Lookout
2 min read Tom Shafer

API-only mode

Letting an ingest endpoint answer like an API instead of a web app — JSON errors, no redirects — so SDKs and curl get clean, predictable responses.

Today: add support for api only.

Lookout has a web UI and an ingest API living in the same Laravel app. That's convenient until a request to an API endpoint trips a web-app reflex — a 302 redirect to the login page, an HTML error page, a CSRF rejection. An SDK doesn't want any of that. It wants a status code and JSON.

So I added an API-only mode: a way for ingest and API routes to opt out of the web behaviors and always answer like an API.

What "API-only" actually means

  • JSON errors, always. A validation failure returns 422 with a JSON body, not an HTML error page. A missing record returns a JSON 404. An SDK can branch on the status code and move on.
  • No redirects. An unauthenticated API request gets 401, never a redirect to /login. Redirects are death for a non-browser client — it follows the redirect, gets HTML, and reports a confusing parse error instead of "your key is wrong."
  • No CSRF for token-authed routes. The API authenticates with a project key, not a session cookie, so the CSRF middleware has no business there.

Why it matters for an SDK author

I'm going to write SDKs for PHP, JavaScript, Python, Ruby, Go — eventually Swift and Kotlin. Every one of them needs the server to behave predictably. The single best gift I can give future-me-writing-SDKs is an endpoint that returns the same shape every time: 2xx with {accepted: true, id}, or 4xx with {message, errors}. Nothing else.
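As an added example (not Lookout's or its SDKs' code), here is how a Python client could enforce the response contract described above, refusing redirects and HTML rather than misreporting them as parse errors. The function name, the exception class and the sample responses are assumptions constructed for illustration.

```python
import json

class ContractViolation(Exception):
    """The server answered like a web app, not like the API contract."""

def parse_ingest_response(status, headers, body):
    """Return ("accepted", id) or ("rejected", message, errors); raise otherwise."""
    headers = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400:
        # Never follow: the target is a login page, not an API answer.
        raise ContractViolation(f"{status} redirect to {headers.get('location', '?')}")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        raise ContractViolation(f"{status} with Content-Type {ctype or 'missing'}")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise ContractViolation(f"{status} body is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ContractViolation(f"{status} JSON body is not an object")
    if 200 <= status < 300 and data.get("accepted") is True and "id" in data:
        return ("accepted", data["id"])
    if 400 <= status < 500 and isinstance(data.get("message"), str):
        # Assumption: "errors" may be absent on non-validation errors such as 401.
        return ("rejected", data["message"], data.get("errors", {}))
    raise ContractViolation(f"{status} JSON does not match the documented shapes")

# Constructed sample responses (status, headers, body); not captured from Lookout.
SAMPLES = [
    (200, {"Content-Type": "application/json"}, '{"accepted": true, "id": "evt_1"}'),
    (422, {"Content-Type": "application/json"},
     '{"message": "Invalid payload.", "errors": {"level": ["Required."]}}'),
    (401, {"Content-Type": "application/json"}, '{"message": "Unauthenticated."}'),
    (302, {"Location": "/login", "Content-Type": "text/html; charset=UTF-8"}, "<html>"),
    (200, {"Content-Type": "text/html; charset=UTF-8"}, "<html>Log in</html>"),
]

def classify(samples=SAMPLES):
    """Run every sample through the parser and collect outcomes in order."""
    out = []
    for status, headers, body in samples:
        try:
            out.append(parse_ingest_response(status, headers, body))
        except ContractViolation as exc:
            out.append(("violation", str(exc)))
    return out

if __name__ == "__main__":
    for result in classify():
        print(result)
```

The last two samples are the failure modes the post describes: a redirect to /login, and the HTML login page a client would receive if it had followed that redirect.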

This is the kind of thing you don't notice when it works and curse for hours when it doesn't. Tomorrow's already-related task: making the SDK package install cleanly via Composer.
