auto.cc API

v1.0

Complete REST API for the Auto China Connect platform — service, sales, accounting, vehicle management, AI assistants, and image generation for Chinese electric vehicles in Europe.

https://auto.cc/api

Overview

The auto.cc API is composed of two backends served under a unified domain:

Backend	Stack	Path	Purpose
Dashboard API	Node.js / Express	`/api/*`	Core platform: auth, sales, accounting, vehicles, AI, wallets
Client API	NestJS / Prisma	`/api/*`	Client portal: orders, configurations, payments, public forms
Image Studio	Python / Flask	`/studio/*`	Photo processing & AI image generation for car listings

All requests use JSON (application/json) unless otherwise noted. File uploads use multipart/form-data.

Supported Brands

Xiaomi (SU7 Max, SU7 Ultra, YU7), Zeekr (001, 9X), BYD (Seal 05 DM-i), Avatr (12), Li Auto (L6), Jetour (T2 i-DM, G700), Maextro (S800)

Supported Markets

DE, AT, CH, FR, IT, ES, PT, NL, BE, FI, GR, IE, SK, SI, LU, AE (UAE). Currencies: EUR, AED.

Authentication

All authenticated endpoints require a JWT Bearer token in the Authorization header:

Authorization: Bearer <token>

Tokens are issued by POST /api/login (Dashboard API) or POST /api/auth/login (Client API). They use HS256 signing and expire after 8 hours.

Token Payload (Dashboard API)

{
  "username": "john.doe",
  "department": "Sales",
  "role": "admin",
  "iat": 1774880047,
  "exp": 1774908847
}

Authorization Levels

Level	Badge	Who Qualifies
Public	Public	No token required
Auth Required	Auth	Any valid token
Sales Access	Sales	`department = "Sales"` or `role = "admin"`
Accounting	Accounting	`department = "Accounting"` or `role = "admin"`
Admin	Admin	`role = "admin"`

Permissions Object

The login response includes a permissions object. Admins get all permissions:

{
  "service": true,
  "sales": true,
  "logistics": true,
  "accounting": true
}

Error Handling

Errors are returned as JSON with an error field:

{ "error": "Invalid credentials." }

Status	Meaning
400	Bad request — missing or invalid parameters
401	Unauthorized — missing, expired, or invalid JWT token
403	Forbidden — valid token but insufficient role/department
404	Not found — resource does not exist
413	Payload too large — upload exceeds limit
429	Rate limited — too many requests
500	Internal server error
503	Service unavailable — AI assistant not configured

POST /api/login Public

Authenticate and receive a JWT token.

Request

{
  "username": "john.doe",
  "password": "secret",
  "department": "Sales"
}

All three fields are required. department must be one of: Service, Sales, Logistics, Accounting.

Response

{
  "token": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "username": "john.doe",
    "role": "admin",
    "department": "Sales",
    "permissions": { "service": true, "sales": true, "logistics": true, "accounting": true }
  }
}

Errors

400 — Missing username, password, or department
401 — Invalid credentials
403 — Account pending approval

Verify & Logout

GET /api/verify Auth Validate token & return decoded user

POST /api/logout Auth Log the logout event (client-side token removal)

GET /api/users/me Auth Current user profile with meta (name, company, address, geo)

POST /api/users/avatar Auth Upload avatar (JPEG/PNG/WebP, max 2 MB) to S3

User Management

Admin-only CRUD for platform user accounts.

GET /api/users Admin List all users

POST /api/users Admin Create user (username, password, email, role, department, market, permissions, meta)

PUT /api/users/:username Admin Update user (password, email, role, department, market, permissions, meta)

DELETE /api/users/:username Admin Delete user account

Leads (CRM)

Sales leads synced with Close.com CRM. All endpoints require Sales department access.

GET /api/leads Sales List leads (Close.com + local)

GET /api/leads/search?q=... Sales Search leads by name/email/phone

POST /api/leads Sales Create lead (syncs to Close.com)

PUT /api/leads/:id/status Sales Update lead status (new, contacted, qualified, won, lost)

PUT /api/leads/:id/assign Sales Assign lead to sales agent

Deals

Sales deals with pipeline tracking, value, and analytics.

