LCS API Endpoints

This is an endpoint-by-endpoint listing of the LCS API with the parameters, details, and kinks written out.

Don't read this unless you have a specific question. Read the more general docs for a higher-level overview. The general ideas include something like a table of contents.

The error messages below are imprecise on dev (the dev and prod are slightly mismatched). The status codes are accurate and should be the only thing you use to check for an error condition - messages are intended for programmers, not the code.


Method: POST.

Data: JSON.

Example JSON:

    "email": "",
    "password": "the plain text password"


Situation Value HTTP Code Type
Email or password not present in JSON. Invalid Request 400 Text/plain
No user with that email and password. invalid email,hash combo 403 Text/plain
The user is present, but used MLH. Please use MLH to log in. 403 Text/plain
The user is present, but the password does not match. invalid email,hash combo 403 Text/plain
Successful login {"auth": { "token": "some token", "valid_until": "ISO date for 3 days from now", "email": "the email passed in"}} 200 Application/JSON

Notes: The password is hashed in the processing - plain text is not in the DB. For security, however, you must use HTTPS so that user passwords cannot be intercepted.


Method: POST.

Data: JSON.

Example JSON:


    "email": "",
    "password": "the plain text password"

With a magic link:

    "email": "",
    "link": "bibaty bobity boo",
    "password": "the plain text password"


    "email": "",
    "password": "the plain text password"
    "github": "Their github",
    "major": "Their major",
    "short_answer": "Their short answer",
    "shirt_size": "Their shirt size",
    "first_name": "Their first name",
    "last_name": "Their last name",
    "dietary_restrictions": "Their dietary restrictions",
    "special_needs": "Their special needs",
    "date_of_birth": "Their date of birth",
    "school": "Their school",
    "grad_year": "Their grad year",
    "gender": "Their gender",
    "registration_status": "Their registration status",
    "level_of_study": "Their level of study"


Situation Value HTTP Code Type
Registration is closed Registration is closed 400 Text/plain
The email is invalid An error message explaining the email troubles. 400 Text/plain
No email No email provided! 400 Text/plain
No password provided. No password provided 400 Text/plain
The email is already in the DB Duplicate user! 400 Text/plain
Successful login {"auth": { "token": "some token", "valid_until": "ISO date for 3 days from now", "email": "the email passed in"}} 200 Application/JSON

The magic link can be optimally provided to consume a link on creation. This is convenient for some magiclinks. See the consume endpoint which is wholly subsumed by this.


Method: GET.

Data: URL query parameters

Example Uses: You do not call this endpoint - unless you're MLH and MLH calls it correctly because MLH works. You call it by calling MLH.

In general you need:

<a href="<your client ID here>&redirect_uri=https://<your AWS API URL>/mlhcallback&response_type=code&scope=email+education+birthday"></a>

See the deployment instructions for how to get the client id. The redirect_uri's very end has some freedom:

  • /mlhcallback?redir=<URL> makes it so that we redirect to you at the URL you pass in.

Ah, the illusion of choice... but that URL can be as complex as you need.


If you're not redirected to, either the code itself or MLH did not behave themselves. This means you have to fix your deploy.

If you get redirected to, one of two things are in the query parameters:

  • authdata={"auth": { "token": "some token", "valid_until": "ISO date for 3 days from now", "email": "the email passed in"}} if everything worked.
  • error=Could not log you in. Be sure you signed up with MLH, not us. if something went wrong. Note that this is the only possible error: if MLH gave us back some sort of trash it's since the user didn't use MLH in the first place: they used LCS.


Method: POST

Data: JSON

Example JSON:

    "email": "",
    "token": "the authentication token string"


Situation Value HTTP Code Type
Invalid data submission Data not submitted 400 Text/plain
User email not found Email not found 400 Text/plain
User token expired Authentication token is invalid 400 Text/plain
Success The data submitted 200 Application/JSON


Method: POST

Data: JSON

Example JSON:

  updates : {'$set': {'grad_year': 2020}},
  user_email: "somehacker@email_server.thing",
  auth_email: "somehacker@email_server.thing",
  auth: "the auth token"

This changes the Graduation year of the hacker (with email to 2020 (assuming the auth token is valid).

  updates : {'$set': {'registration_status': 'checked-in'}},
  user_email: "somehacker@email_server.thing",
  auth_email: "",
  auth: "the auth token"

