API Reference

Most writes happen through Server Actions; these HTTP routes exist for webhooks, downloads, and anything a browser cannot sign safely.

HTTP routes

Stripe webhook

POST /api/stripe/webhook -- receives Stripe subscription lifecycle events

Events handled: checkout.session.completed, customer.subscription.updated, customer.subscription.deleted

See Stripe Setup for configuration.

Server Actions

Most mutations are implemented as Server Actions. They live near the pages that use them.

Common pattern

Every server action follows this flow:

export async function myAction(workspaceId: string, formData: FormData) {
  const user = await requireUser();                   // 1. Authenticate
  await requireRole(workspaceId, user.id, ["OWNER"]); // 2. Authorize
  const parsed = schema.safeParse({ ... });           // 3. Validate (Zod)
  await supabase.from("table").insert({ ... });       // 4. Write (workspace-scoped)
  await insertAuditLog({ ... });                      // 5. Audit log
  revalidatePath("/w/...");                           // 6. Revalidate
}

Product actions

Location: src/app/(app)/w/[workspaceSlug]/products/actions.ts

Action	Roles	Description
`createProduct`	OWNER, ADMIN, MEMBER	Create a new product (checks plan limits)
`updateProduct`	OWNER, ADMIN, MEMBER	Update name, description, or status
`softDeleteProduct`	OWNER, ADMIN, MEMBER	Move to trash
`permanentDeleteProduct`	OWNER, ADMIN	Permanently remove
`restoreFromTrash`	OWNER, ADMIN, MEMBER	Restore from trash
`archiveProduct`	OWNER, ADMIN, MEMBER	Set status to ARCHIVED
`restoreProduct`	OWNER, ADMIN, MEMBER	Set status to ACTIVE
`bulkSoftDelete`	OWNER, ADMIN, MEMBER	Bulk move to trash
`bulkUpdateStatus`	OWNER, ADMIN, MEMBER	Bulk status change

Settings actions

Location: src/app/(app)/w/[workspaceSlug]/settings/settings-actions.ts

Action	Roles	Description
`updateWorkspaceName`	OWNER	Rename the workspace
`deleteWorkspace`	OWNER	Permanently delete workspace
`transferOwnership`	OWNER	Transfer OWNER role to an ADMIN
`updateProfile`	Any	Update user's full name

Billing actions

Location: src/app/(app)/w/[workspaceSlug]/billing/billing-actions.ts

Action	Roles	Description
`createCheckoutSession`	OWNER	Start Stripe Checkout
`createBillingPortalSession`	OWNER	Open Stripe Customer Portal

Auth actions

Location: src/app/(auth)/actions/auth.ts

Action	Description
`signIn`	Email/password sign-in
`signUp`	Create new account
`signOut`	Sign out and clear session
`resetPassword`	Request password reset email
`updatePassword`	Set new password from reset link

Library modules

Reusable business logic lives in src/lib/. Each module exports server actions and helper functions.

Module	Location	Key functions
Tags	`src/lib/tags/tag-actions.ts`	`createTag`, `deleteTag`, `addTagToRecord`, `removeTagFromRecord`, `getWorkspaceTags`, `getRecordTags`
Comments	`src/lib/comments/comment-actions.ts`	`addComment`, `editComment`, `deleteComment`, `getComments`
Attachments	`src/lib/attachments/attachment-actions.ts`	`createAttachmentRecord`, `deleteAttachment`, `getAttachments`
Custom fields	`src/lib/custom-fields/custom-field-actions.ts`	`createCustomField`, `updateCustomField`, `deleteCustomField`, `getCustomFieldDefinitions`
API keys	`src/lib/api-keys/api-key-actions.ts`	`createApiKey`, `revokeApiKey`, `getApiKeys`
Webhooks	`src/lib/webhooks/webhook-actions.ts`	`createWebhook`, `deleteWebhook`, `getWebhooks`
Bookmarks	`src/lib/bookmarks/`	`toggleBookmark`, `getUserBookmarks`
Saved views	`src/lib/saved-views/`	`createSavedView`, `deleteSavedView`, `getSavedViews`
Notifications	`src/lib/notifications/notification-actions.ts`	`getNotificationPreferences`, `updateNotificationPreferences`
Sessions	`src/lib/sessions/session-actions.ts`	`getLoginHistory`
SSO	`src/lib/sso/sso-actions.ts`	`getSSOConfig`, `updateSSOConfig`
Scheduled actions	`src/lib/scheduled-actions/scheduled-action-actions.ts`	`createScheduledAction`, `getScheduledActions`
IP allowlist	`src/lib/ip-allowlist/ip-allowlist-actions.ts`	`addIPRange`, `removeIPRange`, `getIPAllowlist`
GDPR	`src/lib/gdpr/`	Data export and account deletion
Audit	`src/lib/audit/insert-log.ts`	`insertAuditLog`
Billing	`src/lib/billing/check-limit.ts`	`checkLimit`
Auth	`src/lib/auth/require-user.ts`	`requireUser`
RBAC	`src/lib/rbac/require-membership.ts`	`requireRole`

Database tables

The full schema is documented in Data Model. Key tables:

Core tables

workspaces -- tenant boundary
memberships -- user-to-workspace with role
invitations -- invite tokens with expiry
products -- example entity with soft delete
subscriptions -- Stripe state
audit_logs -- append-only event log

Collaboration tables

tags, record_tags -- colored labels
comments -- threaded comments
attachments -- file records

Developer platform tables

api_keys -- API key management
webhooks, webhook_deliveries -- outgoing webhooks
webhook_events -- incoming webhooks
custom_field_definitions -- dynamic fields

User feature tables

bookmarks -- per-user bookmarks
saved_views -- saved table configurations
notification_preferences -- notification settings
login_history -- sign-in records
scheduled_actions -- scheduled tasks
workspace_ip_allowlist -- IP restrictions

Database functions

Function	Description
`daily_audit_counts(workspace_id, days)`	Daily event counts for the activity chart
`is_workspace_member(workspace_id)`	RLS helper: checks membership
`workspace_role(workspace_id)`	RLS helper: returns user's role
`set_updated_at()`	Trigger function: auto-updates `updated_at`
`handle_new_user()`	Trigger function: creates profile on sign-up