{
  "info": {
    "_postman_id": "easysecret-dev-api-v1",
    "name": "easysecret.dev API",
    "description": "API REST para guardar y compartir secretos cifrados de extremo a extremo.\n\nConfigura las variables `base_url` y `api_key` antes de empezar.",
    "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
  },
  "variable": [
    { "key": "base_url",   "value": "https://easysecret.dev",    "type": "string" },
    { "key": "api_key",    "value": "es_live_YOUR_KEY_HERE",     "type": "string" },
    { "key": "secret_id",  "value": "",                          "type": "string" }
  ],
  "item": [
    {
      "name": "POST /api/signup",
      "request": {
        "method": "POST",
        "url": { "raw": "{{base_url}}/api/signup", "host": ["{{base_url}}"], "path": ["api","signup"] },
        "header": [{ "key": "Content-Type", "value": "application/json" }],
        "body": {
          "mode": "raw",
          "raw": "{\n  \"email\": \"tu@ejemplo.com\"\n}",
          "options": { "raw": { "language": "json" } }
        },
        "description": "Crea una cuenta y obtiene la API key.\nLa key se muestra una sola vez — guárdala en la variable `api_key`.\nRate limit: 5 intentos por hora por IP."
      },
      "response": []
    },
    {
      "name": "GET /api/account",
      "request": {
        "method": "GET",
        "url": { "raw": "{{base_url}}/api/account", "host": ["{{base_url}}"], "path": ["api","account"] },
        "header": [{ "key": "Authorization", "value": "Bearer {{api_key}}" }],
        "description": "Devuelve el perfil del usuario: plan, uso mensual, límite y estado de suscripción."
      },
      "response": []
    },
    {
      "name": "POST /api/secret",
      "event": [
        {
          "listen": "test",
          "script": {
            "exec": [
              "if (pm.response.code === 200) {",
              "  pm.collectionVariables.set('secret_id', pm.response.json().id);",
              "}"
            ],
            "type": "text/javascript"
          }
        }
      ],
      "request": {
        "method": "POST",
        "url": { "raw": "{{base_url}}/api/secret", "host": ["{{base_url}}"], "path": ["api","secret"] },
        "header": [
          { "key": "Authorization", "value": "Bearer {{api_key}}" },
          { "key": "Content-Type",   "value": "application/json" }
        ],
        "body": {
          "mode": "raw",
          "raw": "{\n  \"ivBase64\":     \"BASE64_DEL_IV_12_BYTES\",\n  \"cipherBase64\": \"BASE64_DEL_TEXTO_CIFRADO\",\n  \"ttl\":          3600,\n  \"max_reads\":    1,\n  \"password\":     \"\",\n  \"notifyEmail\":  \"\",\n  \"lang\":         \"es\"\n}",
          "options": { "raw": { "language": "json" } }
        },
        "description": "Almacena un secreto ya cifrado (AES-GCM 256-bit).\nEl servidor guarda ivBase64 + cipherBase64 — nunca la clave de descifrado.\n\nCampos opcionales:\n- ttl:         segundos de vida (max 86400 free, 2592000 pro)\n- max_reads:   lecturas antes de destruir (max 5 free/basic, 100 pro)\n- password:    contraseña adicional (hash SHA-256 en servidor)\n- webhook_url: URL para notificación POST al leer (solo Pro), payload {id,read_at,reads_remaining}\n- notifyEmail: email del creador para notificar cuando se lea el secreto\n- lang:        idioma del email de notificación (es,en,pt,fr,it,de,ca,gl,eu)\n\nLa clave de descifrado va en el fragmento # de la URL y NUNCA llega al servidor."
      },
      "response": []
    },
    {
      "name": "GET /api/secret/:id",
      "request": {
        "method": "GET",
        "url": { "raw": "{{base_url}}/api/secret/{{secret_id}}", "host": ["{{base_url}}"], "path": ["api","secret","{{secret_id}}"] },
        "header": [
          { "key": "Authorization",     "value": "Bearer {{api_key}}" },
          { "key": "X-Secret-Password", "value": "", "description": "Solo si el secreto tiene contraseña" }
        ],
        "description": "Lee y destruye atómicamente el secreto.\nTras esta llamada el secreto desaparece — no se puede volver a leer.\n\nSi el secreto tiene contraseña:\n- Sin header X-Secret-Password → 401 {requires_password: true}\n- Contraseña incorrecta → 403 (sin consumir la lectura)\n- Contraseña correcta → 200 con {ivBase64, cipherBase64}\n\nEl descifrado ocurre en el cliente con la clave del fragmento # de la URL."
      },
      "response": []
    },
    {
      "name": "GET /health",
      "request": {
        "method": "GET",
        "url": { "raw": "{{base_url}}/health", "host": ["{{base_url}}"], "path": ["health"] },
        "description": "Health check del servidor. Devuelve estado de Redis.\n200 = ok, 503 = degraded (Redis no disponible)."
      },
      "response": []
    }
  ]
}