GET /api/deals Sales List deals (filterable by status, brand, date range)

GET /api/deals/summary Sales Deals summary: counts, total value, win rate, pipeline value

POST /api/deals Sales Create deal

PUT /api/deals/:id Sales Update deal

DELETE /api/deals/:id Sales Delete deal

Sales Orders

GET /api/orders Sales List orders (paginated)

GET /api/orders/analytics Sales Order analytics: total, by status, by brand

GET /api/orders/:id Sales Single order detail

GET /api/sales Sales List sales activity log

GET /api/sales/stats Sales Sales statistics and team analytics

POST /api/sales Sales Create sales entry

Test Drives

Test drive booking with Stripe payments, calendar scheduling, SMS/email confirmations.

GET /api/testdrives Sales List all test drives

POST /api/testdrives Sales Create test drive booking

POST /api/testdrives/book Sales Book with Stripe payment link (returns checkout URL)

PUT /api/testdrives/:id/status Sales Update test drive status

GET /api/testdrives/calendar Sales Calendar view of booked test drives

Test Drive Pricing

Prices per model (in EUR cents): SU7 Max: 9900, SU7 Ultra: 14900, YU7: 9900, Zeekr 001: 7900, Zeekr 9X: 14900, BYD Seal 05: 4900, Avatr 12: 9900, Li Auto L6: 7900, Jetour T2: 5900, Jetour G700: 9900, Maextro S800: 19900.

Vehicle Pipeline

End-to-end vehicle import pipeline from order to delivery, with Kanban board and full audit history.

GET /api/pipeline Auth List orders (filter: status, brand, customer, source, date range, search)

GET /api/pipeline/stats Auth Pipeline analytics: funnel, value, margin, avg processing time

GET /api/pipeline/kanban Auth Orders grouped by status for Kanban board

GET /api/pipeline/:id Auth Single order with status change history

POST /api/pipeline Auth Create pipeline order (auto-generates order number)

PUT /api/pipeline/:id Auth Update pipeline order (logs status changes to history)

Pipeline Status Flow

order_received → order_confirmed → supplier_ordered → in_production → ready_for_export → in_transit → customs_clearance → at_hub → delivered → completed

Additional: cancelled, on_hold

Unified Customer Profile

Multi-source customer deduplication engine (Close.com, Lexoffice, Stripe, Postgres, Configurator). Includes AI-powered duplicate detection with Claude review.

GET /api/customers Auth List customers (paginated, filterable by type/status)

GET /api/customers/search?q=... Auth Search by name, email, phone, company, VIN

GET /api/customers/stats Auth Customer statistics: total, B2B/B2C split, sources

GET /api/customers/profile/:id Auth Full customer profile with linked data from all sources

GET /api/customers/:id Auth Get customer by ID

GET /api/customers/:id/financials Auth Financial summary: invoices, payments, outstanding

POST /api/customers Auth Create customer (auto-detects B2B/B2C, dedup matching)

PUT /api/customers/:id Auth Update customer

GET /api/customers/duplicates Auth List detected duplicate pairs with confidence scores

POST /api/customers/duplicates/:id/merge Auth Merge duplicate customer records

POST /api/customers/duplicates/:id/dismiss Auth Dismiss false positive duplicate

POST /api/customers/duplicates/:id/claude-review Auth AI-powered duplicate review via Claude

POST /api/customers/:id/enrich Auth Enrich customer data from external sources

POST /api/customers/dedup/scan Auth Trigger full deduplication scan

Customer Sync Sources

POST/api/customers/sync/closeSalesSync from Close.com CRM

POST/api/customers/sync/lexofficeAuthSync from Lexoffice

POST/api/customers/sync/postgresAuthSync from local database records

POST/api/customers/sync/stripeAuthSync from Stripe customers

POST/api/customers/sync/allAuthSync from all sources

Invoices

All accounting endpoints require Accounting department access or Admin role.

GET /api/accounting/invoices Accounting List invoices (filter: type, status)

POST /api/accounting/invoices Accounting Create invoice

PUT /api/accounting/invoices/:id Accounting Update invoice

POST /api/accounting/upload Accounting Upload document (max 20 MB)

GET /api/accounting/reports Accounting Financial reports: revenue, expenses, P&L

Expenses & Documents

GET /api/accounting/expenses Accounting List expenses

POST /api/accounting/expenses Accounting Create expense

PUT /api/accounting/expenses/:id Accounting Update expense

GET /api/accounting/documents Accounting List documents

POST /api/accounting/documents Accounting Create document record

Banking (CAMT52 & CSV)

Import and reconcile bank transactions from CAMT52 XML, CSV statements, or manual upload.

