URLs and address resolution
Relative paths
All endpoints in the contract are relative (/pages/home,
/api/orders?page={page}). The client resolves them against the manifest origin
(not against the current page’s URL). One fixed base per service.
No absolute URLs
Absolute URLs in navigate, submit, rows_endpoint, badge_source,
search.endpoint, source are forbidden. The client refuses to run such an
action.
Consequence: one JSON works on staging and prod unchanged.
Moving a service to another domain = reconnecting the manifest.
Authorization
Authorization: Bearer(or the transport fromguard) is attached only to requests on the manifest origin.- Under no circumstances does the credential leave for another domain.
- Cross-origin redirects (3xx to a foreign origin) do not carry authorization — the client does not follow them with the header.
Request headers
On every contract request the client sends:
Accept: application/json- a set of
X-Vaktor-*: app version, platform, OS, device, language, region Content-Type: application/json— only onsubmit(JSON body)Idempotency-Key: <UUID>— on everysubmit
Exceptions — absolute URLs are allowed, always without Authorization
- The
open_url,tel,mailtoactions image.urlandicon_url(CDN)