Improve API documentation for clarity and completeness

[dtinth]

Summary

• Expanded getting-started.md with API overview and clearer prerequisites
• Clarified API application request process (callback URL always required)
• Rewrote types-of-resources.md with clear scope explanations (public vs organizer)
• Combined app-authentication-flow.md and user-authentication-flow.md into single authentication.md page
• Added missing refresh token documentation
• Added scope parameter and common errors sections
• Added CLAUDE.md for future AI assistance

Key Changes

1. getting-started.md: Added brief intro explaining what the API does, expanded prerequisites with explanations, added clear next steps
2. eventpop-api-application.md: Clarified callback URL requirement and credential security
3. types-of-resources.md: Complete rewrite explaining User Resources (public scope) vs Organizer Resources (organizer scope) with use cases
4. authentication.md (new): Combined authentication flows, added refresh token flow, scope parameters, and error handling
5. CLAUDE.md (new): Documentation for future Claude Code instances working in this repo

Result

Documentation is now more scannable and complete while staying concise. Critical missing information (refresh tokens, scopes) has been added.

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

• New Features

  • Added new API endpoints for organizers to manage events, tickets, and orders
  • Introduced OAuth2 security definitions supporting user and application authentication flows

• Documentation

  • Consolidated authentication documentation with detailed OAuth 2.0 flows and examples
  • Expanded getting started guide with prerequisites and resource type guidance

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
eventpop-docs	Ready	Preview	Comment	Oct 29, 2025 11:29am

[coderabbitai]

Walkthrough

The PR consolidates OAuth2 authentication documentation into a single comprehensive guide, updates the OpenAPI schema with OAuth2 security definitions, new endpoints, and data models, restructures guides for getting-started and resource types, adds Claude code usage documentation, and specifies pnpm as the package manager.

Changes

Cohort / File(s)	Summary
Configuration & Documentation Setup CLAUDE.md, package.json	Added Claude code usage guidance; specified pnpm@9.6.0 as package manager with hash verification
OpenAPI Schema schemas/public.json	Added OAuth2 security definitions (user\_token, application\_token), updated host to www.eventpop.me, introduced multiple new endpoints under /organizers path, added six new public data model definitions (Ticket, TicketType_PartnerEntity, TicketResponse, Order, Event, User), expanded tag names and endpoint metadata
Authentication Guides src/content/docs/guides/authentication.md (new)	Introduced consolidated authentication guide covering User and App authentication flows with OAuth 2.0 details, token exchange examples, scope breakdown, and error handling
Authentication Guides src/content/docs/guides/app-authentication-flow.md (deleted), src/content/docs/guides/user-authentication-flow.md (deleted)	Removed separate authentication flow documentation (consolidated into authentication.md)
Guides Restructuring src/content/docs/guides/eventpop-api-application.md, src/content/docs/guides/getting-started.md, src/content/docs/guides/types-of-resources.md	Expanded terse descriptions into structured multi-section guides with clearer prerequisites, next steps, and resource type explanations

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Focus areas for extra attention:
  • schemas/public.json: Verify OAuth2 security definitions (authorizationUrl, tokenUrl, scopes) are correctly configured; validate all new endpoint definitions reference correct data models; confirm host change to www.eventpop.me is intentional
  • Cross-reference: Ensure OpenAPI schema changes align with consolidated authentication.md guidance
  • Deleted guides: Confirm no orphaned references to removed app-authentication-flow.md or user-authentication-flow.md files

Poem

🐰 A Rabbit's Ode to Organization

Through schemas new, the APIs flow,
OAuth tokens steal the show,
Guides consolidated, clear and bright,
Documentation shining right! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Improve API documentation for clarity and completeness" directly relates to the primary changes in this PR, which focus on enhancing multiple documentation files: expanding getting-started.md with prerequisites and next steps, clarifying the API application process, rewriting types-of-resources.md with detailed scope explanations, and consolidating authentication flows into a single comprehensive guide. The majority of the changeset consists of documentation improvements across guide files, and the title accurately captures this main objective. While the PR also includes updates to schemas/public.json and other supporting files, these are secondary to the primary documentation enhancements described in the PR objectives. The title is sufficiently specific and descriptive, avoiding vague terminology and clearly conveying the intent of the changes.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch improve-api-documentation

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

src/content/docs/guides/authentication.md (1)

29-29: Add language specifications to all fenced code blocks.

Five code blocks lack language identifiers. Per Markdown best practices and linting standards, specify the language for syntax highlighting and clarity:

• Line 29 (URL format) → use ```url or ```http
• Line 43 (callback URL) → use ```http
• Line 51 (POST request) → use ```http
• Line 83 (POST request) → use ```http
• Line 106 (POST request) → use ```http

Also applies to: 43-43, 51-51, 83-83, 106-106

schemas/public.json (1)

579-582: Minor: Consider adding maxItems constraint to forms array.

The forms array (lines 579-582) in PublicAPI_Entities_Ticket lacks a maxItems specification. Per OpenAPI best practices and Checkov (CKV_OPENAPI_21), bounded arrays prevent unbounded responses. While not critical for API correctness, adding "maxItems": 100 (or appropriate limit) would improve spec robustness:

  "forms": {
    "type": "array",
-   "description": "Custom form field responses for this ticket"
+   "description": "Custom form field responses for this ticket",
+   "maxItems": 100
  }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6ab53f7 and 5c5402b.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (9)

• CLAUDE.md (1 hunks)
• package.json (1 hunks)
• schemas/public.json (6 hunks)
• src/content/docs/guides/app-authentication-flow.md (0 hunks)
• src/content/docs/guides/authentication.md (1 hunks)
• src/content/docs/guides/eventpop-api-application.md (1 hunks)
• src/content/docs/guides/getting-started.md (1 hunks)
• src/content/docs/guides/types-of-resources.md (1 hunks)
• src/content/docs/guides/user-authentication-flow.md (0 hunks)

💤 Files with no reviewable changes (2)

• src/content/docs/guides/user-authentication-flow.md
• src/content/docs/guides/app-authentication-flow.md

🧰 Additional context used

🪛 Checkov (3.2.334)

schemas/public.json

[medium] 579-581: Ensure that arrays have a maximum number of items

(CKV_OPENAPI_21)

🪛 Gitleaks (8.28.0)

src/content/docs/guides/authentication.md

[high] 136-137: Discovered a potential authorization token provided in a curl command header, which could compromise the curl accessed resource.

(curl-auth-header)

---

[high] 66-66: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 69-69: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

---

[high] 119-119: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🪛 markdownlint-cli2 (0.18.1)

src/content/docs/guides/authentication.md

29-29: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

43-43: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

51-51: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

83-83: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

106-106: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🔇 Additional comments (10)

package.json (1)

18-20: Good practice: packageManager field with hash pinning ensures team consistency.

Specifying pnpm with a cryptographic hash prevents version drift and improves reproducibility. This is a solid addition.

CLAUDE.md (1)

1-76: Well-structured guidance for Claude Code instances.

The file clearly documents project architecture, package manager requirements, and content organization. References to OpenAPI schema integration (line 38-70) and file conventions (line 72-76) are helpful and accurate based on the PR changes. This will significantly improve onboarding for AI-assisted development.

src/content/docs/guides/getting-started.md (1)

3-23: Excellent restructuring with clear prerequisites and actionable next steps.

The expanded description (line 3) and new Prerequisites (lines 10-16) and Next Steps (lines 18-23) sections transform this from a sparse guide into a well-scaffolded entry point. The progression—request credentials → understand resources → learn authentication—is logical and guides users effectively. Links to related guides support smooth navigation.

src/content/docs/guides/authentication.md (2)

1-12: Comprehensive OAuth 2.0 consolidation with valuable refresh token documentation.

Merging the two authentication flows into a single guide is well-executed. The progression from authorization URL → callback → token exchange → refresh → usage is clear and beginner-friendly. Adding refresh token flow (lines 79-94) and scope details (lines 150-155) fills important documentation gaps. The "legacy" callout (line 98) appropriately guides users away from deprecated patterns.

---

64-73: Example tokens and credentials are appropriately anonymized.

The placeholder examples (e.g., YOUR_CLIENT_ID, YOUR_ACCESS_TOKEN, 420c80567...) are clearly marked as examples or use realistic-looking tokens that are obviously not real credentials. This is acceptable for documentation purposes. Static analysis flags these as API keys, which is a false positive—they're illustrative examples, not actual secrets.

Also applies to: 117-126, 135-138, 144-146

src/content/docs/guides/types-of-resources.md (1)

3-37: Excellent clarity on resource scoping and OAuth patterns.

The rewrite clearly distinguishes User Resources (public scope) from Organizer Resources (organizer scope) with concrete use cases (ticket validation, analytics, check-in). The note on line 21 explaining that results are scoped to the specified organizer is important for preventing confusion. The deprecation note (line 37) appropriately steers users toward User Token with organizer scope rather than legacy App Token.

schemas/public.json (3)

1-38: Comprehensive OAuth2 security definitions and host consolidation.

The securityDefinitions (lines 18-37) correctly map to the authentication documentation, with user_token (authorizationCode flow) and application_token (application/client-credentials flow). Scopes align with the documented public and organizer resources. Host change to www.eventpop.me (line 38) is consistent across the PR.

---

516-789: Well-structured data models with detailed field documentation.

The new PublicAPI_Entities_* definitions (Ticket, Order, Event, User, TicketResponse) provide comprehensive type information. Field descriptions are specific (e.g., line 557: "Unique reference code for ticket validation (e.g., "ABC123")", line 783: "User birthday (YYYY-MM-DD format)"). ISO 8601 timestamps and format specifications improve clarity.

---

127-189: New endpoints for ticket management and event management are well-documented.

The three new/updated endpoints are properly structured:

• /organizers/{organizer_id}/events/{event_id}/tickets/invalidate (POST, line 127-189): Revocation endpoint with formData parameters (ticket_id, reference_code, reason)
• /organizers/{organizer_id}/events/{event_id}/tickets (POST, line 191-292): Ticket creation with idempotency via external_id
• Updated descriptions clearly state scope requirements (organizer scope) and access control (application ownership)

Response codes (201, 400, 401, 403, 404, 409, 422) are comprehensive.

Also applies to: 191-292

src/content/docs/guides/eventpop-api-application.md (1)

3-24: Clear API credential request process with improved security guidance.

The restructuring into "Requesting an API Application" and "Your Credentials" sections (lines 10-24) improves clarity. Explicitly calling out callback URL as required (line 16) and the use case examples prevent confusion. Security guidance (line 22) to keep Client Secret secure and not commit to version control is crucial for developer safety.