POST /api/banking/import-camt52 Accounting Import CAMT52 XML files (up to 50 files)

POST /api/banking/import-csv Accounting Import CSV bank statements (up to 20 files)

POST /api/banking/upload-statement Accounting Upload single bank statement file

POST /api/banking/import-directory Accounting Batch-import from server directory

GET /api/banking/transactions Accounting List transactions (filter: account, date range, category, matched)

GET /api/banking/analytics Accounting Transaction analytics: totals, by category, trends

GET /api/banking/cashflow Accounting Cash flow report

GET /api/banking/balances Accounting Current account balances

GET /api/banking/categories Accounting List transaction categories

GET /api/banking/reconciliation Accounting Reconciliation status and suggestions

PUT /api/banking/transactions/:id/match Accounting Match transaction to invoice

PUT /api/banking/transactions/:id/categorize Accounting Categorize transaction

GET /api/accounting/bank-accounts Accounting List bank accounts with metadata

Lexoffice Integration

GET/api/lexoffice/invoicesAccountingList Lexoffice invoices

GET/api/lexoffice/invoices/:idAccountingGet single invoice

POST/api/lexoffice/invoicesAccountingCreate invoice in Lexoffice

GET/api/lexoffice/invoices/:id/documentAccountingDownload invoice PDF

GET/api/lexoffice/contactsAccountingList Lexoffice contacts

GET/api/lexoffice/contacts/:idAccountingGet single contact

POST/api/lexoffice/contactsAccountingCreate Lexoffice contact

GET/api/lexoffice/overviewAccountingLexoffice overview dashboard data

POST/api/lexoffice/syncAccountingSync local invoices to Lexoffice

Intercompany Invoicing

GET/api/intercompany/invoicesAccountingList intercompany invoices

POST/api/intercompany/invoicesAccountingCreate intercompany invoice

PUT/api/intercompany/invoices/:idAccountingUpdate intercompany invoice

GET/api/intercompany/prefixesAccountingInvoice numbering prefixes

POST/api/intercompany/invoices/:id/sendAccountingSend intercompany invoice by email

DATEV Export

GET/api/datev/export/documentsAccountingExport documents in DATEV format

POST/api/datev/uploadAccountingUpload DATEV export file

GET/api/datev/accountsAccountingDATEV chart of accounts

GET/api/datev/statusAccountingDATEV sync status

Vehicle Inventory

GET/api/vehiclesAuthList vehicles with brand/model/VIN details

GET/api/vehicles/statsAuthVehicle statistics by brand, model, status

GET/api/vehicles/vinsAuthList all known VINs

GET/api/vehicles/inventoryAuthAvailable inventory for test drive scheduling

GET/api/vehicles/:idAuthVehicle by ID

GET/api/vehicles/vin/:vinAuthVehicle by VIN

GET/api/vehicles/:vin/documentsAuthAll documents linked to a VIN

Tax & Registration Documents

POST/api/vehicles/tax-docs/uploadAuthUpload tax document (customs, COC, type approval) to S3

GET/api/vehicles/tax-docsAuthList all tax documents

GET/api/vehicles/tax-docs/summaryAuthSummary: completeness scores, traffic lights

GET/api/vehicles/tax-docs/by-vin/:vinAuthTax docs for a specific VIN (with completeness check)

GET/api/vehicles/tax-docs/:idAuthGet single document

PUT/api/vehicles/tax-docs/:idAuthUpdate document metadata

Repair Manuals

DRM-protected repair manual viewer. PDFs are stored on S3 and rendered server-side as watermarked PNG pages (per-user watermark with username).

