# Architecture

## Key conventions

- Versioned API exposed under `/api/v1`
- Stateless JWT authentication
- Main roles: `ROLE_ADMIN`, `ROLE_EMPLOYEE`, `ROLE_CUSTOMER`
- Frontend split between back-office space and client space

## Security

- API routes are private by default (`ROLE_USER`) unless explicitly opened.
- `POST /api/v1/auth/login` stays public for token issuance.
- OpenAPI documentation (`/api/doc`) stays public to simplify local integration work.
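
One way these three rules could be expressed, assuming the API is a Symfony application (suggested by the Doctrine and `ROLE_*` conventions, not stated on this page). This is an added example, not the project's own configuration; the file path, the role hierarchy and the `^/api` catch-all pattern are assumptions.

```yaml
# config/packages/security.yaml (assumed path; Symfony security component)
# The firewall and JWT authenticator come from the project's own JWT setup
# and are not reproduced here.
security:
    # Assumption: each business role inherits ROLE_USER, so the catch-all
    # rule below admits any authenticated account whatever its role.
    role_hierarchy:
        ROLE_CUSTOMER: ROLE_USER
        ROLE_EMPLOYEE: ROLE_USER
        ROLE_ADMIN: ROLE_USER

    # Rules are evaluated top to bottom and only the first match applies,
    # so the public exceptions must come before the catch-all.
    access_control:
        # Token issuance: anonymous, exact path, POST only. Any other
        # method on this path falls through to the catch-all rule.
        - { path: ^/api/v1/auth/login$, roles: PUBLIC_ACCESS, methods: [POST] }

        # OpenAPI documentation. The pattern is a prefix match, so it also
        # covers sub-paths served beneath /api/doc.
        - { path: ^/api/doc, roles: PUBLIC_ACCESS }

        # Private by default: every other route under /api needs a valid token.
        - { path: ^/api, roles: ROLE_USER }
```

With this ordering, a new controller added under `/api` is protected without any extra rule; opening a route means adding an explicit entry above the last line.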

## Database

- The schema is managed through Doctrine migrations.
- Minimal startup data is loaded through fixtures.
- In Docker, the API waits for MySQL availability before running migrations to avoid unstable starts.
