What authentication methods are available?

Token authentication is recommended for integrations; OAuth2 is supported; sessions can be used where appropriate.

What HTTP status codes indicate issues?

Common codes include 200 for success, 400 for validation, 401 for no authentication, 403 for no permissions, 404 for not found, 417 for server exception, 429 for rate limit exceeded.

How do I handle rate limiting?

Respect server-side rate limits, implement exponential backoff, and consider per-API rate limits and caching to reduce calls.

erpnext-api-patterns

npx machina-cli add skill OpenAEC-Foundation/ERPNext_Anthropic_Claude_Development_Skill_Package/erpnext-api-patterns --openclaw

Files (1)

SKILL.md

4.0 KB

ERPNext API Patterns

API Type Decision Tree

What do you want to achieve?
│
├─► CRUD operations on documents
│   └─► REST API: /api/resource/{doctype}
│
├─► Call custom business logic
│   └─► RPC API: /api/method/{path}
│
├─► Notify external systems on events
│   └─► Configure Webhooks
│
└─► Client-side server calls (JavaScript)
    └─► frappe.call() or frappe.xcall()

Quick Reference

Authentication Headers

# Token Auth (RECOMMENDED for integrations)
headers = {
    'Authorization': 'token api_key:api_secret',
    'Accept': 'application/json',
    'Content-Type': 'application/json'
}

# Bearer Token (OAuth2)
headers = {'Authorization': 'Bearer {access_token}'}

REST API CRUD

Operation	Method	Endpoint
List	`GET`	`/api/resource/{doctype}`
Create	`POST`	`/api/resource/{doctype}`
Read	`GET`	`/api/resource/{doctype}/{name}`
Update	`PUT`	`/api/resource/{doctype}/{name}`
Delete	`DELETE`	`/api/resource/{doctype}/{name}`

Filter Operators

# Basic filters
filters = [["status", "=", "Open"]]
filters = [["amount", ">", 1000]]
filters = [["status", "in", ["Open", "Pending"]]]
filters = [["date", "between", ["2024-01-01", "2024-12-31"]]]
filters = [["reference", "is", "set"]]  # NOT NULL

RPC Method Call

# Server-side: mark with decorator
@frappe.whitelist()
def my_function(param1, param2):
    return {"result": "value"}

# API call
POST /api/method/my_app.api.my_function
{"param1": "value1", "param2": "value2"}

Client-Side Calls (JavaScript)

// Async/await pattern (RECOMMENDED)
const result = await frappe.xcall('my_app.api.my_function', {
    param1: 'value'
});

// Promise pattern
frappe.call({
    method: 'my_app.api.my_function',
    args: {param1: 'value'},
    freeze: true,
    freeze_message: __('Processing...')
}).then(r => console.log(r.message));

Response Structure

REST API Success:

{"data": {...}}

RPC API Success:

{"message": "return_value"}

Error Response:

{
    "exc_type": "ValidationError",
    "_server_messages": "[{\"message\": \"Error details\"}]"
}

HTTP Status Codes

Code	Meaning
`200`	Success
`400`	Validation error
`401`	No authentication
`403`	No permissions
`404`	Document not found
`417`	Server exception
`429`	Rate limit exceeded

Critical Rules

ALWAYS include Accept: application/json header
ALWAYS add permission checks in whitelisted methods
NEVER hardcode credentials - use frappe.conf
NEVER write SQL injection vulnerable queries
GET for read-only, POST for state-changing operations

Reference Files

File	Contents
authentication-methods.md	Token, Session, OAuth2 implementation
rest-api-reference.md	Complete REST API with filters and pagination
rpc-api-reference.md	Whitelisted methods and frappe.call patterns
webhooks-reference.md	Webhook configuration and security
anti-patterns.md	Common mistakes and fixes

Version Notes (v14 vs v15)

Feature	v14	v15
`expand_links` parameter	❌	✅
Server Script rate limiting	❌	✅
PKCE for OAuth2	Limited	✅

Source

git clone https://github.com/OpenAEC-Foundation/ERPNext_Anthropic_Claude_Development_Skill_Package/blob/main/skills/source/core/erpnext-api-patterns/SKILL.md

View on GitHub

Overview

This guide covers ERPNext/Frappe API integrations across v14-v16, including REST API, RPC API, authentication, webhooks, and rate limiting. It helps when code is needed for external API calls to ERPNext, designing endpoints, and secure integration.

How This Skill Works

ERPNext exposes REST endpoints under /api/resource/{doctype} for CRUD, and RPC under /api/method/{path} for custom logic. Clients authenticate with token or OAuth2, and webhooks allow event notifications; the system enforces rate limits and permissions.

When to Use It

You need CRUD operations on ERPNext documents via REST API.
You want to call custom business logic on the server using RPC.
You need to notify external systems when ERPNext events occur via webhooks.
You are building client-side calls from JavaScript using frappe.call or frappe.xcall.
You must design secure integrations with token-based or OAuth2 authentication and rate limiting.

Quick Start

Step 1: Pick the API pattern (REST for CRUD, RPC for server logic, or Webhooks for events).
Step 2: Configure authentication (token or OAuth2) and set Accept and Content-Type headers.
Step 3: Implement endpoints or webhook, then test with sample calls using curl or frappe.call.

Best Practices

ALWAYS include Accept: application/json header
ALWAYS add permission checks in whitelisted methods
NEVER hardcode credentials - use frappe.conf
NEVER write SQL injection vulnerable queries
GET for read-only, POST for state-changing operations

Example Use Cases

Using REST API to list, create, read, update, and delete a Doctype via /api/resource/{doctype}
Calling a server-side function with /api/method/my_app.api.my_function and passing params
Configuring a webhook in ERPNext to send data to an external system on events
Invoking client-side logic with frappe.call or frappe.xcall from JavaScript
Implementing token-based authentication for an external integration with Authorization: token ...

Frequently Asked Questions

Add this skill to your agents