# Flexslot V2 ## Docs - [Resolve card identifiers](https://docs.flexslot.gg/api-reference/cards/resolve-card-identifiers.md): Resolves a list of partner-supplied card identifiers to canonical Flexslot cards. Used by partners to validate references before submitting deck imports. Strict mode (``?strict=true`` query string OR ``"strict": true`` body flag) returns 422 if any identifiers are unresolved. - [Create or replace a deck's strategy guide](https://docs.flexslot.gg/api-reference/deck-guides/create-or-replace-a-decks-strategy-guide.md): Owner-only create-or-replace. First call against a guideless deck returns 201; subsequent calls overwrite and return 200. Non-owners receive ``404 FLEXSLOT_NOT_FOUND`` so existence is not leaked. Pure-partner HMAC callers are rejected because the write contract requires per-user attribution to the d… - [Delete a deck's strategy guide](https://docs.flexslot.gg/api-reference/deck-guides/delete-a-decks-strategy-guide.md): Owner-only delete. Non-owners and missing-guide cases both return ``404 FLEXSLOT_NOT_FOUND`` so existence is not leaked. Returns 204 on success. - [Get a deck's strategy guide](https://docs.flexslot.gg/api-reference/deck-guides/get-a-decks-strategy-guide.md): Returns the strategy guide attached to a deck, or ``null`` if the deck has no guide. Premium guides are truncated to a 200-char preview for non-owner callers without content access; the ``is_truncated`` flag signals the response shape. - [Create a deck](https://docs.flexslot.gg/api-reference/decks/create-a-deck.md): Creates a deck owned by the authenticated user (PAT) or the partner's ``created_by`` user (partner-only HMAC). Provenance fields are optional but, when provided, the combination of ``source_provider`` + ``source_external_id`` + ``source_external_version`` must be unique per user -- duplicates return… - [Delete a deck](https://docs.flexslot.gg/api-reference/decks/delete-a-deck.md): Deletes a deck. Owner-only -- non-owners and unknown ids alike receive ``404 FLEXSLOT_NOT_FOUND``. Returns 204 on success. - [Get a single deck](https://docs.flexslot.gg/api-reference/decks/get-a-single-deck.md): Returns a deck with author, format, featured cards, and notes. Pass ``expand=cards`` to also receive the per-section card inventory under ``expanded_cards``. Anonymous callers receive 404 for non-Public decks (existence is not leaked). - [Get a single historical version of a deck](https://docs.flexslot.gg/api-reference/decks/get-a-single-historical-version-of-a-deck.md): Returns the nth-oldest historical record. Position 1 is the create event. Out-of-range ``n`` returns 404 NOT_FOUND. Visibility rules of the underlying deck are respected. - [List historical versions of a deck](https://docs.flexslot.gg/api-reference/decks/list-historical-versions-of-a-deck.md): Returns the deck's full edit history as ``HistoricalDeck`` records, oldest first. Position 1 is the create event; the final entry is the most recent revision. Visibility rules of the underlying deck are respected — anonymous callers receive 404 for non-Public decks. - [List public decks for a game](https://docs.flexslot.gg/api-reference/decks/list-public-decks-for-a-game.md): Returns the visible decks for a game. Anonymous callers see only Public decks. Authenticated callers also see their own private/unlisted decks. Archived decks are excluded. - [List the caller's own decks](https://docs.flexslot.gg/api-reference/decks/list-the-callers-own-decks.md): Returns the authenticated user's decks for a game across all visibilities, excluding archived. Requires PAT auth — partner-only callers receive 401 because there is no user to scope to. - [Register a pageview for a deck](https://docs.flexslot.gg/api-reference/decks/register-a-pageview-for-a-deck.md): Increments ``Deck.pageviews`` with a per-visitor 1-hour dedupe window. The visitor key is the caller's ``firebase_id`` if authenticated, otherwise the request IP. Returns 200 in both the increment and the dedupe-skip cases -- no information is leaked about whether the counter actually advanced. - [Roll a deck back to a historical version](https://docs.flexslot.gg/api-reference/decks/roll-a-deck-back-to-a-historical-version.md): Restores the deck's field state from the historical version at the given 1-based ``version_number`` (matching the order returned by ``GET /decks//versions``). The rollback is a forward-saving event -- the historical chain GROWS by one