API Documentation

The PawVault REST API is organized around resource-oriented URLs and returns JSON. Most write endpoints require an authenticated session (marked

auth
).

Authentication

POST/api/auth/register

Create an account with email, username, and password. Sends a verification email.

{
  "email": "buyer@email.com",
  "username": "buyer",
  "password": "s3cret!",
  "confirmPassword": "s3cret!"
}
POST/api/auth/forgot-password

Send a password-reset token to the user's email.

POST/api/auth/reset-password

Complete a password reset using the emailed token.

GET/api/auth/verify-email?token=...

Verify an email address from the link sent during registration.

POST/api/auth/logout

End the current session and clear the auth cookie.

GET/api/auth/session

Return the current session (NextAuth). Used by the client to know if a user is signed in.

Users & Profile

GET/api/user/profile
auth

Get the authenticated user's profile.

PUT/api/user/profile
auth

Update display name, bio, social links, and privacy settings.

GET/api/user/wishlist
auth

List the user's wishlisted products.

POST/api/user/wishlist
auth

Add a product to the wishlist. Body: { productId }.

DELETE/api/user/wishlist?productId=...
auth

Remove a product from the wishlist.

Products

GET/api/products

List published products with filters. Query: category, search, sort, page, limit, priceMin, priceMax, rating, tags, free, onSale, creator.

GET /api/products?category=avatars&sort=price-asc&page=1&limit=24
{
  "products": [ { "id": "cld...", "title": "Neon Fox", "price": 12.0, "rating": 4.7 } ],
  "pagination": { "page": 1, "limit": 24, "total": 318, "totalPages": 14 }
}
GET/api/products/[slug]

Get full product details including media, files, reviews, and creator.

POST/api/products
auth

Create a product (creator only). Handles slug generation and tag upserts.

GET/api/products/featured

Admin-curated featured products for the homepage.

GET/api/products/[slug]/reviews

Paginated, verified reviews for a product with average rating.

Uploads & Media

POST/api/media/upload
auth

Upload images/videos. Returns a CDN URL and generates a thumbnail.

POST/api/products/files
auth

Attach downloadable files to a product (drag-and-drop, resumable).

DELETE/api/media/[id]
auth

Delete a media asset.

Cart & Checkout

GET/api/cart

Get the current cart (user or guest session).

POST/api/cart

Add a product to the cart. Body: { productId, quantity }.

PUT/api/cart/items/[id]

Update an item's quantity (min 1, max 100).

DELETE/api/cart/items/[id]

Remove an item from the cart.

POST/api/cart/coupon

Apply a coupon code. Body: { code }.

POST/api/checkout

Create a Stripe Checkout session for the cart. Returns orderId and Stripe URL.

POST /api/checkout
{ "cartId": "cld...", "couponCode": "SUMMER10" }
→ { "orderId": "ord...", "url": "https://checkout.stripe.com/..." }

Orders & Refunds

GET/api/orders
auth

List the user's orders with items, payments, and licenses.

POST/api/orders/[id]/refund
auth

Request a refund. Body: { reason, items? }. Creates a PENDING refund and notifies the buyer.

Licenses

GET/api/licenses
auth

List the user's (or, for admins, all) license keys with product info.

POST/api/licenses/generate
auth

Generate a license for a completed order. Body: { productId, orderId, userId?, expiresAt? }.

GET/api/licenses/validate?key=XXX

Public validation. Checks existence, revocation, and expiry. Rate-limited to 100 req/min.

GET /api/licenses/validate?key=PV-AB12-CD34-EF56
{
  "valid": true,
  "license": { "key": "PV-AB12-CD34-EF56", "status": "ACTIVE", "product": { "slug": "neon-fox" } }
}

Reviews

POST/api/reviews
auth

Create a review. Verified flag is set if the user owns the product. Body: { productId, rating, title?, content? }.

PUT/api/reviews/[id]
auth

Edit your review (within 30 days).

DELETE/api/reviews/[id]
auth

Delete your review (within 30 days).

Notifications

GET/api/notifications
auth

List the user's notifications plus an unreadCount. Add ?unread=true to filter.

PUT/api/notifications/[id]/read
auth

Mark a notification as read.

DELETE/api/notifications/[id]
auth

Delete a notification.

Rate limiting

Public endpoints are rate-limited per IP (e.g. license validation at 100 req/min). Authenticated requests include X-RateLimit-Remaining headers.