DELETE /api/account
Bearer
Delete account from the API
Example
curl -X DELETE "https://locationnotes.com/api/account" \
-H "Authorization: Bearer <access token>"
HTTP API
Use this page when you need the real HTTP routes, query parameters, authentication rules, and copy-paste examples behind the website and Android app. The public site, authenticated website flows, and Android client all talk to this same API surface on the same domain.
Need the product model behind the endpoints? What is a User?, What is a Team?, What is a Note?, and What is a Trackable?, and What is an External Link?, and What is an Image? and What is a Support Request? explain the objects these routes operate on. For step-by-step trackable sequences, use the authenticated trackable API flow, anonymous trackable API flow, and trackable error reference pages.
All examples on this page assume the current production host:
https://locationnotes.com
Requests and responses use JSON. GUIDs are the primary identifiers across notes, categories, teams, and devices.
Private, sync, and team endpoints require an
Authorization: Bearer <access token>
header unless the route is marked public below.
Public and management reads can pass
contentLanguage=en-US
or another supported content language to filter the returned note/category content.
Website sign-in pages and external-provider setup are documented on the Authentication page. Register first when the caller does not already have a LocationNotes account. API clients that want a bearer token should then use the identity API login route with cookies turned off, which is the same pattern the Android app uses.
POST /api/auth/register
Anonymous
{
"email": "tester@example.com",
"userName": "field_tester",
"password": "StrongP@ssw0rd!"
}
A successful register call creates the account and reserves the public profile user name, but it does not replace login. User names may contain lowercase letters, numbers, and underscores only. Call the bearer login route next when the client needs an access token for private, sync, team, or manage routes.
POST /api/auth/login?useCookies=false&useSessionCookies=false
Anonymous
{
"email": "tester@example.com",
"password": "StrongP@ssw0rd!"
}
{
"tokenType": "Bearer",
"accessToken": "eyJhbGciOi..."
}
curl -X POST "https://locationnotes.com/api/auth/login?useCookies=false&useSessionCookies=false" \
-H "Content-Type: application/json" \
-d '{
"email": "tester@example.com",
"password": "StrongP@ssw0rd!"
}'
The complete route inventory below also lists the current framework-managed identity routes under /api/auth. If you need the full interactive website flow, provider callbacks, account-security pages, or provider-linking behavior, use the Authentication page.
Use this endpoint for public map windows and browse-by-area experiences. This is the route the homepage map uses.
GET /api/notes/public/bounds
Anonymous
minLatitude, minLongitude, maxLatitude, maxLongitudecontentLanguageThese public map reads include normal Public notes and notes using VisibleOnceAssociatedTrackableAccessed only while they still have no associated trackables. Once a trackable is attached, the note drops out of anonymous public-map discovery until the viewer has unlocked one of the associated trackables on a page-level route.
curl "https://locationnotes.com/api/notes/public/bounds?minLatitude=41.78&minLongitude=-87.75&maxLatitude=41.96&maxLongitude=-87.54&contentLanguage=en-US"
[
{
"noteId": "4d6c5df3-3c53-4d0e-8e72-7d98a0f8a9f3",
"ownerUserId": "a7cfd28f-c17f-4cf7-8913-47fa10fd0d1f",
"categoryId": "4de6bb76-f25d-4c73-b8e3-81b9ca3bf08f",
"title": "Dock gate closed",
"body": "Security redirected vehicles to the south entrance.",
"contentLanguage": "en-US",
"latitude": 41.8818,
"longitude": -87.6231,
"visibility": "Public",
"isDeleted": false,
"updatedUtc": "2026-03-13T20:10:00Z",
"clientMutationId": "web-demo-public-1",
"teamId": null
}
]
Use this endpoint when the client already knows a center point and wants a distance-limited result set instead of a rectangular map window.
GET /api/notes/public/nearby
Anonymous
latitude, longituderadiusKm (default 5), contentLanguageThe same visibility rule applies here as the bounds endpoint: Public notes are included normally, and VisibleOnceAssociatedTrackableAccessed notes are included only until they gain their first associated trackable.
curl "https://locationnotes.com/api/notes/public/nearby?latitude=41.8818&longitude=-87.6231&radiusKm=8&contentLanguage=en-US"
These routes back the published map and note strip on public profile and public team pages. They use the same note-access rules as the page itself and accept either a nearby center point or full map bounds.
GET /api/public/profiles/{userName}/notes/nearby
Anonymous or Bearer
GET /api/public/teams/{teamName}/notes/nearby
Anonymous or Bearer
Required query string: latitude, longitude or full map bounds with minLatitude, minLongitude, maxLatitude, maxLongitude.
Optional query string: radiusKm (default 5), contentLanguage, includeAllLanguages
The website normally sends the current route language as contentLanguage so /en-US and /tlh public pages do not mix authored note languages in the same map or strip by default.
Set includeAllLanguages=true only when the client is intentionally building a multilingual browse surface instead of mirroring the website page.
curl "https://locationnotes.com/api/public/profiles/michael-kappel/notes/nearby?minLatitude=41.87&minLongitude=-87.64&maxLatitude=41.89&maxLongitude=-87.62&contentLanguage=en-US"
Sync clients should push local dirty data first, then pull server changes for the user, active teams, and public notes in the current area. Both sync routes require bearer auth.
POST /api/sync/push
Bearer
{
"deviceId": "5dd06ca7-34a5-4f2e-812d-3f1ef3e48290",
"notes": [
{
"noteId": "ef90c4ca-88a9-4a9b-b3a8-36e2649c5dcb",
"ownerUserId": "a7cfd28f-c17f-4cf7-8913-47fa10fd0d1f",
"categoryId": "4de6bb76-f25d-4c73-b8e3-81b9ca3bf08f",
"title": "Offline inspection",
"body": "Saved while disconnected.",
"contentLanguage": "en-US",
"latitude": null,
"longitude": null,
"visibility": "Private",
"externalLinkUrl": "https://example.com/offline-inspection",
"externalLinkDescription": "",
"applyExternalLinkChanges": true,
"isDeleted": false,
"updatedUtc": "2026-03-13T20:12:00Z",
"clientMutationId": "android-offline-42",
"teamId": null
}
],
"categories": []
}
{
"appliedNoteIds": [
"ef90c4ca-88a9-4a9b-b3a8-36e2649c5dcb"
],
"appliedCategoryIds": [],
"conflicts": []
}
POST /api/sync/pull
Bearer
{
"lastSyncUtc": "2026-03-13T19:45:00Z",
"publicArea": {
"minLatitude": 41.78,
"minLongitude": -87.75,
"maxLatitude": 41.96,
"maxLongitude": -87.54
}
}
{
"serverSyncUtc": "2026-03-13T20:13:02Z",
"userNotes": [],
"userCategories": [],
"teamCategories": [],
"publicNotes": [],
"teamNotes": []
}
Sync endpoints reject anonymous requests. If the server blocks an older Android beta build, check
GET /api/system/status
for the minimum compatible version and beta-page URL.
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
GET /api/notes/mine
Bearer
Optional query string: contentLanguage and full map bounds with minLatitude, minLongitude, maxLatitude, maxLongitude.
Note read payloads now include lastActivityUtc so clients can show the most recent activity separately from persistence/update timestamps.
POST /api/notes/mine
Bearer
{
"categoryId": "4de6bb76-f25d-4c73-b8e3-81b9ca3bf08f",
"title": "Category-only feedback",
"body": "This note stays off the map on purpose.",
"contentLanguage": "en-US",
"externalLinkUrl": "https://example.com/field-guide",
"externalLinkDescription": "",
"latitude": null,
"longitude": null,
"visibility": "VisibleOnceAssociatedTrackableAccessed",
"commentPolicy": "LoggedInUsers"
}
visibility accepts Private, Public, and VisibleOnceAssociatedTrackableAccessed. The associated-trackable mode behaves like Public until the note has one or more associated trackables. After that, public discovery and note-page access require that the viewer has already unlocked one of those associated trackables.
GET /api/public/notes/{noteId}
Anonymous or Bearer
GET /api/public/notes/{noteId}/comments
Anonymous or Bearer
POST /api/public/notes/{noteId}/comments
Bearer
GET /api/public/notes/{noteId}/trackables
Anonymous or Bearer
POST /api/public/notes/{noteId}/trackables
Bearer
{
"body": "I found it too."
}
{
"trackableSecretCodes": "LN4C8R2Z",
"selectedActiveTrackableIds": [
"f3a8f841-20db-4f1e-a3f8-9f14bc0b3c31"
],
"activeTrackableAttachMode": "Self"
}
These note-page routes respect note access rules, including private notes and notes gated by associated-trackable access. If the caller can open the note page, the API can return comments and visible trackables for that note. Attaching trackables requires the note owner or a team admin.
