Shipflash logoDocs

API Routes

API route handlers expose health, auth, analytics, billing, contact, waitlist, webhooks, cron, scheduler, and admin operations.

On this page

API route map

CategoryEndpointsAuth requirement
HealthGET /api/healthNone.
AuthGET /api/auth/meSession required.
AnalyticsGET /api/analytics/platform/range, GET /api/analytics/revenue/rangeSession and dashboard access required.
BillingPOST /api/billing/checkout, POST /api/billing/portal, GET /api/billing/statusSession required.
Billing admin/api/system/billing/*Super admin role required.
ContactPOST /api/contactPublic, validated, rate-limited, and Turnstile-aware when configured.
WaitlistPOST /api/waitlist/signup, GET /api/waitlist/confirm, GET /api/waitlist/exportSignup and confirm are public; export is admin-only.
WebhooksPOST /api/webhooks/stripe/billing, POST /api/webhooks/lemonsqueezy, POST /api/notifications/webhooks/resendProvider signature verification.
Cron jobsGET /api/cron/data-retention, GET /api/cron/notification-outboxCRON_SECRET bearer token.
SchedulerPOST /api/scheduler/publishCRON_SECRET bearer token.
  1. 1

    Add a new API route

    Create a route.ts file under src/app/api/<name>/ and delegate validation, auth, and business behavior to lib or feature-owned server modules.

  2. 2

    Add a webhook endpoint

    Create the route under src/app/api/webhooks/<provider>/, validate the provider signature, and make writes idempotent for duplicate delivery.

  3. 3

    Add a cron job

    Create the route under src/app/api/cron/<name>/, protect it with CRON_SECRET, and document it in docs/CRON_JOBS.md.

API route rules

  • Authenticate before processing protected requests.
  • Validate request payloads at the route or service boundary.
  • Validate webhook signatures before touching database records.
  • Make external event handlers safe for retries and duplicate delivery.
  • Protect cron endpoints with the CRON_SECRET bearer token.
  • Keep route handlers thin and preserve structured request context in logs.
  • Rate-limit public and hot-path endpoints.