> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arcuserp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# List attachments

> Returns a page of attachments scoped to the API key's entity. Filter
by `parent_type` + `parent_id` to scope to a single resource (order,
account, ap_bill, etc.). Requires the `attachments:read` scope.




## OpenAPI

````yaml /openapi.yaml get /attachments
openapi: 3.1.0
info:
  title: Arcus ERP Public API
  version: 1.0.0
  description: >
    Arcus ERP public REST API. Designed for external integrations and data
    migration.


    **Authentication.** Bearer token (API key) via the `Authorization` header.

    Format: `Authorization: Bearer ark_live_ent_<code>_<random>` (or
    `ark_test_*` for sandbox).

    API keys are issued per-entity in **Settings > Developers > API Keys**.


    **Entity scoping.** The entity is encoded in the API key prefix; routes are
    flat

    (e.g. `/v1/accounts`, `/v1/orders`, `/v1/products`). A small set of platform
    endpoints

    (migration, reconciliation, events, webhook endpoints, API keys) use the

    `/v1/entities/{entity_id}/...` form -- those are noted in their tags.


    **Key capabilities.**
      - Related-resource hydration via `?expand[]=` (see `x-arcus-expand` on each resource).
      - Cursor-based pagination (`starting_after` / `ending_before` / `limit`).
      - Idempotency via the `Idempotency-Key` header.
      - Webhook events for asynchronous notification.
      - Conditional requests / ETag for cache validation.
servers:
  - url: https://api.arcuserp.com/v1
    description: Arcus ERP API (accepts both live `ark_live_*` and test `ark_test_*` keys)
  - url: https://dev-api.arcuserp.com/v1
    description: >-
      Dev sandbox API (test-only data, accepts `ark_test_*` keys against dev
      RDS)
security: []
paths:
  /attachments:
    get:
      tags:
        - Attachments
      summary: List attachments
      description: |
        Returns a page of attachments scoped to the API key's entity. Filter
        by `parent_type` + `parent_id` to scope to a single resource (order,
        account, ap_bill, etc.). Requires the `attachments:read` scope.
      operationId: listAttachmentsV1
      parameters:
        - name: parent_type
          in: query
          schema:
            type: string
        - name: parent_id
          in: query
          schema:
            type: string
            format: uuid
        - $ref: '#/components/parameters/Limit'
        - $ref: '#/components/parameters/StartingAfter'
        - $ref: '#/components/parameters/EndingBefore'
      responses:
        '200':
          description: Paginated attachment list
          content:
            application/json:
              schema:
                type: object
                properties:
                  object:
                    type: string
                    example: list
                  data:
                    type: array
                    items:
                      $ref: '#/components/schemas/Attachment'
                  has_more:
                    type: boolean
        '401':
          $ref: '#/components/responses/Error'
      security:
        - ApiKeyAuth:
            - attachments:read
components:
  parameters:
    Limit:
      name: limit
      in: query
      required: false
      description: |
        Maximum number of records to return per page. Default 25, max 500.
        Use together with starting_after for cursor pagination. For larger
        bulk extraction workflows prefer the migration endpoints.
      schema:
        type: integer
        minimum: 1
        maximum: 500
        default: 25
    StartingAfter:
      name: starting_after
      in: query
      required: false
      description: |
        Cursor for pagination. Pass the id of the last record from the
        previous page to fetch the next page. Mutually exclusive with
        ending_before.
      schema:
        type: string
        maxLength: 200
    EndingBefore:
      name: ending_before
      in: query
      required: false
      description: |
        Cursor for reverse pagination. Pass the id of the first record from
        the previous page to fetch the prior page. Mutually exclusive with
        starting_after.
      schema:
        type: string
        maxLength: 200
  schemas:
    Attachment:
      type: object
      description: >
        A file attached to a parent resource via `parent_type` + `parent_id`.
        The two-step upload flow (`POST /attachments/upload-url` then `POST
        /attachments`) persists bytes in S3 and the row in `public.attachments`.
        `s3_bucket` and `s3_key` are operator-internal; clients fetch the file
        by minting a fresh presigned URL via `POST
        /attachments/{id}/download-url`. Soft-delete clears `deleted_at` but
        does NOT delete the S3 object; an out-of-band sweeper sets
