Favorites API

The Favorites API enables cross-device favorites synchronization using passwordless magic link authentication. For architectural details, see the Favorites Architecture explanation.

Endpoints

Request Magic Link

POST /api/v1/favorites/magic-link

Sends a magic link email to the specified address.

Request

{
  "email": "user@example.com"
}

Headers:

• Content-Type: application/json
• X-Session-ID: {session_id} (optional, for session linking)

Response

{
  "success": true,
  "message": "Check your email for a magic link to sync your favorites!"
}

Errors

Status	Detail
400	Brokerage not found
429	Too many magic link requests. Please check your email or wait 15 minutes.

Rate Limiting: Maximum 3 pending magic links per email within 15 minutes.

---

Verify Magic Link

GET /api/v1/favorites/verify/{token}

Verifies a magic link token and returns authentication credentials.

Response

{
  "success": true,
  "client_id": 123,
  "auth_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "favorites": ["98970014", "98970015", "98970171"],
  "email": "user@example.com"
}

Errors

Status	Detail
400	This magic link has already been used. Request a new one.
400	This magic link has expired. Request a new one.
400	Brokerage not found
404	Magic link not found

Token Behavior:

• Expires after 15 minutes
• Can only be used once
• Links anonymous session to client if X-Session-ID was provided

---

Get Favorites

GET /api/v1/favorites

Returns the authenticated user’s synced favorites.

Request

Headers:

Authorization: Bearer {auth_token}

Response

{
  "favorites": ["98970014", "98970015", "98970171"]
}

Errors

Status	Detail
401	Invalid or expired auth token. Request a new magic link.

---

Sync Favorites

POST /api/v1/favorites/sync

Syncs localStorage favorites to the server using a union merge strategy.

Request

Headers:

Authorization: Bearer {auth_token}
Content-Type: application/json

Body:

{
  "favorites": ["98970014", "98970015", "98970171", "98970200"]
}

Response

{
  "favorites": ["98970014", "98970015", "98970171", "98970200"]
}

Returns the merged set (server + request favorites combined).

Errors

Status	Detail
401	Invalid or expired auth token. Request a new magic link.

Tip

The union merge strategy means favorites are only ever added, never removed during sync. Use DELETE to remove specific favorites.

---

Remove Favorite

DELETE /api/v1/favorites/{listing_id}

Removes a specific favorite from the user’s synced list.

Request

Headers:

Authorization: Bearer {auth_token}

Response

{
  "success": true,
  "message": "Favorite removed"
}

Errors

Status	Detail
401	Invalid or expired auth token. Request a new magic link.

---

Auth Token Structure

The auth_token is a signed JWT with the following claims:

{
  "client_id": 123,
  "brokerage_id": 1,
  "email": "user@example.com",
  "exp": 1735689600,
  "iat": 1727913600,
  "type": "favorites_auth"
}

Claim	Description
client_id	Internal client/lead ID
brokerage_id	Associated brokerage
email	Verified email address
exp	Expiration (90 days from issue)
iat	Issued at timestamp
type	Always "favorites_auth"

Caution

This token is only valid for favorites API endpoints. It cannot be used for admin, agent, or other protected resources.

---

Data Models

MagicLink

Column	Type	Description
id	SERIAL	Primary key
brokerage_id	INTEGER	Associated brokerage (FK)
email	VARCHAR(255)	Recipient email
token	VARCHAR(64)	Unique secure token
session_id	VARCHAR(36)	Optional session to link
expires_at	TIMESTAMPTZ	Token expiration time
used_at	TIMESTAMPTZ	When token was used (null if unused)
client_id	INTEGER	Client created on verification (FK)

ClientFavorite

Column	Type	Description
id	SERIAL	Primary key
client_id	INTEGER	Associated client (FK)
listing_id	VARCHAR(50)	MLS listing ID
created_at	TIMESTAMPTZ	When favorite was added

Unique Constraint: (client_id, listing_id) — prevents duplicates.

---

Related

• Favorites Architecture — How the system works
• Frontend Integration Guide — Implementation tutorial
• Properties API — Get property details for favorites