record. Owners only; non-owners and out-of-range versions ali… - [Toggle the caller's like on a deck](https://docs.flexslot.gg/api-reference/decks/toggle-the-callers-like-on-a-deck.md): Idempotent toggle: first call likes, second call unlikes. Requires per-user attribution (PAT or partner-on-behalf-of-user) -- pure partner HMAC callers receive ``401 FLEXSLOT_AUTHENTICATION_REQUIRED`` because there is no user to attribute the like to. - [Update a deck (partial)](https://docs.flexslot.gg/api-reference/decks/update-a-deck-partial.md): Partial update. Only the deck owner may patch their own deck; non-owners receive ``404 FLEXSLOT_NOT_FOUND`` so existence is not leaked. Each successful save increments the version counter and emits a new history record. - [Export a deck as plain text](https://docs.flexslot.gg/api-reference/exports/export-a-deck-as-plain-text.md): Renders a deck as an MTG Arena / Moxfield-compatible text list. Pass ``deck_id`` to export an existing Flexslot deck (visibility / IDOR rules apply) OR ``deck_payload`` to render an inline deck supplied by the partner. Inline-payload requests surface any card-resolution warnings via the ``X-Flexslot… - [Add an allowed origin to the partner](https://docs.flexslot.gg/api-reference/me/add-an-allowed-origin-to-the-partner.md): Manage the partner's allowed-origins list. - [Read metadata for the calling PAT](https://docs.flexslot.gg/api-reference/me/read-metadata-for-the-calling-pat.md): Returns the metadata of the Personal Access Token used to authenticate this request. Never returns the user's other tokens — this is intentionally narrower than the internal Settings UI list. Never exposes the token hash or plaintext. - [Read the calling user's partner row](https://docs.flexslot.gg/api-reference/me/read-the-calling-users-partner-row.md): Returns the Partner row owned by the user attached to the calling PAT. Never returns the signing-secret hash or the API-key hash. Use this to read scopes, allowed_origins, rate_limit_tier, etc. before deciding whether to issue a rotation or scope-change request. - [Remove an allowed origin from the partner](https://docs.flexslot.gg/api-reference/me/remove-an-allowed-origin-from-the-partner.md): Manage the partner's allowed-origins list. - [Request additional scopes or game-scopes](https://docs.flexslot.gg/api-reference/me/request-additional-scopes-or-game-scopes.md): Submit a scope change request for admin review. Adding scopes is higher-risk than CORS-origin self-service, so requests go through Flexslot admin instead of taking effect immediately. The partner is notified of approval/rejection by email. - [Rotate (or generate) the partner API key](https://docs.flexslot.gg/api-reference/me/rotate-or-generate-the-partner-api-key.md): Rotates the X-API-Key credential for the calling user's partner. If the partner has no existing API key (predates the FSG-582 self-service surface), this mints the first one. Returns the new plaintext ONCE — copy it immediately. - [Rotate the partner signing secret](https://docs.flexslot.gg/api-reference/me/rotate-the-partner-signing-secret.md): Rotates the HMAC signing secret for the calling user's partner. Returns the new plaintext ONCE — copy it immediately; we don't persist plaintext anywhere. The previous secret is invalidated as soon as this request returns 200. - [OAuth 2.0 Token Introspection (RFC 7662)](https://docs.flexslot.gg/api-reference/oauth2/oauth-20-token-introspection-rfc-7662.md): Returns the active state and metadata of a token previously issued by this server. Only the issuing client may introspect its own tokens — all other cases return ``{"active": false}``. - [OAuth 2.0 Token Revocation (RFC 7009)](https://docs.flexslot.gg/api-reference/oauth2/oauth-20-token-revocation-rfc-7009.md): Invalidates a token (access or refresh) previously issued by this server. Always returns HTTP 200 with an empty body — unknown / other-client / already-revoked tokens are silently accepted to avoid leaking existence. - [OAuth2 token endpoint (RFC 6749 §4.1.3 + §6)](https://docs.flexslot.gg/api-reference/oauth2/oauth2-token-endpoint-rfc-6749-§413-+-§6.md): Exchanges an authorization code for an access + refresh token pair (``grant_type=authorization_code``) or rotates an existing refresh token (``grant_type=refresh_token``). Returns the RFC 6749 §5.1 JSON shape on success or the §5.2 error shape on failure. - [Anonymous probe](https://docs.flexslot.gg/api-reference/probes/anonymous-probe.md): Echo