Beta
Make a first authenticated API call
Discover runtime capabilities, choose the correct authentication boundary, and call one read-only operation against a local Node.
Before you start
- Run a v0.3 release-candidate Node on the default loopback listener.
- Install `curl` and `jq` and keep credentials in environment variables rather than shell history.
- Use a disposable test profile and the narrowest identity appropriate to the operation.
- Read the current OpenAPI security declaration; public runtime discovery does not make administrative routes public.
First-call steps
- Read the public runtime snapshot and record schema, deployment, readiness, and advertised capabilities.
- Confirm the Node version and operation exist in the generated OpenAPI contract.
- Choose standalone Basic Auth, hosted Bearer JWT, or a scoped `mbz_` API token as declared for that operation.
- Call a read-only endpoint first and inspect both HTTP status and response envelope.
- Remove credentials from terminal output, logs, screenshots, and support evidence.
```bash
BASE_URL=http://127.0.0.1:5102
curl -fsS "$BASE_URL/v1/runtime-config" | jq
curl -fsS \
  -H "Authorization: Bearer $MBZ_API_TOKEN" \
  "$BASE_URL/v1/webhooks" | jq
```
Expected result and verification
Runtime discovery should return a success envelope without requiring an administrative credential. The protected call should succeed only when the token is valid and has the required scope. Confirm the response belongs to the intended Node before building automation around it.
If something fails
- `401` indicates missing or invalid authentication; do not retry rapidly with guessed credentials.
- `403` indicates the resolved identity lacks the required permission or scope.
- `404` may mean wrong base URL, version, route, or unavailable composition; check OpenAPI and runtime capabilities.
- `409` usually requires state reconciliation before retry.
- `429` requires bounded backoff and respect for server guidance.
- A transport success with an application error still requires error handling.
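The failure guidance above and the step about removing credentials from output, combined into one shell wrapper. This is an added example, not part of the Node's own tooling: the function names `redact`, `next_action` and `call_node`, the retry limits, and the character set assumed after the `mbz_` prefix are all assumptions. It drops curl's `-f` so the error body stays available for inspection alongside the status.

```bash
# Added example, not the Node's tooling. Both limits are assumed values.
MAX_ATTEMPTS=4   # retry budget for 429
MAX_DELAY=30     # cap, in seconds, on any single wait

# Mask credentials in text (e.g. curl -v output) before sharing; mbz_ charset is assumed.
redact() {
  sed -E \
    -e 's/([Aa]uthorization:[[:space:]]*(Bearer|Basic)[[:space:]]+)[^[:space:]"]+/\1[REDACTED]/g' \
    -e 's/mbz_[A-Za-z0-9._-]+/mbz_[REDACTED]/g'
}

# Print ok, retry:<seconds> or stop:<reason>. $1 status, $2 attempt (1-based), $3 Retry-After.
next_action() {
  local status="$1" attempt="${2:-1}" retry_after="${3:-}" delay
  case "$status" in
    2??) echo "ok" ;;
    401) echo "stop:fix-credentials" ;;            # never loop on guessed credentials
    403) echo "stop:missing-permission-or-scope" ;;
    404) echo "stop:check-base-url-and-openapi" ;;
    409) echo "stop:reconcile-state" ;;
    429)
      if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then echo "stop:retry-budget-exhausted"; return; fi
      case "$retry_after" in
        ''|*[!0-9]*) delay=$(( 1 << attempt )) ;;  # absent or HTTP-date: wait 2, 4, 8 ...
        *) delay=$retry_after ;;                   # server guidance in seconds
      esac
      if [ "$delay" -gt "$MAX_DELAY" ]; then delay=$MAX_DELAY; fi
      echo "retry:$delay" ;;
    *) echo "stop:unexpected-status-$status" ;;
  esac
}

# GET a path with status, headers and body kept apart; without -f the error body is kept.
call_node() {
  local path="$1" attempt=1 hdr body status ra action
  hdr=$(mktemp); body=$(mktemp)
  while :; do
    status=$(curl -sS -o "$body" -D "$hdr" -w '%{http_code}' \
      -H "Authorization: Bearer $MBZ_API_TOKEN" "$BASE_URL$path") || status=000
    ra=$(awk 'tolower($1)=="retry-after:"{print $2}' "$hdr" | tr -d '\r')
    action=$(next_action "$status" "$attempt" "$ra")
    [ "${action%%:*}" = retry ] || break
    sleep "${action#retry:}"; attempt=$((attempt + 1))
  done
  echo "$action" >&2; cat "$body"; rm -f "$hdr" "$body"
  [ "$action" = ok ]
}
```

With `BASE_URL` and `MBZ_API_TOKEN` set as in the steps above, `call_node /v1/webhooks | jq` prints the body for envelope inspection and reports the decision on stderr.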