# memberapi.ose.tw backend

## Quick start

```bash
cd backend
python -m venv .venv
source .venv/bin/activate
pip install -e .
cp .env.example .env
./scripts/start_dev.sh
```

## Keycloak env

- Required:
  - `KEYCLOAK_BASE_URL`
  - `KEYCLOAK_REALM`
  - `KEYCLOAK_CLIENT_ID`
  - `KEYCLOAK_CLIENT_SECRET`
  - `KEYCLOAK_ADMIN_CLIENT_ID`
  - `KEYCLOAK_ADMIN_CLIENT_SECRET`
- Optional:
  - `KEYCLOAK_ADMIN_REALM` (default = `KEYCLOAK_REALM`)
  - `KEYCLOAK_ISSUER`
  - `KEYCLOAK_JWKS_URL`
  - `KEYCLOAK_TOKEN_ENDPOINT`
  - `KEYCLOAK_USERINFO_ENDPOINT`
  - `KEYCLOAK_AUDIENCE`
  - `KEYCLOAK_VERIFY_TLS`

## Main APIs

- `GET /healthz`
- `GET /auth/oidc/url`
- `POST /auth/oidc/exchange`
- `GET /me` (Bearer token required)
- `GET /me/permissions/snapshot` (Bearer token required)
- `POST /internal/users/upsert-by-sub`
- `GET /internal/permissions/{user_sub}/snapshot`
- `POST /internal/idp/users/ensure`