GET /api/categories/mine
Bearer
GET /api/categories/mine/tree
Bearer
GET /api/categories/mine/tree/sections
Bearer
GET /api/categories/mine/tree/children?parentCategoryId={categoryId}
Bearer
Use these lighter helper routes for lazy-loaded category pickers and sidebar trees. tree/sections groups root categories by contentLanguage. tree/children returns the direct child nodes for one parent and includes childCategoryCount so the client can decide whether to show an expand affordance before loading grandchildren.
[
{
"contentLanguage": "en-US",
"rootCategories": [
{
"categoryId": "68cb4c9b-d9bd-4bde-8c6a-a03a4c70b283",
"name": "Field Reports",
"contentLanguage": "en-US",
"parentCategoryId": null,
"childCategoryCount": 2
}
]
}
]
[
{
"categoryId": "c4b2e65f-5cf2-4ab6-8577-a89dfb51407f",
"name": "Dock checks",
"contentLanguage": "en-US",
"parentCategoryId": "68cb4c9b-d9bd-4bde-8c6a-a03a4c70b283",
"childCategoryCount": 0
}
]
POST /api/categories/mine
Bearer
POST /api/categories/mine/{categoryId}/move
Bearer
{
"name": "Field Reports",
"contentLanguage": "en-US",
"parentCategoryId": null
}
GET /api/notes/mine/gpx
Bearer
GET /api/notes/mine/gpx exports only mapped personal notes with saved coordinates as GPX 1.1 waypoints.
POST /api/notes/mine/gpx
Bearer
POST /api/notes/mine/gpx accepts multipart form data with file, visibility, and optional contentLanguage. The import reads waypoint entries only, creates normal mapped notes, and never overwrites an existing note.
Duplicate checks stay inside the selected personal scope. Matching title plus coordinates with the same note text are reported as duplicates. Matching title plus coordinates with different note text are skipped to avoid overwrite.
curl "https://locationnotes.com/api/notes/mine/gpx" \
-H "Authorization: Bearer <access token>"
curl -X POST "https://locationnotes.com/api/notes/mine/gpx" \
-H "Authorization: Bearer <access token>" \
-F "file=@waypoints.gpx;type=application/gpx+xml" \
-F "visibility=Private" \
-F "contentLanguage=en-US"
What is Import and Export? covers how GPX waypoint exchange differs from the full JSON and portable ZIP account exports.
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
GET /api/teamsGET /api/teams/{teamId}/notesGET /api/teams/{teamId}/categoriesGET /api/teams/{teamId}/categories/treeGET /api/teams/{teamId}/invite-linksTeam and team-note read models include lastActivityUtc. Public trimming prefers the most recently active records first.
GET /api/teams/{teamId}/categories/tree/sections
Bearer
GET /api/teams/{teamId}/categories/tree/children?parentCategoryId={categoryId}
Bearer
These routes use the same section and child-node shapes as the personal workspace tree helpers, but the data stays inside the selected team scope and still requires active team membership.
Use DELETE /api/teams/{teamId}/notes/{noteId} when the note should leave the team workspace but continue existing for the owner, and use DELETE /api/teams/{teamId}/notes/{noteId}/delete when the team note itself should be permanently deleted.
{
"name": "Beta Testers",
"title": "Beta Testers",
"description": "Public beta release gate for Android validation.",
"externalLinkUrl": "https://example.com/beta-program",
"externalLinkDescription": "",
"joinPolicy": "RequestsAllowed",
"pageVisibility": "Public",
"defaultNoteVisibility": "Public",
"contentLanguage": "en-US"
}
POST /api/teams/{teamId}/notes
Bearer
{
"categoryId": "68cb4c9b-d9bd-4bde-8c6a-a03a4c70b283",
"title": "Shared dock inspection",
"body": "Visible to the team until we publish it.",
"contentLanguage": "en-US",
"externalLinkUrl": "https://example.com/shared-briefing",
"externalLinkDescription": "",
"latitude": 41.8818,
"longitude": -87.6231,
"visibility": "Private",
"commentPolicy": "TeamMembers"
}
GET /api/teams/{teamId}/notes/gpx
Bearer
POST /api/teams/{teamId}/notes/gpx
Bearer
GET /api/teams/{teamId}/notes/gpx and POST /api/teams/{teamId}/notes/gpx apply the same GPX rules inside the selected team scope. Duplicate and overwrite checks only compare against that team's notes.
curl "https://locationnotes.com/api/teams/{teamId}/notes/gpx" \
-H "Authorization: Bearer <access token>"
curl -X POST "https://locationnotes.com/api/teams/{teamId}/notes/gpx" \
-H "Authorization: Bearer <access token>" \
-F "file=@team-waypoints.gpx;type=application/gpx+xml" \
-F "visibility=Public" \
-F "contentLanguage=en-US"
POST /api/teams/{teamId}/memberships/requestPOST /api/teams/{teamId}/memberships/invitePOST /api/teams/{teamId}/memberships/{membershipId}/acceptPOST /api/teams/{teamId}/memberships/{membershipId}/refusePOST /api/teams/{teamId}/memberships/{membershipId}/approvePOST /api/teams/{teamId}/memberships/{membershipId}/denyPOST /api/teams/{teamId}/memberships/{membershipId}/promote-adminDELETE /api/teams/{teamId}/memberships/{membershipId}POST /api/teams/invite-links/{teamSlug}/{inviteCode}/join{
"isSingleUse": false
}
{
"inviteLinkId": "9a4726dc-4fb1-4c16-b7b3-5d48ea68fdce",
"teamId": "0f4ddf5d-f3dc-4417-b96d-8e212d24235e",
"teamName": "Invite Team",
"teamSlug": "invite-team",
"code": "8K4V9T",
"createdByDisplayName": "invite-admin",
"createdByCurrentUser": true,
"inviterIsCurrentlyAdmin": true,
"isSingleUse": false,
"createdUtc": "2026-03-18T21:15:00Z"
}
{
"teamSlug": "invite-team",
"membershipStatus": "RequestingMembership"
}
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows. Secret short codes and scan-only QR URLs are only returned from the create endpoints below. They are never returned again from read, lookup, comment, or detail routes.
| Format | Example | Lookup rule |
|---|---|---|
| Public code token | LN-7K4V9T |
Globally unique short public token. Safe for public lookup and public links. |
| Public entry route | GET /trackable/LN-7K4V9T |
Short public share URL. The same base route is used for public codes, short secret codes, and long scan-only QR tokens. |
| Localized public trackable page | GET /en-US/trackables/LN-7K4V9T |
Language-specific rendered public page reached after the share URL resolves the code. |
| Secret entry route | GET /trackable/LN4C8R2Z |
Short possession-based entry URL for someone holding the item. It uses the same <code>/trackable/{code}</code> base route as the public and long scan forms. |
| System short secret code | LN4C8R2Z |
Globally unique across all trackables and also unique against public codes. Intended for manual possession-based entry. |
| Alternate system prefix | GT8M2Q7V |
Same generated short-secret pattern on sister deployments that use the <code>GT</code> prefix. |
| Bring-your-own secret code | ITEM42X |
Advanced external identifier. Must stay unique across all trackables and must not start with <code>LN</code> or <code>GT</code>. |
| Private scan route | https://locationnotes.com/trackable/AB4D5QW2...<100 chars total>... |
Unique across all trackables and intended to come from QR scanning instead of manual entry. |
Generated public-code tokens and generated short-secret bodies use the same smudge-resistant character family. Typed lookup treats O like 0, I or L like 1, S like 5, and U like V. For system short-secret codes, that normalization applies to the generated body after the literal prefix. Public codes use that same configured prefix with a dash before the generated body, so they are visually distinct from short secret codes.
Public list reads are capped by the site's public-data exposure limit, which is currently 500 by default.
Trackable and trackable-group read models include lastActivityUtc so dashboards and API clients can show recent activity explicitly.
GET /api/trackables/publicGET /api/trackables/mineGET /api/trackables/{trackableId}POST /api/trackables/{trackableId}/watchDELETE /api/trackables/{trackableId}/watchGET /api/trackables/{trackableId}/journeyPOST /api/trackables/{trackableId}/journey-stopsDELETE /api/trackables/{trackableId}/journey-stops/{journeyStopId}GET /api/trackables/public and the website's public trackable browse pages stay multilingual so public journey and logistics data are not hidden by route language.
Switch the website language when you want localized chrome around the same public trackable data.
