Pure REST backend — no UI rendered server-side. Verify X-Auth bearers on every sensitive endpoint with a single annotation.
Same starter as the full Spring Boot quickstart — works for both REST-only APIs and full-stack apps.

    dependencies {
        implementation("org.springframework.boot:spring-boot-starter-web")
        implementation("com.xentranet:x-auth-spring-boot-starter:1.0.0")
    }

Set via Spring properties — pulls from env or a secrets manager.

    xauth:
      tenant-id: ${XAUTH_TENANT_ID}
      strict: true   # reject any expectation mismatch (default)

Apply @Verified to every action that needs binding. Receive the TransactionContext as an injected parameter.
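
    package com.example.api;

    import com.xentranet.xauth.spring.Verified;
    import com.xentranet.xauth.TransactionContext;
    import org.springframework.web.bind.annotation.*;

    @RestController
    @RequestMapping("/api")
    public class TransferController {

        // LedgerService and ProfileService are the application's own services,
        // assumed here so that `ledger` and `profile` resolve; they are not X-Auth types.
        private final LedgerService ledger;
        private final ProfileService profile;

        public TransferController(LedgerService ledger, ProfileService profile) {
            this.ledger = ledger;
            this.profile = profile;
        }

        // The bearer must be issued for action "transfer" with these expected fields.
        @PostMapping("/transfer")
        @Verified(action = "transfer", expect = { "amount", "currency" })
        public TransferResult transfer(
                @RequestBody TransferRequest body,
                TransactionContext ctx) {
            return ledger.transfer(body, ctx);
        }

        // No expected fields: only the action itself is bound.
        @PostMapping("/profile/email")
        @Verified(action = "profile.email_change")
        public ProfileResult changeEmail(
                @RequestBody EmailChangeRequest body,
                TransactionContext ctx) {
            return profile.updateEmail(body, ctx);
        }
    }

SPA, mobile, or another backend service — the bearer protocol is identical.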

    // Request a bearer for this action and these values.
    const { decision, access_token } = await advice({
      action: 'transfer', amount: 2999, currency: 'USD',
    });

    await fetch('https://api.example.com/transfer', {
      method: 'POST',
      headers: {
        Authorization: `Bearer ${access_token}`,
        // Needed so Spring's @RequestBody parses the payload as JSON.
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ amount: 2999, currency: 'USD' }),
    });

Add custom expectations, plug in CAEP signals, expose error mappings.
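
An added example, not from the X-Auth documentation: a wrapper around the client call above that takes the values passed to advice() from the request body itself, so the two cannot differ when strict mode is on. verifiedPost, makeStubs and demo are hypothetical names, the stubbed responses are constructed, and the code assumes the fields listed in expect must carry the same values in the advice() call and in the body.

```javascript
// Added example: verifiedPost is a hypothetical helper, not part of the X-Auth SDK.
// `advice` is the call used in the client snippet above, injected so it can be stubbed.
async function verifiedPost({ advice, fetchImpl = globalThis.fetch, url, action, expect, body }) {
  // Take the bound fields from the body itself, so the values the bearer is
  // issued for and the values the server receives cannot drift apart.
  const bound = {};
  for (const field of expect) {
    if (!(field in body)) throw new Error(`body is missing bound field "${field}"`);
    bound[field] = body[field];
  }
  const { decision, access_token } = await advice({ action, ...bound });
  if (!access_token) {
    // No bearer issued: fail before anything reaches the API.
    throw new Error(`no access_token for "${action}" (decision: ${decision})`);
  }
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { Authorization: `Bearer ${access_token}`, 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`"${action}" rejected with HTTP ${res.status}`);
  return res.json();
}

// Constructed stubs so the example runs offline; a real app passes the real
// advice() and the platform fetch. Return values here are made up.
function makeStubs() {
  const calls = { advice: [], fetch: [] };
  const advice = async (req) => {
    calls.advice.push(req);
    return { decision: 'constructed-decision', access_token: 'constructed-token' };
  };
  const fetchImpl = async (url, init) => {
    calls.fetch.push({ url, init });
    return { ok: true, status: 200, json: async () => ({ received: JSON.parse(init.body) }) };
  };
  return { calls, advice, fetchImpl };
}

async function demo() {
  const { calls, advice, fetchImpl } = makeStubs();
  const result = await verifiedPost({
    advice, fetchImpl, url: 'https://api.example.com/transfer',
    action: 'transfer', expect: ['amount', 'currency'],
    body: { amount: 2999, currency: 'USD' },
  });
  return { result, calls };
}
```

A body that lacks one of the expected fields fails in the client before advice() or the API is called.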