API Overview
Internal API — Arc
The Sema Link backend API is served on the arc subdomain per environment.
| Environment | Base URL |
|---|---|
| Staging | https://staging-arc.semalink.africa |
| Test | https://test-arc.semalink.africa |
| Production | https://arc.semalink.africa |
Authentication
All API requests must include Cloudflare Access service token headers:
CF-Access-Client-Id: <value>
CF-Access-Client-Secret: <value>Requests without these headers are rejected at the Cloudflare edge with 403 Forbidden before reaching the server. See Zero Trust & API Access for full details.
HTTP Client
All API calls go through the centralised Axios instance at src/core/api/. Do not use fetch or create separate Axios instances — all requests should use the shared client so headers and interceptors are applied consistently.
API Version
All endpoints are prefixed with the API version:
/api/v1/<resource>The version is controlled by the API_VERSION environment variable on the server.
Response Format
Success
Responses return the resource or array directly (no wrapper envelope). HTTP status codes follow REST conventions — 200 OK, 201 Created, 204 No Content.
Errors
All errors return a consistent JSON shape:
{
"statusCode": 400,
"error": "Bad Request",
"message": "Human-readable description of the error"
}Common status codes:
| Code | Meaning |
|---|---|
400 | Validation error — check the message field |
401 | Missing or invalid access token / revoked refresh token |
403 | Authenticated but insufficient role permissions |
404 | Resource not found |
409 | Conflict — e.g. email already registered |
500 | Internal server error |
Endpoint Reference
| Resource | Page |
|---|---|
| Auth (register, login, refresh, logout) | Auth Endpoints |
| Users & Team management | Users Endpoints |