Returns service status. Use to verify the API is running.

Returns all organisations registered on the platform with name, subdomain, and branding.

Returns app instances (activities) for organisations. Each activity links an app to an organisation.

Check if a Django user account exists for the given email address.

Per-org API key + member email. Returns a name + organisation envelope plus a `tiles` list. Tiles are server-side and registered per-app via a `dashboard_tile.py` module — when a new app ships its tile appears automatically without WP plugin changes. Tiles auto-skip when a count is zero (so a tenant without breakfast events doesn't see a breakfast tile).

Trust model: per-org API key is admin-tier trust. Calling shortcode ([member_dietary] in the Members WP plugin) gates on access_role in (admin, global_admin) before requesting. Returns name + dietary + partner name + partner_dietary + has_any_dietary boolean per row.

Returns all active members with name, email, mobile, member type, access role, and organisation.

Checks if an email belongs to an active member. Used by WordPress plugins to gate content behind Google SSO.

Exchange a Google ID token (from native Google Sign-In) for an opaque bearer session token. The token is returned alongside the member's profile and organisation.

Exchange an Apple identity token (from ASAuthorizationAppleIDCredential) for a bearer session token. Audience must match the app's bundle ID.

Redirects the browser to Apple's authorize URL. Used by WordPress plugins to initiate Sign in with Apple. Apple POSTs back to the callback endpoint.

Receives Apple's form_post callback with an authorization code + state. Exchanges the code for tokens, verifies the ID token, finds the member, and redirects back to the return_to URL with a signed payload (ok, email, expires, sig). If the member is not found, ok=false and apple_sub is included for linking.

For Hide-My-Email Apple users whose relay email doesn't match a membership. Sends a verification email to the provided club email. The email contains a signed link that binds the Apple subject to the membership.

Consumes a signed link token from email, binds apple_subject to the membership, and redirects back to the WP site with ok=true.

Returns notices currently within their visibility window. Includes title, description, event date/time, price, contact details, and access level.

Returns a QR code PNG image encoding the notice's website URL.

Returns the next upcoming breakfast event with title, date, time, and location.

Submit a breakfast choice for an event. Validates the choice code.

Returns the current breakfast activity for the organisation, including deadline and the member's latest choice.

Submit or change a breakfast choice. Validates deadline, normalises choice codes, supports guest bookings.

Full attendance report listing all members with their choices and summary totals.

Returns all active member groups for the organisation.

Returns members of a group for a given year, including ongoing (year-less) memberships. Includes role_label for each member.

Returns group members enriched with their position assignments. Members are derived from both explicit MemberGroupMembership and PositionAssignments where the position is scoped to this group. Sorted by position display_order. Also returns all OrgYears for a year picker.

Returns every active group for the organisation, each with its members and positions for the given year. Groups sorted by display_order; members within each group sorted by position display_order then last name. Designed for committee overview pages.

Returns all positions for the organisation with their current holders. Designed for 'Meet the Team' displays. Positions are ordered by display_order.

Same auth + access-control gates as /download/ but returns the signed URL as JSON instead of 302-redirecting to it. The WP in-browser viewer (Office Online + native browser PDF viewer) needs a URL that can be fetched anonymously by Microsoft's servers / the browser itself — admin-ajax proxied URLs require an `sts_session` cookie that those clients don't have. Logs an opened_editor event distinct from downloaded.

Fetches and parses the ICS feed configured for the given activity. Returns events with name, start, end, location, description, and access level.

Per-org API key + `email` of the calling member. Returns every request for the tenant including matched + cancelled, with per-viewer flags (is_requester / is_lender / can_match / can_cancel) so the WP table renders the right buttons.

Per-org API key + `email` of the calling member. Recipient privacy: non-donor viewers only see their OWN application on each listing (not the full applicant list); donors see them all.

Approving auto-rejects every other PENDING application on the same listing and flips the listing to `promised`.

Multipart/form-data ONLY (the photo is a file upload). Required fields: item_name, description, photo, email.

Returns published events with date, time, location, description, website, QR code URL, and access level.

Returns a QR code PNG image encoding the event's website URL.

Per-org API key required (X-API-Key). Pure read — does NOT increment the redemption counter; that happens in the feature's webhook AFTER payment. Returns the discount + final amount when valid; otherwise {valid:false, error:...} with HTTP 200 (so the WP form can render the error inline rather than treat it as a network failure).

