |
/apps {name} |
builder | Create or update an app: Entra registration (owner-locked), Static Web App in the builder’s sandbox, metadata + audit |
GET |
/apps |
builder | List own apps |
POST |
/apps/{name}/deploy-token |
owner | Scoped deployment token for content upload |
POST |
/apps/{name}/share {groupId | groupName} |
owner | Create a share request (pending Ops) |
GET |
/share-requests |
Ops | List pending requests |
POST |
/share-requests/{id}/decision {ownerOid, approve} |
Ops | Approve (assigns the group) or reject |
Conventions: JSON bodies; errors as {error, message} with conventional status codes (401 unauthenticated, 403 missing role, 404 unknown/foreign resource, 409 conflicts). App names are slugs: 2–40 chars, lowercase letters/digits/hyphens, starting with a letter. All mutating calls append audit events attributed to the caller.