Update Cove TODO: Add comprehensive Postman testing instructions

Replaced curl examples with detailed Postman testing guide:
- Step-by-step Postman setup instructions
- Two authentication methods to test (Bearer Token vs X-API-Key)
- Multiple base URLs to try (api.backup.management, backup.management)
- Expected response codes and what they mean (200, 401, 403, 404)
- Endpoint discovery list (accounts, customers, devices, jobs)
- Tips for finding API documentation

Added Postman best practices:
- Create Cove API collection
- Use environment variables (cove_token, cove_base_url)
- Save response examples
- Check rate limit headers
- Export collection to JSON

Added structured template for documenting test results:
- Working configuration (base URL, auth method)
- Available endpoints table
- Key response fields mapping to Backupchecks
- Pagination and rate limiting details
- Location to save Postman collection export

Ready for immediate API testing with Postman!

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

TODO-cove-data-protection.md

@@ -276,47 +276,161 @@ Other backup systems that use APIs:
 - Search Cove knowledge base for "API documentation"
 - Try common API base URLs with `/docs` or `/swagger` endpoints
 
-**2. Quick API Test** (can be done now with token!)
+**2. Quick API Test with Postman** (can be done now with token!)
-Try these curl commands to test authentication:
 
-```bash
+### Postman Setup Instructions
-# Replace YOUR_TOKEN with actual token from https://backup.management/#/api-users
-# Try different authentication methods and endpoints:
 
-# Test 1: Bearer token + accounts endpoint
+**Step 1: Create New Request**
-curl -v -H "Authorization: Bearer YOUR_TOKEN" \
+1. Open Postman
-  https://api.backup.management/api/accounts
+2. Click "New" → "HTTP Request"
+3. Name it "Cove API - Test Authentication"
 
-# Test 2: API Key header
+**Step 2: Configure Request**
-curl -v -H "X-API-Key: YOUR_TOKEN" \
+- **Method:** GET
-  https://api.backup.management/api/accounts
+- **URL:** Try these in order:
+  1. `https://api.backup.management/api/accounts`
+  2. `https://backup.management/api/accounts`
+  3. `https://api.backup.management/api/customers`
 
-# Test 3: Alternative base URL
+**Step 3: Add Authentication (try both methods)**
-curl -v -H "Authorization: Bearer YOUR_TOKEN" \
-  https://backup.management/api/accounts
 
-# Test 4: Check for API documentation
+**Option A: Bearer Token**
-curl https://api.backup.management/swagger
+- Go to "Authorization" tab
-curl https://api.backup.management/docs
+- Type: "Bearer Token"
-curl https://backup.management/api/docs
+- Token: `YOUR_TOKEN` (paste token from backup.management)
 
-# Test 5: Try common endpoints
+**Option B: API Key in Header**
-curl -v -H "Authorization: Bearer YOUR_TOKEN" \
+- Go to "Headers" tab
-  https://api.backup.management/api/customers
+- Add header:
+  - Key: `X-API-Key`
+  - Value: `YOUR_TOKEN`
 
-curl -v -H "Authorization: Bearer YOUR_TOKEN" \
+**Step 4: Send Request and Analyze Response**
-  https://api.backup.management/api/devices
 
