> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flexslot.gg/llms.txt
> Use this file to discover all available pages before exploring further.

# Update a deck (partial)

> Partial update. Only the deck owner may patch their own deck; non-owners receive ``404 FLEXSLOT_NOT_FOUND`` so existence is not leaked. Each successful save increments the version counter and emits a new history record.



## OpenAPI

````yaml /openapi.json patch /api/public/v1/games/{game}/decks/{id}
openapi: 3.0.3
info:
  title: Flexslot API
  version: 1.0.0
  description: API documentation for Flexslot decks application
servers:
  - url: https://api.flexslot.gg
    description: Production
  - url: https://api-dev.flexslot.gg
    description: Development
security: []
paths:
  /api/public/v1/games/{game}/decks/{id}:
    patch:
      tags:
        - Decks
      summary: Update a deck (partial)
      description: >-
        Partial update. Only the deck owner may patch their own deck; non-owners
        receive ``404 FLEXSLOT_NOT_FOUND`` so existence is not leaked. Each
        successful save increments the version counter and emits a new history
        record.
      operationId: games_decks_update
      parameters:
        - in: path
          name: game
          schema:
            type: string
          required: true
        - in: path
          name: id
          schema:
            type: string
            format: uuid
          required: true
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/PatchedPublicDeckUpdateRequestRequest'
          application/x-www-form-urlencoded:
            schema:
              $ref: '#/components/schemas/PatchedPublicDeckUpdateRequestRequest'
          multipart/form-data:
            schema:
              $ref: '#/components/schemas/PatchedPublicDeckUpdateRequestRequest'
      responses:
        '200':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/PublicDeckWriteResponse'
          description: ''
        '400':
          description: No response body
        '401':
          description: No response body
        '403':
          description: No response body
        '404':
          description: No response body
      security:
        - PartnerHmac: []
          PartnerSlug: []
          PersonalAccessToken: []
        - PartnerHmac: []
          PartnerSlug: []
        - ApiKey: []
        - PersonalAccessToken: []
        - OAuth2DPoP: []
          OAuth2DPoPProof: []
        - OAuth2Bearer: []
components:
  schemas:
    PatchedPublicDeckUpdateRequestRequest:
      type: object
      properties:
        name:
          type: string
          minLength: 1
          maxLength: 255
        notes:
          type: string
          nullable: true
          maxLength: 50000
        visibility:
          type: array
          items:
            type: string
            minLength: 1
        format:
          type: string
          format: uuid
          nullable: true
          description: Format UUID for the deck.
        youtube_url:
          type: string
          format: uri
          maxLength: 500
        legal:
          type: boolean
        thumbnail:
          type: string
          maxLength: 255
        is_archived:
          type: boolean
        source_provider:
          $ref: '#/components/schemas/DeckSourceProviderEnum'
        source_external_id:
          type: string
          maxLength: 128
        source_external_version:
          type: string
          maxLength: 32
        source_external_url:
          type: string
          format: uri
    PublicDeckWriteResponse:
      type: object
      properties:
        id:
          type: string
          format: uuid
          readOnly: true
        name:
          type: string
          nullable: true
          readOnly: true
        notes:
          type: string
          nullable: true
          readOnly: true
        visibility:
          type: array
          items:
            type: string
          readOnly: true
        format:
          type: string
          format: uuid
          readOnly: true
          nullable: true
        youtube_url:
          type: string
          format: uri
          readOnly: true
          nullable: true
        thumbnail:
          type: string
          nullable: true
          readOnly: true
        legal:
          type: boolean
          readOnly: true
        is_archived:
          type: boolean
          readOnly: true
        likes:
          type: integer
          readOnly: true
        pageviews:
          type: integer
          readOnly: true
        version:
          type: integer
          readOnly: true
        source_provider:
          type: string
          readOnly: true
        source_external_id:
          type: string
          readOnly: true
        source_external_version:
          type: string
          readOnly: true
        source_external_url:
          type: string
          readOnly: true
        source_imported_at:
          type: string
          format: date-time
          readOnly: true
          nullable: true
        created_at:
          type: string
          format: date-time
          readOnly: true
        updated_at:
          type: string
          format: date-time
          readOnly: true
      required:
        - created_at
        - format
        - id
        - is_archived
        - legal
        - likes
        - name
        - notes
        - pageviews
        - source_external_id
        - source_external_url
        - source_external_version
        - source_imported_at
        - source_provider
        - thumbnail
        - updated_at
        - version
        - visibility
        - youtube_url
    DeckSourceProviderEnum:
      enum:
        - piltover
        - moxfield
        - archidekt
        - cube_cobra
        - mtggoldfish
        - tappedout
        - deckstats
        - edhrec
        - mtg_arena
        - mtgo
        - forge
        - carde_io
        - manual
      type: string
      description: |-
        * `piltover` - Piltover
        * `moxfield` - Moxfield
        * `archidekt` - Archidekt
        * `cube_cobra` - Cube Cobra
        * `mtggoldfish` - MTGGoldfish
        * `tappedout` - TappedOut
        * `deckstats` - Deckstats
        * `edhrec` - EDHREC
        * `mtg_arena` - MTG Arena
        * `mtgo` - MTGO
        * `forge` - Forge
        * `carde_io` - Carde.io
        * `manual` - Manual
      x-enum-varnames:
        - PILTOVER
        - MOXFIELD
        - ARCHIDEKT
        - CUBE_COBRA
        - MTGGOLDFISH
        - TAPPEDOUT
        - DECKSTATS
        - EDHREC
        - MTG_ARENA
        - MTGO
        - FORGE
        - CARDE_IO
        - MANUAL
      x-enum-descriptions:
        - Piltover
        - Moxfield
        - Archidekt
        - Cube Cobra
        - MTGGoldfish
        - TappedOut
        - Deckstats
        - EDHREC
        - MTG Arena
        - MTGO
        - Forge
        - Carde.io
        - Manual
  securitySchemes:
    PartnerHmac:
      type: apiKey
      in: header
      name: X-Signature
      description: >-
        HMAC-SHA256 over canonical request string. Format:
        v1.<unix_seconds>.<hex_hmac_sha256>.
    PartnerSlug:
      type: apiKey
      in: header
      name: X-Partner-Id
      description: Partner identifier slug. Required alongside X-Signature for HMAC auth.
    PersonalAccessToken:
      type: http
      scheme: bearer
      bearerFormat: flx_pat_...
      description: 'User-issued personal access token (format: flx_pat_<token>).'
    ApiKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: >-
        Partner API key (format: ak_<token>). Alternative to HMAC for simpler
        integrations.
    OAuth2DPoP:
      type: http
      scheme: DPoP
      description: >-
        DPoP-bound OAuth2 access token (RFC 9449). Issued by the /oauth/token
        endpoint when the client is registered with
        dpop_bound_access_tokens=true. Each protected request must include a
        fresh DPoP proof JWT in the DPoP header. Token format: flx_at_<token>.
    OAuth2DPoPProof:
      type: apiKey
      in: header
      name: DPoP
      description: >-
        RFC 9449 DPoP proof JWT. Required on every request that presents
        Authorization: DPoP <access_token>. Must carry fresh iat, jti, htm
        matching the request method, htu matching the request URL, and ath
        matching SHA-256 of the access token.
    OAuth2Bearer:
      type: http
      scheme: bearer
      bearerFormat: flx_at_...
      description: >-
        OAuth2 access token issued via the authorization-code + PKCE flow
        (format: flx_at_<token>). Grants the partner user-scoped access to act
        on behalf of the consenting end-user.

````