Under review and known gaps

This page exists so partners are not surprised. Honesty over polish.

  • POST /v1/oauth/code, POST /v1/oauth/token, POST /v1/oauth/register — five commits in the last sixty days (MOVMO-333, 334, 335, 336). Signatures are stabilizing but Dynamic Client Registration session tracking and RFC 8707 resource-parameter enforcement are recent additions. The partner surface uses /v1/oauth/token only; /code is internal to auth.e2e.movmo.io and /register is reserved for autonomous Model Context Protocol (MCP) agents. Safe to integrate today; revisit after the related work lands in production.
  • DELETE /v1/users/{userid} — Postgres-only delete. Does not purge Cognito, bookings, passengers, or payment methods. Out of the public surface until MOVMO-331 defines full user-deletion semantics.
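
The first bullet flags RFC 8707 resource-parameter enforcement as a recent addition. As an added illustration of what that enforcement checks at a token endpoint (not MOVMO's code; the client id, resource URIs, registry and token shape below are constructed for the example), the token endpoint validates the `resource` value as an absolute URI without a fragment, refuses values the client is not registered for with `invalid_target`, and binds the issued token's audience to exactly the permitted resources so a resource server can reject tokens minted for another:

```python
"""RFC 8707 resource-indicator enforcement at a token endpoint.

Added example, not MOVMO's implementation: the client registry, resource
identifiers and the token dict are constructed for illustration only.
"""
from urllib.parse import urlsplit

# Constructed sample registry: which resource identifiers each client may
# request tokens for. A real deployment would load this from client metadata.
CLIENT_ALLOWED_RESOURCES = {
    "partner-client-example": {"https://api.example.test/v1"},
}


class ResourceError(ValueError):
    """Raised with the RFC 8707 / RFC 6749 error code as the message."""


def validate_resource_indicator(resource: str) -> str:
    # RFC 8707 section 2: the value MUST be an absolute URI and MUST NOT
    # include a fragment component.
    parts = urlsplit(resource)
    if not parts.scheme or not parts.netloc:
        raise ResourceError("invalid_target: resource must be an absolute URI")
    if parts.fragment:
        raise ResourceError("invalid_target: resource must not contain a fragment")
    return resource


def issue_token(client_id: str, requested_resources: list[str]) -> dict:
    """Mint a token whose audience is bound to the requested, permitted resources."""
    allowed = CLIENT_ALLOWED_RESOURCES.get(client_id)
    if allowed is None:
        raise ResourceError("invalid_client")
    if not requested_resources:
        # RFC 8707 lets a server pick a default; on a partner surface it is
        # safer to require the parameter than to mint an unbound token.
        raise ResourceError("invalid_target: resource parameter required")
    audiences = []
    for raw in requested_resources:
        resource = validate_resource_indicator(raw)
        if resource not in allowed:
            raise ResourceError("invalid_target: resource not permitted for client")
        audiences.append(resource)
    # aud carries only what was both requested and permitted, so the token
    # cannot be presented to a resource server it was not issued for.
    return {"client_id": client_id, "aud": audiences, "token_type": "Bearer"}


def resource_server_accepts(token: dict, my_identifier: str) -> bool:
    """Each resource server checks that its own identifier is in aud."""
    return my_identifier in token.get("aud", [])


if __name__ == "__main__":
    tok = issue_token("partner-client-example", ["https://api.example.test/v1"])
    print(tok)
    print(resource_server_accepts(tok, "https://api.example.test/v1"))
    print(resource_server_accepts(tok, "https://other.example.test/v1"))
```

The `invalid_target` error code and the absolute-URI / no-fragment rules are the ones RFC 8707 defines; the decision to require the parameter rather than default it is a design choice for a partner surface, not something the RFC mandates.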

The partner-facing MCP tool wrappers ship without unit tests. Their underlying REST endpoints are tested and gated at 85% coverage; the wrapper layer is not. Only REST signatures are protected by regression tests today.

A partner token carries the user’s full RBAC permissions. There is no per-operation narrowing on the partner axis. See the Authentication page for the planned taxonomy. Tracked under MOVMO-346.

Payments wrap Stripe today. A Spreedly migration is planned and will abstract the customer_id field server-side. See Payments for the partner contract.