This changes the registration status of the user if the user (admin - that is director or organizer) is and the token is valid for the admin. We discuss the details of the permissions where we discuss the user object.

  updates : {'$set': {'day_of.checkIn': True, 'registration_status': 'checked-in'}},
  user_email: "somehacker@email_server.thing",
  auth_email: "",
  auth: "the auth token"

Assuming the validity of the auth token and that auth_email is an organizer, this is the update an app should use when scanning a QR code to admit a hacker into the hackathon. $set against the day_of with fields that do not yet exist are simply added in. This is a convenience so that LCS does not need to be updated every time there is a new event that needs to be tracked.

  updates : {'$inc': {'day_of.lunch1': 1}},
  user_email: "somehacker@email_server.thing",
  auth_email: "",
  auth: "the auth token"

This update would be performed when a user is scanned for lunch on Saturday. Lunch is the only meal that occurs twice and tends to be numbered, 1 being the Saturday one and 2 the one on Sunday. $inc increments since the food team may allow hackers to receive multiple servings. If the field is not there, MongoDB will set it to the value given (so, in this case 1, if it's the hacker's first time having lunch on Saturday).

Auth email vs. user email: In order to prevent users from updating their own status or letting any sort of malicious changes to a hacker's data, we distinguish updates between those allowed for admins and those allowed for hackers. The "auth email" is the email of the person performing the updates and the "user email" is the email of the user being updated.

Mongo docs (what $set is about): So this endpoint actually allows for any individual update (uniquely determining who to update by email). So we differ to Mongo to explain the operations you can put.. Most fields are all or nothing: if you can update the field, you can do anything to it. The only exception is the registration status which has its own FSM that determines update permissions.

Silent failures: If the change is not permitted by a validation issue, the endpoint silently does not change the field in question. Every field is considered separately - so if an update is more advanced, it may only partially go through. Check the user object for details on whether the hacker can update the status or if an admin is needed.


Situation Value HTTP Code Type
Email, auth email or token (auth) not given Data not submitted. 400 Text/plain
Auth email is not found Auth email not found. 400 Text/plain
Auth token is not found Authentication token not found. 400 Text/plain
Auth email is not the hacker email and is not that of an admin Permission Denied 403 Text/plain
Hacker email not found User email not found 400 Text/plain
Success Successful Request 200 Text/plain


Method: POST

Data: JSON

Example JSON:

  link: 'the randomly generated magic link',
  email: 'hacker@email.thing',
  token: 'the auth token'

More on the use: Remember to see the general docs for how this interacts with the other endpoints to create its own updating system.


Situation Value HTTP Code Type
link not given No magic link provided 400 Text/plain
link not found Invalid magiclink 400 Text/plain
The user is an MLH user (so we do not have control over their password) Please change your password through MLH 400 Text/plain
The user email is not found We could not find that email 400 Text/plain
A login issue occurred in handling the link (for a role update) Failed to update: please login again. 400 Text/plain
Password has been updated Successfully updated your password 200 Text/plain
Role has been updated Successfully updated your role 200 Text/plain


Method: POST

Data: JSON

Example JSON:

For a forgotten password:

  email: "some@email.thing,
  forgot: true

and to promote users:

  email: "some_director@your.hackathon",
  "token": "the user's token",
  "numLinks": 3,
  "permissions": ["director", "judge", "organizer", "volunteer", "mentor"],
  "emailsTo": ["", "", ""]

The numLinks parameter is optional - 1 by default. The emailsTo is necessary to email the promoted users so that they may be promoted.

More on the use: Remember to see the general docs for how this interacts with the other endpoints to create its own updating system. Also note that admins and hackers have very different uses: hackers may only request a password reset while admins may promote anybody. Additionally, there is no verification of the email being promoted and if that email is already that of a hacker.


Situation Value HTTP Code Type
Valid forgotten password case Forgot password link has been emailed to you 200 Text/plain
The user is an MLH user - we don't have their password Please use MLH to login. 400 Text/plain
The user is not a user - they must create an account Invalid email: please create an account. 400 Text/plain
The admin user did not provide enough information for the link You forgot some params try a again 400 Text/plain
The admin user was not enough of an admin Invalid permissions 400 Text/plain
The admin user could not be logged in Please input a proper auth token 400 Text/plain
Valid director link case List of magic link objects - see below. 200 Application/JSON

The magic link object:

  "permissions": ["director", "judge", "organizer", "volunteer", "mentor"]
  "email": ""
  "forgot": false,
  "link": "a hashy boi",
  "valid_until": "UTC time now + 3 hours"


Method: GET

Data: JSON

Example Uses: Just a plain ol' GET:


You can pass a num_events to influence the number of events shown (defaults to 10).


