| Does Plan✕ have an API? | Yes, PlanX has two public APIs:<br>• A REST API at https://api.editor.planx.uk<br>• A GraphQL API at https://hasura.editor.planx.uk/v1/graphql |
| --- | --- |

REST API

| What users can and can't do using the API | Members of the public using PlanX can:<br>• Proxy payment requests to GovPay<br>• Proxy map tile requests to Ordnance Survey<br>• Proxy GIS queries to Planning Data and Ordnance Survey<br>• Upload private files<br>• Access and interrogate the content and structure of digital services<br>• Log analytics events<br>• Save and resume application sessions<br><br>Authenticated users ("Editors") can additionally:<br>• Authenticate (via Google SSO and Microsoft) to log in to and out of PlanX<br>• Copy, publish, and query services (flows)<br>• Upload public files<br>• Download applications submitted via email<br><br>OSL staff and other PlanX services have additional permissions which allow them to execute a number of other endpoints. |
| --- | --- |
| Security | Our REST API is secured in a number of ways:<br>• Cloudflare's Web Application Firewall (WAF) safeguards our API by filtering out malicious traffic and applying security rules to prevent unauthorised access and potential attacks<br>• Rate limiting<br>• A role-based permissions model which ensures users have appropriate access to endpoints (using a JWT). This model is enforced at the API level, the database level (via Hasura), and where appropriate at the user-interface level. |
| API documentation formats | OpenAPI |
| API documentation (production) | https://api.editor.planx.uk/docs/<br><br>Not all endpoints are fully documented yet; this is scheduled for this phase. |
| API documentation (staging) | https://api.editor.planx.dev/docs/<br><br>Not all endpoints are fully documented yet; this is scheduled for this phase. |

GraphQL API

| What users can and can't do using the API | Members of the public using PlanX can:<br>• Access and interrogate the content and structure of digital services<br>• Log analytics events<br>• Save and resume application sessions<br>• Generate and fetch payment requests<br>• Query planning data (project types, BLPU codes, etc.)<br>• Query team data (logo, theme, etc.)<br><br>Authenticated users ("Editors") can additionally:<br>• Create, update and delete flows<br>• Update team settings<br><br>OSL staff and other PlanX services have additional permissions which allow them to execute a number of other endpoints. |
| --- | --- |
| Security | Our GraphQL API is secured in a number of ways:<br>• Cloudflare's Web Application Firewall (WAF) safeguards our API by filtering out malicious traffic and applying security rules to prevent unauthorised access and potential attacks<br>• A role-based permissions model which ensures users have appropriate access to queries and mutations |
| API documentation formats | GraphQL Schema: our GraphQL API is self-documenting and the public schema can be introspected directly at the endpoint |
| API documentation (production) | https://hasura.editor.planx.uk/v1/graphql |
| API documentation (staging) | https://hasura.editor.planx.dev/v1/graphql |