Data model

Candidates

A person in the hiring funnel. Carries identity (name, email, phone), source, location, links (LinkedIn / portfolio), tags, skills, GDPR consent + retention. One candidate can have multiple applications across different jobs.

Model name: candidate

Endpoints: 5

Max page size: 200

Fields

Per-field validation rules. Values that violate any constraint are rejected with 400 before they reach the database.

Field	Type	Constraints
city	`string`	max length`120`
name	`string`	max length`200`
tags	`tags`	-
color	`string`	max length`24`
email	`string`	max length`320`
phone	`string`	max length`64`
cv_url	`url`	max length`2048`
github	`url`	max length`2048`
skills	`tags`	-
country	`string`	max length`120`
summary	`string`	max length`4000`
currency	`string`	max length`8`
linkedin	`url`	max length`2048`
pronouns	`string`	max length`32`
languages	`tags`	-
last_name	`string`	max length`120`
portfolio	`url`	max length`2048`
source_id	`string`	max length`64`ref →`source`
cv_blob_id	`string`	max length`64`
first_name	`string`	max length`120`
salutation	`enum`	enum`herr \| frau \| divers \| neutral`
pool_status	`enum`	enum`active \| talent_pool \| blocked \| withdrawn`
current_role	`string`	max length`200`
gdpr_consent	`bool`	-
source_label	`string`	max length`200`
available_from	`string`	max length`32`
avatar_blob_id	`string`	max length`64`
current_company	`string`	max length`200`
gdpr_consent_at	`string`	max length`32`
last_touched_at	`string`	max length`32`
preferred_locale	`string`	max length`16`
years_experience	`number`	-
salary_expectation	`number`	-
gdpr_retention_until	`string`	max length`32`

Mutability

Which fields can you send, and when? Anything without a marker is server-managed - sending it isn't an error, it's silently ignored.

Create-only - read from POST body.Patchable - read from PATCH body.Server-managed - ignored on the body.

Field	Type	Create	Patch
city	string
name	string
tags	tags
color	string
email	string
phone	string
cv_url	url
github	url
skills	tags
country	string
summary	string
currency	string
linkedin	url
pronouns	string
languages	tags
last_name	string
portfolio	url
source_id	string
cv_blob_id	string
first_name	string
salutation	enum
pool_status	enum
current_role	string
gdpr_consent	bool
source_label	string
available_from	string
avatar_blob_id	string
current_company	string
gdpr_consent_at	string
last_touched_at	string
preferred_locale	string
years_experience	number
salary_expectation	number
gdpr_retention_until	string

Fields marked create-only but not patchable are immutable after creation. Server-managed fields include id, timestamps, ownership, and status.

Filtering & sorting

Combinable on list endpoints. Repeating a filter key produces an IN clause; prefixing a sort key with - reverses direction. Example: ?status=open&status=blocked&sort=-created_at.

Filter keys

emaildata__email

namedata__name

locationdata__location

countrydata__country

source_iddata__source_id

tagsdata__tags

skillsdata__skills

pool_statusdata__pool_status

gdpr_consentdata__gdpr_consent

statusstatus

is_archivedis_archived

owned_byowned_by

created_bycreated_by

Sort keys

created_atcreated_at

updated_atupdated_at

namedata__name

last_touched_atdata__last_touched_at

Default: created_at

Endpoints

Each endpoint below lists its HTTP method, path, and the PAT scope it needs. Code samples cover curl, JavaScript, TypeScript, Python, Rust, Java, and WebSocket.

GET/xapi2/data/candidatecandidate:list

List objects

Returns a paginated list of objects you can read. Default page size is 20; pass ?limit= to change (capped per type). Use ?after=<id> for keyset pagination on created_at-sorted lists, or ?offset= for offset paging.

curl -H "Authorization: Bearer pat_…" \
     "https://www.ki-bewerber-management.de/xapi2/data/candidate?limit=20"

GET/xapi2/data/candidate/{id}candidate:read

Read one

Returns the object by id. 404 if it does not exist or you cannot read it (the two cases are intentionally conflated).

curl -H "Authorization: Bearer pat_…" \
     https://www.ki-bewerber-management.de/xapi2/data/candidate/OBJECT_ID

POST/xapi2/data/candidatecandidate:create

Create

Creates a new object. Body is a flat JSON dict of field values. Server-side fields (id, timestamps, ownership) are filled automatically; only fields listed below as creatable are read from the body.

curl -H "Authorization: Bearer pat_…" \
     -H "Content-Type: application/json" \
     -X POST https://www.ki-bewerber-management.de/xapi2/data/candidate \
     -d '{"name": "…"}'

PATCH/xapi2/data/candidate/{id}candidate:update

Update

Partial update. Only fields included in the body are touched; everything else is preserved. Same allow-list as create, minus the fields that are immutable post-create.

curl -H "Authorization: Bearer pat_…" \
     -H "Content-Type: application/json" \
     -X PATCH https://www.ki-bewerber-management.de/xapi2/data/candidate/OBJECT_ID \
     -d '{"name": "…"}'

DELETE/xapi2/data/candidate/{id}candidate:delete

Delete

Removes the object. It vanishes from every default list immediately and stops being returned by read / list.

curl -H "Authorization: Bearer pat_…" \
     -X DELETE https://www.ki-bewerber-management.de/xapi2/data/candidate/OBJECT_ID

Use in CLI

The same endpoints are also exposed via the KI BMS CLI. For scripts, CI, and bulk imports it's usually the faster path.

atscli candidate list --limit 5
atscli candidate get <id>
atscli candidate create --name "Hello"
atscli candidate upsert --unique name --csv items.csv
atscli candidate schema   # fields & limits

Full command reference, profiles, CSV import, auto-retry, NDJSON streaming → /docs/cli