TopoloMDM API | Topolo Docs

Documentation Map

Authority

Service IDs:

srv_02eOqAEBBG3F srv_CybRl1xIRoAI srv_Vfp9Yn4yduAV

Repos: apps/system/TopoloProvision

Hosts:

https://mdm.topolo.app https://mdm-api.topolo.app https://mdm.stg.topolo.us https://mdm-api.stg.topolo.us

Dependencies: topolo-auth, applications-packages, topolo-developers

Depends on Topolo Auth: yes

Contract Source

Type: curated

Source: PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx

Source exists: no

Canonical MDM coverage now lives in the docs application, and the console authenticated workspace renders through `TopoloAppShell`, inheriting shared Improve Topolo and TopoloNotify chrome while keeping fleet workflows MDM-owned. The console now routes launcher catalog reads plus tenant bootstrap through same-origin /api/auth/* on the app host. The console browser callback delegates one-time `sso_code` exchange to the shared Auth client instead of carrying MDM-local `/sso/exchange` protocol logic. The API worker validates browser console JWTs by resolving the `topolo-mdm` service slug and keeps API-key validation under the separate `topolo-mdm-api` slug. Device registration and first-poll recovery consume authenticated enrollment-session tokens, then issue device credentials required for subsequent poll, command-status, device realtime, and device FCM-token registration calls. The API worker owns a tenant-scoped `TENANT_EVENTS` Durable Object for operator WebSocket fleet events and device command wakeups, and uses Firebase Cloud Messaging HTTP v1 as a data-only wake channel for enrolled Android devices that have posted an FCM token. TopoloProvision QR/R2 APK builds remain the device-owner enrollment path, while Google Play internal-testing builds are a sales/demo distribution lane that runs without kiosk/device-owner assumptions until Android Enterprise enrollment. Current Android DPC builds call `https://mdm-api.topolo.app`; the Topolo-owned staging mirror uses `https://mdm-api.stg.topolo.us`. The Android package id is `com.topolo.provision` for Firebase, Google Play, and Android Enterprise device-admin payloads. Install-package catalog reads now point at the Developers-owned `https://developers.topolo.app/api/apps` route, where Topolo Feed, Topolo Provision, and the 22 retained Topolo Mobile Android APKs are R2-backed installable rows served from apk.topolo.app, while Topolo MDM Mobile remains Android/iOS metadata until its own mobile release. The mobile scaffold reads only the SDK-managed topolo_access_token key for bearer API requests, subscribes to `/events` for fleet freshness, and resolves `topolo_auth_flutter` from the canonical Auth repo git package path.

API key scopes in Auth catalog: 23

Auth Requirements

No global OpenAPI security scheme is declared.

apps.read
apps.write
commands.invoke
dashboard.read
devices.admin
devices.control
devices.read
devices.write
mdm.admin
policies.manage
policies.read
policies.write
reports.read
analytics.read
commands.read
commands.write
events.read
state.read
state.write
api_keys.write

Runtime and Deployment

Wrangler surfaces: none detected

Environment variables: none derived

Routes: workers.dev or Pages-only delivery

Observability enabled: no explicit signal found

Runtime Surface

Wrangler surfaces: No wrangler file detected in scanned surface

This application does not yet have a source-controlled OpenAPI spec in the docs platform. The current API page is derived from the registered contract source and repository surface.

Failure modes

No wrangler.toml surface was discovered under the registered repo paths.
The registered contract source is missing: PlatformApplications/TopoloDocs/src/content/public/applications/mdm.mdx
Neither OpenAPI nor README-derived interface detail was found.