GET/api/manuals?brand=...&model=...AuthList available manuals for a brand/model

GET/api/manuals/info?key=...AuthPDF page count for a given S3 key

GET/api/manuals/page?key=...&page=1AuthRender page as watermarked PNG (no-cache, DRM)

GET/api/manuals/index?key=...AuthFull TOC: chapters, headings, page numbers

GET/api/manuals/search?key=...&q=...AuthFull-text search across all pages (with snippets)

GET/api/manuals/page-info?key=...&page=1AuthText content and headings for a specific page

Parts Catalog

GET/api/parts-catalog?brand=...&model=...&q=...AuthSearch spare parts catalog (auto-built from manual indexing)

GET/api/parts-catalog/categoriesAuthList part categories

Parts Orders

POST/api/partsAuthCreate spare parts order (deducts wallet balance)

GET/api/partsAuthList parts orders (own orders or all for admin)

PUT/api/parts/:id/statusAuthUpdate order status

Remote Diagnostics

POST/api/diagnoseAuthCreate remote diagnose request (deducts wallet balance)

GET/api/diagnoseAuthList diagnostic requests

PUT/api/diagnose/:id/statusAuthUpdate diagnostic request status

Service Chat (RAG)

POST /api/chat Auth

Claude-powered AI technical assistant with Retrieval-Augmented Generation. Searches repair manuals and parts catalogs via tool-use loop (up to 5 rounds).

Request

{
  "messages": [
    { "role": "user", "content": "How do I replace the brake pads on the Xiaomi SU7 Max?" }
  ],
  "vehicle": "Xiaomi SU7 Max",
  "brand": "Xiaomi",
  "model": "SU7 Max",
  "vin": "LSJ..."
}

Response

{
  "reply": "To replace the brake pads on the Xiaomi SU7 Max...",
  "sources": [
    { "manual": "SU7-Max-Brake-System", "s3Key": "manuals/xiaomi/su7max/...", "page": 42, "brand": "Xiaomi", "model": "SU7 Max" }
  ],
  "parts": [
    { "partId": "SU7-BP-F01", "description": "Front brake pad set", "category": "Brakes" }
  ],
  "usage": { "input_tokens": 1234, "output_tokens": 567 },
  "toolCalls": 2
}

Model: claude-sonnet-4-20250514 with manual search, parts search, and page context tools.

Sales Agent

POST /api/sales-chat Public*

Claude-powered public-facing sales agent for vehicle inquiries, pricing, and lead capture. Available with or without authentication (rate-limited for anonymous users).

Request

{
  "messages": [
    { "role": "user", "content": "What's the price of a Xiaomi SU7 Max in Germany?" }
  ],
  "sessionId": "abc123"
}

Response

{
  "reply": "The Xiaomi SU7 Max starts at...",
  "usage": { "input_tokens": 800, "output_tokens": 300 },
  "toolCalls": 1
}

Model: claude-sonnet-4-20250514 with sales-specific tools.

Wallet

Internal credit system. Used for parts orders (25 EUR fee) and remote diagnostics (75 EUR fee). Top-up via Stripe.

GET/api/walletAuthCurrent balance and currency

GET/api/wallet/transactionsAuthTransaction history

POST/api/wallet/topupAuthCreate Stripe checkout session for top-up (returns URL)

POST/api/wallet/verifyAuthVerify Stripe payment and credit balance

POST/api/wallet/admin-creditAuthAdmin: manually credit a user's wallet

POST/api/wallet/deductAuthDeduct from wallet (for service fees)

Push Notifications

Push notification management via OneSignal.

POST/api/push/registerAuthRegister device for push notifications

DELETE/api/push/unregisterAuthUnregister device

GET/api/push/devicesAuthList registered devices

PUT/api/push/preferencesAuthUpdate notification preferences

POST/api/push/testAdminSend test push notification

Companies

GET/api/companiesAuthList companies

GET/api/companies/:idAuthGet company detail

POST/api/companiesAuthCreate company

PUT/api/companies/:idAuthUpdate company

GET/api/companies/:id/statsAuthCompany statistics: orders, revenue, vehicles

GET/api/bank-accountsAuthList bank accounts

GET/api/bank-accounts/summaryAuthBank accounts summary

PUT/api/bank-accounts/:idAuthUpdate bank account

Mail, SMS & OTP

POST/api/contactPublicSubmit contact form (sends email)

GET/api/mail/statusAuthMailer health check

POST/api/otp/sendPublicSend OTP via SMS (Twilio)

