API

High-level reference of endpoints detected in the codebase.

Scope

This section describes endpoints used by the application. It does not imply a supported public API.

Authentication

Authentication is based on Supabase Auth; protected routes require a valid session.
Some internal routes may rely on middleware-injected headers (defense-in-depth).

Endpoints (discovered)

> Note: internal-only endpoints (e.g. admin routes) are omitted from the public documentation.

/api/cron/*

GET /api/cron/feedback/auto-close

/api/documents

GET /api/documents/[fileId]/download

/api/onboarding

GET /api/onboarding/domain-status
POST /api/onboarding/join
POST /api/onboarding/register

/api/session

GET /api/session

/api/v1/*

GET, POST /api/v1/employees
GET, PATCH, DELETE /api/v1/employees/[employeeId]
PATCH /api/v1/employees/[employeeId]/compensation
POST /api/v1/employees/[employeeId]/roles
DELETE /api/v1/employees/[employeeId]/roles/[roleHistoryId]
PATCH /api/v1/employees/[employeeId]/status
GET /api/v1/me
GET, POST /api/v1/roles
GET, POST /api/v1/teams
GET, POST /api/v1/tenants
GET, PATCH, DELETE /api/v1/tenants/[tenantId]

Errors & rate limits

Errors are returned as standard HTTP responses; avoid relying on error messages for business logic.
Rate limits: TBD.