Valcraven Docs
Reference

API endpoints

A reference of the built-in API routes, grouped by area, with method, path, purpose, and auth requirement.

Every built-in API route lives under apps/web/app/api/ as a route.ts file. This page inventories them by area. It is a map, not an exhaustive contract — open the route file for exact request/response shapes.

Auth conventions

Routes fall into a few auth buckets:

AuthHow it's enforced
PublicNo session required.
Sessionauth.api.getSession({ headers }) — a signed-in user is required.
Session or API keyauthenticateRequest() — accepts a session cookie or a Bearer sk_... / x-api-key developer key (when API keys are enabled).
AdminrequirePermission(req, PERMISSIONS.*) from lib/rbac — an admin session with the relevant permission.
Webhook signatureVerified against a provider signing secret (e.g. Stripe).
InternalServer-to-server only, authorized by CRON_SECRET or AGENTS_INTERNAL_SECRET — never called from a browser.

Every data route scopes its queries to the session's user id — never a hardcoded id. See Building → Add an API route.

Auth & session

MethodPathPurposeAuth
GET POST/api/auth/[...all]Better Auth catch-all: sign-in/up, session, OAuth callbacks, password reset, 2FA. Rate-limited.Public (auth flows)
GET/api/auth/permissionsThe current user's resolved RBAC permissions.Session

Items (example resource)

The items resource is the worked example of a CRUD API, opted into API-key auth. See API keys.

MethodPathPurposeAuth
GET POST/api/itemsList / create items for the current user.Session or API key
PATCH DELETE/api/items/[id]Update / delete one item.Session or API key
GET/api/searchFull-text search across the user's items.Session

Developer API keys

MethodPathPurposeAuth
GET POST/api/api-keysList / create per-user API keys.Session
PATCH DELETE/api/api-keys/[id]Rename / revoke a key.Session

Settings

MethodPathPurposeAuth
GET/api/settings/accountAccount metadata (provider, email-verified, created).Session
GET/api/settings/activityRecent account activity.Session
POST/api/settings/avatarPersist the user's avatar URL.Session
GET/api/settings/exportExport all of the user's data as JSON.Session
POST/api/settings/delete-accountPermanently delete the account and its data.Session
GET PUT/api/settings/model-preferenceGet / set the user's preferred chat model.Session

Chat & conversations

MethodPathPurposeAuth
GET/api/chat/active-modelThe catalog model the chat should run against now, after precedence resolution.Session
GET POST/api/conversationsList / create chat conversations.Session
GET DELETE/api/conversations/[id]Fetch / delete one conversation.Session
GET POST/api/conversations/[id]/messagesList / append messages in a conversation.Session

The chat message stream itself is not an API route — it runs over a WebSocket to the realtime Worker (apps/realtime). These routes manage conversation history. See AI chat.

Notifications & push

MethodPathPurposeAuth
GET/api/notificationsList the user's notifications.Session
POST/api/notifications/[id]/readMark one notification read.Session
POST/api/notifications/read-allMark all read.Session
POST DELETE/api/push-tokensRegister / unregister an Expo push token (mobile).Session

Files & images

MethodPathPurposeAuth
GET POST/api/filesList / upload files (to R2, local, or an external backend).Session
GET DELETE/api/files/[key]Fetch / delete a stored file.Session
POST/api/imagesUpload a generated image.Session
GET/api/images/[...key]Serve a stored image.Session

Voice

MethodPathPurposeAuth
POST/api/voice/speakElevenLabs text-to-speech proxy (API key stays server-side).Session

Billing (Stripe)

MethodPathPurposeAuth
POST/api/stripe/create-checkoutStart a Stripe Checkout session.Session
GET/api/stripe/portalGet a Stripe customer-portal URL.Session
GET/api/stripe/statusCurrent plan / subscription status.Session
POST/api/stripe/webhookStripe event webhook (syncs subscription state).Webhook signature

Realtime

MethodPathPurposeAuth
POST/api/realtime-demo/pingPublish a single event to the user's realtime channel (demo).Session

Feature flags

MethodPathPurposeAuth
GET/api/flagsEvaluate feature flags with the user's context. Unauthenticated requests get global defaults.Public / Session-aware

