Authentication
- Most endpoints require a Supabase session cookie (validated server-side).
- Admin-only endpoints additionally require
profiles.role === "ADMIN"in the database.
Error format
Content types
- Requests:
application/jsonunless otherwise noted. - Responses:
application/jsonunless otherwise noted (OG route returns an image).
Groups
- Public:
/api/documentation,/api/release-notes - Authenticated:
/api/notifications,/api/tasks,/api/routine-tasks - Support:
/api/support/* - Admin:
/api/admin/* - OAuth:
/api/google/oauth/start - Development:
/api/dev/settings - Media:
/api/og

