Vaktor v0.1

URLs and address resolution

Relative paths

All endpoints in the contract are relative (/pages/home, /api/orders?page={page}). The client resolves them against the manifest origin (not against the current page’s URL). One fixed base per service.

No absolute URLs

Absolute URLs in navigate, submit, rows_endpoint, badge_source, search.endpoint, source are forbidden. The client refuses to run such an action.

Consequence: one JSON works on staging and prod unchanged. Moving a service to another domain = reconnecting the manifest.

Authorization

  • Authorization: Bearer (or the transport from guard) is attached only to requests on the manifest origin.
  • Under no circumstances does the credential leave for another domain.
  • Cross-origin redirects (3xx to a foreign origin) do not carry authorization — the client does not follow them with the header.

Request headers

On every contract request the client sends:

  • Accept: application/json
  • a set of X-Vaktor-*: app version, platform, OS, device, language, region
  • Content-Type: application/jsononly on submit (JSON body)
  • Idempotency-Key: <UUID> — on every submit

Exceptions — absolute URLs are allowed, always without Authorization

  • The open_url, tel, mailto actions
  • image.url and icon_url (CDN)