API Reference

The endpoints behind the marketplace. Most are guarded by Supabase auth and Row-Level Security.

These are the application's internal endpoints rather than a public partner API. They assume a signed-in session except where noted. See the docs for how they fit together.

Commerce

  • POST /api/checkout: Create a Stripe Checkout session. Price is read from the database, never the client. (Public)
  • POST /api/webhooks/stripe: Signed Stripe webhook. Verifies payment and unlocks the order (idempotent). (Stripe signature)
  • GET /api/download/[orderId]: Mint a short-lived signed link to the master after checks (paid, owner, not expired, under cap). (Owner or token)

Products & assets

  • POST / PATCH /api/products: Create or update a product. Publishing requires a master file. (Creator)
  • POST /api/uploads/sign: Issue a signed upload URL with a server-built path. (Creator)
  • POST /api/uploads/complete: Verify the uploaded object and record master/preview metadata. (Creator)
  • GET /api/preview/[id]: Serve the preview asset via a one-hour signed URL. (Public, published)
  • POST /api/preview/generate: Derive a watermarked preview from the master (images, PDFs). (Creator)

AI

  • POST /api/ai/generate-metadata: Draft title, summary, category, and tags. (Creator)
  • POST /api/ai/create/image · video · pdf · model: Generate an asset and store it on the product. (Creator)
  • POST /api/ai/create/edit: Edit/recreate a supplied image; returns bytes (not stored). (Creator)

Authentication uses Supabase sessions; database access is constrained by RLS so callers can only touch their own rows. Payment-granting logic lives solely in the signed Stripe webhook.
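
As an added illustration (not the application's own code), the following shows what a signed, idempotent Stripe webhook like the one described above has to do: check the Stripe-Signature header against the raw request body, then record the event id so a redelivered event does not unlock the order twice. The function names, in-memory store, use of client_reference_id as the order key, and the sample secret are assumptions; production code would normally call the Stripe library's stripe.webhooks.constructEvent rather than hand-roll the HMAC check.

```javascript
// Added example, not the marketplace's code. Function names, the in-memory
// store, the order key and the sample secret are assumptions for illustration.
const crypto = require("node:crypto");
const TOLERANCE_SECONDS = 300; // reject stale timestamps to bound replay

// Header format: "t=<unix seconds>,v1=<hex>"; the HMAC-SHA256 covers "<t>.<raw body>".
function verifySignature(rawBody, header, secret, nowSeconds) {
  const parts = String(header || "").split(",").map((p) => p.trim().split("="));
  const t = (parts.find(([k]) => k === "t") || [])[1];
  const candidates = parts.filter(([k]) => k === "v1").map(([, v]) => v || "");
  if (!/^\d+$/.test(t || "") || candidates.length === 0) return false;
  if (Math.abs(nowSeconds - Number(t)) > TOLERANCE_SECONDS) return false;
  const expected = crypto.createHmac("sha256", secret).update(`${t}.${rawBody}`).digest();
  return candidates.some((hex) => {
    const got = Buffer.from(hex, "hex");
    return got.length === expected.length && crypto.timingSafeEqual(got, expected);
  });
}

// store.orders / store.processedEvents stand in for database tables; in a real
// database the event id column would carry a unique constraint.
function handleStripeWebhook(rawBody, header, secret, nowSeconds, store) {
  if (!verifySignature(rawBody, header, secret, nowSeconds)) return { status: 400, body: "bad signature" };
  const event = JSON.parse(rawBody); // parse only after the signature checks out
  if (store.processedEvents.has(event.id)) return { status: 200, body: "duplicate" };
  const session = event.data.object;
  if (event.type === "checkout.session.completed" && session.payment_status === "paid") {
    const order = store.orders.get(session.client_reference_id); // assumed order key
    if (order) order.paid = true;
  }
  store.processedEvents.add(event.id);
  return { status: 200, body: "ok" };
}

// Builds a header for constructed sample events (test helper, not a Stripe API).
function signSample(rawBody, secret, t) {
  return `t=${t},v1=${crypto.createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex")}`;
}

// Constructed sample delivery: accepted once, then redelivered.
function demo() {
  const secret = "whsec_constructed_example";
  const body = JSON.stringify({ id: "evt_sample_1", type: "checkout.session.completed",
    data: { object: { payment_status: "paid", client_reference_id: "order_sample_1" } } });
  const store = { orders: new Map([["order_sample_1", { paid: false }]]), processedEvents: new Set() };
  const header = signSample(body, secret, 1700000000);
  return [1700000000, 1700000010].map((now) => handleStripeWebhook(body, header, secret, now, store).body);
}
console.log(demo());
```

The signature must be computed over the exact bytes received, so the route has to read the raw body before any JSON parsing or re-serialization.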