API Reference

MovaLab provides 80+ REST API endpoints via Supabase, with automatic Row Level Security enforcement on all requests.

Overview

MovaLab uses Supabase as its backend, which provides auto-generated REST APIs for all database tables. Every table has full CRUD operations available via HTTP.

80+ Endpoints

Full CRUD on 48+ tables

Row Level Security

APIs respect RLS policies automatically

Rate Limiting

100 req/15min (API), 5 req/15min (auth)

Direct DB Access

PostgreSQL access for self-hosted

Base URL

Local Development:

http://localhost:54321/rest/v1/

Cloud Supabase:

https://your-project.supabase.co/rest/v1/

Authentication

All API requests require authentication headers. RLS policies automatically filter data based on the authenticated user.

Required Headers

{
  "apikey": "your-supabase-publishable-key",
  "Authorization": "Bearer <user-jwt-token>",
  "Content-Type": "application/json"
}

Example: Fetch Projects

const response = await fetch(
  'http://localhost:54321/rest/v1/projects',
  {
    headers: {
      'apikey': process.env.SUPABASE_ANON_KEY,
      'Authorization': `Bearer ${session.access_token}`,
    },
  }
);

const projects = await response.json();

Endpoints by Category

Users & Authentication

GET/user_profiles- List user profiles

GET/user_profiles?id=eq.{id}- Get single user

PATCH/user_profiles?id=eq.{id}- Update user profile

GET/roles- List all roles

GET/user_roles- User role assignments

POST/user_roles- Assign role to user

DELETE/user_roles?id=eq.{id}- Remove role assignment

Client Accounts

GET/accounts- List accounts

POST/accounts- Create account

PATCH/accounts?id=eq.{id}- Update account

DELETE/accounts?id=eq.{id}- Delete account

GET/account_members- List account members

POST/account_members- Add member to account

Projects

GET/projects- List projects

POST/projects- Create project

PATCH/projects?id=eq.{id}- Update project

DELETE/projects?id=eq.{id}- Delete project

GET/project_assignments- Project team assignments

POST/project_assignments- Assign user to project

GET/project_updates- Project status updates

POST/project_updates- Create project update

GET/project_issues- Project issues/blockers

Tasks

GET/tasks- List tasks

POST/tasks- Create task

PATCH/tasks?id=eq.{id}- Update task

DELETE/tasks?id=eq.{id}- Delete task

GET/task_dependencies- Task dependencies

GET/task_week_allocations- Weekly task allocations

Time Tracking

GET/time_entries- List time entries

POST/time_entries- Create time entry

PATCH/time_entries?id=eq.{id}- Update time entry

DELETE/time_entries?id=eq.{id}- Delete time entry

GET/clock_sessions- Active clock sessions

POST/clock_sessions- Start clock session

GET/user_availability- Weekly user availability

Capacity Planning

GET/weekly_capacity_summary- User capacity view

GET/department_capacity_summary- Department capacity view

GET/project_capacity_summary- Project capacity view

POST/user_availability- Set user availability

Departments

GET/departments- List departments

POST/departments- Create department

PATCH/departments?id=eq.{id}- Update department

DELETE/departments?id=eq.{id}- Delete department

Workflows

GET/workflow_templates- List workflow templates

POST/workflow_templates- Create workflow template

GET/workflow_instances- Active workflow instances

GET/workflow_node_transitions- Workflow transitions

Rate Limiting

Production deployments with Upstash Redis enforce rate limiting to prevent abuse.

Endpoint Type	Limit	Window
API Routes	100 requests	15 minutes
Auth Endpoints	5 requests	15 minutes

Rate limited responses return 429 Too Many Requests with a Retry-After header.

Filtering & Pagination

Supabase REST APIs support powerful filtering via query parameters.

# Exact match
GET /tasks?status=eq.in_progress

# Multiple conditions (AND)
GET /tasks?status=eq.in_progress&priority=eq.high

# IN clause
GET /tasks?status=in.(todo,in_progress,review)

# Pagination
GET /tasks?limit=20&offset=0

# Select specific columns
GET /tasks?select=id,name,status,priority

# Join related tables
GET /tasks?select=*,project:projects(name,account_id)

# Order results
GET /tasks?order=created_at.desc

# Full-text search
GET /user_profiles?name=ilike.*john*

Filter Operators

Operator	Description	Example
eq	Equals	status=eq.active
neq	Not equals	status=neq.deleted
gt, gte	Greater than (or equal)	hours=gt.40
lt, lte	Less than (or equal)	priority=lt.3
in	In list	status=in.(a,b,c)
is	Is null/true/false	deleted_at=is.null
ilike	Case-insensitive search	name=ilike.test

Error Codes

Code	Description
400	Bad Request - Invalid query parameters or body
401	Unauthorized - Missing or invalid API key/token
403	Forbidden - RLS policy denied access
404	Not Found - Resource doesn't exist
409	Conflict - Unique constraint violation
429	Too Many Requests - Rate limit exceeded
500	Internal Server Error

Direct Database Access

Self-hosted instances can connect directly to PostgreSQL:

# Local development connection
Host: localhost
Port: 54322
Database: postgres
User: postgres
Password: postgres

# Connect with psql
psql -h localhost -p 54322 -U postgres -d postgres

# Or use connection string
postgresql://postgres:postgres@localhost:54322/postgres

Learn More

For complete API documentation and advanced features, see the Supabase docs.

Supabase API Docs Database Schema Permissions