docs(social): authenticated Scraper Results polling + scrape persistence note (chat#1840)#262
docs(social): authenticated Scraper Results polling + scrape persistence note (chat#1840)#262sweetmantech wants to merge 2 commits into
Conversation
…e note (chat#1840)
GET /api/apify/runs/{runId} is moving from admin-only to owner-or-admin:
the account that started the run via POST /api/socials/{id}/scrape can
poll it. Document the new 403 (foreign run, non-admin) and 404 (no
recorded owner, non-admin) responses and the ownership rules in the
description. Runs with no recorded owner (pre-tracking, or started from
other endpoints) stay admin-only.
Also note on Social Scrape that completed runs persist profile stats,
and post URLs on Instagram/TikTok/X — surfaced via Get Artist Posts.
Contract for recoupable/chat#1840 (both items); api PRs follow.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Preview deployment for your docs. Learn more about Mintlify Previews.
💡 Tip: Enable Workflows to automatically generate PRs for you. |
📝 WalkthroughWalkthroughUpdated OpenAPI documentation descriptions for two Social endpoints in social.json: clarified authentication requirements for polling run status, and detailed post-completion persistence and visibility behavior for scraped profile stats and post URLs. ChangesSocial API Documentation
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related issues
Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
…ision) Design decision 2026-07-03: scrape datasets are public social content and Apify run ids are unguessable, so possession of a runId plus any valid API key / Bearer token is sufficient — no ownership scoping. Drops the 403/404 responses; keeps the authentication requirement and the scrape persistence note. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
There was a problem hiding this comment.
1 issue found across 1 file (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="api-reference/openapi/social.json">
<violation number="1" location="api-reference/openapi/social.json:485">
P1: The GET /api/apify/runs/{runId} endpoint description says "Requires authentication: any valid API key or Bearer token can poll any run id" but the endpoint has no `security` field. Other authenticated endpoints in this file (e.g., GET /api/artists/{id}/posts, GET /api/connectors) explicitly declare `security: [{ "apiKeyAuth": [] }, { "bearerAuth": [] }]`. Without a `security` declaration, the OpenAPI spec tells consumers that this endpoint accepts unauthenticated requests, contradicting both the description and the new contract.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| "/api/apify/runs/{runId}": { | ||
| "get": { | ||
| "description": "Check the status and retrieve results from Apify scraper runs. This endpoint uses the Apify API Client to fetch the current status of a scraper run and its results if available. Use the runId returned from endpoints like Instagram Comments, Instagram Profiles, Social Scrape, or Artist Socials Scrape to poll for results.", | ||
| "description": "Check the status and retrieve results from Apify scraper runs. This endpoint uses the Apify API Client to fetch the current status of a scraper run and its results if available. Use the runId returned from endpoints like Instagram Comments, Instagram Profiles, Social Scrape, or Artist Socials Scrape to poll for results. Requires authentication: any valid API key or Bearer token can poll any run id — scrape results are public social content and run ids are unguessable, so possession of a runId plus a valid credential is sufficient.", |
There was a problem hiding this comment.
P1: The GET /api/apify/runs/{runId} endpoint description says "Requires authentication: any valid API key or Bearer token can poll any run id" but the endpoint has no security field. Other authenticated endpoints in this file (e.g., GET /api/artists/{id}/posts, GET /api/connectors) explicitly declare security: [{ "apiKeyAuth": [] }, { "bearerAuth": [] }]. Without a security declaration, the OpenAPI spec tells consumers that this endpoint accepts unauthenticated requests, contradicting both the description and the new contract.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At api-reference/openapi/social.json, line 485:
<comment>The GET /api/apify/runs/{runId} endpoint description says "Requires authentication: any valid API key or Bearer token can poll any run id" but the endpoint has no `security` field. Other authenticated endpoints in this file (e.g., GET /api/artists/{id}/posts, GET /api/connectors) explicitly declare `security: [{ "apiKeyAuth": [] }, { "bearerAuth": [] }]`. Without a `security` declaration, the OpenAPI spec tells consumers that this endpoint accepts unauthenticated requests, contradicting both the description and the new contract.</comment>
<file context>
@@ -482,7 +482,7 @@
"/api/apify/runs/{runId}": {
"get": {
- "description": "Check the status and retrieve results from Apify scraper runs. This endpoint uses the Apify API Client to fetch the current status of a scraper run and its results if available. Use the runId returned from endpoints like Instagram Comments, Instagram Profiles, Social Scrape, or Artist Socials Scrape to poll for results. Authorization is account-scoped: the account that started the run via the [Social Scrape](/api-reference/social/scrape) endpoint (or an admin) can poll it. Runs started by other accounts return 403; run ids with no recorded owner — including runs started before ownership tracking existed and runs started from other endpoints — return 404 for non-admin callers.",
+ "description": "Check the status and retrieve results from Apify scraper runs. This endpoint uses the Apify API Client to fetch the current status of a scraper run and its results if available. Use the runId returned from endpoints like Instagram Comments, Instagram Profiles, Social Scrape, or Artist Socials Scrape to poll for results. Requires authentication: any valid API key or Bearer token can poll any run id — scrape results are public social content and run ids are unguessable, so possession of a runId plus a valid credential is sufficient.",
"parameters": [
{
</file context>
|
Closing unmerged — after the chat#1840 design flip to the capability model (any valid key can poll any run), this PR no longer fixes any contract drift: the existing page never documented the admin gate, and api#752 makes the code match what the docs already imply (poll with your key, 200/400/500). The one-sentence Social Scrape persistence note is a nice-to-have that can ride along the next time that page is touched. |
Contract-first PR for recoupable/chat#1840 — both items. The api PRs implementing this follow and link back here. Merge order: this docs PR → api PRs.
GET /api/apify/runs/{runId} — auth contract (item 1)
Today the endpoint is admin-only, while these docs, the
recoup-platform-api-accessskill, and customer task prompts all tell account-key agents to poll it (the can-start/can't-read asymmetry in the issue). New contract (decision 2026-07-03, superseding the earlier owner-or-admin draft): any valid API key or Bearer token can poll any run id. Scrape results are public social content and run ids are unguessable; authentication still gates the endpoint so anonymous callers can't use it as a free Apify proxy. No new response codes — 200/400/500 unchanged.POST /api/socials/{id}/scrape — persistence note (item 2)
One sentence documenting what completed runs persist: profile stats to the social row, and on Instagram/TikTok/X the scraped post URLs (surfaced via Get Artist Posts). TikTok/X post persistence is api#753.
JSON re-validated; targeted edits only.
🤖 Generated with Claude Code
Summary by CodeRabbit