This guide centralizes SPA-facing API behavior across both services:
- TaskManagement.Api
- TaskManagement.Auth (user-management APIs under api/*)
Use this as the single contract reference for filters, pagination, patch semantics, and error format.
List endpoints support pagination:
- GET /api/projects
- GET /api/taskitems
- GET /api/activity
- GET /api/users (Auth service, role-restricted behavior)
Defaults and caps:
- Projects: page=1, pageSize=50, max 200
- TaskItems: page=1, pageSize=50, max 500
- Activity: page=1, pageSize=50, max 200
- Users: page=1, pageSize=25, max 100
Legacy compatibility:
- GET /api/taskitems and GET /api/activity support limit (first page only, capped).
- GET /api/users supports skip/take in addition to page/pageSize.
Supported query params for GET /api/taskitems:
- projectId
- assignedUserId
- updatedByUserId
- status
- unassignedOnly
- search (title/description contains)
- lastModifiedFrom (inclusive)
- lastModifiedTo (inclusive)
- page, pageSize, limit
Example:
GET /api/taskitems?projectId=...&status=InProgress&updatedByUserId=user-123&search=api&lastModifiedFrom=2026-02-01T00:00:00Z&page=1&pageSize=20
Supported query params for GET /api/users:
- search (displayName/email/userName contains)
- isActive
- role
- page, pageSize, skip, take
Authorization behavior:
- Administrator: full user listing/filtering.
- ProjectManager: allowed only when role=User; other queries return 403.
Patch endpoints:
- PATCH /api/projects/{id}
- PATCH /api/taskitems/{id}
Behavior:
- Field omitted from JSON: unchanged
- Field included with value: updated
- Field included with null: cleared (for nullable fields)
{
  "name": "Platform API",
  "description": null
}
Result:
- name updated
- description cleared
{
  "status": "Done",
  "dueDate": null,
  "assignedUserId": null
}
Result:
- status updated
- dueDate cleared
- assignment cleared
Endpoints:
- GET /api/users
- GET /api/users/{id}/details
- PATCH /api/users/{id}/status
Endpoint access:
- GET /api/users: Administrator + ProjectManager (PM restricted to role=User).
- GET /api/users/{id}/details: Administrator only.
- PATCH /api/users/{id}/status: Administrator only.
Status change payload:
{
  "isActive": false
}
Safety rules:
- Admin cannot deactivate own account.
- Last active administrator cannot be deactivated.
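The endpoint access list and the safety rules above can be written down as pure decision functions and used as a contract-test fixture. This is an added example, not code from either service: the function names, the user record shape, and the mapping of safety-rule violations to 400 and of an unknown target to 404 are assumptions.

```javascript
const ADMIN = "Administrator";
const PM = "ProjectManager";

// Constructed sample directory (not real data).
const SAMPLE_USERS = [
  { id: "a1", role: ADMIN, isActive: true },
  { id: "a2", role: ADMIN, isActive: false },
  { id: "pm1", role: PM, isActive: true },
  { id: "u1", role: "User", isActive: true },
];

// GET /api/users: Administrator may filter freely; ProjectManager only with role=User.
function authorizeListUsers(caller, query) {
  if (!caller) return 401;
  if (caller.role === ADMIN) return 200;
  if (caller.role === PM) return query.role === "User" ? 200 : 403;
  return 403;
}

// GET /api/users/{id}/details: Administrator only.
function authorizeUserDetails(caller) {
  if (!caller) return 401;
  return caller.role === ADMIN ? 200 : 403;
}

// PATCH /api/users/{id}/status, including both safety rules.
// Assumption: rule violations are business-rule errors (400); unknown target is 404.
function authorizeStatusChange(caller, targetId, body, users) {
  if (!caller) return 401;
  if (caller.role !== ADMIN) return 403;
  if (typeof body.isActive !== "boolean") return 400;
  const target = users.find((u) => u.id === targetId);
  if (!target) return 404;
  if (body.isActive === false) {
    // Rule 1: an admin cannot deactivate their own account.
    if (target.id === caller.id) return 400;
    // Rule 2: evaluated against stored state, not the caller's claims, so it
    // still holds when the caller's own record is already inactive.
    const otherActiveAdmins = users.filter(
      (u) => u.role === ADMIN && u.isActive && u.id !== target.id
    );
    if (target.role === ADMIN && target.isActive && otherActiveAdmins.length === 0) {
      return 400;
    }
  }
  return 200;
}
```
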
GET /api/activity and SignalR activity-created can return:
- ProjectCreated
- ProjectRenamed
- ProjectDeleted
- TaskCreated
- TaskStatusChanged
- TaskRenamed
- TaskDeleted
- TaskAssigneeChanged
- TaskDueDateChanged
Additional payload fields:
- Rename/assignee/due-date events: oldValue, newValue
- Status transitions: oldStatus, newStatus
Endpoint:
GET /api/dashboard/summary
Behavior:
- Returns aggregated counters for current user scope.
- Administrator sees global scope.
Both services use application/problem+json for API errors.
Base shape:
{
  "type": "https://httpstatuses.com/400",
  "title": "Validation Error",
  "status": 400,
  "detail": "One or more validation errors occurred.",
  "instance": "/api/resource"
}
Validation errors include errors (ValidationProblemDetails):
{
  "type": "https://httpstatuses.com/400",
  "title": "Validation Error",
  "status": 400,
  "detail": "One or more validation errors occurred.",
  "instance": "/api/users/123/status",
  "errors": {
    "fieldName": [
      "Example validation message."
    ]
  }
}
Expected error codes:
- 400 validation/business rule
- 401 unauthenticated
- 403 unauthorized
- 404 not found
- 429 rate limit exceeded
- 500 unexpected error