Public API expansion: mobieusMarket, files, moderation, plan gate

The Public API just covered marketplace, files, and moderation.

Yesterday we shipped events, users, posts, and webhooks. Today we expanded the surface to the four resource families operators ask for next: mobieusMarket listings, file uploads, moderation reports, and the moderation-actions log. Plus four new scopes, a plan gate, and rate-limit knobs in the admin UI.

What is now in the API

mobieusMarket

The marketplace endpoints let you read listings (or filter by status, seller, or category) and react to listing-lifecycle events.

GET /api/v1/listings — paginated listings, filter by status, seller_id, category_id.
GET /api/v1/listings/{id} — a single listing.
New events: listing.created, listing.updated, listing.sold, listing.withdrawn.
Scope: listings:read.

Files

File uploads land in quarantine, get scanned, then approved. The API exposes approved files only (quarantined and rejected files stay internal).

GET /api/v1/files — paginated files, filter by area_slug, uploader_id.
GET /api/v1/files/{id} — a single file.
New event: file.uploaded (fires when the file clears quarantine).
Scope: files:read.

Moderation

The moderation surface is both readable and writeable. You can list and read reports, dismiss or resolve them via POST, and read the moderator action log (the mod_log table).

GET /api/v1/reports — paginated reports, filter by status, reported_user_id.
GET /api/v1/reports/{id} — a single report including the full description.
POST /api/v1/reports/{id}/dismiss — mark a report resolved with a dismiss reason.
POST /api/v1/reports/{id}/resolve — mark a report resolved with notes (when you took action outside the system you want recorded).
GET /api/v1/moderation/actions — read the moderator action log, filter by action, actor_id, affected_user_id.
New events: report.created, report.resolved, moderation.action_taken (with data.action = warn / suspend / ban / shadow_ban / dismiss).
Scopes: reports:read, reports:manage.

Plan gate

The public REST API is now gated to Pro, Creator Plus, and Sovereign. Starter tenants who call any API endpoint get a clear error:

{
  "error": {
    "code": "plan_gated",
    "message": "The public REST API is available on Pro and higher plans. Upgrade in /admin/billing.",
    "current_plan": "starter",
    "required_plans": ["pro", "creator-plus", "sovereign"],
    "request_id": "req_..."
  }
}

Upgrade in /admin/billing and the API lights up immediately. No key re-mint needed; the plan resolution is dynamic.

Rate-limit knobs moved into the admin UI

Before today, the rate limit was a single value in app.ini. Now there are three layers, in precedence order:

Per-key override on /admin/api-keys/<id>/edit. Highest precedence.
Tenant default on /admin/api/settings. Applies when the per-key override is blank.
Platform default (app.ini, currently 600 req/min). Fallback when both overrides are blank.

Every API response carries X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers so clients can self-throttle.

OpenAPI 1.2.0

The OpenAPI spec at /api/docs is now at 1.2.0. Bumps were additive (no breaking changes), so every existing client keeps working. We also tightened the spec description copy.

What to try next

Subscribe a webhook to listing.created and pipe new listings into your CRM or Slack.
Wire report.created into your incident channel so the team sees moderation activity in real time.
Pipe moderation.action_taken into an audit log for compliance.
Pull the mod_log via /moderation/actions on a nightly cron to feed your BI tool.

Browse the OpenAPI spec Read the deep-dive guide