the caller. Useful for partners verifying that anonymous access works as expected. - [Partner probe (HMAC or API key)](https://docs.flexslot.gg/api-reference/probes/partner-probe-hmac-or-api-key.md): Returns the calling partner's slug, scopes, game scopes, and rate-limit tier. - [Public API liveness check](https://docs.flexslot.gg/api-reference/probes/public-api-liveness-check.md): Returns 200 OK if the public API is reachable. Used by partner monitoring. - [User PAT probe](https://docs.flexslot.gg/api-reference/probes/user-pat-probe.md): Returns the calling user's principal id and scopes. - [Attach a deck to a sideboard guide](https://docs.flexslot.gg/api-reference/sideboard-guides/attach-a-deck-to-a-sideboard-guide.md): Attaches a deck (other than the primary) to the guide via the ``SideboardGuideDeckAttachment`` through-table. The caller must own both the guide and the deck. Cross-game attempts return ``400 FLEXSLOT_VALIDATION_ERROR``. Re-attaching an already-attached deck is a no-op. - [Create a sideboard guide](https://docs.flexslot.gg/api-reference/sideboard-guides/create-a-sideboard-guide.md): Creates a sideboard guide for the authenticated user. The caller must own the deck referenced by ``deck_id``; otherwise the request is rejected with ``403 FLEXSLOT_NOT_DECK_OWNER``. Nested ``matchups`` and ``attached_deck_ids`` arrays are optional. The primary deck attachment is auto-created by the… - [Delete a sideboard guide](https://docs.flexslot.gg/api-reference/sideboard-guides/delete-a-sideboard-guide.md): Deletes a sideboard guide. Owner-only -- non-owners and unknown ids alike receive ``404 FLEXSLOT_NOT_FOUND``. Cascade removes matchups + attachment rows. - [Detach a deck from a sideboard guide](https://docs.flexslot.gg/api-reference/sideboard-guides/detach-a-deck-from-a-sideboard-guide.md): Removes a ``SideboardGuideDeckAttachment`` row. Owner-only. The primary deck cannot be detached -- attempts return ``400 FLEXSLOT_VALIDATION_ERROR``. - [Get a single sideboard guide](https://docs.flexslot.gg/api-reference/sideboard-guides/get-a-single-sideboard-guide.md): Returns a sideboard guide with nested matchups and the m2m deck membership. Non-owners receive 404 for non-Public guides (existence is not leaked). - [List public sideboard guides for a game](https://docs.flexslot.gg/api-reference/sideboard-guides/list-public-sideboard-guides-for-a-game.md): Returns the visible sideboard guides for a game. Anonymous callers are rejected with 401 (the endpoint requires the ``sideboards:read`` scope). Authenticated callers see public guides plus their own private guides. Archived guides are excluded. - [Update a sideboard guide (partial)](https://docs.flexslot.gg/api-reference/sideboard-guides/update-a-sideboard-guide-partial.md): Partial update. Only the guide owner may patch their own guide; non-owners receive ``404 FLEXSLOT_NOT_FOUND``. Omitting a field leaves it untouched. - [Authorization Code Flow with PKCE](https://docs.flexslot.gg/oauth/authorization-code-flow.md): The full end-to-end OAuth flow with sequence diagram and parameter reference - [Code Samples](https://docs.flexslot.gg/oauth/code-samples.md): Production-ready OAuth implementations in Node.js, Python, and curl - [Connected Apps UX](https://docs.flexslot.gg/oauth/connected-apps-ux.md): Build the "Connected to Flexslot" experience users expect - [DPoP — Sender-Constrained Tokens](https://docs.flexslot.gg/oauth/dpop.md): Bind access tokens to your client key so stolen tokens are useless - [Error Reference](https://docs.flexslot.gg/oauth/errors.md): Every OAuth error code, what causes it, and how to fix it - [Migrating from Personal Access Tokens](https://docs.flexslot.gg/oauth/migration-from-pat.md): Add OAuth alongside your existing PAT-based integration - [OAuth 2.0 Overview](https://docs.flexslot.gg/oauth/overview.md): Build third-party integrations that act on behalf of Flexslot users - [OAuth Quickstart](https://docs.flexslot.gg/oauth/quickstart.md): Get your first OAuth integration working in 10 minutes - [Scopes](https://docs.flexslot.gg/oauth/scopes.md): The complete catalog of OAuth scopes and what each grants - [Security Best Practices](https://docs.flexslot.gg/oauth/security.md): The non-negotiables: PKCE, state, redirect URIs, and refresh rotation ## OpenAPI Specs - [openapi](https://docs.flexslot.gg/openapi.yml) ## Optional - [Flexslot.gg](https://flexslot.gg)