POST /api/trackables
Bearer
{
"name": "Promo coin",
"description": "Launch event inventory item",
"externalLinkUrl": "https://example.com/promo-coin",
"externalLinkDescription": "",
"teamId": null,
"visibility": "AlwaysVisibleToEveryone",
"activateImmediately": false,
"secretCode": ""
}
{
"trackableId": "f3a8f841-20db-4f1e-a3f8-9f14bc0b3c31",
"heading": "Unactivated Trackable",
"description": "Please activate this trackable item",
"items": [
{
"trackableId": "f3a8f841-20db-4f1e-a3f8-9f14bc0b3c31",
"name": "Unactivated Trackable",
"publicCode": "LN-7K4V9T",
"secretCode": "LN4C8R2Z",
"scanUrl": "https://locationnotes.com/trackable/ABCD...<100 characters total>...",
"qrPayload": "ABCD...<100 characters total>..."
}
]
}
{
"name": "Marketing token",
"description": "Bring-your-own identifier",
"teamId": null,
"visibility": "VisibleOnceAccessed",
"activateImmediately": true,
"secretCode": "TAG42"
}
The server accepts caller-supplied secret codes that do not start with LN, GT, or GC and do not match any existing secret or public code. The returned public code is still system-generated.
POST /api/trackables/groups
Bearer
{
"name": "Gnomes in this hunt",
"description": "Seasonal hunt inventory",
"defaultTrackableTitle": "",
"defaultTrackableDescription": "",
"defaultExternalLinkUrl": "https://example.com/hunt-rules",
"defaultExternalLinkDescription": "",
"trackableCount": 12,
"teamId": null,
"visibility": "AlwaysVisibleToEveryone",
"activateImmediately": false,
"watchGroupActivityWhenCreated": true
}
Groups are limited to 100 trackables. Unactivated items fall back to the group defaults until activation. Once activated, they must use their own title and description.
Trackable-group creation can also accept watchGroupActivityWhenCreated when an unactivated batch should start on the creator's watch list.
POST /api/trackables/lookup matches a public code token or short secret code after normalizing the common smudged-character substitutions listed above.GET /trackable/{code} is the short website entry route shown to users and API clients. It accepts a public code, a short secret code, or the long QR token and then routes to the correct flow.GET /api/trackables/active lists the client's current active secret-code session when one exists.GET /api/trackables/active/{trackableId} returns the active landing payload, including activation requirements and grouped items when available.POST /api/trackables/active/{trackableId}/message updates the remembered status text.DELETE /api/trackables/active/{trackableId} ends the remembered secret-code session on that client.Secret-code lookups and scan-only QR visits create an active client session instead of returning the secret value. That active session is what lets later note flows attach the trackable without re-entering the code.
When the caller is authenticated, the same Visible Once Accessed lookup also links the trackable to that account so later signed-in devices can reopen the trackable, its group page, and normal follow-up routes without re-entering the secret.
The website intentionally uses the same direct entry base route for all three forms: /trackable/{publicCode}, /trackable/{secretCode}, and /trackable/{qrToken}.
The localized /{lang}/trackable/{code} route is the rendered single-item landing after automatic language selection, but it still should not be shown as the shareable or printed URL.
After a public-code lookup resolves, the rendered public page lives at /{lang}/trackable/{publicCode}.
That shared entry route stays valid even if the configured short-code lengths change later, because the server resolves the code value instead of depending on hard-coded website path variations.
Owner-scoped website trackable routes are intentionally not part of the public URL system.
That distinction also applies on note pages: a public code is for opening the public trackable page, while note attachment expects an existing short secret code or an already-active browser session.
GET /api/trackables/lookup?code=LN4C8R2Z
{
"found": true,
"trackableId": "f3a8f841-20db-4f1e-a3f8-9f14bc0b3c31",
"isPublicCodeMatch": false,
"usesSecretAccess": true,
"redirectUrl": "/en-US/trackables/active/f3a8f841-20db-4f1e-a3f8-9f14bc0b3c31"
}
GET /trackable/LN-7K4V9T
GET /en-US/trackables/LN-7K4V9T
GET /trackable/ABCD...<100 characters total>...
POST /api/trackables/{trackableId}/activate
Bearer
{
"name": "",
"description": "",
"useGroupDefaultTitle": true,
"useGroupDefaultDescription": true,
"externalLinkUrl": "",
"externalLinkDescription": "",
"useGroupDefaultExternalLink": true,
"teamId": "optional-team-guid"
}
If teamId is supplied, the trackable becomes team-owned, team admins can manage it, and the activating member keeps control while they remain on that team. Without teamId, the trackable becomes personally owned.
When a grouped item is activated, the owner can either save an explicit item title and description or intentionally copy the group's current default title and description into the item.
DELETE /api/trackables/{trackableId}/group removes the current group association.POST /api/trackables/{trackableId}/group with { "trackableGroupId": "..." } associates a detached trackable with a new group.POST /api/trackables/groups/{trackableGroupId}/watch starts monitoring the group's visible members. Existing member-item watches from that same group can still collapse into the group watch, and owner-or-watch overlap is deduplicated per user.DELETE /api/trackables/groups/{trackableGroupId}/watch stops monitoring the group.A trackable can only belong to one group at a time. The server enforces the detach-first rule. Only the original activator can reattach a detached trackable, and the destination group must also be controlled by that user or an eligible team admin.
{
"trackableGroupId": "4bdffcab-bb51-4fd8-8c15-59f7b2d72c3f"
}
GET /api/trackables/{trackableId}/commentsPOST /api/trackables/{trackableId}/commentsPUT /api/trackables/{trackableId}/comments/{commentId}DELETE /api/trackables/{trackableId}/comments/{commentId}Unactivated trackables cannot receive comments or journey stops.
Authenticated users can post comments directly. Anonymous callers can also post, but every anonymous write must come from that browser's active trackable session or resend the exact short secret code or private QR token for that specific trackable.
Only the signed-in comment author can edit their own comment. Trackable owners and current team admins can delete comments or journey stops, but they still cannot rewrite somebody else's words.
{
"body": "Starting the route now.",
"accessCode": "LN4C8R2Z"
}
The journey feed is now an immutable stop history. Note-backed stops snapshot the location when the note is attached, and direct map reports can be saved without creating a note first.
If a linked note later moves to a different coordinate, the trackable journey still keeps the original snapped stop so logistics history does not silently rewrite itself.
Anonymous direct reports follow the same rule as anonymous comments: the caller must use that browser's active trackable session or resend the short secret code or private QR token on the write request.
{
"latitude": 41.8819,
"longitude": -87.6278,
"accessCode": "LN4C8R2Z"
}
GET /api/trackables/{trackableId}/journey returns label-first place facts. Each point carries coordinateId, locationLabel, and currentNotesAtCoordinate so clients can show the current visible notes at that coordinate without treating the stop as if it owns one saved note.
Journey responses do not split the outward place contract into city, stateOrProvince, and country fields anymore. Read locationLabel plus the coordinates instead.
[
{
"journeyStopId": "8a274ad6-5dd4-45c4-969a-c13cc1b8d92c",
"coordinateId": "565c42dd-2e12-49b4-a16b-c89ff4502b8e",
"latitude": 41.8819,
"longitude": -87.6278,
"associatedUtc": "2026-04-05T18:30:00Z",
"isLocationOnly": false,
"isAnonymous": false,
"canDelete": false,
"canConvertToNote": false,
"locationLabel": "Chicago, Illinois, United States",
"creatorDisplayText": "Jordan",
"creatorProfileUserName": "jordan",
"currentNotesAtCoordinate": [
{
"noteId": "4d6c5df3-3c53-4d0e-8e72-7d98a0f8a9f3",
"title": "Lobby drop",
"contentLanguage": "en-US",
"thumbnailUrl": "/api/images/notes/4d6c5df3-3c53-4d0e-8e72-7d98a0f8a9f3/thumbnail"
}
]
}
]
Trackable journey pages may show mapped locations even when some underlying notes are private. In those cases, unauthorized viewers can receive the location point but not the protected note content.
Authorized viewers receive the note title, description, and note link directly from the preloaded journey payload and map pin popups.
Deleting one account does not automatically delete every trackable that account ever touched. Shared or team-owned trackables can remain while only the deleted user's removable personal activity is removed.
Review the Delete Data page and the account-delete API section for the current retention boundaries.
The trackable API has both a full signed-in ownership workflow and a lighter anonymous secret-backed reporting workflow. Use the dedicated pages below when you need ordered call sequences, decision points, and copy-paste examples instead of a route catalog.
From found-item lookup through browser secret access, sign-in, activation, note linking, direct journey logging, moderation, and export/deletion considerations.
For callers who will not sign in but do have the exact secret code or private QR token and need to post a direct location report or comment safely.
Trackable problem-details responses now include a stable machine-readable code field. Use the error reference page to map failures to likely causes and fixes.
External-link support is available on note, team, trackable, trackable-group, and sync APIs. Clients can call the verify endpoint first, but create and update routes still revalidate the link server-side before saving.
POST /api/external-links/verify
Bearer
Call this before showing the description field in a custom client. A successful response returns a normalized URL, the suggested description from the page title, and a support URL for review issues. Failed responses return HTTP 400 with a detail message, a support URL, and an upstreamStatusCode when the destination site itself returned an HTTP error.
