Skip to main content
This reference documents the endpoints that are real and supported today.

Canonical Base URL

Use https://api.tattooapi.com/v1 for public docs, SDK generation, and external integrations. https://api.tattooapi.com/v1 can remain an internal or compatibility alias for tattoo.co marketplace and Studio OS traffic, but it should not be the canonical developer-facing base URL.

Supported Surface

  • GET /health - public operational read
  • GET /studios - public directory read
  • GET /artists and GET /artists/{id} - authenticated artist read beta
  • GET /search - authenticated discovery read beta
  • GET /portfolios and GET /designs - authenticated creative read beta returning public projections
  • GET /me/portfolio-assets and GET /me/designs - authenticated owner-scoped creative read beta

Current Public Boundary

The public documentation surface is intentionally discovery-first while Wave D and Wave E close:
  • Public no-auth reads are limited to health and studios.
  • WorkOS is the default auth authority for internal beta and owner-scoped routes.
  • Authenticated discovery reads can be used internally and in controlled SDK beta flows.
  • Authenticated creative reads return projection-filtered portfolio/design data.
  • Owner creative reads are scoped to the authenticated owner actor and keep draft/private records out of cross-studio visibility.
  • Public write expansion remains blocked.
  • Owner write methods are present only as gated contract responses.
  • Public webhook and legacy auth ingress routes exist for compatibility, but they are not the promoted public API expansion path.
  • Future owner-scoped writes and public intake flows will be split onto separate route families rather than broad public mutation endpoints.
  • Local API key management routes are retired in WorkOS mode and return 410.
  • Mastra exists only as an internal Studio and agent runtime in this phase; it does not add new public API routes.
  • Internal API beta access uses WorkOS AuthKit and WorkOS API Keys, but detailed team setup remains repo-internal.
  • Wave F+ public read, SDK, free-tool, dataset, and intelligence surfaces remain gated until runtime truth, review lineage, rights, consent, privacy, and audit posture are proven.

Important Constraint

The current runtime still has mixed legacy response envelopes. These docs describe the current behavior truthfully instead of pretending the runtime is already fully unified. See Project Status for the current Wave D/E cutover posture and the public-surface boundaries. See API Access Model and Future Wave Gates for the current public/private split. See Current API Surface Map for the route-by-route public, beta, owner, internal, deprecated, and blocked posture.

Source of Truth

  • Domain model: packages/domain-ontology
  • Generated ontology reference: project-context/ontology
  • Current endpoint metadata: mintlify-docs/openapi.json
  • API access posture: project-context/ontology/api-access-and-privacy-matrix.md