API Routes Reference

Internal API endpoints in the Refresh App Web application.

Authentication Endpoints

POST /auth/signin/google

OAuth sign-in with Google.

Handler: Auth.js

Authentication: None (public)

Response: Redirects to Google OAuth consent screen

POST /auth/signin/microsoft

OAuth sign-in with Microsoft Entra ID.

Handler: Auth.js

Authentication: None (public)

Response: Redirects to Microsoft OAuth consent screen

POST /auth/callback/google

OAuth callback from Google.

Handler: Auth.js

Authentication: None (public; the state parameter must match the value issued to this browser at sign-in, so a callback that was not the continuation of a sign-in started here is rejected)

Response: Sets session cookie, redirects to /app

POST /auth/callback/microsoft

OAuth callback from Microsoft.

Handler: Auth.js

Authentication: None (public; the state parameter must match the value issued to this browser at sign-in, so a callback that was not the continuation of a sign-in started here is rejected)

Response: Sets session cookie, redirects to /app
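
The state check that makes the two public callback routes safe, reduced to two pure functions. This is an added illustration of the mechanism, not Auth.js's own code: the cookie name, the callback URL and the success redirect are assumptions, and whether the provider returns state and code in the query string or in a POSTed form body, the comparison is the same.

```typescript
// Added example (not Auth.js's implementation): OAuth state issued at sign-in,
// bound to the browser by a cookie, and compared on the callback.
import { randomBytes, timingSafeEqual } from 'node:crypto';

export interface SigninResult { redirect: string; stateCookie: string }
export interface CallbackResult { status: 302 | 400; location?: string; error?: string }

// Assumed callback URL for the example; the real one is whatever is registered with the provider.
const CALLBACK = 'https://app.example/auth/callback/google';

// Sign-in: mint an unguessable state, hand it to the browser as a cookie, and send
// the browser to the provider's authorize URL carrying the same value.
export function beginSignin(authorizeUrl: string, clientId: string): SigninResult {
  const state = randomBytes(32).toString('base64url');
  const url = new URL(authorizeUrl);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', CALLBACK);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('state', state);
  return { redirect: url.toString(), stateCookie: state };
}

// Callback: accept the code only if the state echoed by the provider equals the
// state this browser was issued. A mismatch (or no cookie at all) means the
// callback did not continue a sign-in this browser started: login CSRF.
export function handleCallback(params: URLSearchParams, stateCookie: string | undefined): CallbackResult {
  const state = params.get('state');
  const code = params.get('code');
  if (!state || !code || !stateCookie) return { status: 400, error: 'missing state or code' };
  const a = Buffer.from(state, 'utf8');
  const b = Buffer.from(stateCookie, 'utf8');
  if (a.length !== b.length || !timingSafeEqual(a, b)) return { status: 400, error: 'state mismatch' };
  // At this point the server exchanges `code` for tokens, builds the session cookie
  // and redirects; the exchange itself is out of scope for this illustration.
  return { status: 302, location: '/app' };
}
```

The state cookie must be scoped so that only the callback can read it (HttpOnly, Secure, short lifetime) and must be cleared once consumed; otherwise a captured value stays valid for a replayed callback.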

POST /auth/signout

Sign out current user.

Handler: Auth.js

Authentication: Required

Response: Clears session cookie, redirects to /auth

Session Management

POST /api/session/set-active-tenant

Switch active tenant for current user.

Location: src/routes/api/session/set-active-tenant/+server.ts

Authentication: Required

Request Body:

Response:

Side Effects:

  • Sets activeTenantId cookie

  • Next request will rebuild session with new tenant context
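
The authorization step behind this endpoint, written as a pure function so it can be exercised without SvelteKit. This is an added example and not the handler in src/routes/api/session/set-active-tenant/+server.ts; the request body shape ({ tenantId }), the session shape and the cookie attributes are assumptions, while the cookie name activeTenantId comes from the side effects listed above.

```typescript
// Added example (not the project's handler): switching the active tenant must
// check that the caller is actually a member of the requested tenant before the
// activeTenantId cookie is set. Session and body shapes are assumed.

interface Session {
  userId: string;
  tenantIds: string[]; // tenants the user is a member of (assumed shape)
}

interface SetCookie {
  name: string;
  value: string;
  attributes: string[];
}

export type SetActiveTenantResult =
  | { status: 200; body: { activeTenantId: string }; cookie: SetCookie }
  | { status: 400 | 401 | 403; body: { error: string } };

// Constructed sample session standing in for the one the server hook would build.
export const SAMPLE_SESSION: Session = { userId: 'u_1', tenantIds: ['t_acme', 't_globex'] };

function hasTenantId(body: unknown): body is { tenantId: string } {
  return typeof body === 'object' && body !== null
    && typeof (body as Record<string, unknown>).tenantId === 'string';
}

export function setActiveTenant(session: Session | null, rawBody: unknown): SetActiveTenantResult {
  if (!session) return { status: 401, body: { error: 'not authenticated' } };

  // Validate the shape before anything else; reject oversized values outright.
  if (!hasTenantId(rawBody) || rawBody.tenantId.length === 0 || rawBody.tenantId.length > 64) {
    return { status: 400, body: { error: 'tenantId required' } };
  }
  const tenantId = rawBody.tenantId;

  // The check that matters: a tenant id is client input, so membership decides,
  // not the mere fact that the caller is signed in.
  if (!session.tenantIds.includes(tenantId)) {
    return { status: 403, body: { error: 'not a member of tenant' } };
  }

  return {
    status: 200,
    body: { activeTenantId: tenantId },
    cookie: {
      name: 'activeTenantId',
      value: tenantId,
      attributes: ['Path=/', 'HttpOnly', 'Secure', 'SameSite=Lax'],
    },
  };
}

export function serializeCookie(c: SetCookie): string {
  return [`${c.name}=${encodeURIComponent(c.value)}`, ...c.attributes].join('; ');
}
```

Because the cookie is writable by the client, the same membership check has to be repeated when the next request rebuilds the session from it; the check here only prevents the endpoint from issuing a bad value, it does not make the cookie trustworthy.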

JWKS Endpoint

GET /api/jwks_json

Public JWKS endpoint used by Neon RLS to verify the application's JWTs. Returns only the RSA public key, as a JWK set; the matching private signing key is never served.

Authentication: None (public)

Headers: CORS enabled, 1hr cache

See Architecture: Authentication Flow.
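
What the JWKS document must contain and how a verifier such as Neon RLS consumes it, shown end to end with node:crypto only. This is an added example and not the project's endpoint code: the key id, the claims and the 2048-bit key generated on the fly are constructed for the demonstration; in the application the private key comes from configuration.

```typescript
// Added example (not the project's code): publish the public half of an RSA
// key as a JWK set, sign an RS256 JWT with the private half, and verify the
// token from the JWKS alone. kid, claims and key are constructed here.
import { generateKeyPairSync, createPublicKey, sign, verify } from 'node:crypto';
import type { JsonWebKey, KeyObject } from 'node:crypto';

type PublishedJwk = JsonWebKey & { kid: string; use: string; alg: string };
export interface Jwks { keys: PublishedJwk[] }

export const KID = 'demo-key-1'; // assumed key id label
// The private key stays server-side; only the public half is ever published.
export const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });

const b64url = (data: Buffer | string): string =>
  (typeof data === 'string' ? Buffer.from(data, 'utf8') : data).toString('base64url');

// Response body for the JWKS endpoint: the public key as a JWK, tagged with
// kid/use/alg so a verifier can select it. Private components (d, p, q, ...)
// are absent because the export is taken from the public KeyObject.
export function jwksDocument(pub: KeyObject): Jwks {
  const jwk = pub.export({ format: 'jwk' });
  return { keys: [{ ...jwk, kid: KID, use: 'sig', alg: 'RS256' }] };
}

// RS256 JWT issuance with the private key; the header carries the kid.
export function issueJwt(priv: KeyObject, claims: Record<string, unknown>): string {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid: KID }));
  const payload = b64url(JSON.stringify(claims));
  const signature = sign('sha256', Buffer.from(`${header}.${payload}`, 'utf8'), priv);
  return `${header}.${payload}.${b64url(signature)}`;
}

// Verifier side: pin the algorithm, select the key by kid, rebuild the public
// key from the JWK, check the signature, then check expiry. Returns the claims
// or null; anything malformed is treated as invalid rather than thrown.
export function verifyJwt(token: string, jwks: Jwks, nowMs = Date.now()): Record<string, unknown> | null {
  try {
    const parts = token.split('.');
    if (parts.length !== 3) return null;
    const [h, p, s] = parts;
    const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
    if (header.alg !== 'RS256') return null; // refuse "none" and HS256 key-confusion tokens
    const jwk = jwks.keys.find((k) => k.kid === header.kid);
    if (!jwk) return null;
    const key = createPublicKey({ key: jwk, format: 'jwk' });
    if (!verify('sha256', Buffer.from(`${h}.${p}`, 'utf8'), key, Buffer.from(s, 'base64url'))) return null;
    const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
    if (typeof claims.exp !== 'number' || claims.exp * 1000 <= nowMs) return null;
    return claims;
  } catch {
    return null;
  }
}
```

The one-hour cache on the endpoint means a rotated key is not picked up by verifiers until the cached document expires; publishing the new key alongside the old one before switching signing keys avoids a window of rejected tokens.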

Image Management

GET /api/images

Get presigned URL for image download from R2.

Location: src/routes/api/images/+server.ts

Authentication: Required

Query Parameters:

  • key: Object key in R2 bucket

Response:

POST /api/images/upload

Get presigned URL for image upload to R2.

Location: src/routes/api/images/upload/+server.ts

Authentication: Required

Request Body:

Response:

Usage:

Error Responses

All API endpoints return consistent error responses:

Common Status Codes:

  • 400 - Bad Request (invalid input)

  • 401 - Unauthorized (not authenticated)

  • 403 - Forbidden (insufficient permissions)

  • 404 - Not Found

  • 500 - Internal Server Error

CORS Policy

API Routes: Allow cross-origin requests

Headers:

  • Access-Control-Allow-Origin: *

  • Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, HEAD

  • Access-Control-Allow-Headers: Content-Type, Authorization

Protected Routes: Require authentication regardless of CORS. A wildcard Access-Control-Allow-Origin cannot be combined with Access-Control-Allow-Credentials, so browsers send no session cookie on cross-origin requests; CORS only relaxes the response-read restriction and never stands in for the session check.

Rate Limiting

Cloudflare Automatic:

  • DDoS protection

  • Suspicious traffic challenges

Application-Level: Not currently implemented

Future Enhancement:

  • Per-user rate limiting

  • API key rate limiting


Last updated: October 2025