{
"url": "https://example.com/hunt-rules"
}
{
"normalizedUrl": "https://example.com/hunt-rules",
"suggestedDescription": "Example Domain",
"supportUrl": "/en-US/support"
}
{
"title": "Request rejected.",
"status": 400,
"detail": "The external page returned HTTP 405 Method Not Allowed during verification.",
"supportUrl": "/en-US/support",
"upstreamStatusCode": 405
}
Create and update note, team, and sync payloads use externalLinkUrl plus externalLinkDescription. When ApplyExternalLinkChanges is true on sync note payloads, the server revalidates the link before saving.
CreateNoteRequest.ExternalLinkUrlCreateNoteRequest.ExternalLinkDescriptionCreateTeamRequest.ExternalLinkUrlCreateTeamRequest.ExternalLinkDescriptionUpdateTeamSettingsRequest.ExternalLinkUrlUpdateTeamSettingsRequest.ExternalLinkDescriptionNoteDto.ExternalLinkUrlNoteDto.ExternalLinkDescriptionNoteDto.ApplyExternalLinkChangesTrackable creation and update payloads use externalLinkUrl, externalLinkDescription, and externalLinkAppendPublicTrackableCode. Trackable-group creation and update use defaultExternalLinkUrl, defaultExternalLinkDescription, and defaultExternalLinkAppendPublicTrackableCode. Activation still accepts useGroupDefaultStatusMessage alongside useGroupDefaultTitle, useGroupDefaultDescription, and useGroupDefaultExternalLink when the owner intentionally wants to start from the group's defaults.
TrackableGroupCreateInputModel.Name accepts letters, numbers, spaces, and capital letters in requests. The server stores the page slug separately in lowercase with underscores and keeps that slug fixed after creation.
When a stored trackable or trackable-group default link opts in, LocationNotes appends LN={publicCode} only when the click starts from a specific trackable page. Group pages still use the stored URL by itself because no individual trackable code is in context there.
Activation can also accept optional initialJourneyStopLatitude and initialJourneyStopLongitude values when the first tracked location should be created in the same request.
TrackableCreateInputModel.ExternalLinkUrlTrackableCreateInputModel.ExternalLinkDescriptionTrackableCreateInputModel.ExternalLinkAppendPublicTrackableCodeTrackableActivationInputModel.StatusMessageTrackableGroupCreateInputModel.DefaultExternalLinkUrlTrackableGroupCreateInputModel.DefaultExternalLinkDescriptionTrackableGroupCreateInputModel.DefaultExternalLinkAppendPublicTrackableCodeTrackableGroupCreateInputModel.DefaultStatusMessageTrackableGroupCreateInputModel.WatchGroupActivityWhenCreatedTrackableActivationInputModel.UseGroupDefaultTitleTrackableActivationInputModel.UseGroupDefaultDescriptionTrackableActivationInputModel.UseGroupDefaultStatusMessageTrackableActivationInputModel.ExternalLinkUrlTrackableActivationInputModel.ExternalLinkDescriptionTrackableActivationInputModel.UseGroupDefaultExternalLinkTrackableActivationInputModel.InitialJourneyStopLatitudeTrackableActivationInputModel.InitialJourneyStopLongitudeImage visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
Clients should also remember that uploads are screened before save, originals are not retained, and the server stores only resized JPEG variants. The website and Android app both use these same API contracts and file routes.
GET /api/images/profiles/{userId}
Anonymous or Bearer
GET /api/images/notes/{noteId}
Anonymous or Bearer
GET /api/images/teams/{teamId}
Anonymous or Bearer
GET /api/images/trackables/{trackableId}
Anonymous or Bearer
GET /api/images/trackable-groups/{trackableGroupId}
Anonymous or Bearer
Use these reads to populate galleries. Each item includes the image GUID, original dimensions, and the relative URLs for the thumbnail, small, medium, and large stored copies.
originalWidth and originalHeight describe the uploaded source image for reference. The actual downloadable files are still the resized stored variants linked by thumbnailUrl, smallUrl, mediumUrl, and largeUrl.
curl "https://locationnotes.com/api/images/notes/4d6c5df3-3c53-4d0e-8e72-7d98a0f8a9f3"
[
{
"contentImageId": "f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1",
"targetType": 1,
"noteId": "4d6c5df3-3c53-4d0e-8e72-7d98a0f8a9f3",
"originalWidth": 1600,
"originalHeight": 1200,
"createdUtc": "2026-03-18T21:15:00Z",
"thumbnailUrl": "/Images/Thumbnail/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1-64.jpg",
"smallUrl": "/Images/Small/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1-306.jpg",
"mediumUrl": "/Images/Medium/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1-612.jpg",
"largeUrl": "/Images/Large/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1-1024.jpg"
}
]
GET /api/images/{contentImageId}/{variant}
Anonymous or Bearer
Valid variant values are thumbnail, small, medium, and large. Responses return image/jpeg.
The website file URLs under /Images/{Variant}/{guid}-{size}.jpg enforce the same parent-visibility rule before image bytes are served, so direct image links are still protected by the connected profile, note, team, trackable, or trackable-group permissions.
curl -L "https://locationnotes.com/api/images/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1/large" --output note-large.jpg
POST /api/images/profiles
Bearer
POST /api/images/notes/{noteId}
Bearer
POST /api/images/teams/{teamId}
Bearer
POST /api/images/trackables/{trackableId}
Bearer
POST /api/images/trackable-groups/{trackableGroupId}
Bearer
Send one multipart file field named file. The caller must already have parent-management permission for the target, which means team-admin access for team pages and the normal edit/management permission for the other parent types. Uploads are screened before save, then stored as resized JPEG copies only.
curl -X POST "https://locationnotes.com/api/images/trackables/721f5205-ed2c-43e8-8ecd-1502d5bb7b56" \
-H "Authorization: Bearer <access token>" \
-F "file=@tracker.jpg"
{
"image": {
"contentImageId": "f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1",
"targetType": 3,
"trackableId": "721f5205-ed2c-43e8-8ecd-1502d5bb7b56",
"originalWidth": 1600,
"originalHeight": 1200,
"createdUtc": "2026-03-18T21:15:00Z",
"thumbnailUrl": "/Images/Thumbnail/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1-64.jpg",
"smallUrl": "/Images/Small/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1-306.jpg",
"mediumUrl": "/Images/Medium/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1-612.jpg",
"largeUrl": "/Images/Large/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1-1024.jpg"
}
}
DELETE /api/images/{contentImageId}
Bearer
Deletion requires the same parent-management permission that upload requires. When a delete succeeds, the content-image row and all stored resized variants are removed together.
API clients must send the HTTP DELETE verb here. Opening this URL directly in a browser address bar sends GET instead, which returns 405 Method Not Allowed because this route is not a download page.
Website delete buttons use the localized website form route at /{culture}/images/{contentImageId}/delete so browser gallery deletes keep anti-forgery protection.
curl -X DELETE "https://locationnotes.com/api/images/f1d52aa2-4d59-49bf-8d21-7d0b4e9e57f1" \
-H "Authorization: Bearer <access token>"
What is an Image? explains the visibility, moderation, reporting, resize, export, and deletion rules behind these routes.
Use these routes for inappropriate-content reports, tracked system errors, and the same support-ticket records that back the website support-request flow. Anonymous callers may submit reports, but only signed-in reporters can later track status updates and super-admin resolutions through the API.
POST /api/compliance/reports
Anonymous or Bearer
If the caller is authenticated by website cookie or bearer token, the created report is attached to that account so it appears under GET /api/compliance/reports/mine.
{
"pageType": 2,
"contentType": 5,
"pageTitle": "Reported note title",
"pageUrl": "/en-US/Note/2f4a9f80-b7db-4f4b-9d34-0c2cb8777d9a#note-page-title",
"pageReference": "2f4a9f80-b7db-4f4b-9d34-0c2cb8777d9a",
"contentLabel": "Note Page title and content",
"contentReference": "2f4a9f80-b7db-4f4b-9d34-0c2cb8777d9a:page-content",
"contentPreview": "Title: Reported note title\n\nContent: Reported note body",
"reportTitle": "Needs review",
"reportExplanation": "This title is not appropriate for a public note."
}
POST /api/compliance/errors
Anonymous or Bearer
If an API route already failed with an unexpected 500 and returned a ticketNumber in problem-details JSON, post that ticket here instead of creating a second error log row. Include userExplanation and set trackInSupportTickets when the caller wants super-admin follow-up.
