SafeSites API

Assessment Attempts

• POST /assessment-attempt-answers/{id}/review — Review a free-text answer. When all answers are reviewed, the attempt is finalized.
• GET /assessment-attempts — View assessment attempts. Filter by assessmentId, userId, or status.
• POST /assessment-attempts — Start a new assessment attempt. Returns existing in-progress attempt if one exists.
• DEL /assessment-attempts/{id} — Delete an assessment attempt.
• GET /assessment-attempts/{id} — View a specific assessment attempt.
• POST /assessment-attempts/{id}/submit — Submit answers for an assessment attempt. Calculates score and determines pass/fail.

Assessment Questions

• GET /assessment-questions — View assessment questions. Requires assessments.read permission.
• POST /assessment-questions — Create an assessment question. Requires assessments.create permission.
• DEL /assessment-questions/{id} — Delete an existing assessment question. Requires assessments.delete permission.
• GET /assessment-questions/{id} — View a specific assessment question. Requires assessments.read permission.
• PUT /assessment-questions/{id} — Update an assessment question. Requires assessments.update permission. If the parent assessment is confirmed, a new version of the question will be created.

Assessments

• GET /assessments — View assessments. Requires assessments.read permission.
• POST /assessments — Create an assessment. Requires assessments.create permission.
• DEL /assessments/{id} — Delete an existing assessment. Requires assessments.delete permission.
• GET /assessments/{id} — View a specific assessment. Requires assessments.read permission.
• PUT /assessments/{id} — Update an assessment. Requires assessments.update permission. If the assessment is confirmed, a new draft version will be created automatically.

Auth

• POST /login — Authenticate with email and password to receive a JWT token.
• POST /logout — Revoke the token used to authenticate the current request.
• POST /password/forgot — Request a password reset email. Always returns 200 to prevent user enumeration.
• POST /password/reset — Reset a user's password using a valid token.

Coworkers

• GET /coworkers — List coworkers in the current organization. Requires users.read permission.
• GET /coworkers/invitations — List pending invitations for the current organization. Requires users.read permission.
• POST /coworkers/invitations — Invite someone to join the organization. Requires users.invite permission.
• DEL /coworkers/invitations/{id} — Cancel a pending invitation. Requires users.invite permission.
• POST /coworkers/invitations/{id}/resend — Resend an invitation email. Requires users.invite permission.
• DEL /coworkers/{id} — Remove a coworker from the organization. Requires users.delete permission.
• GET /coworkers/{id} — View a specific coworker. Requires users.read permission.
• PUT /coworkers/{id} — Update a coworker's role and/or site assignments. Requires users.update permission.

Educational Contents

• GET /educational-contents — View educational contents. Requires educational-contents.read permission.
• POST /educational-contents — Create an educational content. Requires educational-contents.create permission.
• DEL /educational-contents/{id} — Delete an existing educational content. Requires educational-contents.delete permission.
• GET /educational-contents/{id} — View a specific educational content. Requires educational-contents.read permission.
• PUT /educational-contents/{id} — Update an educational content. Requires educational-contents.update permission. If the content is confirmed, a new draft version will be created automatically.

Equipment

• GET /equipment — View equipment. Requires equipment.read permission.
• POST /equipment — Create equipment. Requires equipment.create permission.
• DEL /equipment/{id} — Delete existing equipment. Requires equipment.delete permission.
• GET /equipment/{id} — View a specific equipment. Requires equipment.read permission.
• PUT /equipment/{id} — Update equipment. Requires equipment.update permission.

Equipment Groups

• GET /equipment-groups — View equipment groups. Requires equipment-groups.read permission.
• POST /equipment-groups — Create an equipment group. Requires equipment-groups.create permission.
• DEL /equipment-groups/{id} — Delete an existing equipment group. Requires equipment-groups.delete permission.
• GET /equipment-groups/{id} — View a specific equipment group. Requires equipment-groups.read permission.
• PUT /equipment-groups/{id} — Update an equipment group. Requires equipment-groups.update permission.

Events

• GET /events — View events. Requires events.read permission.
• POST /events — Create a new event. Requires events.create permission.
• DEL /events/{id} — Delete an event. Requires events.delete permission.
• GET /events/{id} — View a specific event. Requires events.read permission.
• PUT /events/{id} — Update an event. Requires events.update permission.
• POST /events/{id}/assignments — Add an assignment to an event. Requires events.update permission.
• DEL /events/{id}/assignments/{assignmentId} — Remove an assignment from an event. Requires events.update permission.
• POST /events/{id}/confirm — Confirm a draft event. Requires events.update permission.
• POST /events/{id}/exceptions — Create an exception for an event occurrence. Requires events.update permission.
• DEL /events/{id}/exceptions/{exceptionId} — Delete an event exception. Requires events.update permission.
• GET /events/{id}/occurrences — Compute occurrences for an event in a date range. Requires events.read permission.

Jobs

• GET /jobs — View jobs assigned to the supplier organization. Users with jobs.read see all jobs; otherwise only assigned jobs are returned.
• GET /jobs/{id} — View a specific job. Requires jobs.read permission.

