REST API

Optional server API for shared tournament hosting. Base URL: /api

Overview

The REST API is an optional feature for shared tournament hosting. It enables tournament sharing, browsing, and management across multiple users when deployed to a PHP-enabled web server.

Optional: The API is not required for core functionality — NewTon DC Tournament Manager works fully offline without it
Graceful degradation: The app detects server availability at startup; API features simply don't appear if the server isn't reachable
Disabled by default on public deployments: Set NEWTON_API_ENABLED=false on demo or public-facing instances

Architecture

Server Requirements

PHP 7.0 or higher (PHP 8.2+ recommended)
Write permissions to the /tournaments directory
Web server (nginx, Apache) configured to execute PHP

Docker Deployment (Recommended)

docker run -d \
  --name newton-tournament \
  -p 8080:2020 \
  -v ./tournaments:/var/www/html/tournaments \
  ghcr.io/skrodahl/newton:latest

The Docker image includes Alpine Linux with nginx + PHP 8.2-FPM, all API endpoints pre-configured, and persistent tournament storage via volume mount. See Docker Quick Start for the full setup guide.

Directory Structure

/var/www/html/
├── api/
│   ├── list-tournaments.php
│   ├── upload-tournament.php
│   └── delete-tournament.php
├── tournaments/
│   └── [tournament JSON files]
└── [application files]

Data Storage

Tournaments stored as JSON files in /tournaments
Filename format: {TournamentName}_{YYYY-MM-DD}.json
Unicode characters in filenames fully supported (å, ä, ö, æ, ø, etc.)
Files created with 0644 permissions; directory requires 0755

Endpoints

1. List Tournaments

GET /api/list-tournaments.php

Returns a list of all tournaments in the /tournaments directory.

Success response (200):

{
  "tournaments": [
    {
      "filename": "Summer_League_2025-08-15.json",
      "name": "Summer League",
      "date": "2025-08-15",
      "players": 16,
      "status": "completed"
    }
  ],
  "count": 1
}

Returns an empty array if no tournaments exist. Skips files that can't be read or have invalid JSON.

2. Upload Tournament

POST /api/upload-tournament.php

Uploads a tournament JSON file to the server.

Request body:

{
  "filename": "MyTournament_2025-10-02.json",
  "data": { ... tournament object ... }
}

Parameters:

Parameter	Type	Required	Description
`filename`	string	Yes	Must end with `.json`
`data`	object	Yes	Tournament data object

Add ?overwrite=true to the URL to replace an existing file. Without it, uploading to an existing filename returns 409 Conflict.

Success response (200):

{
  "success": true,
  "filename": "MyTournament_2025-10-02.json",
  "path": "/tournaments/MyTournament_2025-10-02.json",
  "message": "Tournament uploaded successfully"
}

Error responses:

Status	Error	Cause
400	`Invalid JSON payload`	Request body is not valid JSON
400	`Missing filename or data`	Required fields absent
400	`Filename must end with .json`	Invalid extension
400	`Invalid filename - contains dangerous characters`	Path traversal attempt
409	`Tournament file already exists`	File exists, no overwrite flag
500	`Failed to save tournament file`	Filesystem write error

3. Delete Tournament

POST /api/delete-tournament.php

Deletes a tournament file from the server.

Request body:

{
  "filename": "MyTournament_2025-10-02.json"
}

Success response (200):

{
  "success": true,
  "filename": "MyTournament_2025-10-02.json",
  "message": "Tournament deleted successfully"
}

Error responses:

Status	Error	Cause
400	`Missing filename`	Required field absent
400	`Filename must end with .json`	Invalid extension
400	`Invalid filename - contains dangerous characters`	Path traversal attempt
404	`Tournament file not found`	File doesn't exist
500	`Failed to delete tournament file`	Filesystem error

CORS

All endpoints include CORS headers:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type

For production deployments, restrict Access-Control-Allow-Origin to your specific domain.

Client Integration

Feature Detection

The application detects server availability on page load by calling /api/list-tournaments.php. If the server responds, API features (upload button, shared tournaments list, delete buttons) are shown. If not, they are silently hidden — the app works fully without them.

Conditional UI

"Upload to Server" button — shown when API responds
"Shared Tournaments" section — shown when tournaments exist on the server
Delete buttons — shown on each shared tournament

Import Validation

Any file downloaded from the server must pass the Tournament Manager's import validation before it can be loaded. Files that don't match the expected tournament structure are rejected by the client — they cannot affect your local tournament data.

Data Format

Tournaments are stored as JSON with the following top-level structure:

{
  "id": 1234567890,
  "name": "My Tournament",
  "date": "2025-10-02",
  "created": "2025-10-02T10:30:00.000Z",
  "status": "completed",
  "bracketSize": 16,
  "players": [ ... ],
  "matches": [ ... ],
  "placements": { "1": 1, "2": 2 },
  "exportedAt": "2025-10-02T15:45:00.000Z"
}

Match IDs follow the format FS-1-1 (Frontside Round 1 Match 1) and BS-FINAL (Backside Final). See the export format for the full schema.

Security

Built-in Protections

Filename sanitized with basename() — prevents directory traversal
Rejects filenames containing .., /, \, or null bytes
JSON encoding validated before writing to disk
No authentication built in — access control is the operator's responsibility (see Privacy Architecture for the full data model)

Recommended Practices

Restrict Access-Control-Allow-Origin to your domain in production
Use HTTPS — terminate TLS at your reverse proxy
Don't expose the container directly to the public internet without a reverse proxy or VPN
Consider adding HTTP basic authentication at the nginx/Caddy level for write operations
Back up the /tournaments directory regularly
Disable the API entirely with NEWTON_API_ENABLED=false if you don't need sharing

Troubleshooting

Upload Button Doesn't Appear

Open the browser console and look for [Shared Tournaments] messages
Verify /api/list-tournaments.php returns 200 OK
Check NEWTON_API_ENABLED is set to true
Verify PHP is executing (not returning raw PHP source code)

502 Bad Gateway

PHP-FPM is not running or misconfigured. Check the nginx fastcgi_pass settings and verify PHP-FPM is running inside the container.

Tournaments Not Appearing

Check that /tournaments exists and is readable (755 for directory, 644 for files). Verify the JSON files are valid.

API Returns 403 Forbidden

NEWTON_API_ENABLED is set to false. Restart the container after changing environment variables.

Tournaments Not Persisting After Restart

Verify the volume mount is configured: -v ./tournaments:/var/www/html/tournaments. Check host directory permissions.

View Container Logs

docker compose logs -f

Access Container Shell

docker compose exec newton-tournament sh