{
"ticketNumber": "ERR-1M7Q4D9K2X5R8V6N",
"userExplanation": "Android app hit this right after I tapped refresh twice.",
"trackInSupportTickets": true,
"clientContext": {
"platform": "Android",
"screen": "My Journeys",
"appVersion": "1.0.0-beta.20260318.1"
}
}
When the failure happened only inside the Android app and there is no server ticket yet, create a new error ticket with a marker that describes where the app was.
{
"pageMarkerType": "Android screen",
"pageMarker": "My Journeys",
"requestCulture": "en-US",
"requestUrl": "https://locationnotes.com/api/trackables/active/721f5205-ed2c-43e8-8ecd-1502d5bb7b56?includeHistory=true",
"httpMethod": "GET",
"responseStatusCode": 503,
"exceptionType": "Java.Lang.IllegalStateException",
"exceptionMessage": "Journey list render failed.",
"stackTrace": "at com.locationnotes.trackables.MyJourneysFragment.render(MyJourneysFragment.kt:42)",
"userExplanation": "This happened right after scanning a QR code.",
"trackInSupportTickets": true,
"clientContext": {
"platform": "Android",
"deviceModel": "Pixel 9",
"osVersion": "Android 17",
"appVersion": "1.0.0-beta.20260318.1"
}
}
{
"ticketNumber": "ERR-1M7Q4D9K2X5R8V6N",
"usedExistingTicket": false,
"explanationSaved": true,
"trackedInSupportTickets": true,
"trackedContentReportId": "d91f6e1c-b8e2-4e38-9e96-f2de0cc4f0e2"
}
Use pageMarkerType values such as URL, Android screen, or Android background task. For server-generated tickets, keep the original URL marker and send the returned ticketNumber back here so the logged API URL stays attached to the same ticket.
GET /api/compliance/reports/mine
Bearer
GET /api/compliance/reports/{contentReportId}
Bearer
These routes return only the caller's own reports unless the caller is a super-admin. Use them to show Reported, Reviewing, or Resolved plus any final resolution note for both content reports and tracked system errors.
{
"contentReportId": "3ab419ab-4b71-4d43-b52c-303d6039f01f",
"reporterUserId": "6d650c55-b235-4370-8572-e4b772cd1aea",
"pageType": 2,
"pageTypeLabel": "Note Page",
"contentType": 5,
"contentTypeLabel": "Title and content",
"status": 2,
"statusLabel": "Resolved",
"pageTitle": "Reported note title",
"pageUrl": "/en-US/Note/2f4a9f80-b7db-4f4b-9d34-0c2cb8777d9a#note-page-title",
"pageReference": "2f4a9f80-b7db-4f4b-9d34-0c2cb8777d9a",
"contentLabel": "Note Page title and content",
"contentReference": "2f4a9f80-b7db-4f4b-9d34-0c2cb8777d9a:page-content",
"contentPreview": "Title: Reported note title\n\nContent: Reported note body",
"reportTitle": "Needs review",
"reportExplanation": "This title is not appropriate for a public note.",
"resolutionText": "Reviewed and recorded for moderation follow-up.",
"reporterDisplayName": "site-compliance-reporter",
"reviewerDisplayName": "site-compliance-admin",
"createdUtc": "2026-03-18T18:00:00Z",
"reviewedUtc": "2026-03-18T18:10:00Z"
}
GET /api/compliance/reports
Bearer + SuperAdmin
PUT /api/compliance/reports/{contentReportId}
Bearer + SuperAdmin
The admin list includes the report link, page metadata, offending-content metadata, reporter identity when available, and any previous review note. Updates write the current review state and visible resolution text.
{
"status": 1,
"resolutionText": "Review opened and queued for follow-up."
}
Set status to 2 and include a non-empty resolutionText when closing a report as resolved.
pageType: 0 profile page, 1 team page, 2 note page, 3 trackable page, 4 trackable group page, 5 system error, 6 support pagecontentType: 0 title, 1 description, 2 comment, 3 body, 4 bio, 5 title and content, 6 error details, 7 image, 8 support requeststatus: 0 reported, 1 reviewing, 2 resolvedWebsite page-level reports now use 5 so one report button can cover both the visible title and the visible description/body together. Comment-level reports still use the comment-specific content types.
Website general support requests create Support Page plus Support request tickets through the same COMPLIANCE.ContentReports store, even though the browser form uses the Support page instead of this raw API route.
Tracked website, API, and Android app errors are stored in LOG.Errors. When trackInSupportTickets is enabled, the linked support ticket also appears in COMPLIANCE.ContentReports so super-admin review and reporter status follow the same workflow.
GET /api/system/status
Anonymous
Use this for health checks, Android compatibility gating, the current beta-page URL, and the resolved map/privacy state for the current request.
GET /api/system/beta-android
Anonymous
Returns staged Android beta metadata, including display version, version code, minimum compatible version, and release notes.
GET /api/system/ip-location
Anonymous
Returns the current request's best-effort IP-based location for map centering and troubleshooting.
When the client IP is private, local, or otherwise untrusted, the response stays HTTP 200 and explains the failure in
failureReason
instead of throwing a transport error.
GET /api/system/coordinate-locality
Anonymous
Reverse-geocodes a latitude/longitude pair into city, state/province, and country labels for stop-planner and map-selection flows.
Invalid coordinates return a non-throwing payload with
resolved=false
and
failureReason=invalid-coordinates.
/maps/tiles/{z}/{x}/{y}.png.Private-network, local-network, and otherwise unresolved IP requests intentionally take the stricter path, so a localhost or office-network test can legitimately show no_3rd_parties and hosted_maps even when the signed-in preference was different.
curl "https://locationnotes.com/api/system/status"
{
"status": "online",
"utcNow": "2026-03-13T21:15:00Z",
"androidMinimumCompatibleDisplayVersion": "1.0.0-beta.20260313.2",
"androidMinimumCompatibleVersionCode": "2026031302",
"androidCompatibilityMessage": "The API changed after older beta builds were published. Update to the latest beta before syncing or using live team management.",
"androidBetaPageUrl": "https://locationnotes.com/en-US/account/beta",
"requestedExperienceMode": "latest_and_greatest",
"effectiveExperienceMode": "no_3rd_parties",
"usesSavedExperienceModePreference": false,
"usesVisitorExperienceModePreferenceCookie": false,
"thirdPartyBrowserCallsAllowed": false,
"requestedMapSource": "openstreetmap",
"preferredMapSource": "hosted_maps",
"fallbackMapSource": "hosted_maps",
"usesSavedMapPreference": false,
"usesVisitorMapPreferenceCookie": false,
"googleMapsAllowed": false,
"googleMapsConfigured": false,
"openStreetMapAllowed": false,
"openStreetMapConfigured": true,
"hostedMapsConfigured": true,
"hostedMapsForcedByPrivacy": true,
"hostedMapTileUrlTemplate": "/maps/tiles/{z}/{x}/{y}.png"
}
curl "https://locationnotes.com/api/system/ip-location"
{
"resolved": true,
"clientIpAddress": "50.77.187.28",
"lookupIpAddress": "50.77.187.28",
"usedDevelopmentFallbackIp": false,
"sourceKind": "IpAddress",
"coordinateSourceProvider": "IpInfoDb",
"localitySourceProvider": "IpInfoDb",
"latitude": 41.8758,
"longitude": -87.6206,
"city": "Chicago",
"stateOrProvince": "Illinois",
"country": "United States of America",
"isApproximate": true,
"accuracyRadiusKm": null,
"failureReason": ""
}
curl "https://locationnotes.com/api/system/coordinate-locality?latitude=41.8818&longitude=-87.6231"
{
"resolved": true,
"sourceKind": "Coordinates",
"coordinateSourceProvider": "StopPlanner",
"localitySourceProvider": "HostedMapPostGIS",
"latitude": 41.8818,
"longitude": -87.6231,
"city": "Chicago",
"stateOrProvince": "Illinois",
"country": "United States",
"isApproximate": false,
"accuracyRadiusKm": null,
"failureReason": ""
}
This section is the exhaustive verb-and-path checklist for the current LocationNotes API surface, including the framework-managed identity routes under /api/auth. The detailed sections above explain the main workflows; this inventory is the route-level source of truth that should stay aligned with the live endpoint table.
