All Docs
API ReferenceNurtureHubUpdated March 25, 2026

Security Notice: OpenAPI Schema Public Accessibility (SCR-22)

Security Notice: OpenAPI Schema Public Accessibility (SCR-22)

Version introduced: v1.0.98
Control reference: SCR-22
Category: Competitive Exposure

Overview

During a supply chain security review, it was confirmed that two API endpoints are publicly accessible without authentication:

EndpointTypePublic?
/api/v1/docsHuman-readable API documentation✅ Yes
/api/v1/openapi.jsonMachine-readable OpenAPI schema✅ Yes

Both routes are covered by the isPublic allowlist in middleware.ts. The /api/v1/openapi.json endpoint additionally responds with Access-Control-Allow-Origin: *, making it accessible from any origin via cross-origin requests.

What is exposed

The OpenAPI JSON schema includes:

  • All API endpoint paths
  • Request and response field names and data types
  • Available contact categories (e.g. Seller, Landlord, Buy-to-Let Investor, Active Tenant)
  • Pagination mechanisms
  • CRM integration patterns and data structures

This information is sufficient for a third party to reconstruct a detailed picture of the platform's data model and integration surface without holding a valid API key or account.

Current status

Public access to /api/v1/docs is likely intentional — CRM integration partners (agentOS, Reapit, Alto, Street, Loop) need a stable reference to implement and maintain their integrations.

Public access to /api/v1/openapi.json (the machine-readable schema) is the higher-risk surface because it is trivially consumable by automated tooling and provides field-level detail beyond what a human-readable page offers.

Recommended actions

Option A — Accept public access, reduce discoverability

If public schema access is a deliberate business decision:

  1. Document the decision explicitly so it is not re-raised in future security reviews.
  2. Add a robots.txt disallow rule for /api/v1/ to prevent search engine indexing:
User-agent: *
Disallow: /api/v1/

Option B — Restrict the machine-readable schema

If the full OpenAPI JSON should not be freely accessible:

  1. Remove /api/v1/openapi.json from the isPublic allowlist in middleware.ts.
  2. Require a valid API key in the Authorization header to access the schema, or restrict to an IP/token allowlist of known CRM partners.
  3. Keep /api/v1/docs public if human-readable documentation is still intended to be open.

Example middleware change (conceptual):

// middleware.ts
const isPublic = [
  '/api/v1/docs',         // keep public for CRM developers
  // '/api/v1/openapi.json' — removed; now requires API key
];

Option C — Full authentication for both endpoints

Require authentication (API key or OAuth token) for both /api/v1/docs and /api/v1/openapi.json. This provides the strongest protection but may increase friction for new CRM integration partners onboarding.

Affected file

src/app/api/v1/openapi.json/route.ts

References

  • Internal control: SCR-22
  • Supply chain review category: competitive_exposure
  • Middleware configuration: middleware.tsisPublic allowlist