-# Note: Use -v flag to see full HTTP response including headers
+**Expected Results:**
-# Look for authentication errors vs 404 errors to determine correct URL/auth
+- ✅ **200 OK** → Success! API works, save this configuration
+  - Copy the JSON response → we'll analyze structure
+  - Note which URL and auth method worked
+  - Check for pagination info in response
+
+- ❌ **401 Unauthorized** → Wrong auth method
+  - Try other authentication option (Bearer vs X-API-Key)
+  - Check if token was copied correctly
+
+- ❌ **404 Not Found** → Wrong endpoint URL
+  - Try alternative base URL (api.backup.management vs backup.management)
+  - Try different endpoint (/api/customers, /api/devices)
+
+- ❌ **403 Forbidden** → Token works but insufficient permissions
+  - Verify API user has SuperUser role
+  - Check customer scope selection
+
+**Step 5: Discover Available Endpoints**
+
+Once authentication works, try these endpoints:
+```
+GET /api/accounts
+GET /api/customers
+GET /api/devices
+GET /api/jobs
+GET /api/statistics
+GET /api/sessions
 ```
 
+For each successful endpoint, save:
+- The request in Postman collection
+- Example response in TODO or separate file
+- Note any query parameters (page, limit, filter, etc.)
+
+**Step 6: Look for API Documentation**
+
+Try these URLs in browser or Postman:
+- `https://api.backup.management/swagger`
+- `https://api.backup.management/docs`
+- `https://api.backup.management/api-docs`
+- `https://backup.management/api/documentation`
+
+**Step 7: Document Findings**
+
+After successful testing, document in this TODO:
+- ✅ Working API base URL
+- ✅ Correct authentication method (Bearer vs header)
+- ✅ List of available endpoints discovered
+- ✅ JSON response structure examples
+- ✅ Any pagination/filtering patterns
+- ✅ Rate limits (check response headers: X-RateLimit-*)
+
+### Postman Tips for This Project
+
+**Save Everything:**
+- Create a "Cove API" collection in Postman
+- Save all working requests
+- Export collection to JSON for documentation
+
+**Use Variables:**
+- Create Postman environment "Cove Production"
+- Add variable: `cove_token` = your token
+- Add variable: `cove_base_url` = working base URL
+- Use `{{cove_token}}` and `{{cove_base_url}}` in requests
+
+**Check Response Headers:**
+- Look for `X-RateLimit-Limit` (API call limits)
+- Look for `X-RateLimit-Remaining` (calls left)
+- Look for `Link` header (pagination)
+
+**Save Response Examples:**
+- For each endpoint, save example response
+- Use Postman's "Save Response" feature
+- Or copy JSON to separate file for reference
+
 **3. Document Findings**
-After successful API call, document in this file:
+
-- Working API base URL
+**After successful Postman testing, update this TODO with:**
-- Correct authentication header format
+
-- Available endpoints discovered
+```markdown
-- Example response format
+## ✅ API Testing Results (Add after testing)
+
+### Working Configuration
+- **Base URL:** [fill in]
+- **Authentication:** Bearer Token / X-API-Key header (circle one)
+- **Token Location:** Authorization header / X-API-Key header (circle one)
+
+### Available Endpoints Discovered
+| Endpoint | Method | Purpose | Response Fields |
+|----------|--------|---------|-----------------|
+| /api/accounts | GET | List accounts | [list key fields] |
+| /api/customers | GET | List customers | [list key fields] |
+| /api/devices | GET | List backup devices | [list key fields] |
+| /api/jobs | GET | List backup jobs | [list key fields] |
+
+### Key Response Fields for Backupchecks Integration
+From backup job/session endpoint:
+- Job ID: `[field name]`
+- Job Name: `[field name]`
+- Status: `[field name]` (values: success/warning/failed)
+- Start Time: `[field name]`
+- End Time: `[field name]`
+- Customer/Device: `[field name]`
+- Error Messages: `[field name]`
+- Backup Objects: `[field name or nested path]`
+
+### Pagination
+- Method: [Link headers / page parameter / cursor / none]
+- Page size: [default and max]
+- Total count: [available in response?]
+
+### Rate Limiting
+- Limit: [X requests per Y time]
+- Headers: [X-RateLimit-* header names]
+
+### API Documentation URL
+- [URL if found, or "Not found" if unavailable]
+```
+
+**Save Postman Collection:**
+- Export collection as JSON
+- Save to: `/docker/develop/backupchecks/docs/cove-api-postman-collection.json`
+- Or share Postman workspace link in this TODO
 
 **4. Create POC Script**
 Once API works, create standalone Python test script: