- Always return amounts in API responses as cents / milli-sats
- Never add JavaScript code examples to API documentation
- Never expose secrets in admin API responses — tokens, API keys, webhook secrets, and other sensitive values must never be returned in GET/list responses. Use sanitized structs with boolean indicators (e.g., `has_token: true`) instead of the actual values.
- All `list_*` APIs must use database-level pagination — never fetch all rows and paginate in Rust (skip/take). Use `LIMIT ? OFFSET ?` in the SQL query, and return a separate `COUNT(*)` (or equivalent) for the `total` field in the paginated response. Results must be ordered deterministically (typically `ORDER BY id DESC` or `ORDER BY created DESC`) so pagination is stable across requests.
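An added Rust example, not the project's own code, illustrating the two rules above: a sanitized admin response struct that replaces the secret with a boolean indicator, and the query constants plus helpers for database-level pagination. The `WebhookRow`/`WebhookView` types, the `webhooks` table and the `amount_msat` column are assumptions for the example.

```rust
/// Row as loaded from the database. It holds the real secret, so this type
/// must never be serialized into an API response. (Hypothetical type.)
#[derive(Debug, Clone)]
pub struct WebhookRow {
    pub id: i64,
    pub url: String,
    pub secret: Option<String>,
    pub amount_msat: u64, // amounts stay in milli-sats, never fractional units
}

/// Sanitized shape returned by GET/list: the secret becomes a boolean indicator.
#[derive(Debug, Clone, PartialEq)]
pub struct WebhookView {
    pub id: i64,
    pub url: String,
    pub has_secret: bool,
    pub amount_msat: u64,
}

impl From<&WebhookRow> for WebhookView {
    fn from(row: &WebhookRow) -> Self {
        WebhookView {
            id: row.id,
            url: row.url.clone(),
            // An empty string counts as "no secret configured".
            has_secret: row.secret.as_deref().map_or(false, |s| !s.is_empty()),
            amount_msat: row.amount_msat,
        }
    }
}

/// Paginated response: `total` comes from a separate COUNT(*), never `items.len()`.
#[derive(Debug, PartialEq)]
pub struct Paginated<T> {
    pub items: Vec<T>,
    pub total: i64,
}

/// Page query with deterministic ordering; LIMIT and OFFSET are bound parameters.
pub const WEBHOOK_PAGE_SQL: &str =
    "SELECT id, url, secret, amount_msat FROM webhooks ORDER BY id DESC LIMIT ? OFFSET ?";
pub const WEBHOOK_COUNT_SQL: &str = "SELECT COUNT(*) FROM webhooks"; // fills `total`

/// Clamp client-supplied paging parameters before binding them to the query.
pub fn clamp_page(limit: i64, offset: i64, max_limit: i64) -> (i64, i64) {
    (limit.clamp(1, max_limit), offset.max(0))
}
/// Build the response from one fetched page plus the COUNT(*) result.
pub fn to_page(rows: &[WebhookRow], total: i64) -> Paginated<WebhookView> {
    Paginated { items: rows.iter().map(WebhookView::from).collect(), total }
}
```

The handler binds the clamped `(limit, offset)` to `WEBHOOK_PAGE_SQL`, runs `WEBHOOK_COUNT_SQL` for `total`, and serializes only the `Paginated<WebhookView>` it gets from `to_page`.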
When modifying any API (user-facing or admin), you MUST:
- Update the API documentation — Keep `ADMIN_API_ENDPOINTS.md` and any other API docs in sync with code changes.
- Update the API changelog — Add an entry to `API_CHANGELOG.md` with:
  - Date of change
  - Type of change (Added, Changed, Deprecated, Removed, Fixed, Security)
  - Brief description of what changed
  - Which endpoints are affected