Situation Value HTTP Code Type
The calendar API is misconfigured Please interactively generate client secret file. 400 Text/plain
The calendar API returned an error Unable to get events. 400 Text/plain
Success Google API events. The events are returned as specified by google. 200 Application/JSON


Method: GET

Data: JSON

Example Uses: Just a plain ol' GET:


You can pass a num_events to influence the number of events shown (defaults to 10).


Situation Value HTTP Code Type
The slack API returned an error Unable to retrieve messages 400 Text/plain
The slack API returned no messages No messages found. 400 Text/plain
Success Slack messages that are not "join" messages. The messages are returned as specified by slack. 200 Application/JSON


Method: POST

Data: JSON

Example JSON:

A user emailing themselves:

  "template": "some sparkpost template",
  "recipients": ["some_email@your.hackathon"],
  "email": "some_email@your.hackathon",
  "token": "some hashy boi"

A user (director) emailing two people:

  "template": "some sparkpost template",
  "recipients": ["some_email@your.hackathon", "some_other_email@your.hackathon"],
  "email": "some_director@your.hackathon",
  "token": "some hashy boi"

A user (director) emailing by a query (are they a judge):

  "template": "some sparkpost template",
  "query": {'role.judge': true}
  "email": "some_director@your.hackathon",
  "token": "some hashy boi"

A user (director) emailing people with personalised links:

  "template": "some sparkpost template",
  "recipients": ["some_email@your.hackathon", "some_other_email@your.hackathon"],
  "links": ["", ""],
  "email": "some_director@your.hackathon",
  "token": "some hashy boi"

Constraints: The query or a list of recipients that is not just the user's email itself can be submitted by directors only. Additionally, links can only be provided with recipients. This is since the number of results in a query cannot be known, so the correct number of links would likely not be provided.

Returns: There are 4 classes of errors and the messages are rather self-explanatory:

  • An issue with the invocation: either missing data or lacking permission. Note that users may only email themselves, directors can email anybody. An empty list of recipients is caught here too.
  • An issue with sparkpost: invalid templates, or any sort of malarchy. The error string will be from sparkpost except in deeply pathological cases.
  • An issue with the query: if the user passes in a query, it might have an issue which will be reported.
  • An issue with personalised links.


Method: POST

Data: JSON

Example JSON:

There could be a user:

  "email": "users_email@your_hackathon",
  "token": "some hashy boi",
  "query": {"email": "their email"}

and then they can aggregate (counting the shirt sizes and genders):

  "email": "users_email@your_hackathon",
  "token": "some hashy boi",
  "query": ["shirt-size", "gender"],
  "aggregate": true

and there may not even be a user:

  "query": ["shirt-size", "gender"],
  "aggregate": true,
  "just_here": true


The old validation rules were clumsy at best. There are three types of queries, explained in decreasing power:

  1. A director query: directors are allowed to run any query. We only ensure that non-serializable Mongo stuff is not included.
  2. A user query: users can get themselves (only). (So the validate endpoint is good enough.) Redacts reimbursement information on hackers who aren't confirmed.
  3. A non-director aggregation: anybody (regardless of relation to LCS) can aggregate by the powerset of these fields: major, shirt_size, dietary_restrictions, school, grad_year, gender, level_of_study, ethnicity. This will create counts of every combination of the field values found in the database. The just_here field is a flag on whether to exclude non-checked in users.


Method: POST

Data: JSON

Example JSON:

  "email": "",
  "token": "hashy boi",
  "day-of": true


Mostly changes the DB to include reimbursement estimates to travelling users. Uses the google distance matrix API and configurable cost-per-mile constants.

The day-of flag is to chose whether to estimate for all registered users and then scale to match the budget or to only update the data on the coming users. When day-of is set to true, only coming or confirmed users are considered "already reimbursed" since they see a dollar amount on the site.

The error messages are generated by the various libraries and APIs: there can be google maps API errors, Mongo query errors, and errors in the JSON sent in. Only directors can call the API. On success, the write operation result and the amount spent are returned in JSON. For example:

{'statusCode': 200, 'mongo_result': 60, 'total': 3000}