        `s3_deleted_at` once bytes are purged. Scope: attachments:read /
        attachments:write / attachments:delete.
      properties:
        id:
          type: string
          format: uuid
          readOnly: true
        object:
          type: string
          example: attachment
        entity_id:
          type: string
          format: uuid
          readOnly: true
        parent_type:
          type: string
          description: Parent resource family (order, account, ap_bill, etc.). 1..30 chars.
        parent_id:
          type: string
          format: uuid
        filename:
          type: string
          description: Operator-supplied file name. 1..255 chars.
        mime_type:
          type: string
          description: Content type at upload time. 1..100 chars.
        size_bytes:
          type: integer
          format: int64
          description: File size at upload time in bytes.
        s3_bucket:
          type: string
          readOnly: true
          description: Operator-internal; clients should never need this.
        s3_key:
          type: string
          readOnly: true
          description: Operator-internal; clients should never need this.
        s3_etag:
          type: string
          nullable: true
          readOnly: true
        checksum_sha256:
          type: string
          nullable: true
          readOnly: true
          description: SHA-256 of the bytes if supplied at upload time.
        uploaded_by_user_id:
          type: string
          format: uuid
          nullable: true
          readOnly: true
        uploaded_via:
          type: string
          enum:
            - web
            - api
            - portal
            - migration
          default: web
          description: Origin of the upload. Set automatically; not caller-writable.
        is_public:
          type: boolean
          default: false
          description: If true, exposes via tokenized portal URL.
        expires_at:
          type: string
          format: date-time
          nullable: true
          description: Optional auto-expiry; the sweeper soft-deletes past this date.
        external_source:
          type: string
          nullable: true
          description: Migration provenance (versa, bubble).
        external_id:
          type: string
          nullable: true
        metadata:
          type: object
          description: Free-form caller metadata. Default {}.
        deleted_at:
          type: string
          format: date-time
          nullable: true
          readOnly: true
        s3_deleted_at:
          type: string
          format: date-time
          nullable: true
          readOnly: true
          description: Set once the sweeper purges S3 bytes.
        created_at:
          type: string
          format: date-time
          readOnly: true
    ErrorEnvelope:
      type: object
      description: |
        Canonical error response envelope. All API errors use this shape.
      required:
        - error
        - code
      properties:
        error:
          type: string
          description: Machine-readable error key
          example: not_found
        code:
          type: string
          description: Machine-readable error code (often same as error)
          example: not_found
        type:
          type: string
          enum:
            - validation_error
            - permission_error
            - not_found
            - conflict
            - rate_limit
            - internal
            - expand_error
            - not_implemented
          example: not_found
        hint:
          type: string
          description: Human-readable one-sentence explanation (English)
          example: >-
            The requested order does not exist or does not belong to this
            entity.
        param:
          type: string
          description: The parameter that caused the error, if applicable
          example: expand[0]
        required:
          type: string
          description: The scope required (only on insufficient_scope errors)
          example: accounts:read
        request_id:
          type: string
          description: >-
            Unique request ID for support tracing (maps to CloudWatch log
            stream)
          example: req_abc123
  responses:
    Error:
      description: Error response (400/401/403/404/409/422/429/500)
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ErrorEnvelope'
  securitySchemes:
    ApiKeyAuth:
      type: http
      scheme: bearer
      description: |
        API key issued per entity via Settings > Developers > API Keys.
        Each key carries scopes (e.g. orders:read, products:write).
        Bearer token format: Authorization: Bearer ark_live_ent_<code>_<random>
        Test keys use ark_test_ent_<code>_<random>. Both are issued per entity
        via Settings > Developers > API Keys.

````