Data Operations
All data entities (products, customers, discounts, tenders, etc.) follow a consistent REST pattern. This page describes the common operations available on every resource.
Base URL Pattern
Section titled “Base URL Pattern”All secured endpoints follow the pattern:
/api/secure/{resource}For example: /api/secure/plu, /api/secure/customer, /api/secure/discount.
Common Fields
Section titled “Common Fields”Every entity managed through the API has these standard fields:
| Field | Type | Description |
|---|---|---|
id | guid | Unique identifier (UUID). |
active | boolean | Whether the entity is active. Used for soft-deletes. |
data | object | JSON object containing entity-specific configuration and settings. |
Most entities also have a name field and are scoped to a company.
Listing Resources
Section titled “Listing Resources”GET /api/secure/{resource}Returns an array of all entities the current user has access to. Results are scoped by the user’s company — you only see data belonging to your company (and parent company data where applicable).
curl -X GET "https://www.mando.fi/api/secure/plu" \ -H "Authorization: Bearer YOUR_API_KEY"Response:
[ { "id": "6ec1fdd5-d50a-4233-bb5d-9a0675ed239a", "active": true, "name": "Kahvi", "data": { ... } }, ...]Filtering
Section titled “Filtering”Some resources accept query parameters to filter results. Available filters are resource-specific and are given as url parameters.
Example — list products in a specific department:
curl -X GET "https://www.mando.fi/api/secure/plu?dpt_id=88baebc9-0898-4a5a-854c-bff13285d383" \ -H "Authorization: Bearer YOUR_API_KEY"Getting a Single Resource
Section titled “Getting a Single Resource”GET /api/secure/{resource}/{id}Returns a single entity by its GUID.
curl -X GET "https://www.mando.fi/api/secure/plu/6ec1fdd5-d50a-4233-bb5d-9a0675ed239a" \ -H "Authorization: Bearer YOUR_API_KEY"Creating a Resource
Section titled “Creating a Resource”POST /api/secure/{resource}Create a new entity by sending a JSON object. If no id is provided, a new UUID is generated automatically.
curl -X POST "https://www.mando.fi/api/secure/customer" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "active": true, "customer_num": 1001, "name": "Acme Corp", "data": { "email": "info@acme.com" } }'The entity is automatically assigned to the current user’s company.
Upsert Behavior
Section titled “Upsert Behavior”If you include an id field in the POST body and a record with that GUID already exists, the API updates the existing
record instead of creating a new one. This makes POST work as an upsert:
curl -X POST "https://www.mando.fi/api/secure/customer" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "id": "6ec1fdd5-d50a-4233-bb5d-9a0675ed239a", "active": true, "name": "Acme Corp Updated", "data": { ... } }'Batch Operations
Section titled “Batch Operations”POST also accepts an array of objects to create or update multiple entities in a single request. Each item in the
array follows the same upsert logic — items with an existing id are updated, items without an id are created.
curl -X POST "https://www.mando.fi/api/secure/customer" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '[ { "id": "existing-guid-1", "name": "Updated Customer", "data": { ... } }, { "name": "New Customer", "customer_num": 1002, "data": { ... } } ]'Response is an array of the created/updated entities in the same order.
Updating a Resource
Section titled “Updating a Resource”PUT /api/secure/{resource}/{id}Update an existing entity. Send only the fields you want to change — unspecified fields are not modified. Each entity type defines which fields are updatable.
curl -X PUT "https://www.mando.fi/api/secure/customer/6ec1fdd5-d50a-4233-bb5d-9a0675ed239a" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "name": "Acme Corporation", "data": { "email": "contact@acme.com", "phone": "+358 40 1234567" } }'Deactivating a Resource (Soft Delete)
Section titled “Deactivating a Resource (Soft Delete)”Entities are not physically deleted through the API. Instead, set active to false:
curl -X PUT "https://www.mando.fi/api/secure/customer/6ec1fdd5-d50a-4233-bb5d-9a0675ed239a" \ -H "Authorization: Bearer YOUR_API_KEY" \ -H "Content-Type: application/json" \ -d '{ "active": false }'Deactivated entities remain in the system and continue to appear in list responses. They are excluded from POS terminal data syncs and are typically hidden in management UI views.
To reactivate, set active back to true.
Data Serialization
Section titled “Data Serialization”ID Format
Section titled “ID Format”The API uses UUIDs as identifiers:
{ "id": "6ec1fdd5-d50a-4233-bb5d-9a0675ed239a"}The data Field
Section titled “The data Field”Most entities store their detailed configuration in a JSON data field. The structure of data is entity-specific and
documented in the Data Models reference. In API responses, data is always returned as a parsed JSON
object (not a string).
Foreign Key References
Section titled “Foreign Key References”Foreign keys are returned as GUIDs of the referenced entity. For example, a product references its department by GUID:
{ "id": "product-guid", "dpt_id": "department-guid", "tax_id": "tax-rate-guid"}When creating or updating, provide the GUID of the referenced entity. The entity must already exist in the system.
Event Logging
Section titled “Event Logging”All create and update operations are automatically logged in the event system. Each event records the user who made the change, the entity type, the entity ID, and the full payload. This provides a complete audit trail of all data modifications.