
Web API Routes


Backend

All routes live under apps/web/src/app/api.

Billing and Sessions

  • POST /api/create-checkout-session
    • Headers: Authorization: Bearer <Firebase ID token> (email must be verified)
    • Body: { "planId": "starter" | "pro" }
    • Returns: { sessionId }
    • Behavior: validates the stored Stripe customer; if none is stored, looks one up by email and reuses it; otherwise creates one and links it to the user.
  • POST /api/billing/change-plan
    • Headers: Authorization: Bearer <Firebase ID token>
    • Body: { "planId": "starter" | "pro" }
    • Returns: { success, subscription, requiresAction?, paymentIntentClientSecret? }
      • When requiresAction is true, confirm the returned paymentIntentClientSecret via Stripe.js before refreshing claims.
  • POST /api/verify-session
    • Body: { "sessionId": string }
    • Returns: { subscription, customToken, success: true }
  • POST /api/auth/session and DELETE /api/auth/session
    • Creates or clears the HTTP-only __session cookie from a Firebase ID token.
  • POST /api/billing/portal
    • Requires the __session cookie; returns { url } for the Stripe Billing Portal.

Credits

  • GET /api/credits/balance
    • Requires __session cookie.
    • Returns: { authenticated: true, balance: number, periodStart: ISO | null, periodEnd: ISO | null, planId: string | null, priceId: string | null }

Stripe webhooks are handled by the Firebase Function stripeWebhook (Cloud Functions URL). Configure the Stripe Dashboard to call your deployed Functions URL. The handler processes checkout.session.completed, customer.subscription.* and invoice.payment_* events to upsert users/{uid}/subscription/current and the temporary checkout state.

API Keys & Request Logs

  • GET /api/api-keys — list current keys for the authenticated user via __session.
  • POST /api/api-keys — create a new API key; mirrors hashed key to root apiKeys/{hash} for Functions validation.
  • DELETE /api/api-keys/[id] — revoke a key by id; mirrors revoke to root apiKeys/{hash}.
  • GET /api/api-requests — paginated list of recent Public API requests logged under users/{uid}/apiRequests.

Utilities

  • GET /api/debug-env — reports whether expected environment variables are present (values are not returned).
  • GET /api/tiktok/callback — local desktop OAuth shim for TikTok.

Middleware

  • src/middleware.js enforces presence of __session cookie on /dashboard and /api/billing/* paths.

Related frontend: see Frontend

Frontend

  • Client pages call these routes for server-only operations (Stripe, cookies, local shims).
  • AuthContext triggers /api/auth/session when Firebase ID token changes.
  • Success page calls /api/verify-session to finalize checkout.

Related backend: see Backend