API Routes
API route handlers expose health, auth, analytics, billing, contact, waitlist, webhooks, cron, scheduler, and admin operations.
On this page
API route map
| Category | Endpoints | Auth requirement |
|---|---|---|
| Health | GET /api/health | None. |
| Auth | GET /api/auth/me | Session required. |
| Analytics | GET /api/analytics/platform/range, GET /api/analytics/revenue/range | Session and dashboard access required. |
| Billing | POST /api/billing/checkout, POST /api/billing/portal, GET /api/billing/status | Session required. |
| Billing admin | /api/system/billing/* | Super admin role required. |
| Contact | POST /api/contact | Public, validated, rate-limited, and Turnstile-aware when configured. |
| Waitlist | POST /api/waitlist/signup, GET /api/waitlist/confirm, GET /api/waitlist/export | Signup and confirm are public; export is admin-only. |
| Webhooks | POST /api/webhooks/stripe/billing, POST /api/webhooks/lemonsqueezy, POST /api/notifications/webhooks/resend | Provider signature verification. |
| Cron jobs | GET /api/cron/data-retention, GET /api/cron/notification-outbox | CRON_SECRET bearer token. |
| Scheduler | POST /api/scheduler/publish | CRON_SECRET bearer token. |
- 1
Add a new API route
Create a route.ts file under src/app/api/<name>/ and delegate validation, auth, and business behavior to lib or feature-owned server modules.
- 2
Add a webhook endpoint
Create the route under src/app/api/webhooks/<provider>/, validate the provider signature, and make writes idempotent for duplicate delivery.
- 3
Add a cron job
Create the route under src/app/api/cron/<name>/, protect it with CRON_SECRET, and document it in docs/CRON_JOBS.md.
API route rules
- Authenticate before processing protected requests.
- Validate request payloads at the route or service boundary.
- Validate webhook signatures before touching database records.
- Make external event handlers safe for retries and duplicate delivery.
- Protect cron endpoints with the CRON_SECRET bearer token.
- Keep route handlers thin and preserve structured request context in logs.
- Rate-limit public and hot-path endpoints.