OpenAPI 3.0-documented bearer-token API across 15 endpoints + 41 outbound webhook event types. Integrations for HRIS, fleet management, 3rd-party compliance dashboards.
Published at /api/v1/openapi.json + rendered at /docs/api. Generated from the live tRPC router so endpoint shapes always match the implementation.
Tokens shaped aa_<live|test>_<32hex>. Scope-checked per endpoint (e.g. trainees:read, bookings:write, mel:read, fa_training:read).
41 event types — booking.created, mel.deferral.expired, fa_training.expired, dat.test.resulted, stage_check.failed, etc. HMAC-signed payloads, retry on failure.
List endpoints take cursor + limit (max 200). Stable under inserts via (createdAt DESC, id DESC) keyset.
Date range (from/to), status, search query — all pass through to the underlying tRPC procedure with input validation.
Token is shown ONCE at creation in the Integrations UI. DB only stores SHA-256 hash + last-4 suffix. Lost token = revoke + reissue.
/docs/api renders the live OpenAPI 3.0 spec. Spec is also served as raw JSON at /api/v1/openapi.json for tooling (Postman, Insomnia, codegen).
Each API key carries a scopes array. Each endpoint declares a required scope (mel:read, fa_training:read, etc.). Mismatch returns 403. Wildcard "*" grants everything.
41 event types across bookings, work orders, invoices, compliance, MEL, reserve, trip-trades, FA training, DAT, stage checks. Full catalog in packages/api/src/lib/webhooks.ts.
Every webhook delivery includes an X-AviationAlley-Signature header: an HMAC-SHA256 of the request body, signed with the per-endpoint signing secret (shown once at endpoint creation).
Failed deliveries (non-2xx, timeout, network error) get retried via a Vercel cron every 5 minutes, with exponential backoff up to 24 hours. After that, deliveries are permanently failed and the operator gets an email.
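Receiver-side verification of the X-AviationAlley-Signature header, as an added example (not code from the product). Assumptions: the header carries the digest as hex, which the page does not state; the function names, secret and payload are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Assumption: the header value is the HMAC-SHA256 digest encoded as hex.
// Node's http module lowercases incoming header names.
const SIGNATURE_HEADER = "x-aviationalley-signature";

// MAC over the exact bytes received on the wire.
function expectedSignature(rawBody, signingSecret) {
  return createHmac("sha256", signingSecret).update(rawBody).digest();
}

// True only if the header is a well-formed 32-byte hex digest matching the
// MAC of rawBody. rawBody must be the unparsed request body; JSON that has
// been parsed and re-serialized will generally not match.
function verifyWebhook(rawBody, headers, signingSecret) {
  const header = headers[SIGNATURE_HEADER];
  if (typeof header !== "string" || !/^[0-9a-fA-F]{64}$/.test(header)) {
    return false; // missing, repeated (array) or malformed header
  }
  const received = Buffer.from(header, "hex");
  const expected = expectedSignature(rawBody, signingSecret);
  // Both buffers are 32 bytes here, as timingSafeEqual requires.
  return timingSafeEqual(received, expected);
}

// Constructed sample delivery (not real data).
const SAMPLE_SECRET = "constructed-signing-secret";
const SAMPLE_BODY = Buffer.from('{"type":"booking.created","data":{"id":"bk_123"}}');
const SAMPLE_HEADERS = {
  [SIGNATURE_HEADER]: expectedSignature(SAMPLE_BODY, SAMPLE_SECRET).toString("hex"),
};

function demo() {
  const tampered = Buffer.from('{"type":"booking.created","data":{"id":"bk_999"}}');
  const parsed = JSON.parse(SAMPLE_BODY.toString("utf8"));
  const reserialized = Buffer.from(JSON.stringify(parsed, null, 1));
  return {
    valid: verifyWebhook(SAMPLE_BODY, SAMPLE_HEADERS, SAMPLE_SECRET),
    tampered: verifyWebhook(tampered, SAMPLE_HEADERS, SAMPLE_SECRET),
    reserialized: verifyWebhook(reserialized, SAMPLE_HEADERS, SAMPLE_SECRET),
    wrongSecret: verifyWebhook(SAMPLE_BODY, SAMPLE_HEADERS, "other-secret"),
    missingHeader: verifyWebhook(SAMPLE_BODY, {}, SAMPLE_SECRET),
  };
}

console.log(demo());
```

Reject the delivery with a non-2xx status when verification fails, and capture the raw body before any JSON middleware touches it.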
Launching Q1 2027 — join the waitlist for early access.