Cabgo API — guía de auth
OAuth 2.0 + scope catalog + permisos. Esta página explica cómo autenticarse contra la API; para la referencia interactiva con ejemplos curl / JS / Python y consola try-it-out usa /api-docs.
Empezando
La API expone dos niveles de acceso:
- Operador (audience=
dashboard): scopestenant.*mapeados a los permisos deMembershipPermission. Una pérdida de permiso en el dashboard invalida el scope correspondiente en tiempo real. - Usuario final (audience=
riderodriver): scopesrider.*/driver.*condicionados a los flags de tenant (taxiEnabled,deliveryEnabled). Si un operador desactiva delivery, los tokens existentes conrider.orders:createdejan de funcionar inmediatamente.
Discovery
- /.well-known/openid-configuration— OpenID Connect discovery
- /.well-known/oauth-authorization-server— OAuth 2.0 server metadata (RFC 8414)
- /.well-known/oauth-protected-resource— Resource metadata (RFC 9728)
- /.well-known/jwks.json— JWKS — public signing key
- /.well-known/api-catalog— API catalog (RFC 9727)
- /openapi.json— OpenAPI 3.1 spec
Flujo authorization_code + PKCE
- Registra tu cliente vía POST
/oauth/registercon tus redirect URIs. Para apps públicas (CLI, desktop) usatoken_endpoint_auth_method=none+ PKCE obligatorio. - Genera
code_verifier+code_challenge(S256) y redirige al usuario ahttps://www.cabgo.app/oauth/authorize. Para tokens rider/driver pasatenant_hint=<slug>. - Tu redirect URI recibe
?code=...&state=.... Intercambia inmediatamente por tokens vía POST/oauth/tokencongrant_type=authorization_code+code_verifier. - Llama
/api/v1/*conAuthorization: Bearer <access_token>. Verifica offline contra JWKS — sin round-trips al issuer. - Cuando el access token expira, intercambia el
refresh_tokenpor uno fresco. La rotación es obligatoria — si reutilizas un refresh ya consumido, toda la cadena de tokens del par (cliente, actor) queda revocada.
Scopes
OIDC (compat)
| Scope | Descripción | Requiere |
|---|---|---|
| openid | OIDC authentication | — |
| profile | Read profile claims | — |
| Read email claim | — |
Operador — audience=dashboard
| Scope | Descripción | Requiere |
|---|---|---|
| tenant.trips:read | List and read trips for the tenant | Permission: VIEW_TRIPS |
| tenant.trips:write | Create and update trips for the tenant | Permission: CREATE_TRIPS |
| tenant.trips:delete | Delete trips for the tenant | Permission: DELETE_TRIPS |
| tenant.drivers:read | List and read driver profiles | Permission: VIEW_DRIVERS |
| tenant.drivers:write | Create and update drivers | Permission: CREATE_DRIVERS |
| tenant.customers:read | List and read customer profiles | Permission: VIEW_CUSTOMERS |
| tenant.customers:write | Create and update customers | Permission: CREATE_CUSTOMERS |
| tenant.settings:read | Read tenant settings (pricing, zones, services) | Permission: VIEW_SETTINGS |
| tenant.settings:write | Update tenant settings | Permission: EDIT_SETTINGS |
| tenant.reports:read | Read reports and analytics | Permission: VIEW_REPORTS |
| tenant.reports:export | Export reports | Permission: EXPORT_REPORTS |
| tenant.businesses:read | List businesses (delivery module) | Permission: VIEW_BUSINESSES |
| tenant.businesses:write | Create and update businesses | Permission: MANAGE_BUSINESSES |
| tenant.delivery:read | List food orders | Permission: VIEW_FOOD_ORDERS |
| tenant.delivery:write | Update food orders | Permission: MANAGE_FOOD_ORDERS |
| tenant.wallets:read | Read driver / customer wallet balances | Permission: VIEW_WALLETS |
| tenant.wallets:write | Adjust wallets and approve withdrawals | Permission: MANAGE_WALLETS |
| tenant.branding:write | Update branding (logos, colors, copy) | Permission: EDIT_BRANDING |
Rider — audience=rider
| Scope | Descripción | Requiere |
|---|---|---|
| rider.profile:read | Read your profile | — |
| rider.profile:write | Update your profile | — |
| rider.trips:read | Read your trips | — |
| rider.trips:create | Request a ride | Tenant flag: taxiEnabled |
