EduTrack Online - API Overview

Version: 1.1
Date: April 29, 2026
Target Audience: Next.js Frontend Developers
Backend: Django REST Framework

https://edutrackonline.savekiteg.com

All endpoints are prefixed with /api/.

The API uses JWT tokens stored in HTTP-Only cookies.

Login: Call POST /api/accounts/login/. The server sets two cookies:
- access_token — short-lived (30 minutes)
- refresh_token — long-lived (7 days)
Subsequent Requests: The browser automatically sends cookies. No Authorization header needed.
API Clients (Postman): You can also send the access token in the Authorization: Bearer <token> header.
Token Refresh: When the access token expires, call POST /api/accounts/token/refresh/. The server reads the refresh token from the cookie, generates new tokens, and blacklists the old refresh token.
Logout: Call POST /api/accounts/logout/. The server blacklists the refresh token and clears both cookies.

Inactive User Blocking:

CSRF / Cross-Origin Notes:

The backend validates the Origin (or Referer) header against CSRF_TRUSTED_ORIGINS for cookie-based auth.
Ensure your frontend origin is listed in CSRF_TRUSTED_ORIGINS on the backend (e.g., https://eduonline-five.vercel.app).
If you see CSRF Failed: CSRF cookie not set, the origin is not trusted.

These error formats are shared across all endpoints:

Status	Condition	Response Body
`401 Unauthorized`	Not authenticated (missing/invalid token)	`{"detail": "Authentication credentials were not provided."}`
`401 Unauthorized`	Token expired	`{"error": "Invalid or expired refresh token"}`
`403 Forbidden`	Insufficient permissions	`{"detail": "You do not have permission to perform this action."}`
`404 Not Found`	Object does not exist	`{"detail": "Not found."}` or `{"error": "String"}`
`500 Internal Server Error`	Unexpected server error	`{"detail": "Internal server error"}`

List endpoints that support pagination return this wrapper by default:

{
  "count": "Integer",
  "next": "String (URL) | null",
  "previous": "String (URL) | null",
  "results": "Array[Object]"
}

Bypass pagination by adding ?all=true to get all results in a single response:

{
  "count": "Integer",
  "results": "Array[Object]"
}

Query Parameters:

Parameter	Type	Description
`page`	Integer	Page number (default: 1)
`page_size`	Integer	Items per page (default: 50, max: 200)
`all`	String	Set to `true` to bypass pagination

Appendix A: Permission Matrix

Endpoint	SiteOwner	Teacher	Assistant	Student	Public
`POST /accounts/login/`	Yes	Yes	Yes	Yes	Yes
`GET /accounts/me/`	Yes	Yes	Yes	Yes	No
`POST /accounts/student/register/`	No	No	No	No	Yes
`GET /accounts/subjects/`	Yes	Yes	Yes	Yes	Yes
`GET /accounts/public/teachers/`	Yes	Yes	Yes	Yes	Yes
`GET /accounts/teachers/`	Yes	No	No	No	No
`POST /accounts/teachers/`	Yes	No	No	No	No
`GET /accounts/students/`	Yes	No	No	No	No
`GET /accounts/profile/me/`	No	No	No	Yes	No
`GET /courses/`	Yes	Yes	Yes	Yes	No
`GET /courses/by-subject/<id>/`	Yes	Yes	Yes	Yes	No
`POST /courses/`	Yes	No	No	No	No
`GET /courses/<id>/lectures/`	No	No	No	Yes*	No
`POST /courses/enrollments/enroll/`	No	No	No	Yes	No
`POST /courses/enrollments/<id>/approve/`	No	Yes**	Yes**	No	No
`POST /courses/purchases/buy/`	No	No	No	Yes	No
`GET /courses/dashboard/teacher/`	No	Yes	Yes	No	No

* Must be enrolled and approved
** Must own the course (or be the course teacher's assistant)