> ## Documentation Index
> Fetch the complete documentation index at: https://docs.parmanasystems.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get the OpenAPI spec

> Serves the bundled, self-contained OpenAPI document (openapi/openapi.bundled.yaml, produced by `npm run bundle:openapi` from openapi/openapi.yaml + schemas/*.json) as a static file, see packages/api/src/routes/openapi.ts. Exempt from caller authentication for the same reason GET /health is: a caller cannot discover how to get a key from a spec it isn't allowed to read. See [Deploy patterns](/guides/deploy-patterns#the-openapi-spec-endpoint) for the tradeoff of exposing this in production versus disabling it.




## OpenAPI

````yaml /openapi.bundled.yaml get /openapi.yaml
openapi: 3.1.0
info:
  title: Parmana API
  version: 1.0.0
  description: >
    Parmana is an Execution Trust Infrastructure that ensures there is no gap
    between what humans decide and what AI systems do. The API enables creation,
    execution, verification, replay, and auditing of Business Transactions
    through cryptographically verifiable Execution Trust Records.


    **Every route requires a caller bearer key, except GET /health.** Send
    `Authorization: Bearer <key>` on every other request. Keys are issued by
    `scripts/generate-api-key.ts` and configured server-side via
    `PARMANA_API_KEYS`; only a hash of each key is ever held by the server,
    verified in constant time. A missing or invalid credential returns 401
    before a Business Transaction is even constructed, independent of Policy
    evaluation and gateway attestation, see
    `packages/api/src/middleware/caller-auth.ts` and
    [Authentication](/api-reference/authentication). Local development may set
    `PARMANA_AUTH_DISABLED=true` to skip this middleware entirely; that flag
    must never be set in a real deployment.
  contact:
    name: Parmana
    email: support@parmana.ai
  license:
    name: Apache-2.0
    identifier: Apache-2.0
servers:
  - url: http://localhost:3000
    description: Local (packages/api, PORT env var, default 3000)
security:
  - bearerAuth: []
tags:
  - name: Execution
    description: >-
      Executes a Business Transaction through the complete Execution Trust
      pipeline
  - name: Transactions
    description: Business Transaction creation and retrieval
  - name: Verification
    description: Deterministic verification of an Execution Trust Record
  - name: Receipts
    description: Cryptographically signed Execution Trust Receipts
  - name: Trust Records
    description: Execution Trust Record retrieval
  - name: Replay
    description: Deterministic replay of a recorded Execution Trust Record
  - name: Policies
    description: Policy existence/readability check
  - name: System
    description: Operational endpoints
paths:
  /openapi.yaml:
    get:
      tags:
        - System
      summary: Get the OpenAPI spec
      description: >
        Serves the bundled, self-contained OpenAPI document
        (openapi/openapi.bundled.yaml, produced by `npm run bundle:openapi` from
        openapi/openapi.yaml + schemas/*.json) as a static file, see
        packages/api/src/routes/openapi.ts. Exempt from caller authentication
        for the same reason GET /health is: a caller cannot discover how to get
        a key from a spec it isn't allowed to read. See [Deploy
        patterns](/guides/deploy-patterns#the-openapi-spec-endpoint) for the
        tradeoff of exposing this in production versus disabling it.
      operationId: getOpenApiSpec
      responses:
        '200':
          description: >-
            The complete OpenAPI 3.1 document, YAML, self-contained (no external
            $ref).
          content:
            application/yaml:
              schema:
                type: string
      security: []
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      description: >
        Caller API key issued by scripts/generate-api-key.ts. Sent as
        Authorization: Bearer <key>. Verified against a stored SHA-256 hash in
        constant time by packages/api/src/auth/StaticKeyAuthenticator.ts.
        Required on every route except GET /health. See
        /api-reference/authentication.

````