Forums Bug Reports Thread

API endpoint POST /api/v1/learn/cohorts/grant is undocumented in both the OpenAPI spec and the api-learn wiki article

Patrick Bass · Jun 6 · 15 · 1 Locked
[Major] [High Priority] [Bug Fixed] [Always Reproduces]
Oldest Newest Top
Patrick Bass 🚀 OP Jun 6, 2026 6:45pm

Area: mobieusLearn (audit p8) · Surface: API /api/v1/learn/cohorts/grant (mobieusLearn — org-purchase cohort provisioning) · Dimension: documentation · Severity: major

The only mobieusLearn v1 API endpoint intended for external/third-party integration (provisioning a multi-seat cohort from a paid org purchase, idempotent on source_reference) has zero public documentation. An integrator reading /api/docs or /know/api-learn would never know it exists, despite the in-code docblock describing the full request body (buyer_user_id, course_id, seat_count, source_reference, etc.) and 200/201 idempotency semantics. This is the most integration-critical Learn endpoint and the only undocumented one.

Evidence

Route is real: /home/patrick/mobieus-io/platform/src/routes.php:272 `$router->post('/learn/cohorts/grant', 'Api\V1\LearnController@cohortsGrant');` and the handler exists at /home/patrick/mobieus-io/platform/src/Controllers/Api/V1/LearnController.php:301 `public function cohortsGrant(): void`. It is explicitly designed for external integrations (comment line 283: "safely retried by Stripe webhook handlers + external integrations"). But it is ABSENT from the public OpenAPI spec served at /api/docs: `curl -s https://support.mobieus.io/api/openapi.yaml | grep -c '/api/v1/learn/cohorts/grant'` returns 0 (all 25 other v1 learn paths are present; this is the only one in code-but-not-spec per `comm -23 code-paths spec-paths` → `/learn/cohorts/grant`). It is also absent from the wiki API article: `curl -s https://support.mobieus.io/know/api-learn | grep -c 'cohorts/grant'` returns 0 (that article documents courses, enrollments, certificates, cert-templates, attempts, modules, lessons, activities, SCORM — but not cohort grant).

Suggested fix. Add the `/api/v1/learn/cohorts/grant` path to /api/openapi.yaml under the Learn tag (mirror the docblock at LearnController.php:277-300 for the request body and 200/201 responses + idempotency note), and add a section to the /know/api-learn wiki article.

Filed by the automated tenant-app audit and adversarially evidence-verified. Status: verified. Open — not yet actioned.

Patrick Bass
@mobieus

Patrick Bass 🚀 Jun 7, 2026 5:15am

Resolved — fixed and deployed. Commit e23a8fec596a, shipped dev-first then to all tenants on 2026-06-06.

Added POST /api/v1/learn/cohorts/grant path under the Learn tag, mirroring LearnController::cohortsGrant docblock (lines 277-300): request body (buyer_user_id/course_id/seat_count/source_reference + optional fields), learn:cohorts:grant scope, idempotency note on source_reference, and 200 (idempotent hit)/201 (newly granted)/400 responses.

Status: fixed. Thread closed and locked.

Patrick Bass
@mobieus

Related Discussions

xAPI LRS endpoints and learn/cohorts/grant are live bearer-authed API routes but absent from openapi.yaml
Bug Reports · 1 replies · 18 views
xAPI Learning Record Store API (/api/v1/xapi/*) is undocumented — absent from both OpenAPI spec and mobieusKnow
Bug Reports · 1 replies · 20 views
OpenAPI spec documents 4 /api/v1/learn/live-sessions endpoints that do not exist as routes (phantom docs → 404s)
Bug Reports · 1 replies · 18 views
Course offer convert-to-learn and convert-to-moodle forms always fail CSRF (wrong field name AND wrong session key) — both admin actions unusable
Bug Reports · 1 replies · 26 views
[New] Integration / API: No Idempotency-Key support on any POST endpoint — unsafe retries on writes
Feature Requests · 1 replies · 19 views

Log in or register to reply to this thread.