PUBLIC — no API key. The banner runs in unauthenticated browsers, so it can't carry one. We hash the IP (sha256, salted) for dedupe only — no raw IP stored. 60-second dedupe per (org, ip_hash, action) prevents page-spam from filling the table. Always returns 200 with {"ok": true} unless org/action are invalid.

PUBLIC — no API key. Visitors must be able to read this BEFORE any non-essential cookies are set, so authentication isn't possible. Cache-Control: public, max-age=300. Returns inline HTML + signed PDF URL + structured `categories` list (the WP banner JS reads `categories` to build the customise UI).

Caller must attest DPO role server-side; the WP plugin enforces access_role in (admin, global_admin) and DPO group membership.

Creates a DSAR. If `attest_fresh_sso` is true and the caller is using a per-org or global API key (server-side proxy attests the requester is a signed-in member), identity is recorded immediately as `fresh_sso` and the 30-day statutory clock starts. Otherwise a magic-link email is sent if `verify_url` is provided.

UK ICO permits a "reasonable fee" only for manifestly excessive repeat requests. First request per email per 12-month window is always free; second-or-later auto-flagged with fee_required=True. Pays to Investcope's central Stripe account (no Connect destination charge — the platform does the technical work).

PUBLIC — no API key. UK GDPR Art. 12-14 require the privacy notice to be readily accessible BEFORE any data is collected, so authentication is by design absent. Cache-Control: public, max-age=300. Returns the inline HTML + a 1-hour signed PDF URL.

Returns charities with Charity Commission data, income, contact details, areas served, and tags.

Returns grant funders with type, geographic focus, grant range, eligibility, and how to apply.

Per-tenant view of which STS plugins are running where, with per-row version-status (✅ up to date / ⚠ update available / · no release / ? unknown) computed against the latest published PluginRelease per slug. Sites whose URL doesn't match any Organisation.wp_site_url bucket under '(unmatched sites)' so misconfiguration is visible. Backs the [platform_installations] WP shortcode in spotthesplat-platform-health.

Public, no auth. Returns headline numbers for the [platform_stats] shortcode used on marketing pages.

Returns the cached Alpaca portfolio for an activity: account summary (equity, cash, buying power), open positions, recent orders (last 10), and intraday portfolio history (5-min intervals). Refreshes from Alpaca if the cache is older than 5 minutes. Respects per-member access control via ActivityMemberAccess and ActivityGroupAccess.

Self-hosted update server — every STS WP plugin polls its own slug daily via WP-Cron and installs the new zip if version is newer than what's currently installed.

Initiates the QBO OAuth2 flow. Redirects the browser to Intuit's authorisation page. The organisation must have a QboConnection with Client ID and Secret configured in Django admin first.

Intuit redirects here after authorisation. Exchanges the authorisation code for access and refresh tokens, stores the realm_id (QBO Company ID), and confirms the connection.

Returns cached bank account balances and a simplified balance sheet (one level deep with sub-sections). Data is refreshed from QBO if the cache is older than 5 minutes. Access tokens are auto-refreshed if expired.

Returns custom action logs (sign-ins, page views, connections) for the organisation. Paginated with limit and offset.

Returns django-auditlog model change logs (create/update/delete) with field-level old and new values. Paginated.

Called by the WordPress plugin after a successful sign-in to record web platform access for audit tracking.

Returns all active members with their platform access status (web, iOS, Android) and counts. Used by the Member Access summary table.

Compose and immediately dispatch a message to all org members, a group, or explicit recipients via the specified channel. Per-org API key required.

Returns sent message history for the organisation with recipient counts and delivery status. Paginated.

Every STS WordPress plugin POSTs to this endpoint on activation, daily via WP-Cron, and on deactivation. Public, no API key required. Tolerant — any malformed payload returns 200 silently so a buggy plugin can never block a member's page render. Records site_url, plugin_slug, plugin_version, wp_version, php_version, event. No member data, no tokens.

Returns published LinkGroups (sorted by sort_order) for the organisation owning the API key, with each group's published Links nested. Powers the [link_library] WP shortcode.

Per-org API key + member email auth. Returns folders with cover thumb URL (signed, 1h TTL), photo count, originator + event labels, can_edit flag, and per-folder size_bytes. Top-level `totals` aggregates org-wide folder count, photo count, and bytes for the WP gallery's header banner.

Returns photos with signed `thumb_url` (inline disposition for <img> rendering), `view_url` (inline original), and `download_url` (attachment disposition for Save As).

Multipart/form-data ONLY. Server processes: EXIF-strip + auto- rotate + flatten alpha + cap 4MP original + generate 600px thumb. Both stored as JPEG quality 85 on R2.