feat: migrate email send to V3 action; deprecate api.py legacy endpoints

- Add /v3/action/email/send router (api_v3_actions_email.py) replacing /util/email/send
- Disable util_email router in registry; register new email action router
- Mark /api/request_jwt and /api/temp_token as deprecated (TODO: remove)
- Guide: add §8 Email Send Action, mark Axonius section EXPIRED, renumber §9-§11

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Scott Idem
2026-05-01 14:44:28 -04:00
parent c378040ad4
commit 44e4f5c4e6
4 changed files with 126 additions and 4 deletions


@@ -19,12 +19,16 @@ Required for any non-public data (Journals, Badges, Users, etc.).
* **Header:** `x-account-id: <account_id>`
2. **Administrative Bypass**: For authorized scripts needing global access.
* **Header:** `x-no-account-id: bypass`
* **Scope:** Narrow escape hatch only. Keep it limited to allowlisted bootstrap/public/global-default paths and prefer `x-account-id` or JWT-backed requests everywhere else.
3. **Token Access**: Provide a **JWT** in the query string.
* **Query Param:** `?jwt=<token>`
4. **Important Distinction:** A query parameter named `key` is **not** an account-context bypass signal.
* `key` may be used by specific endpoints/business logic, but it must **not** cause the frontend to remove `x-account-id`.
* Only explicit `x-no-account-id: bypass` should strip account context.
> [!NOTE]
> The `x-no-account-id` path should continue to shrink over time. If you need a new use, document why `x-account-id` or JWT cannot cover it and mark the use as temporary unless it is a hard bootstrap/global-default requirement.
> [!CAUTION]
> **UNSUPPORTED HEADERS:** The header `x-aether-api-token` is **NOT recognized** by the V3 API. If you send it, the backend will treat you as a guest and block access to private data.
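Review bot: The Scope bullet under Administrative Bypass limits `x-no-account-id: bypass` to "allowlisted bootstrap/public/global-default paths", but neither it nor the NOTE says where that allowlist is defined or what the backend returns when the header arrives on a path outside it. Please link or enumerate the allowlisted paths and state the failure behaviour, so the rule reads as something the server enforces rather than a convention callers are asked to follow.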
@@ -312,7 +316,42 @@ Frontend guidance:
---
## Axonius Zoom CSV Upload (Temporary — Apr 2026)
## 8. Email Send Action
Send a transactional email via the Aether API.
- **Method:** `POST`
- **Path:** `/v3/action/email/send`
- **Auth:** `x-aether-api-key` + `x-account-id` (or `x-no-account-id` / `?jwt=`)
**Request body:**
```json
{
"from_email": "noreply@example.com",
"from_name": "Example App",
"to_email": "user@example.com",
"to_name": "Alice Smith",
"subject": "Your login link",
"body_html": "<p>Click <a href=\"...\">here</a> to log in.</p>",
"body_text": "Visit ... to log in.",
"cc_email": null,
"bcc_email": null
}
```
**Query params:**
| Parameter | Type | Default | Description |
|---|---|---|---|
| `test` | bool | `false` | Simulate send without delivering |
**Response:** `data` contains `{ from_email, to_email, subject }` (first 40 chars of subject). `400` if delivery failed.
> **Replaces:** `POST /util/email/send` (disabled as of May 2026).
---
## Axonius Zoom CSV Upload (Temporary — Apr 2026, EXPIRED)
Purpose: Staff-only quick upload to upsert Event Person + Event Badge records from a Zoom Events registrant CSV.
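Review bot: The Auth line of the new section 8 accepts `x-no-account-id` for `/v3/action/email/send`, which sits badly with the guide's own auth section, where bypass is meant to stay limited to allowlisted bootstrap/public/global-default paths. An action that takes caller-supplied `from_email`, `from_name` and `body_html` is not an obvious member of that list. Either drop `x-no-account-id` from the Auth line or document why this action needs it and mark the use as temporary, as the NOTE in the auth section asks. The section should also say whether `from_email` is restricted to sender addresses the account is allowed to use, and since `400` normally signals a client error, state which delivery failures it covers.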
@@ -531,7 +570,7 @@ Results are automatically scoped to the `x-account-id` provided in the request.
---
## 9. Event Exhibit Tracking Export (Leads Export)
## 10. Event Exhibit Tracking Export (Leads Export)
Allows an exhibitor to download all lead-capture records for their exhibit as a CSV or XLSX file.
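Review bot: Moving this heading from 9 to 10 (and Troubleshooting from 10 to 11 in the next hunk) leaves no visible hunk that produces a `## 9.` heading: the new Email Send Action section takes 8 and the Axonius heading stays unnumbered. Check that the former section 8 was moved to 9 so the guide does not end up with two `## 8.` headings or a gap in the numbering, and update any in-text references that still cite the old section numbers.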
@@ -599,7 +638,7 @@ const url = URL.createObjectURL(blob);
---
## 10. Troubleshooting 403 Forbidden
## 11. Troubleshooting 403 Forbidden
If you receive a 403 on a valid ID:
1. Verify `x-aether-api-key` is correct.