docs: document public watchlist

This commit is contained in:
2026-06-29 13:39:42 +02:00
parent be71ec91c8
commit ed7dfea834
2 changed files with 15 additions and 0 deletions

View File

@@ -168,6 +168,17 @@ Configuration is loaded from environment variables, and a local `.env` file is r
</details>
### Public Watchlist JSON
`GET /api/public/users/{user_id}/watchlist` returns a versioned, agent-friendly JSON view of a
user's complete watchlist. It includes status summaries, episode progress,
added/completed/last-watched dates, and localized titles. Add `?download=1` to receive the same
response as a `watchlist-{user_id}.json` attachment; the watchlist page's export action uses this
URL.
This endpoint is intentionally unauthenticated. A deployment that should keep watchlist and
playback data private must restrict access to `/api/public/` at the network or reverse-proxy layer.
### Repository Map
| Path | Responsibility |

View File

@@ -55,6 +55,10 @@ dependency monitoring.
Use a strong `PLAYBACK_PROXY_SECRET` if playback proxy token signing is enabled. Do not commit real
secrets, provider tokens, session data, or production databases to the repository.
The read-only `/api/public/users/{user_id}/watchlist` endpoint intentionally exposes watchlist
statuses, episode progress, and watchlist dates without authentication. Restrict `/api/public/` at
the network or reverse-proxy layer when that data should not be public.
## Dependency Security
Dependencies are managed through Go modules and Bun. When updating dependencies, run the normal