Backend API reference

Summary of Midsummer’s HTTP REST + WebSocket surface. The exhaustive, maintained listing lives in documentation/backend-api.md.

URL conventions

Prefix	Purpose
/app/<module>/...	App REST APIs (register, staff, schedule, vendors, shop, account, kioskos)
/app/<module>/api/m2m/...	DRF ViewSets on a DefaultRouter (many-to-many / CRUD endpoints)
/app/<module>/api/...	Function-based @api_view endpoints (the bulk of per-feature endpoints)
/api/v2026-01/...	Versioned public API (v2026_01 app)
/o/...	OAuth2 provider (only on the global OAuth domain)
/ws/...	Django Channels WebSockets (jury voting, staff ping)
/ui/...	Submenu + trigger endpoints
/login/...	Auth views (midsummer/login/)

Important

The base path is /app/<module>/ with an internal api/ prefix — not /api/<module>/. DRF routers sit under api/m2m/. This is the single most common routing assumption to get wrong.

Two styles of REST endpoint

1. DRF ViewSets registered on a DefaultRouter (typically under api/m2m/) — standard CRUD + filtering/search/pagination. Used for list/detail admin surfaces (e.g. registration-edit-logs, department titles, audit logs).

2. Function-based @api_views — the majority of feature endpoints. Each view is permission-gated via check_permission(request, '<module>') and scoped to request.current_event.

Authentication

• Session auth (browser SPA) and Token auth (API clients).

• Email/password, magic links, and MFA (TOTP/email) via the login flow.

• OIDC/OAuth2 — Midsummer is both consumer (SSO) and provider.

Permission gating

Most endpoints begin with a check_permission(...) gate returning a level (none/staff/admin/superadmin). The frontend menu is built from the same resolution in midsummer/common/ui.py. See Permissions.

WebSockets

Route	Consumer	Purpose
/ws/jurors/<display_id>/	vendors.consumers.JuryVotingConsumer	Real-time jury voting
(register routing)	register.consumers.*	Staff-ping / register WS support

See Real-time.

Endpoint groups at a glance

• register: form/level/item CRUD, checkout + Stripe webhooks, check-in (standard + rapid + kiosks), badge numbers, merch adjustment, merch pick, tier upgrade, metrics2, reports, staff-management ping, registration-edit-logs, name-watch, previous-years data, superadmin stripe transactions.

• vendors: application lifecycle, jury (WS), task flow, ping conversations, table payment, document center, check-in.

• schedule: panels, slots, rooms/categories/tracks, interest, responses, digital signage, static pages, import/export.

• staff: departments, roster (+ Excel export), titles, shifts/slots/bids, HR, onboarding, transfers, audit log.

• shop: items/addons, cart, checkout, orders, fulfillment + terminals.

• tenant: tenant/org, domains, custom domains, memberships, api-tokens, stripe-keys, billing, connections.

• kioskos: self-service / tether-mode terminal endpoints.

Deep dive

For the full endpoint-by-endpoint listing (paths, methods, gating, request/response shapes), read documentation/backend-api.md — it is the maintained source of truth and is updated by the syncer workflow.

Related

• Request resolution

• Permissions

• Data model