Introduction

The Finanzapp API provides a comprehensive set of endpoints for managing personal finance operations, including user authentication, account management, and data synchronization. The API is built using PHP and follows RESTful principles with JSON-based communication.

Base URL

https://pro.finanzapp.es

Architecture

Finanzapp uses a traditional server-rendered PHP architecture with AJAX-based API endpoints for dynamic operations.

Key Components

Authentication

Session-based authentication with support for traditional login and Google OAuth integration

Data Management

JSON-based data exchange with server-side validation and storage

Security

CSRF protection, XHR validation, and reCAPTCHA integration

Notifications

Email notifications for password resets and account updates

Request Format

All API requests must include specific headers and follow the JSON format for data exchange.

Required Headers

X-Requested-With (string, required): Must be set to XMLHttpRequest to prevent direct access.
Content-Type (string, required): Should be application/x-www-form-urlencoded for form data or application/json for JSON payloads.

Example Request

const xhr = new XMLHttpRequest();
const formData = new FormData();
formData.append('email', '[email protected]');
formData.append('password', 'SecurePass123');

xhr.open('POST', 'https://pro.finanzapp.es/app/auth/sendLogin.php', true);
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');

xhr.onreadystatechange = function () {
  if (xhr.readyState === 4 && xhr.status === 200) {
    const data = JSON.parse(xhr.responseText);
    console.log(data);
  }
};

xhr.send(formData);

Response Format

All API endpoints return JSON responses with a consistent structure.

Success Response

{
  "success": true,
  "message": "Operation completed successfully",
  "data": {
    // Additional response data
  }
}

Error Response

{
  "success": false,
  "message": "Error description",
  "error": "Error code or additional details"
}

HTTP Status Codes

The API uses standard HTTP status codes to indicate the success or failure of requests.
Status Code   Description
200           Success - Request completed successfully
403           Forbidden - Invalid XHR request or unauthorized access
404           Not Found - Endpoint does not exist
405           Method Not Allowed - Invalid HTTP method
500           Internal Server Error - Server-side error occurred

Authentication Flow

Finanzapp supports two authentication methods:

1. Traditional Email/Password Authentication

2. Google OAuth Integration

Data Validation

All API endpoints implement server-side validation for:
  • Email validation: RFC-compliant email format
  • Password strength: Minimum 8 characters, at least one uppercase letter and one number
  • XHR verification: All requests must include X-Requested-With: XMLHttpRequest header
  • Session validation: Protected endpoints verify active user sessions
The frontend implements additional client-side validation using JavaScript for immediate user feedback before submission.

Rate Limiting

While not explicitly implemented in the current API, consider implementing rate limiting for production deployments to prevent abuse.

Security Features

CSRF Protection

All API endpoints validate that requests originate from AJAX calls by checking the X-Requested-With header.
if (!isset($_SERVER['HTTP_X_REQUESTED_WITH']) || 
    strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) != 'xmlhttprequest') {
    header('HTTP/1.1 403 Forbidden');
    echo json_encode(['success' => false, 'message' => 'Access denied']);
    exit;
}
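The rules from the Data Validation section and the XHR check above, combined into one server-side gate as an added example (not Finanzapp's own code); function names, error codes and the session key layout are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not Finanzapp's own code. Applies this page's rules in order:
// XHR header check, RFC-style email check, password strength, session check.
// Function names, error codes and the session key layout are assumptions.

// Returns [HTTP status, JSON envelope] in the page's response format.
// Validation failures reuse 200 with success=false (assumed: the page's
// status table lists no 400).
function loginRequestCheck(array $server, array $post): array
{
    // XHR verification. Browsers do not attach a custom header to a
    // cross-origin request unless a CORS preflight allows it, so a plain
    // cross-site form post never carries this header; the check is only as
    // strong as the server's CORS policy.
    $xhr = strtolower($server['HTTP_X_REQUESTED_WITH'] ?? '');
    if ($xhr !== 'xmlhttprequest') {
        return [403, ['success' => false, 'message' => 'Access denied']];
    }
    // Email format: PHP's built-in RFC-style syntax filter.
    $email = trim((string) ($post['email'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return [200, ['success' => false, 'message' => 'Invalid email format',
                      'error' => 'email_format']];
    }
    // Password strength: at least 8 characters, one uppercase letter, one digit.
    $password = (string) ($post['password'] ?? '');
    if (strlen($password) < 8
        || preg_match('/[A-Z]/', $password) !== 1
        || preg_match('/[0-9]/', $password) !== 1) {
        return [200, ['success' => false, 'message' => 'Password too weak',
                      'error' => 'password_policy']];
    }
    return [200, ['success' => true, 'message' => 'Validation passed',
                  'data' => ['email' => $email]]];
}

// Session validation for protected endpoints: reject when no user id is set.
function sessionCheck(array $session): ?array
{
    if (empty($session['user']['id'])) {
        return [403, ['success' => false, 'message' => 'Not authenticated']];
    }
    return null; // null means the session is valid
}

// Constructed sample request: missing X-Requested-With, so it gets 403.
[$status, $body] = loginRequestCheck([], ['email' => 'user@example.test',
                                           'password' => 'SecurePass123']);
echo $status, ' ', json_encode($body), PHP_EOL;
```

In a real endpoint the caller would pass $_SERVER, $_POST and $_SESSION, send the returned status with header() and echo the envelope with json_encode().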

Session Management

User sessions are managed server-side with PHP sessions. Sessions include:
user.id (integer): Unique user identifier
user.email (string): User's email address
user.name (string): User's full name
user.url_image (string): URL to user's avatar image
user.accept_news (integer): Newsletter subscription status (0 or 1)

Environment Configuration

The API automatically detects the environment based on the host:
$host = $_SERVER['HTTP_HOST'] ?? '';

if ($host === 'localhost') {
    define('BASE_URL', '/FinanzApp');
} else {
    define('BASE_URL', '');
}

Next Steps

Authentication

Learn about authentication methods and session management

Endpoints

Explore all available API endpoints with examples