POST /api/auth/register AnonymousPOST /api/auth/login AnonymousPOST /api/auth/refresh AnonymousGET /api/auth/confirmEmail AnonymousPOST /api/auth/resendConfirmationEmail AnonymousPOST /api/auth/forgotPassword AnonymousPOST /api/auth/resetPassword AnonymousGET /api/auth/manage/info BearerPOST /api/auth/manage/info BearerPOST /api/auth/manage/2fa BearerDELETE /api/account BearerGET /api/system/status AnonymousGET /api/system/beta-android AnonymousGET /api/system/ip-location AnonymousGET /api/system/coordinate-locality AnonymousPOST /api/sync/push BearerPOST /api/sync/pull BearerPOST /api/external-links/verify BearerGET /api/notes/public/bounds AnonymousGET /api/notes/public/nearby AnonymousGET /api/notes/mine BearerPOST /api/notes/mine BearerGET /api/notes/mine/gpx BearerPOST /api/notes/mine/gpx BearerPOST /api/notes/mine/{noteId}/move BearerDELETE /api/notes/mine/{noteId} BearerGET /api/public/profiles/{userName}/notes/nearby Anonymous or BearerGET /api/public/teams/{teamName}/notes/nearby Anonymous or BearerGET /api/public/notes/{noteId} Anonymous or BearerGET /api/public/notes/{noteId}/comments Anonymous or BearerPOST /api/public/notes/{noteId}/comments BearerGET /api/public/notes/{noteId}/trackables Anonymous or BearerPOST /api/public/notes/{noteId}/trackables BearerGET /api/categories/mine BearerGET /api/categories/mine/tree BearerGET /api/categories/mine/tree/sections BearerGET /api/categories/mine/tree/children BearerPOST /api/categories/mine BearerPOST /api/categories/mine/{categoryId}/move BearerDELETE /api/categories/mine/{categoryId} BearerGET /api/teams BearerPOST /api/teams BearerPUT /api/teams/{teamId}/settings BearerGET /api/teams/{teamId}/notes BearerGET /api/teams/{teamId}/notes/gpx BearerDELETE /api/teams/{teamId}/notes/{noteId} BearerPOST /api/teams/{teamId}/notes BearerPOST /api/teams/{teamId}/notes/gpx BearerPOST /api/teams/{teamId}/notes/{noteId}/move BearerDELETE /api/teams/{teamId}/notes/{noteId}/delete BearerGET /api/teams/{teamId}/categories BearerGET /api/teams/{teamId}/categories/tree BearerGET /api/teams/{teamId}/categories/tree/sections BearerGET /api/teams/{teamId}/categories/tree/children BearerPOST /api/teams/{teamId}/categories BearerPOST /api/teams/{teamId}/categories/{categoryId}/move BearerDELETE /api/teams/{teamId}/categories/{categoryId} BearerPOST /api/teams/{teamId}/memberships/request BearerPOST /api/teams/{teamId}/memberships/invite BearerPOST /api/teams/{teamId}/memberships/{membershipId}/accept BearerPOST /api/teams/{teamId}/memberships/{membershipId}/refuse BearerPOST /api/teams/{teamId}/memberships/{membershipId}/approve BearerPOST /api/teams/{teamId}/memberships/{membershipId}/deny BearerPOST /api/teams/{teamId}/memberships/{membershipId}/promote-admin BearerDELETE /api/teams/{teamId}/memberships/{membershipId} BearerGET /api/teams/{teamId}/invite-links BearerPOST /api/teams/{teamId}/invite-links BearerDELETE /api/teams/{teamId}/invite-links/{inviteLinkId} BearerPOST /api/teams/invite-links/{teamSlug}/{inviteCode}/join BearerDELETE /api/teams/{teamId} BearerGET /api/trackables/public Anonymous or BearerGET /api/trackables/mine BearerGET /api/trackables/{trackableId} Anonymous or BearerGET /api/trackables/{trackableId}/journey Anonymous or BearerPOST /api/trackables BearerPOST /api/trackables/groups BearerPOST /api/trackables/{trackableId}/activate BearerPOST /api/trackables/{trackableId}/watch BearerDELETE /api/trackables/{trackableId}/watch BearerDELETE /api/trackables/{trackableId}/group BearerPOST /api/trackables/{trackableId}/group BearerPOST /api/trackables/groups/{trackableGroupId}/watch BearerDELETE /api/trackables/groups/{trackableGroupId}/watch BearerGET /api/trackables/lookup AnonymousPOST /api/trackables/lookup AnonymousGET /api/trackables/active AnonymousGET /api/trackables/active/{trackableId} AnonymousPOST /api/trackables/active/{trackableId}/message AnonymousDELETE /api/trackables/active/{trackableId} AnonymousGET /api/trackables/{trackableId}/comments Anonymous or BearerPOST /api/trackables/{trackableId}/comments Anonymous or BearerPUT /api/trackables/{trackableId}/comments/{commentId} BearerDELETE /api/trackables/{trackableId}/comments/{commentId} BearerPOST /api/trackables/{trackableId}/journey-stops Anonymous or BearerDELETE /api/trackables/{trackableId}/journey-stops/{journeyStopId} BearerGET /api/images/profiles/{userId} Anonymous or BearerGET /api/images/notes/{noteId} Anonymous or BearerGET /api/images/teams/{teamId} Anonymous or BearerGET /api/images/trackables/{trackableId} Anonymous or BearerGET /api/images/trackable-groups/{trackableGroupId} Anonymous or BearerGET /api/images/{contentImageId}/{variant} Anonymous or BearerPOST /api/images/profiles BearerPOST /api/images/notes/{noteId} BearerPOST /api/images/teams/{teamId} BearerPOST /api/images/trackables/{trackableId} BearerPOST /api/images/trackable-groups/{trackableGroupId} BearerDELETE /api/images/{contentImageId} BearerPOST /api/compliance/reports Anonymous or BearerPOST /api/compliance/errors Anonymous or BearerGET /api/compliance/reports/mine BearerGET /api/compliance/reports/{contentReportId} BearerGET /api/compliance/reports Bearer + SuperAdminPUT /api/compliance/reports/{contentReportId} Bearer + SuperAdminThis section is the exhaustive verb-and-path checklist for the current LocationNotes API surface, including the framework-managed identity routes under /api/auth. The detailed sections above explain the main workflows; this inventory is the route-level source of truth that should stay aligned with the live endpoint table.
DELETE /api/account
Bearer
Delete account from the API
curl -X DELETE "https://locationnotes.com/api/account" \
-H "Authorization: Bearer <access token>"
GET /api/auth/confirmEmail
Anonymous
Identity auth and account security
curl "https://locationnotes.com/api/auth/confirmEmail?userId=3a856446-bd89-4b42-b44d-279d237fb5b7&code=CONFIRMATION-CODE"
POST /api/auth/forgotPassword
Anonymous
Identity auth and account security
curl -X POST "https://locationnotes.com/api/auth/forgotPassword" \
-H "Content-Type: application/json" \
-d '{ "email": "api-user@example.com" }'
POST /api/auth/login
Anonymous
Identity auth and account security
curl -X POST "https://locationnotes.com/api/auth/login?useCookies=false&useSessionCookies=false" \
-H "Content-Type: application/json" \
-d '{ "email": "api-user@example.com", "password": "Use-a-strong-password-123!" }'
POST /api/auth/manage/2fa
Bearer
Identity auth and account security
curl -X POST "https://locationnotes.com/api/auth/manage/2fa" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/auth/manage/info
Bearer
Identity auth and account security
curl "https://locationnotes.com/api/auth/manage/info" \
-H "Authorization: Bearer <access token>"
POST /api/auth/manage/info
Bearer
Identity auth and account security
curl -X POST "https://locationnotes.com/api/auth/manage/info" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/auth/refresh
Anonymous
Identity auth and account security
curl -X POST "https://locationnotes.com/api/auth/refresh" \
-H "Content-Type: application/json" \
-d '{ "refreshToken": "<refresh token>" }'
POST /api/auth/register
Anonymous
Identity auth and account security
curl -X POST "https://locationnotes.com/api/auth/register" \
-H "Content-Type: application/json" \
-d '{ "email": "api-user@example.com", "password": "Use-a-strong-password-123!" }'
POST /api/auth/resendConfirmationEmail
Anonymous
Identity auth and account security
curl -X POST "https://locationnotes.com/api/auth/resendConfirmationEmail" \
-H "Content-Type: application/json" \
-d '{ "email": "api-user@example.com" }'
POST /api/auth/resetPassword
Anonymous
Identity auth and account security
curl -X POST "https://locationnotes.com/api/auth/resetPassword" \
-H "Content-Type: application/json" \
-d '{ "email": "api-user@example.com", "resetCode": "RESET-CODE", "newPassword": "Use-a-strong-password-123!" }'
GET /api/categories/mine
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl "https://locationnotes.com/api/categories/mine" \
-H "Authorization: Bearer <access token>"
POST /api/categories/mine
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl -X POST "https://locationnotes.com/api/categories/mine" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/categories/mine/tree
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl "https://locationnotes.com/api/categories/mine/tree" \
-H "Authorization: Bearer <access token>"
GET /api/categories/mine/tree/children
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl "https://locationnotes.com/api/categories/mine/tree/children" \
-H "Authorization: Bearer <access token>"
GET /api/categories/mine/tree/sections
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl "https://locationnotes.com/api/categories/mine/tree/sections" \
-H "Authorization: Bearer <access token>"
DELETE /api/categories/mine/{categoryId}
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl -X DELETE "https://locationnotes.com/api/categories/mine/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
POST /api/categories/mine/{categoryId}/move
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl -X POST "https://locationnotes.com/api/categories/mine/3a856446-bd89-4b42-b44d-279d237fb5b7/move" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/compliance/errors
Anonymous
Compliance reporting
curl -X POST "https://locationnotes.com/api/compliance/errors" \
-H "Content-Type: application/json" \
-d '{ "message": "Client error detail", "url": "/api/example" }'
GET /api/compliance/reports
Bearer
Compliance reporting
curl "https://locationnotes.com/api/compliance/reports" \
-H "Authorization: Bearer <access token>"
POST /api/compliance/reports
Anonymous
Compliance reporting
curl -X POST "https://locationnotes.com/api/compliance/reports" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/compliance/reports/mine
Bearer
Compliance reporting
curl "https://locationnotes.com/api/compliance/reports/mine" \
-H "Authorization: Bearer <access token>"
GET /api/compliance/reports/{contentReportId}
Bearer
Compliance reporting
curl "https://locationnotes.com/api/compliance/reports/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
PUT /api/compliance/reports/{contentReportId}
Bearer
Compliance reporting
curl -X PUT "https://locationnotes.com/api/compliance/reports/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/external-links/verify
Bearer
External-link support is available on note, team, trackable, trackable-group, and sync APIs. Clients can call the verify endpoint first, but create and update routes still revalidate the link server-side before saving.