| rider.trips:cancel | Cancel a trip you requested | — |
| rider.orders:read | Read your delivery orders | Tenant flag: deliveryEnabled |
| rider.orders:create | Place a delivery order | Tenant flag: deliveryEnabled |
| rider.addresses:write | Manage your saved addresses | — |
| rider.payments:read | List your payment methods | — |
| rider.wallet:read | Read your wallet balance | — |
Driver — audience=driver
| Scope | Descripción | Requiere |
|---|---|---|
| driver.profile:read | Read your driver profile | — |
| driver.status:write | Go online or offline | — |
| driver.trips:read | Read your assigned trips | — |
| driver.trips:accept | Accept incoming ride offers | — |
| driver.trips:complete | Mark trips as arrived / started / completed | — |
| driver.wallet:read | Read your earnings and wallet | — |
| driver.documents:read | Read the status of your uploaded documents | — |
Endpoints
| Método | Path | Scopes | Permiso / Feature | Resumen |
|---|---|---|---|---|
| GET | /api/v1/me | rider.profile:readdriver.profile:read | — | Read your profile |
| GET | /api/v1/trips | tenant.trips:read | VIEW_TRIPS | List tenant trips |
| GET | /api/v1/trips/{id} | tenant.trips:read | VIEW_TRIPS | Read a single trip |
| GET | /api/v1/drivers | tenant.drivers:read | VIEW_DRIVERS | List tenant drivers |
| GET | /api/v1/customers | tenant.customers:read | VIEW_CUSTOMERS | List + search customers |
| GET | /api/v1/settings | tenant.settings:read | VIEW_SETTINGS | Read tenant settings |
| GET | /api/v1/services | tenant.settings:read | VIEW_SETTINGS | List tenant service types |
| GET | /api/v1/zones | tenant.settings:read | VIEW_SETTINGS | List dispatch zones |
| GET | /api/v1/branding | tenant.settings:read | VIEW_BRANDING | Read tenant branding |
| PATCH | /api/v1/branding | tenant.branding:write | EDIT_BRANDING | Update tenant branding |
| GET | /api/v1/reports/summary | tenant.reports:read | VIEW_REPORTS | Tenant KPI summary |
| GET | /api/v1/wallets | tenant.wallets:read | VIEW_WALLETS | Read wallet totals |
| GET | /api/v1/businesses | tenant.businesses:read | VIEW_BUSINESSES | List delivery businesses |
| GET | /api/v1/orders | tenant.delivery:read | VIEW_FOOD_ORDERS | List delivery orders |
| GET | /api/v1/me/trips | rider.trips:readdriver.trips:read | — | List your trips |
| POST | /api/v1/me/trips | rider.trips:create | taxiEnabled | Request a ride |
| POST | /api/v1/me/trips/{id}/cancel | rider.trips:cancel | — | Cancel your trip |
| GET | /api/v1/me/addresses | rider.profile:read | — | List saved addresses |
| POST | /api/v1/me/addresses | rider.addresses:write | — | Save a new address |
| GET | /api/v1/me/wallet | rider.wallet:readdriver.wallet:read | — | Read your wallet balance |
| GET | /api/v1/me/payment-methods | rider.payments:read | — | List saved payment methods |
| GET | /api/v1/me/orders | rider.orders:read | deliveryEnabled | List your delivery orders |
| PATCH | /api/v1/me/status | driver.status:write | — | Update driver status |
| POST | /api/v1/me/trips/{id}/accept | driver.trips:accept | — | Accept an open trip |
| POST | /api/v1/me/trips/{id}/arrived | driver.trips:complete | — | Mark as arrived at pickup |
| POST | /api/v1/me/trips/{id}/start | driver.trips:complete | — | Start the trip |
| POST | /api/v1/me/trips/{id}/complete | driver.trips:complete | — | Complete the trip |
Errores estándar
401 unauthorized— token ausente, inválido o revocado. HeaderWWW-Authenticate: Bearer ....403 insufficient_scope— el token no tiene los scopes que el endpoint requiere. HeaderWWW-Authenticate: Bearer error="insufficient_scope".403 forbidden— operador perdió elPermissionrequerido.403 feature_disabled— el tenant tiene la feature requerida apagada. Cuerpo incluyefeature.
SDK / MCP
El paquete oficial cabgo-mcp implementa el flujo OAuth completo + expone cada endpoint como tool MCP para Claude Desktop, Cursor, Continue y otros clientes. Instalación y configuración en /docs/api/mcp.