API Reference
Complete API documentation and reference
All API routes live under /api. JSON responses use standard HTTP status codes. Session-protected routes require a valid session cookie (set by sign-in).
Endpoints
- GET
/api/todosList todos
Returns all todos for the signed-in manager. The `userId` field on each row is the manager id. Requires a valid session cookie.
- Auth
- Session (signed-in manager)
- Response
- Array of todo objects: `{ id, userId, description, createdAt, updatedAt }` (`userId` = manager id)
- Errors
- 401 — Not signed in
- 500 — Server error
- POST
/api/todosCreate a todo
Creates a new todo for the current manager. Body must include a description (2–255 characters).
- Auth
- Session (signed-in manager)
- Request
- JSON: `{ "description": "string" }`description: string, min 2, max 255
- Response
- The created todo object.
- Errors
- 400 — Invalid or missing description
- 401 — Not signed in
- 500 — Server error
- GET
/api/corporatesList corporates
Returns a list of corporates (id and name). Legacy endpoint; was used for corporate sign-in dropdown.
- Auth
- Public
- Response
- Array of `{ id, name }`. On error returns `[]` with status 200.
- GET
/api/confirm-emailConfirm manager email (signup & invitations)
Validates the token, marks the manager as email-confirmed, creates a manager session (managerId, corpId, corpName), and redirects to `/dashboard` (sole proprietor) or `/dashboard/corporate` (invited manager). On failure redirects to sign-in with an error query param.
- Auth
- Query token (from email link)
- Request
- Query: `?token=...`
- Response
- Redirect to `/dashboard` or `/signin?error=...`
- Errors
- invalid_token — Missing or empty token
- invalid_or_expired — Token not found or expired
- confirm_failed — DB update failed
- GET
/api/confirm-manager-emailConfirm manager email
Validates the manager’s confirmation token, marks the manager as confirmed, creates a manager session, and redirects to the corporate dashboard.
- Auth
- Query token (from email link)
- Request
- Query: `?token=...`
- Response
- Redirect to `/dashboard/corporate` or `/signin?error=...`
- Errors
- invalid_token, invalid_or_expired, confirm_failed
- GET
/api/confirm-corp-user-emailConfirm corporate user email
Validates the corporate user’s confirmation token, marks them as confirmed, creates a session, and redirects to the issues dashboard.
- Auth
- Query token (from email link)
- Request
- Query: `?token=...`
- Response
- Redirect to `/dashboard/issues` or `/signin?error=...`
- Errors
- invalid_token, invalid_or_expired, confirm_failed
- GET
/api/validate-manager-tokenValidate manager invitation token
Checks whether a manager invitation token is valid. Used by the invitation/registration flow to show manager email and corporate name before sign-up.
- Auth
- Public (token in query)
- Request
- Query: `?token=...`
- Response
- `{ valid: boolean, email?: string, corpName?: string, error?: string }`
- Errors
- valid: false with error "Missing token" or "This invitation link is invalid or has expired." or "Corporate not found."
- GET
/api/validate-corp-user-tokenValidate corporate user invitation token
Checks whether a corporate user (team member) invitation token is valid. Used to show email and corporate name before sign-up.
- Auth
- Public (token in query)
- Request
- Query: `?token=...`
- Response
- `{ valid: boolean, email?: string, corpName?: string, error?: string }`
- Errors
- valid: false with error "Missing token" or "This invitation link is invalid or has expired." or "Corporate not found."
- GET
/api/teams/[id]/usersList team users
Returns the list of corporate users (team members) in the given team. Only the manager who owns the team can access it.
- Auth
- Manager session
- Request
- Path: `id` — team ID (integer).
- Response
- `{ users: Array<{ id, email }> }`
- Errors
- 400 — Invalid team ID
- 401 — Not signed in as manager
- 403 — Team does not belong to current manager
- 404 — Team not found
- POST
/api/clean-users-tableClean unconfirmed managers (cron, legacy path name)
Deletes managers who never confirmed and were created more than 24 hours ago (sole: full workspace teardown; invited: manager row only). Path name kept for existing cron URLs after removing the users table. In development, no secret is required.
- Auth
- Bearer CRON_SECRET (or dev only)
- Request
- Header: `Authorization: Bearer <CRON_SECRET>`
- Response
- `{ success: boolean, deleted: number, message: string }` or `{ success: false, error }`
- Errors
- 401 — Invalid or missing CRON_SECRET
- 500 — Cleanup failed
- POST
/api/clean-managers-tableClean unconfirmed managers (cron)
Deletes managers who never confirmed their email and were created more than 24 hours ago. For use by a daily cron job.
- Auth
- Bearer CRON_SECRET (or dev only)
- Request
- Header: `Authorization: Bearer <CRON_SECRET>`
- Response
- `{ success: boolean, deleted: number, message: string }` or `{ success: false, error }`
- Errors
- 401 — Invalid or missing CRON_SECRET
- 500 — Cleanup failed
- POST
/api/clean-corp-users-tableClean unconfirmed corporate users (cron)
Deletes corporate users who never confirmed their email and were created more than 24 hours ago. For use by a daily cron job.
- Auth
- Bearer CRON_SECRET (or dev only)
- Request
- Header: `Authorization: Bearer <CRON_SECRET>`
- Response
- `{ success: boolean, deleted: number, message: string }` or `{ success: false, error }`
- Errors
- 401 — Invalid or missing CRON_SECRET
- 500 — Cleanup failed