curl -X POST "https://locationnotes.com/api/external-links/verify" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{ "url": "https://example.com/resource" }'
GET /api/images/notes/{noteId}
Anonymous
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl "https://locationnotes.com/api/images/notes/3a856446-bd89-4b42-b44d-279d237fb5b7"
POST /api/images/notes/{noteId}
Bearer
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl -X POST "https://locationnotes.com/api/images/notes/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>" \
-F "files=@example.jpg"
POST /api/images/profiles
Bearer
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl -X POST "https://locationnotes.com/api/images/profiles" \
-H "Authorization: Bearer <access token>" \
-F "files=@example.jpg"
GET /api/images/profiles/{userId}
Anonymous
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl "https://locationnotes.com/api/images/profiles/3a856446-bd89-4b42-b44d-279d237fb5b7"
GET /api/images/teams/{teamId}
Anonymous
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl "https://locationnotes.com/api/images/teams/3a856446-bd89-4b42-b44d-279d237fb5b7"
POST /api/images/teams/{teamId}
Bearer
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl -X POST "https://locationnotes.com/api/images/teams/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>" \
-F "files=@example.jpg"
GET /api/images/trackable-groups/{trackableGroupId}
Anonymous
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl "https://locationnotes.com/api/images/trackable-groups/3a856446-bd89-4b42-b44d-279d237fb5b7"
POST /api/images/trackable-groups/{trackableGroupId}
Bearer
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl -X POST "https://locationnotes.com/api/images/trackable-groups/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>" \
-F "files=@example.jpg"
GET /api/images/trackables/{trackableId}
Anonymous
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl "https://locationnotes.com/api/images/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7"
POST /api/images/trackables/{trackableId}
Bearer
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl -X POST "https://locationnotes.com/api/images/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>" \
-F "files=@example.jpg"
DELETE /api/images/{contentImageId}
Bearer
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl -X DELETE "https://locationnotes.com/api/images/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
GET /api/images/{contentImageId}/{variant}
Anonymous
Image visibility always follows the parent item. If the caller can open the connected profile, note, team, trackable, or trackable-group page, the caller can open its images too. If the parent item is not accessible, image list reads return no items and direct image downloads return 404.
curl "https://locationnotes.com/api/images/3a856446-bd89-4b42-b44d-279d237fb5b7/thumbnail"
GET /api/notes/mine
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl "https://locationnotes.com/api/notes/mine" \
-H "Authorization: Bearer <access token>"
POST /api/notes/mine
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl -X POST "https://locationnotes.com/api/notes/mine" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/notes/mine/gpx
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl "https://locationnotes.com/api/notes/mine/gpx" \
-H "Authorization: Bearer <access token>"
POST /api/notes/mine/gpx
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl -X POST "https://locationnotes.com/api/notes/mine/gpx" \
-H "Authorization: Bearer <access token>" \
-F "file=@waypoints.gpx"
DELETE /api/notes/mine/{noteId}
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl -X DELETE "https://locationnotes.com/api/notes/mine/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
POST /api/notes/mine/{noteId}/move
Bearer
These routes back the signed-in website workspace and personal Android sync state. All require bearer auth.
curl -X POST "https://locationnotes.com/api/notes/mine/3a856446-bd89-4b42-b44d-279d237fb5b7/move" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/notes/public/bounds
Anonymous
Use this endpoint for public map windows and browse-by-area experiences. This is the route the homepage map uses.
curl "https://locationnotes.com/api/notes/public/bounds?minLatitude=41.78&minLongitude=-87.75&maxLatitude=41.96&maxLongitude=-87.54&contentLanguage=en-US"
GET /api/notes/public/nearby
Anonymous
Use this endpoint when the client already knows a center point and wants a distance-limited result set instead of a rectangular map window.
curl "https://locationnotes.com/api/notes/public/nearby?latitude=41.8818&longitude=-87.6231&radiusKm=8&contentLanguage=en-US"
GET /api/public/notes/{noteId}
Anonymous
These routes back the published map and note strip on public profile and public team pages. They use the same note-access rules as the page itself and accept either a nearby center point or full map bounds.
curl "https://locationnotes.com/api/public/notes/3a856446-bd89-4b42-b44d-279d237fb5b7"
GET /api/public/notes/{noteId}/comments
Anonymous
These routes back the published map and note strip on public profile and public team pages. They use the same note-access rules as the page itself and accept either a nearby center point or full map bounds.
curl "https://locationnotes.com/api/public/notes/3a856446-bd89-4b42-b44d-279d237fb5b7/comments"
POST /api/public/notes/{noteId}/comments
Bearer
These routes back the published map and note strip on public profile and public team pages. They use the same note-access rules as the page itself and accept either a nearby center point or full map bounds.
curl -X POST "https://locationnotes.com/api/public/notes/3a856446-bd89-4b42-b44d-279d237fb5b7/comments" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/public/notes/{noteId}/trackables
Anonymous
These routes back the published map and note strip on public profile and public team pages. They use the same note-access rules as the page itself and accept either a nearby center point or full map bounds.
curl "https://locationnotes.com/api/public/notes/3a856446-bd89-4b42-b44d-279d237fb5b7/trackables"
POST /api/public/notes/{noteId}/trackables
Bearer
These routes back the published map and note strip on public profile and public team pages. They use the same note-access rules as the page itself and accept either a nearby center point or full map bounds.
curl -X POST "https://locationnotes.com/api/public/notes/3a856446-bd89-4b42-b44d-279d237fb5b7/trackables" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/public/profiles/{userName}/notes/nearby
Anonymous
These routes back the published map and note strip on public profile and public team pages. They use the same note-access rules as the page itself and accept either a nearby center point or full map bounds.
curl "https://locationnotes.com/api/public/profiles/field-user/notes/nearby?latitude=41.8818&longitude=-87.6231&radiusKm=8&contentLanguage=en-US"
GET /api/public/teams/{teamName}/notes/nearby
Anonymous
These routes back the published map and note strip on public profile and public team pages. They use the same note-access rules as the page itself and accept either a nearby center point or full map bounds.
curl "https://locationnotes.com/api/public/teams/field-team/notes/nearby?latitude=41.8818&longitude=-87.6231&radiusKm=8&contentLanguage=en-US"
POST /api/sync/pull
Bearer
Sync clients should push local dirty data first, then pull server changes for the user, active teams, and public notes in the current area.
curl -X POST "https://locationnotes.com/api/sync/pull" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/sync/push
Bearer
Sync clients should push local dirty data first, then pull server changes for the user, active teams, and public notes in the current area.