POST/api/otp/verifyPublicVerify OTP code

POST/api/notify/smsAuthSend SMS notification

POST/api/notify/callAuthMake voice call notification

GET/api/twilio/statusAuthTwilio service status

Admin & Server

GET/api/healthPublicHealth check: API status, mailer, Twilio

GET/api/buildPublicGit build info (commit, branch, date)

GET/api/logsAdminApplication logs

GET/api/kb/statusAuthKnowledge base build status

POST/api/kb/rebuildAdminForce rebuild knowledge base

GET/api/admin/anthropic-files/statusAdminAnthropic Files API sync status

POST/api/admin/anthropic-files/syncAdminSync files to Anthropic Files API

GET/api/admin/instance/statusAdminProxmox VM status (CPU, RAM, disk, uptime)

GET/api/admin/instance/rrddataAdminProxmox RRD performance data

POST/api/admin/instance/restartAdminRestart Proxmox VM

Stripe Webhooks

POST /api/stripe/webhook Stripe Signature

Handles checkout.session.completed events for wallet top-ups and test drive payments. Automatically marks test drives as paid, sends confirmation email/SMS, and notifies sales team via push.

Authentication: Stripe webhook signature verification (not JWT).

Content

GET/api/newsPublicNews feed from Sanity CMS

Image Studio — Upload & Process

Base URL: https://auto.cc/studio. Separate Flask backend for car listing image processing.

Auth for Image Studio

Image Studio uses the same JWT tokens. Additionally supports ?token= query param for <img> tags. AI endpoints require Sales access.

POST /studio/upload Auth Upload photos → background removal, gradient BG, enhancement, watermark

GET /studio/processed/{filename} Auth Serve processed image (supports ?token= for img tags)

POST /studio/download-all Auth Download processed images as ZIP

POST /studio/clear Auth Clear all processed images

Image Studio — AI Generation

Generate photorealistic showroom images using Kling AI (text-to-image and image-to-image).

POST /studio/ai/generate Sales Generate showroom images (text-to-image or image-to-image)

POST /studio/ai/upload-reference Sales Upload reference photo for img2img generation

POST /studio/ai/generate-full-listing Sales Generate complete 6-view listing set (3-9 min)

Detailed Image Studio Docs

For complete Image Studio documentation including request/response formats, background presets, SU7 color options, AI view templates, and processing parameters, see /studio/docs.

Image Studio — Reference

Background Presets

Preset	Description
showroom_white	Clean white showroom with grey floor
showroom_dark	Dramatic dark showroom
studio_grey	Neutral studio grey
outdoor_warm	Warm outdoor sky-to-ground
premium_black	Premium deep black

AI View Templates

Key	Angle
exterior_front_34	Front three-quarter
exterior_side	Full side profile
exterior_rear_34	Rear three-quarter
exterior_rear	Direct rear
interior_dashboard	Dashboard from driver door
interior_rear_seats	Rear seats from B-pillar

SU7 Color Options

Name	Hex
Aqua Blue	#3A7CA5
Olive Green	#5C6B3C
Midnight Purple	#3B2D4F
Titanium Silver	#A8A9AD
Pearl White	#F0EDE8
Black	#1A1A1A
Red	#8B1A1A

Client API — Auth

Separate NestJS API for the client-facing portal (vehicle ordering, configurator, financing). Uses cookie-based auth with access_token cookie + JWT Bearer header.

POST/api/auth/registerPublic + reCAPTCHARegister new client account

POST/api/auth/send-otpPublic + reCAPTCHASend SMS OTP (rate limited: 1/min, 5/day)

POST/api/auth/verify-emailPublicVerify email address

POST/api/auth/loginPublicLogin (email + password)

POST/api/auth/logoutPublicLogout (clears cookies)

POST/api/auth/forgot-passwordPublic + reCAPTCHARequest password reset email

POST/api/auth/reset-passwordPublic + reCAPTCHAReset password with token

POST/api/auth/change-passwordAuthChange password (requires current password)

GET/api/auth/refresh-tokenAuthRefresh access token

Client Portal

All endpoints require client authentication.