Newsletter & waitlist

MethodPathPurposeAuth
POST/api/subscribeNewsletter signup. Rate-limited.Public
GET POST/api/unsubscribeUnsubscribe via a signed token.Public
POST/api/waitlist/joinJoin the waitlist. Rate-limited.Public
GET/api/waitlist/statusWaitlist mode / position status.Public
GET/api/waitlist/validate-inviteValidate an invite code.Public
POST/api/waitlist/redeem-inviteRedeem an invite code.Session

Email tracking

MethodPathPurposeAuth
GET/api/email/openOpen-tracking pixel.Public (signed token)
GET/api/email/clickClick-tracking redirect.Public (signed token)

Analytics & health

MethodPathPurposeAuth
POST/api/analytics/trackRecord an analytics event.Session
GET/api/healthStructured health snapshot (200 ok/degraded, 503 down) for external monitors.Public
MethodPathPurposeAuth
GET/api/docs-searchFull-text search over the customer docs.Public
GET/api/wiki-searchFull-text search over the admin dev wiki.Admin

Outbound webhooks

Manage endpoints that Valcraven calls when events fire. See Webhooks.

MethodPathPurposeAuth
GET POST/api/webhooksList / create outbound webhook endpoints.Session
GET PATCH DELETE/api/webhooks/[id]Manage one endpoint.Session
GET/api/webhooks/[id]/deliveriesDelivery history for an endpoint.Session
POST/api/webhooks/[id]/testSend a test event to an endpoint.Session

Cron & internal

Server-to-server only — not called from a browser.

MethodPathPurposeAuth
GET/api/cronEnqueue and process due scheduled jobs.CRON_SECRET
POST/api/internal/campaign-batchDrain one campaign send batch (queue consumer).CRON_SECRET
POST/api/internal/cache-purgePurge cached public pages by tag.CRON_SECRET
POST/api/internal/conversation-messagePersist an agent-generated chat message.AGENTS_INTERNAL_SECRET
POST/api/internal/notificationsCreate a notification from the realtime Worker.AGENTS_INTERNAL_SECRET
POST/api/internal/docs-searchFTS5 search over the docs corpus (customer docs + dev wiki) for AI-chat retrieval.AGENTS_INTERNAL_SECRET
POST/api/internal/docs-index/rebuildRebuild the docs FTS5 index from the current MDX.AGENTS_INTERNAL_SECRET or CRON_SECRET

Admin

All admin routes live under /api/admin/* and require an admin session with the matching permission (requirePermission). They power the admin console. See Admin.

AreaRepresentative routesPurpose
UsersGET /api/admin/users, GET /api/admin/users/[id], PATCH …/status, PATCH DELETE …/plan, GET PUT DELETE …/role, POST …/email, POST …/reset-pwBrowse and manage users, plans, status, roles, email, and password resets.
Roles (RBAC)GET POST /api/admin/roles, GET PATCH DELETE /api/admin/roles/[id]Manage roles and their permissions.
AnalyticsGET /api/admin/analytics, …/growth, …/product, …/revenueDashboards: overview, growth, product, revenue.
AI modelsGET PUT /api/admin/ai-models, PUT DELETE /api/admin/ai-models/keys, GET /api/admin/ai-usageConfigure the model catalog, provider keys, and view usage/cost.
CampaignsGET POST /api/admin/campaigns, GET PATCH DELETE …/[id], POST …/send, …/schedule, …/cancel, …/resend, …/preview, GET …/analytics, POST …/audience-count, POST …/sync-deliveryCreate, schedule, send, and analyze email campaigns.
SubscribersGET PATCH POST DELETE /api/admin/subscribers, GET …/[email]/events, GET …/tagsManage newsletter subscribers, tags, and per-subscriber events.
BlogGET POST /api/admin/blog, GET PATCH DELETE /api/admin/blog/[id], POST …/previewAuthor and manage blog posts.
Database browserGET /api/admin/database/tables, GET PATCH DELETE /api/admin/database/[table]Browse and edit database tables.
WaitlistGET /api/admin/waitlist, POST …/inviteReview the waitlist and issue invites.
OpsGET /api/admin/health, GET POST /api/admin/jobs, GET /api/admin/logs, GET /api/admin/audit-logHealth, scheduled jobs, logs, and the audit trail.

On this page