curl -X POST "https://locationnotes.com/api/sync/push" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/system/beta-android
Anonymous
System and beta metadata
curl "https://locationnotes.com/api/system/beta-android"
GET /api/system/coordinate-locality
Anonymous
System and beta metadata
curl "https://locationnotes.com/api/system/coordinate-locality?latitude=41.8818&longitude=-87.6231"
GET /api/system/ip-location
Anonymous
System and beta metadata
curl "https://locationnotes.com/api/system/ip-location"
GET /api/system/status
Anonymous
System and beta metadata
curl "https://locationnotes.com/api/system/status"
GET /api/teams
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl "https://locationnotes.com/api/teams" \
-H "Authorization: Bearer <access token>"
POST /api/teams
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/teams/invite-links/{teamSlug}/{inviteCode}/join
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/invite-links/field-team/INVITE-CODE/join" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
DELETE /api/teams/{teamId}
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X DELETE "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
GET /api/teams/{teamId}/categories
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/categories" \
-H "Authorization: Bearer <access token>"
POST /api/teams/{teamId}/categories
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/categories" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/teams/{teamId}/categories/tree
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/categories/tree" \
-H "Authorization: Bearer <access token>"
GET /api/teams/{teamId}/categories/tree/children
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/categories/tree/children" \
-H "Authorization: Bearer <access token>"
GET /api/teams/{teamId}/categories/tree/sections
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/categories/tree/sections" \
-H "Authorization: Bearer <access token>"
DELETE /api/teams/{teamId}/categories/{categoryId}
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X DELETE "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/categories/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
POST /api/teams/{teamId}/categories/{categoryId}/move
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/categories/3a856446-bd89-4b42-b44d-279d237fb5b7/move" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/teams/{teamId}/invite-links
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/invite-links" \
-H "Authorization: Bearer <access token>"
POST /api/teams/{teamId}/invite-links
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/invite-links" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
DELETE /api/teams/{teamId}/invite-links/{inviteLinkId}
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X DELETE "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/invite-links/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
POST /api/teams/{teamId}/memberships/invite
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/memberships/invite" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/teams/{teamId}/memberships/request
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/memberships/request" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
DELETE /api/teams/{teamId}/memberships/{membershipId}
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X DELETE "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/memberships/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
POST /api/teams/{teamId}/memberships/{membershipId}/accept
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/memberships/3a856446-bd89-4b42-b44d-279d237fb5b7/accept" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/teams/{teamId}/memberships/{membershipId}/approve
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/memberships/3a856446-bd89-4b42-b44d-279d237fb5b7/approve" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/teams/{teamId}/memberships/{membershipId}/deny
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/memberships/3a856446-bd89-4b42-b44d-279d237fb5b7/deny" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/teams/{teamId}/memberships/{membershipId}/promote-admin
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/memberships/3a856446-bd89-4b42-b44d-279d237fb5b7/promote-admin" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/teams/{teamId}/memberships/{membershipId}/refuse
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/memberships/3a856446-bd89-4b42-b44d-279d237fb5b7/refuse" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/teams/{teamId}/notes
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/notes" \
-H "Authorization: Bearer <access token>"
POST /api/teams/{teamId}/notes
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/notes" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/teams/{teamId}/notes/gpx
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/notes/gpx" \
-H "Authorization: Bearer <access token>"
POST /api/teams/{teamId}/notes/gpx
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/notes/gpx" \
-H "Authorization: Bearer <access token>" \
-F "file=@waypoints.gpx"
DELETE /api/teams/{teamId}/notes/{noteId}
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X DELETE "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/notes/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
DELETE /api/teams/{teamId}/notes/{noteId}/delete
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X DELETE "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/notes/3a856446-bd89-4b42-b44d-279d237fb5b7/delete" \
-H "Authorization: Bearer <access token>"
POST /api/teams/{teamId}/notes/{noteId}/move
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X POST "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/notes/3a856446-bd89-4b42-b44d-279d237fb5b7/move" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
PUT /api/teams/{teamId}/settings
Bearer
Team routes cover membership, invites, settings, team notes, and team categories. All require bearer auth and the server enforces admin/member permissions per route.
curl -X PUT "https://locationnotes.com/api/teams/3a856446-bd89-4b42-b44d-279d237fb5b7/settings" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/trackables
Bearer
Base URL and conventions
curl -X POST "https://locationnotes.com/api/trackables" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/trackables/active
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl "https://locationnotes.com/api/trackables/active"
DELETE /api/trackables/active/{trackableId}
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X DELETE "https://locationnotes.com/api/trackables/active/3a856446-bd89-4b42-b44d-279d237fb5b7"
GET /api/trackables/active/{trackableId}
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl "https://locationnotes.com/api/trackables/active/3a856446-bd89-4b42-b44d-279d237fb5b7"
POST /api/trackables/active/{trackableId}/message
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X POST "https://locationnotes.com/api/trackables/active/3a856446-bd89-4b42-b44d-279d237fb5b7/message" \
-H "Content-Type: application/json" \
-d '{}'
POST /api/trackables/groups
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X POST "https://locationnotes.com/api/trackables/groups" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
DELETE /api/trackables/groups/{trackableGroupId}/watch
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X DELETE "https://locationnotes.com/api/trackables/groups/3a856446-bd89-4b42-b44d-279d237fb5b7/watch" \
-H "Authorization: Bearer <access token>"
POST /api/trackables/groups/{trackableGroupId}/watch
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X POST "https://locationnotes.com/api/trackables/groups/3a856446-bd89-4b42-b44d-279d237fb5b7/watch" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/trackables/lookup
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl "https://locationnotes.com/api/trackables/lookup?code=GT-EXAMPLE"
POST /api/trackables/lookup
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X POST "https://locationnotes.com/api/trackables/lookup" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/trackables/mine
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl "https://locationnotes.com/api/trackables/mine" \
-H "Authorization: Bearer <access token>"
GET /api/trackables/public
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl "https://locationnotes.com/api/trackables/public?contentLanguage=en-US"
GET /api/trackables/{trackableId}
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7"
POST /api/trackables/{trackableId}/activate
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X POST "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/activate" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/trackables/{trackableId}/comments
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/comments"
POST /api/trackables/{trackableId}/comments
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X POST "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/comments" \
-H "Content-Type: application/json" \
-d '{}'
DELETE /api/trackables/{trackableId}/comments/{commentId}
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X DELETE "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/comments/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
PUT /api/trackables/{trackableId}/comments/{commentId}
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X PUT "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/comments/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
DELETE /api/trackables/{trackableId}/group
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X DELETE "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/group" \
-H "Authorization: Bearer <access token>"
POST /api/trackables/{trackableId}/group
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X POST "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/group" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
GET /api/trackables/{trackableId}/journey
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/journey"
POST /api/trackables/{trackableId}/journey-stops
Anonymous
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X POST "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/journey-stops" \
-H "Content-Type: application/json" \
-d '{}'
DELETE /api/trackables/{trackableId}/journey-stops/{journeyStopId}
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X DELETE "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/journey-stops/3a856446-bd89-4b42-b44d-279d237fb5b7" \
-H "Authorization: Bearer <access token>"
DELETE /api/trackables/{trackableId}/watch
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X DELETE "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/watch" \
-H "Authorization: Bearer <access token>"
POST /api/trackables/{trackableId}/watch
Bearer
Trackables support public-code browsing, secret-code or scan-only QR access, one-time secret reveal during creation, browser-side active sessions, comments, and grouped inventory workflows.
curl -X POST "https://locationnotes.com/api/trackables/3a856446-bd89-4b42-b44d-279d237fb5b7/watch" \
-H "Authorization: Bearer <access token>" \
-H "Content-Type: application/json" \
-d '{}'
Authenticated clients can permanently delete the current account and synced personal data through the API. Read the Delete Data page first if you need the full retention rules for team-owned data and exports.
Trackable cleanup is not all-or-nothing. The server removes the deleted user's personal trackable activity where it can, but it does not remove shared trackables, team-owned trackables, or other users' history just because one account is deleted. If a team-owned trackable still matters to the team, it remains with that team. If another person's activity is still attached to a trackable, that trackable stays in the system.
DELETE /api/account
Bearer
curl -X DELETE "https://locationnotes.com/api/account" \
-H "Authorization: Bearer <access token>"
{
"deletedAccount": true,
"notesDeleted": 14,
"categoriesDeleted": 6,
"linkedProvidersDeleted": 2
}
Validation, permission, and lookup failures return standard HTTP status codes. Many workspace routes return RFC 7807 style problem-details JSON with a title, detail, and status.
{
"title": "Forbidden",
"code": "trackable_access_code_required",
"detail": "Sign in, keep this trackable active on this browser, or provide this trackable's secret code or QR access code before posting comments or location reports.",
"status": 403
}
400 for validation or business-rule rejection401 for missing or invalid authentication403 for authenticated users who do not have access404 for missing notes, categories, teams, memberships, or invite links
Trackable write routes also add a stable code property so API clients can distinguish cases like
trackable_access_code_required,
trackable_access_code_invalid,
trackable_activation_required,
and
trackable_already_activated
without parsing English text. The full mapping is documented on the
trackable error reference page.
External-link rules, verification, adult-content screening, exit-page behavior, trackable-group defaults, exports, and deletion are documented on the What is an External Link? page.
For request and response examples, including externalLinkUrl, externalLinkDescription, externalLinkAppendPublicTrackableCode, defaultExternalLinkUrl, defaultExternalLinkDescription, defaultExternalLinkAppendPublicTrackableCode, useGroupDefaultExternalLink, and the verify endpoint, see the API documentation.