# ohmesh

ohmesh is a DB-free auth and user-scoped JSON storage API for static apps.
Use this page when an automated client or LLM needs to understand how to write data through the ohmesh API.

Base URL: https://ohmesh.okgo.click

## Core Flow

1. Register an app in the ohmesh admin UI and keep its app slug.
2. Send the user to:
   GET https://ohmesh.okgo.click/login?app={app_slug}&redirect_url={encoded_app_url}
3. After OAuth succeeds, ohmesh redirects back to the registered redirect URL and sets an app-specific HttpOnly session cookie.
4. Browser API calls must use credentials: "include" so the cookie is sent.
5. Data records are always scoped to the current session user and app.
6. By default, each app allows up to 5 users and 10 total JSON records unless changed in app settings.

## Check Login

GET https://ohmesh.okgo.click/auth/me?app={app_slug}

JavaScript:
fetch("https://ohmesh.okgo.click/auth/me?app={app_slug}", {
  credentials: "include"
})

If the user is logged in, the response includes user, app, and session.expires_at.

## Insert JSON Data

POST https://ohmesh.okgo.click/api/apps/{app_slug}/records
Content-Type: application/json
Cookie auth: sent automatically by the browser with credentials: "include"

Body:
{
  "type": "note",
  "data": {
    "title": "Hello",
    "done": false
  }
}

JavaScript:
await fetch("https://ohmesh.okgo.click/api/apps/{app_slug}/records", {
  method: "POST",
  credentials: "include",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    type: "note",
    data: { title: "Hello", done: false }
  })
})

Success response: 201 Created with a record object containing id, app_id, user_id, type, data, created_at, updated_at.

## Read And Update Data

GET https://ohmesh.okgo.click/api/apps/{app_slug}/records?type=note&limit=100&offset=0
GET https://ohmesh.okgo.click/api/apps/{app_slug}/records/{id}
PATCH https://ohmesh.okgo.click/api/apps/{app_slug}/records/{id}
DELETE https://ohmesh.okgo.click/api/apps/{app_slug}/records/{id}

Patch body may include type, data, or both.
Delete returns 204 No Content.

## Logout

App logout URL. This clears the ohmesh session cookie and redirects immediately:
GET https://ohmesh.okgo.click/logout?app={app_slug}&redirect_url={encoded_app_url}

Programmatic app logout:
POST https://ohmesh.okgo.click/auth/logout?app={app_slug}&redirect_url={encoded_app_url}

## Constraints

- redirect_url must be registered for the app.
- API requests require the app-specific ohmesh session cookie.
- Never expect OAuth access tokens, refresh tokens, or raw session tokens in API responses.
- data must be valid JSON.
- type is required and must be 120 characters or less.
- Default app limits are 5 users and 10 total JSON records.
- CORS requests must come from a registered app domain or allowed origin.

Machine-readable OpenAPI spec: https://ohmesh.okgo.click/openapi.json