API reference

Technical reference for integrating with the Datar Platform API. Build custom integrations and extend the platform to fit your needs.

For developers
This section is intended for developers and technical users who want to integrate with the Datar Platform programmatically.

Data architecture

How data flows through the platform

Web & Mobile Apps -> API Layer (tRPC) -> Database & Storage

Web & Mobile

The Next.js web app and Expo mobile app both consume the same API. A shared codebase ensures consistent behavior across platforms.

Type-safe API

Built with tRPC, every request and response is fully typed. Inputs are validated against Zod schemas, and type errors are caught at compile time rather than at runtime.

Secure storage

DynamoDB single-table design with S3 for file storage. Encrypted at rest, fine-grained access controls, and full audit logging.

Overview

How the Datar API is structured

The Datar Platform exposes a type-safe API built on tRPC. All communication between the web and mobile clients uses this API. You can use it to build custom integrations, automate workflows, or connect Datar with other tools your organization uses.

Secure

Session-based authentication with HTTP-only cookies, fine-grained permissions, and comprehensive audit logging for all operations.

Consistent

All endpoints follow the same patterns for input validation, error handling, and response formatting.

Extensible

The modular architecture makes it straightforward to add new endpoints and integrations.

Authentication

How to authenticate with the API

The API uses session-based authentication powered by Better Auth. To make authenticated requests, you need a valid session token.

Session tokens

After successful authentication, the server issues a session token stored as an HTTP-only cookie. This token is automatically included in subsequent requests.

Token refresh

Sessions are automatically refreshed when active. Inactive sessions expire after a configurable period set by your administrator.

Never expose session tokens in client-side code or URLs. Always use HTTP-only cookies or secure server-side storage.
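
The cookie rules above can be checked from the integrator's side. This added example (not Datar or Better Auth code) audits a `Set-Cookie` header and flags URLs that carry token-like parameters; the `Secure` and `SameSite` checks are general cookie hardening beyond what this page states, and the cookie name, parameter names and sample values are constructed.

```javascript
// Added example, not Datar or Better Auth code. All sample values are constructed.

// Parse one Set-Cookie header value into its cookie name and a
// lower-cased attribute map (flag attributes map to an empty string).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf("="));
  const flags = new Map();
  for (const attr of attrs) {
    if (!attr) continue;
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    flags.set(key, eq === -1 ? "" : attr.slice(eq + 1));
  }
  return { name, flags };
}

// Return the names of the hardening attributes a session cookie lacks.
function auditSessionCookie(header) {
  const { flags } = parseSetCookie(header);
  const missing = [];
  if (!flags.has("httponly")) missing.push("HttpOnly"); // readable by page scripts
  if (!flags.has("secure")) missing.push("Secure");     // sent over plain HTTP
  const sameSite = (flags.get("samesite") || "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") missing.push("SameSite"); // sent cross-site
  return missing;
}

// Return the token-like query parameters present in a URL. Tokens in URLs
// leak into access logs, browser history and Referer headers.
// The default parameter names are hypothetical; adjust them to your integration.
function tokenParamsInUrl(url, names = ["token", "session", "session_token"]) {
  const params = new URL(url).searchParams;
  return names.filter((n) => params.has(n));
}

// Constructed samples: one hardened cookie, one bare cookie, one leaky URL.
const hardened = "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax";
const bare = "sid=abc123; Path=/";
const leakyUrl = "https://app.example.test/drive?folder=42&session_token=abc123";
console.log(auditSessionCookie(hardened), auditSessionCookie(bare), tokenParamsInUrl(leakyUrl));
```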

Available endpoints

The API is organized by module

Each platform module exposes its own set of API procedures. The main endpoint groups are:

Requests

Create, read, update, and manage requests. Includes approval workflows, status transitions, and line item management.

Projects

Manage projects, tasks, timesheets, and sprints. Supports assignment, status tracking, and board views.

People

Employee profiles, timesheets, leave management, performance goals, and attendance.

Drive

File and folder management, uploads, sharing, permissions, and storage operations.

Inventory

Product and stock management, categories, locations, and stock level tracking.

Procurement

Tender management, purchase orders, vendor management, and budget tracking.

Additional shared endpoints are available for tags, permissions, comments, notifications, and search.

Rate limits

Usage limits to keep the platform stable

To ensure reliable performance for all users, the API enforces rate limits on requests. If you exceed the limit, you will receive a 429 (Too Many Requests) response.

Standard requests

Up to 100 requests per minute per authenticated user. Sufficient for normal interactive use and moderate automation.

File uploads

File uploads have separate limits based on file size and your organization's storage quota. Contact your administrator for details.

Batch operations

Batch endpoints have lower rate limits. Space out bulk operations to avoid hitting the limit.

Error handling

How to handle API errors gracefully

The API uses standard HTTP status codes and returns structured error objects with details about what went wrong.

400 — Bad Request

The request was malformed or missing required fields. Check the error details for specific field-level validation messages.

401 — Unauthorized

Your session has expired or you are not authenticated. Re-authenticate and retry the request.

403 — Forbidden

You do not have permission to perform this action. Check that your role and item-level permissions are sufficient.

404 — Not Found

The requested resource does not exist or has been deleted. Verify the ID and check the trash if applicable.

429 — Too Many Requests

You have exceeded the rate limit. Wait before retrying. Implement exponential backoff in automated scripts.
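
One way to apply the rate-limit and error-handling guidance above in an automated script, as an added example that is not Datar code: it retries only on 429 with exponential backoff and jitter, and stops on 401 and on the other error codes. The `send` function, option names and default delays are assumptions, and the demo responses are constructed.

```javascript
// Added example, not Datar code. `send` is a hypothetical caller-supplied
// function that performs one API request and resolves to { status, body }.

// Map the documented status codes to what an automated client should do next.
function classify(status) {
  if (status >= 200 && status < 300) return "ok";
  if (status === 429) return "backoff";        // rate limited: wait, then retry
  if (status === 401) return "reauthenticate"; // session expired: retrying as-is cannot succeed
  return "fail";                               // 400, 403, 404 and anything else: do not retry blindly
}

// Exponential backoff with full jitter: random wait in [0, min(capMs, baseMs * 2^attempt)).
// capMs defaults to 60 s, assuming the per-minute limit is counted over a one-minute window.
function backoffDelayMs(attempt, { baseMs = 1000, capMs = 60000 } = {}, rand = Math.random) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(rand() * ceiling);
}

// Send until the response is not a 429 or the retry budget is spent.
// `sleep` and `rand` are injectable so the policy can be tested without waiting.
async function callWithRetry(send, { maxRetries = 5, sleep, rand, ...backoff } = {}) {
  const wait = sleep || ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
  const waits = [];
  for (let attempt = 0; ; attempt++) {
    const res = await send();
    const action = classify(res.status);
    if (action !== "backoff") return { action, status: res.status, body: res.body, waits };
    if (attempt >= maxRetries) return { action: "gave-up", status: res.status, waits };
    const ms = backoffDelayMs(attempt, backoff, rand);
    waits.push(ms);
    await wait(ms);
  }
}

// Constructed demo: two 429 responses followed by a success.
function demo() {
  const statuses = [429, 429, 200];
  let i = 0;
  const send = async () => ({ status: statuses[i++], body: null });
  return callWithRetry(send, { sleep: async () => {}, rand: () => 0.5 });
}
```

A caller that receives `reauthenticate` should obtain a new session before sending again, and one that receives `gave-up` should surface the failure rather than keep retrying.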

Frequently asked questions

Yes. Any application that can make HTTP requests can integrate with the Datar API. You will need valid authentication credentials and should follow the rate limit guidelines. For server-to-server use, store tokens securely and rotate them periodically.

Contact your administrator to request access to a development or staging environment for testing integrations without affecting production data. Sandbox data resets are common, so avoid relying on long-lived test records.

Report API issues to your organization's IT administrator or contact the Datar support team directly. Include the endpoint, request payload, and error response to help with diagnosis. A timestamp and correlation ID (if returned) speed triage.
