design and build the Public REST API #137

Open
shivendra0712 wants to merge 1 commit into Dev-Card:main from shivendra0712:feature/Public-REST-API
@shivendra0712

Implemented versioned Public REST API support for DevCards under /api/v1 with API key authentication, OpenAPI 3.1 documentation, Swagger UI, and integration test coverage.


Changes Made

API Key Management

Added ApiKey support in backend:

  • POST /api/v1/keys to create API keys using session authentication
  • DELETE /api/v1/keys/:id to revoke API keys
  • API keys are hashed using bcryptjs
  • Raw API key is returned only once during creation
  • Tracks lastUsed
  • Supports key revocation through revokedAt

API Key Authentication Plugin

Added apps/backend/src/plugins/apiKey.ts

Features:

  • Validates Authorization: Bearer <key>
  • Applies only to /api/v1 public API routes
  • Separate from session-based authentication
  • Updates lastUsed timestamp
  • Supports separate rate limiting per API key

Public API v1 Endpoints

Implemented:

  • GET /api/v1/profiles/me
  • PUT /api/v1/profiles/me/links
  • DELETE /api/v1/profiles/me/links/:id
  • GET /api/v1/profiles/:username

OpenAPI 3.1 Documentation

Added runtime-generated OpenAPI documentation using Fastify Swagger:

  • GET /api/v1/openapi.json
  • Swagger UI available at /api/v1/docs

Additional updates:

  • Added route schemas for automatic spec generation
  • Configured OpenAPI 3.1 metadata and security schemas

Integration Tests

Added backend integration tests covering:

  • API key creation
  • API key validation
  • Key rotation
  • Revocation with immediate 401 Unauthorized
  • Protected route access
  • Public profile access
  • OpenAPI spec endpoint

Result

  • /api/v1/docs renders Swagger UI successfully
  • API key authentication works independently from session auth
  • Revoked keys immediately stop authenticating
  • Backend tests pass for @devcard/backend
  • All v1 endpoints conform to generated OpenAPI specification

@Harxhit Harxhit added the gssoc:approved Required label for every approved PR. Gives the base +50 points and enables contribution tracking. label May 17, 2026
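
The key lifecycle listed in the description (hashed storage, raw key shown once, `Authorization: Bearer <key>` validation, `lastUsed`, `revokedAt`) can be sketched as follows. This is an added example, not code from the pull request: the `dc_<id>_<secret>` key format, the in-memory `Map` standing in for the database table, and the function names are assumptions, and Node's built-in scrypt is used in place of bcryptjs so the block runs without dependencies.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

// Hypothetical record shape; lastUsed and revokedAt follow the PR description.
interface ApiKeyRecord {
  salt: Buffer;
  hash: Buffer; // salted hash of the secret part; the raw key is never stored
  lastUsed: Date | null;
  revokedAt: Date | null;
}

// Constructed in-memory stand-in for the ApiKey table, indexed by key id.
type KeyStore = Map<string, ApiKeyRecord>;

// Create a key: the raw value is returned once, only salt and hash are kept.
function createApiKey(store: KeyStore): string {
  const id = randomBytes(6).toString("hex"); // non-secret lookup id
  const secret = randomBytes(24).toString("hex"); // high-entropy secret
  const salt = randomBytes(16);
  store.set(id, { salt, hash: scryptSync(secret, salt, 32), lastUsed: null, revokedAt: null });
  return `dc_${id}_${secret}`; // assumed format, not the project's
}

// Revocation only stamps revokedAt; the row stays for audit purposes.
function revokeApiKey(store: KeyStore, id: string, now: Date = new Date()): void {
  const rec = store.get(id);
  if (rec && !rec.revokedAt) rec.revokedAt = now;
}

// Returns the key id on success, or null (the caller answers 401) on any failure.
function authenticate(store: KeyStore, authorization: string | undefined, now: Date = new Date()): string | null {
  const m = /^Bearer dc_([0-9a-f]{12})_([0-9a-f]{48})$/.exec(authorization ?? "");
  if (!m) return null; // missing header, wrong scheme, or malformed key
  const id = m[1];
  const secret = m[2];
  // A salted hash cannot be searched by value, so the non-secret id selects the row.
  const rec = store.get(id);
  if (!rec || rec.revokedAt) return null; // unknown or revoked keys fail immediately
  const candidate = scryptSync(secret, rec.salt, 32);
  if (!timingSafeEqual(candidate, rec.hash)) return null; // constant-time comparison
  rec.lastUsed = now; // updated only after a successful match
  return id;
}
```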

2 participants