Manufacturers

• GET /manufacturers — View manufacturers. Requires manufacturers.read permission.
• POST /manufacturers — Create a manufacturer. Requires manufacturers.create permission.
• DEL /manufacturers/{id} — Delete an existing manufacturer. Requires manufacturers.delete permission. Manufacturers with associated equipment cannot be deleted.
• GET /manufacturers/{id} — View a specific manufacturer. Requires manufacturers.read permission.
• PUT /manufacturers/{id} — Update a manufacturer. Requires manufacturers.update permission.

Orders

• GET /orders — View orders. Requires orders.read permission.
• POST /orders — Create a new order. Requires orders.create permission.
• DEL /orders/{id} — Delete a draft order. Requires orders.delete permission.
• GET /orders/{id} — View a specific order. Requires orders.read permission.
• PUT /orders/{id} — Update an order. Requires orders.update permission.
• POST /orders/{id}/transition — Transition an order to a new status. Requires orders.update permission.
• POST /orders/{id}/work-tasks — Add work tasks to a draft order. Requires orders.update permission.
• PUT /orders/{id}/work-tasks/reorder — Reorder work task groups in a draft order. Requires orders.update permission.
• DEL /orders/{id}/work-tasks/{workTaskGroupId} — Remove a work task group from a draft order. Requires orders.update permission.

Organizations

• GET /organizations — List organizations the authenticated user belongs to.
• POST /organizations — Create a new organization. The authenticated user must have permission to create organizations.
• GET /organizations/{id} — View a single organization.
• PUT /organizations/{id} — Update an organization.

Roles

• GET /roles — View roles. Requires roles.read permission.
• POST /roles — Create a role. Requires roles.write permission.
• DEL /roles/{id} — Delete an existing role. Requires roles.write permission. Roles with assigned users cannot be deleted.
• GET /roles/{id} — View a specific role. Requires roles.read permission.
• PUT /roles/{id} — Update a role. Requires roles.write permission.

Safety Requirements

• GET /safety-requirements — View safety requirements. Requires safety-requirements.read permission.
• POST /safety-requirements — Create a safety requirement. Requires safety-requirements.create permission.
• DEL /safety-requirements/{id} — Delete an existing safety requirement. Requires safety-requirements.delete permission.
• GET /safety-requirements/{id} — View a specific safety requirement. Requires safety-requirements.read permission.
• PUT /safety-requirements/{id} — Update a safety requirement. Requires safety-requirements.update permission. Updating a confirmed requirement automatically creates a new version.
• GET /safety-requirements/{id}/versions — List all versions of a specific safety requirement. Requires safety-requirements.read permission.

Sites

• GET /sites — View sites. Requires sites.read permission.
• POST /sites — Create a site. Requires sites.create permission.
• DEL /sites/{id} — Delete an existing site. Requires sites.delete permission. Sites with associated equipment or events cannot be deleted.
• GET /sites/{id} — View a specific site. Requires sites.read permission.
• PUT /sites/{id} — Update a site. Requires sites.update permission.

Suppliers

• GET /suppliers — List supplier relationships for the current organization. Requires suppliers.read permission.
• GET /suppliers/invitations — List pending supplier invitations for the current organization. Requires suppliers.read permission.
• DEL /suppliers/invitations/{id} — Cancel a pending supplier invitation. Requires suppliers.delete permission.
• GET /suppliers/invitations/{id} — View a specific supplier invitation. Requires suppliers.read permission.
• POST /suppliers/invitations/{id}/resend — Resend a supplier invitation with an updated email address. Requires suppliers.invite permission.
• DEL /suppliers/{id} — Delete a supplier relationship. Requires suppliers.delete permission. Hard delete (historical orders retain supplier org reference).
• GET /suppliers/{id} — View a specific supplier relationship. Requires suppliers.read permission.
• PATCH /suppliers/{id} — Update a supplier relationship status. Requires suppliers.update permission. Only allows Active ↔ Inactive transitions.

Tokens

• GET /tokens — List all API tokens for the authenticated user.
• POST /tokens — Create a new API token.
• DEL /tokens/{id} — Delete (revoke) an API token.
• GET /tokens/{id} — View a single API token by ID.

User

• GET /profile — View your account profile
• PUT /profile — Update your account profile. SSO users cannot update firstName/lastName.
• GET /settings — View your account settings
• PUT /settings — Update your account settings

Work Steps

• GET /work-steps — View work steps. Requires work-steps.read permission.
• POST /work-steps — Create a work step. Requires work-steps.create permission.
• DEL /work-steps/{id} — Delete an existing work step. Requires work-steps.delete permission.
• GET /work-steps/{id} — View a specific work step. Requires work-steps.read permission.
• PUT /work-steps/{id} — Update a work step. Requires work-steps.update permission. Updating a confirmed work step automatically creates a new version.
• GET /work-steps/{id}/versions — List all versions of a specific work step. Requires work-steps.read permission.

Work Tasks

• GET /work-tasks — View work tasks. Requires work-tasks.read permission.
• POST /work-tasks — Create a work task. Requires work-tasks.create permission. Only draft status is accepted on create.
• DEL /work-tasks/{id} — Delete an existing work task. Requires work-tasks.delete permission. Work tasks with associated work steps or events cannot be deleted.
• GET /work-tasks/{id} — View a specific work task. Requires work-tasks.read permission.
• PUT /work-tasks/{id} — Update a work task. Requires work-tasks.update permission. Updating a confirmed work task automatically creates a new version.
• GET /work-tasks/{id}/versions — List all versions of a specific work task. Requires work-tasks.read permission.