API reference

REST endpoints for integrating IMMO-OFF into locksmith software, body-shop tooling, or your own workflow.

Public API access — not yet open

Direct API keys for third-party software integration aren't self-serve yet — current endpoints are reachable from signed-in sessions on this site, which credit-gates every call. If you want raw API access for testing or shop integration, email us and we'll issue a key on a per-account basis.

Base URL

https://immooff-api.onrender.com

GET/healthAuth: None

Readiness probe. Returns service status, version, environment.

curl https://immooff-api.onrender.com/health
# {"status":"ok","version":"0.2.0","env":"production"}

GET/v1/coverageAuth: None

List all ECU variants currently in the patch registry.

curl https://immooff-api.onrender.com/v1/coverage

POST/v1/identifyAuth: None — free tier

Identify an ECU dump variant from a raw .bin / .hex / .s19. Returns family, variant_id, confidence, and capability flags. No payment required.

curl -X POST https://immooff-api.onrender.com/v1/identify \
  -F "file=@my-ecu-dump.bin"

# Returns:
# {
#   "size_bytes": 524288,
#   "sha256": "...",
#   "family": "bmw-ms43",
#   "variant_id": "bmw-ms43-430056",
#   "display_name": "BMW MS43 (ca430056)",
#   "confidence": 0.94,
#   "immo_off_supported": true,
#   "checksum_supported": false,
#   "notes": [...]
# }

POST/v1/processAuth: X-Worker-Key header (proxy-only, not for direct customer use)

Apply IMMO-OFF patch + checksum repair to a dump. Customers reach this via the /api/process Next.js proxy after sign-in; the proxy adds auth + credit gating. Direct API access available on request — contact us for a key.

# Customer-facing path (recommended):
POST https://immolocksmith.vercel.app/api/process
Cookie: immo_session=...   (set by sign-in)
Body: multipart/form-data { file, variant_id?, download? }

# Underlying worker endpoint (proxy-only):
POST https://immooff-api.onrender.com/v1/process
Headers: X-Worker-Key, (server-side only)
Body: multipart/form-data { file, variant_id?, download?, user_id }

POST/v1/auth/signupAuth: None

Create a new user account. Returns a JWT to set as the session cookie.

curl -X POST https://immooff-api.onrender.com/v1/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"shop@example.com","password":"8+chars"}'

POST/v1/auth/signinAuth: None

Validate credentials, return a JWT.

curl -X POST https://immooff-api.onrender.com/v1/auth/signin \
  -H "Content-Type: application/json" \
  -d '{"email":"shop@example.com","password":"8+chars"}'

GET/v1/auth/meAuth: Token query param

Verify a session token and return the user, role, and current credits balance.

curl "https://immooff-api.onrender.com/v1/auth/me?token=eyJ..."

File formats accepted

• .bin — raw binary (most common, output of XPROG / Orange5 / Iprog / Carprog)
• .hex — Intel HEX
• .s19, .s28, .s37 — Motorola S-record

Max upload 8 MB. Files are processed in-memory and deleted after 30 days.