Building for Municipal Scale: API-First Architecture

When we talk to municipal IT departments about switching permitting software, the first question is rarely about features. It’s about integration.

“Can it talk to our finance system?” “Does it connect to ESRI?” “What does the data migration look like?” “What happens to our reporting when we switch?”

These are the right questions. A permitting platform doesn’t exist in isolation — it sits inside a broader municipal technology ecosystem, and the friction of integration has killed more software projects than bad UX ever has.

Why API-First Matters

An API-first architecture means the system’s own frontend is a consumer of the same API available to everyone else. There’s no special internal pathway that third-party integrations can’t access. Every operation the staff application performs, an integration can perform too.

That’s not how legacy municipal software was built. Most of it has a tightly coupled frontend and backend with no real API surface. Integrations are either non-existent or built as one-off export files that need to be manually imported somewhere else.

Civaptic launched with 200+ RESTful API endpoints across 43 controllers. That number isn’t a marketing stat — it reflects a decision made early in the architecture: if the system can do it, the API can do it.

What That Unlocks

Finance system integration. Permit fees calculated in Civaptic can be posted directly to your finance system’s GL codes without manual re-entry.

GIS integration. We built native ESRI support, but because the parcel and property data flows through the API, you can substitute your own GIS infrastructure if ESRI isn’t what you run.

Document management. Submitted documents, issued permits, and inspection reports are all accessible via API, so they can flow into your existing document management system automatically.

Reporting. Rather than being locked into our reporting module, municipalities can pull data into their existing BI tools — Power BI, Tableau, whatever they use — via the API.

Stats Canada reporting. Mandatory survey submissions are generated automatically from permit data, formatted to Stats Canada specifications.

Security Doesn’t Get Compromised for Convenience

An open API surface has to be a secure one. Civaptic uses JWT-based authentication with role-based access control — the same permissions model that governs what staff can do in the UI governs what integrations can do via the API. Multi-tenant data isolation means a call authenticated for Municipality A can never access Municipality B’s data, regardless of what it requests.

The goal is to make Civaptic easy to integrate with, not easy to misuse. Those aren’t the same thing, and in municipal software, the distinction matters.