# API Contract: View Attendee List (011)

**Date**: 2026-03-08

## New Endpoint

### `GET /events/{token}/attendees`

Retrieves the list of attendees for an event. Restricted to the event organizer.

**Path Parameters**:

| Parameter | Type | Description |
|-----------|------|-------------|
| token | string (UUID) | Event token |

**Query Parameters**:

| Parameter | Type | Required | Description |
|-----------|------|----------|-------------|
| organizerToken | string (UUID) | Yes | Organizer token for authorization |

**Responses**:

#### 200 OK

Organizer token is valid. Returns the attendee list.

```json
{
  "attendees": [
    { "name": "Alice" },
    { "name": "Bob" },
    { "name": "Charlie" }
  ]
}
```

#### 200 OK (empty list)

No RSVPs yet.

```json
{
  "attendees": []
}
```

#### 403 Forbidden

Organizer token is missing, invalid, or does not match the event.

```json
{
  "type": "about:blank",
  "title": "Forbidden",
  "status": 403,
  "detail": "Invalid organizer token."
}
```

#### 404 Not Found

Event token does not exist.

```json
{
  "type": "about:blank",
  "title": "Not Found",
  "status": 404,
  "detail": "Event not found."
}
```

## OpenAPI Schema Addition

```yaml
/events/{token}/attendees:
  get:
    operationId: getAttendees
    summary: Get attendee list for an event (organizer only)
    parameters:
      - name: token
        in: path
        required: true
        schema:
          type: string
          format: uuid
      - name: organizerToken
        in: query
        required: true
        schema:
          type: string
          format: uuid
    responses:
      '200':
        description: Attendee list
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/GetAttendeesResponse'
      '403':
        description: Invalid organizer token
      '404':
        description: Event not found

GetAttendeesResponse:
  type: object
  required:
    - attendees
  properties:
    attendees:
      type: array
      items:
        $ref: '#/components/schemas/Attendee'
      example:
        - name: "Alice"
        - name: "Bob"

Attendee:
  type: object
  required:
    - name
  properties:
    name:
      type: string
      minLength: 1
      maxLength: 100
      example: "Alice"
```

## Existing Endpoints (unchanged)

- `POST /events` — no changes
- `GET /events/{token}` — no changes (still returns `attendeeCount` publicly)
- `POST /events/{token}/rsvps` — no changes