API reference · v0.4
Every endpoint.
One row per endpoint, grouped by domain. Auth tags tell you what you need to call it. Status badges show what's live vs. planned.
✓ 48 shipped · ⏱ 13 on roadmap · 61 total
Auth & session
Email/password signup with scrypt hashing, httpOnly cookie sessions, 30-day expiry.

POST /api/auth/signup
Create account + auto-login
body: email, password, name, handle, role
public · shipped

POST /api/auth/login
Verify password, set session cookie
body: email, password
public · shipped

POST /api/auth/logout
Invalidate session row + clear cookie
session · shipped

GET /api/me
Return current signed-in user (no passwordHash)
session · shipped

PATCH /api/me/update
Update name / bio / avatarUrl
body: name?, bio?, avatarUrl?
session · shipped

POST /api/auth/forgot
Send password-reset email via Resend (no enumeration)
body: email
public · shipped

POST /api/auth/reset
Verify token, set new password, auto-login
body: token, password
public · shipped

Wallet (Solana)
Phantom wallet connect via signed nonce challenge. Server verifies ed25519 signature.

POST /api/wallet/link/nonce
Issue a one-time nonce to sign
session · shipped

POST /api/wallet/link
Verify signature + bind walletAddr to user
body: walletAddr, signature, nonce
session · shipped

DELETE /api/wallet/link
Unlink wallet from account
session · planned

Gigs (KOL services)
KOL-listed promotional services. POST creates a gig, orders are tracked separately.

GET /api/gigs
List open gigs (filterable)
query: q?, niche?, seller?, limit?
public · shipped

POST /api/gigs
Create a gig
body: title, description, priceCents, deliveryDays, niche?
KOL/ADMIN · shipped

GET /api/gigs/[id]
Get gig + seller + recent orders
public · shipped

PATCH /api/gigs/[id]
Update fields (own gig only)
KOL/ADMIN · shipped

DELETE /api/gigs/[id]
Soft-cancel (with orders) or hard-delete (no orders)
KOL/ADMIN · shipped

Orders & escrow
Project places order → mock USDC lock → KOL delivers → project releases. State machine enforced server-side.

GET /api/orders
List orders for the signed-in user
query: as=buyer|seller
session · shipped

POST /api/orders
Place order, lock mock USDC escrow, notify seller
body: gigId
PROJECT/ADMIN · shipped

GET /api/orders/[id]
Get one order (buyer/seller/admin only)
session · shipped

PATCH /api/orders/[id]
Transition: DELIVERED / RELEASED / DISPUTED / CANCELED with role checks
body: status, deliveryUrl?
session · shipped

POST /api/escrow/fund
Real Solana SPL token transfer to escrow PDA
session · v1.5

POST /api/escrow/release
Release on-chain escrow to seller
session · v1.5

Signals (trading ideas)
LONG/SHORT signals with TP/SL. Auto-settled by Pyth Hermes on cron.

GET /api/signals
List signals
query: status?, side?, author?, q?
public · shipped

POST /api/signals
Publish signal (validates R:R direction)
body: asset, side, entry, takeProfit, stopLoss, rationale?
KOL/ADMIN · shipped

GET /api/signals/[id]
Get signal + author
public · shipped

PATCH /api/signals/[id]
Owner can edit rationale or status
KOL/ADMIN · shipped

POST /api/signals/[id]/settle
Manual settle (owner/admin only)
body: outcome: TP_HIT|SL_HIT|EXPIRED
KOL/ADMIN · shipped

POST /api/cron/settle-signals
Auto-settle ACTIVE signals via Pyth Hermes
cron · shipped

Hubs (paid communities)
KOL-run subscription Hubs with up to 3 tiers. Tier-gated post feed.

GET /api/hubs
List hubs ordered by member count
query: q?, niche?, limit?
public · shipped

POST /api/hubs
Create a Hub with tier prices
body: slug, name, tagline?, description?, niches[], tier1Price?, tier2Price?, tier3Price?
KOL/ADMIN · shipped

GET /api/hubs/[slug]
Get hub + owner
public · shipped

PATCH /api/hubs/[slug]
Update hub (owner only)
KOL/ADMIN · shipped

POST /api/hubs/[slug]/subscribe
Subscribe at tier (mock USDC). Upgrade/downgrade re-uses row.
body: tier: T1|T2|T3
session · shipped

DELETE /api/hubs/[slug]/subscribe
Cancel subscription (decrements memberCount)
session · shipped

GET /api/hubs/[slug]/posts
List posts visible at viewer's tier
public · shipped

POST /api/hubs/[slug]/posts
Owner posts to feed (with minTier gate)
body: body, minTier?
KOL/ADMIN · shipped

Campaigns (multi-KOL)
Project-led campaigns with N slots. Each slot is its own escrow.

GET /api/campaigns
List OPEN/IN_PROGRESS campaigns
query: owner?
public · shipped

POST /api/campaigns
Create campaign + slots in one transaction
body: title, description, slots: [{title, niche?, priceCents, deliveryDays?}, ...]
PROJECT/ADMIN · shipped

GET /api/campaigns/[id]
Get campaign + slots + applicants
public · shipped

PATCH /api/campaigns/[id]
Owner: edit fields or close/cancel
PROJECT/ADMIN · shipped

POST /api/campaigns/[id]/slots/[slotId]
Slot state machine: apply/accept/reject/deliver/release/cancel
body: action: apply|accept|reject|deliver|release|cancel, deliveryUrl? (deliver)
session · shipped

Chat & messages
1:1 conversations with 4-second polling. SSE upgrade planned.

GET /api/conversations
List threads with last message + other party
session · shipped

POST /api/conversations
Get-or-create 1:1 with another user
body: handle
session · shipped

GET /api/conversations/[id]/messages
Fetch thread, marks read for me
query: since?
session · shipped

POST /api/conversations/[id]/messages
Send message (coalesces notifs to recipient at 60s)
body: body
session · shipped

GET /api/conversations/[id]/stream
Server-Sent Events for live messages
session · v1.5

Reviews
Reviews are gated to users with at least one RELEASED order between them.

POST /api/reviews
Leave 1–5★ review on a counterparty
body: handle, rating, body?
session · shipped

GET /api/reviews
List reviews for a user
query: handle, kind=received|left
public · planned

Notifications
In-app bell, polled every 30s. Auto-fired by every transactional event.

GET /api/notifications
Last 30 + unread count
session · shipped

POST /api/notifications
Mark all read
session · shipped

POST /api/notifications/email
Cron: send digest email for unread > 24h
cron · planned

Admin
ADMIN-only platform overrides + reporting.

PATCH /api/admin/users/[id]
Verify/unverify user, change role
body: verified?, role?
ADMIN · shipped

POST /api/admin/orders/[id]/force
Force-resolve disputed order
ADMIN · planned

GET /api/admin/stats
Platform KPIs JSON for dashboard
ADMIN · planned

POST /api/admin/users/[id]/ban
Ban a user (revokes sessions)
ADMIN · planned

Search & discovery
Cross-entity search across users, gigs, hubs, signals, campaigns.

GET /api/search
Aggregated search across the platform
query: q, kinds?
public · planned

Telegram bot (@kolhubwatcherbot)
Posts every gig, signal, campaign, order, subscription, and signal-settlement event to a Telegram group. Bot token + chat IDs set via Railway env vars.

POST /api/dev/telegram-test
Send a test message from the dev console
body: channel?: 'public'|'admin', text?: string
ADMIN · shipped

Spec & health
Self-describing API spec + uptime check.

GET /api/openapi
API_GROUPS as JSON for tooling
public · shipped

GET /api/health
DB ping + email/pyth status (for uptime monitors)
public · shipped

Calling from JavaScript
Sessions are httpOnly cookies — `fetch` from the same origin includes them automatically. From a different origin set `credentials: 'include'`.
```js
// email, password and gigId below are values supplied by the caller.

// Login (cookie set automatically)
await fetch("/api/auth/login", {
  method: "POST",
  headers: { "content-type": "application/x-www-form-urlencoded" },
  body: new URLSearchParams({ email, password }),
});

// Create a gig as a KOL
await fetch("/api/gigs", {
  method: "POST",
  headers: { "content-type": "application/json" },
  body: JSON.stringify({
    title: "Threaded breakdown",
    description: "12-tweet thread, 24h delivery.",
    priceCents: 30000, deliveryDays: 3, niche: "DeFi",
  }),
});

// Place an order as a project
await fetch("/api/orders", {
  method: "POST",
  headers: { "content-type": "application/json" },
  body: JSON.stringify({ gigId }),
});

// Auto-settle signals (cron)
// Server-side only (scheduler): CRON_SECRET must never be shipped to browser code.
// Outside the browser, fetch requires an absolute URL, so prepend the deployment
// origin to this path.
await fetch("/api/cron/settle-signals", {
  method: "POST",
  headers: { "x-cron-secret": process.env.CRON_SECRET },
});
```
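
The wallet-link flow from the Wallet (Solana) group (POST /api/wallet/link/nonce, then POST /api/wallet/link), sketched server-side for Node. This is an added example, not the project's code: the in-memory Map, the 5-minute TTL, the signed message text, base58 encoding of the signature and all function names are assumptions.

```javascript
const crypto = require("node:crypto");

const NONCE_TTL_MS = 5 * 60 * 1000; // assumed lifetime, not from the page
const SPKI_ED25519 = Buffer.from("302a300506032b6570032100", "hex"); // DER header for a raw key
const B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
const pending = new Map(); // userId -> { nonce, expires }; stand-in for a DB row

// Base58 -> bytes (Solana addresses; base58 for the signature is an assumption).
function b58decode(str) {
  let n = 0n;
  for (const ch of str) {
    const i = B58.indexOf(ch);
    if (i < 0) throw new Error("invalid base58");
    n = n * 58n + BigInt(i);
  }
  const hex = n === 0n ? "" : n.toString(16);
  const body = Buffer.from(hex.length % 2 ? "0" + hex : hex, "hex");
  return Buffer.concat([Buffer.alloc(str.match(/^1*/)[0].length), body]);
}

// The exact text the wallet signs (assumed wording): it names the purpose so
// the signature cannot be reused as approval for anything else.
const linkMessage = (nonce) => `Link wallet to account\nnonce: ${nonce}`;

// POST /api/wallet/link/nonce
function issueNonce(userId, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString("hex");
  pending.set(userId, { nonce, expires: now + NONCE_TTL_MS });
  return nonce;
}

// POST /api/wallet/link -> true only for a fresh nonce signed by walletAddr
function verifyLink(userId, { walletAddr, signature, nonce }, now = Date.now()) {
  const rec = pending.get(userId);
  pending.delete(userId); // one-time: burned on the first attempt, pass or fail
  if (!rec || now > rec.expires || typeof nonce !== "string") return false;
  const want = Buffer.from(rec.nonce), got = Buffer.from(nonce);
  if (want.length !== got.length || !crypto.timingSafeEqual(want, got)) return false;
  try {
    const pub = b58decode(walletAddr), sig = b58decode(signature);
    if (pub.length !== 32 || sig.length !== 64) return false;
    const key = crypto.createPublicKey({
      key: Buffer.concat([SPKI_ED25519, pub]), format: "der", type: "spki",
    });
    return crypto.verify(null, Buffer.from(linkMessage(nonce)), key, sig);
  } catch {
    return false; // malformed address or signature
  }
}
```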