GET/api/client/ordersAuthList client's orders (paginated)

GET/api/client/configurationsAuthList client's saved configurations

GET/api/client/configuration/:idAuthGet single configuration

POST/api/client/save-configurationAuthSave vehicle configuration

POST/api/client/configuration/:idAuthUpdate existing configuration

POST/api/client/download-configurationAuthDownload configuration as PDF

POST/api/client/pay-depositAuthPay reservation deposit (Stripe/BTCPay)

GET/api/client/shippingsAuthList client's shipments

POST/api/client/shippingAuthSave shipping preferences

GET/api/client/financingAuthGet financing documents

POST/api/client/financing-uploadAuthUpload financing document

POST/api/client/financingAuthSave financing application

Admin (NestJS)

Admin role required for all endpoints.

GET/api/admin/ordersAdminList all orders (search, paginate)

GET/api/admin/order/:idAdminGet single order

POST/api/admin/update-order-payment/:idAdminUpdate payment details

POST/api/admin/refund-stripe-reservation-fee/:idAdminRefund Stripe reservation fee

POST/api/admin/send-contract/:idAdminSend Zoho contract for signing

POST/api/admin/send-final-invoice/:idAdminSend final invoice

POST/api/admin/mark-invoice-paid/:idAdminMark invoice as paid

GET/api/admin/shippingsAdminList all shipments

POST/api/admin/create-containerAdminCreate shipping container

GET/api/admin/containersAdminList containers

GET/api/admin/container/:idAdminGet container detail

POST/api/admin/update-container/:idAdminUpdate container

POST/api/admin/delete-container/:idAdminDelete container

Public Forms

All endpoints require reCAPTCHA token. No authentication needed.

POST/api/public/contact-formreCAPTCHASubmit contact form

POST/api/public/newsletter-formreCAPTCHASubscribe to newsletter

POST/api/public/brochure-formreCAPTCHARequest vehicle brochure

POST/api/public/dealer-formreCAPTCHADealer/partner inquiry

POST/api/public/inventory-formreCAPTCHAInventory inquiry

POST/api/public/signup-eventreCAPTCHARegister for event

POST/api/public/order-xtoolreCAPTCHAOrder XTool diagnostic device

POST/api/public/auction-registrationreCAPTCHARegister for vehicle auction

POST/api/public/auction-bidreCAPTCHAPlace auction bid

POST/api/public/auction-verificationreCAPTCHAVerify bidder identity

POST/api/public/container-exists/:idreCAPTCHACheck if container tracking ID exists

POST/api/public/logistics-uploadreCAPTCHAUpload logistics document

POST/api/public/save-logistics-documents/:idreCAPTCHASave logistics documents for container

Data & Inventory

Public/optional-auth endpoints for vehicle inventory browsing and XTool device management.

POST/api/data/inventoryPublic*Browse vehicle inventory (pricing varies by auth)

POST/api/data/inventory/:idPublic*Vehicle detail page

GET/api/data/xtool-order/:idPublicGet XTool order status

POST/api/data/xtool-order/:idPublicUpdate XTool order

GET/api/data/stationsPublicService station locations

GET/api/data/bidsPublicList auction bids

GET/api/data/bid/:idPublicGet single bid

GET/api/data/highest-bidPublicCurrent highest auction bid

Webhooks

Inbound webhooks from payment providers and external services. Signature verification replaces JWT auth.

POST/api/webhook/btcpayBTCPay-SigBTCPay Server payment webhook

POST/api/webhook/stripestripe-signatureStripe payment webhook

POST/api/webhook/stripe-refundstripe-signatureStripe refund webhook

POST/api/webhook/zoho-contract-signedx-zs-webhook-signatureZoho Sign contract completion

POST/api/webhook/close-opp-status-changeclose-sig-hashClose.com opportunity status change

User Management (NestJS)

Admin-only. Uses Prisma ORM with PostgreSQL.

GET/api/usersAdminList all users

GET/api/users/meAuthCurrent user profile

GET/api/users/:idAdminGet user by ID

GET/api/users/email/:emailAdminGet user by email

POST/api/usersAdminCreate user

PATCH/api/users/:idAdminUpdate user by ID

PATCH/api/users/email/:emailAdminUpdate user by email

DELETE/api/users/:idAdminDelete user by ID

DELETE/api/users/email/:emailAdminDelete user by email

auto.cc API — Auto China GmbH, Am Karlsplatz 3, 80335 Munich, Germany

Contact: [email protected] · auto.cc · VAT: DE352011127