API reference
All HTTP endpoints exposed by the Windcraft API.
All endpoints return JSON in the standardized envelope. Errors:

```json
{ "error": { "code": "WC_*", "message": "...", "details": {} } }
```

Session-authed endpoints accept the better-auth cookie; the sync
endpoints accept `Authorization: Bearer wc_live_…`.

| Method | Path | Purpose |
|---|---|---|
| POST | /auth/sign-up/email | Create user (email + password) |
| POST | /auth/sign-in/email | Sign in (sets session cookie) |
| POST | /auth/sign-out | Clear session cookie |
| GET | /auth/get-session | Returns the active session bundle or null |
| POST | /auth/magic-link | Send a one-time sign-in link by email |
| POST | /auth/sign-in/social | Start a social provider OAuth flow |
| POST | /auth/forget-password | Send password reset email |
| POST | /auth/reset-password | Submit new password with reset token |
| DELETE | /auth/account | GDPR — soft-delete user, cascade to projects, drop sessions |

| Method | Path | Purpose |
|---|---|---|
| POST | /auth/two-factor/enable | Start setup, returns TOTP URI + backup codes |
| POST | /auth/two-factor/verify-totp | Verify a 6-digit code (also flips twoFactorEnabled true on first verify) |
| POST | /auth/two-factor/verify-backup-code | Use a single-use backup code |
| POST | /auth/two-factor/disable | Password-gated removal |
| POST | /auth/two-factor/generate-backup-codes | Rotate the backup-code list |

| Method | Path | Purpose |
|---|---|---|
| GET | /projects | List the user's active projects |
| POST | /projects | Create project; returns first API key (one time) |
| GET | /projects/:id | Get project |
| PATCH | /projects/:id | Update name / platforms / outputs |
| DELETE | /projects/:id | Soft delete |
| GET | /projects/:id/health | Returns 0–100 score from sync events |
| GET | /projects/:id/api-keys | List keys (no plaintext) |
| POST | /projects/:id/api-keys | Generate new key (one-time plaintext) |
| DELETE | /projects/:id/api-keys/:keyId | Revoke |

| Method | Path | Purpose |
|---|---|---|
| GET | /projects/:id/tokens | Latest version |
| PUT | /projects/:id/tokens | Replace; new version |
| PATCH | /projects/:id/tokens | Deep merge; new version |
| GET | /projects/:id/tokens/versions | Paginated history |
| GET | /projects/:id/tokens/versions/:from/diff/:to | Diff added / removed / changed |
| POST | /projects/:id/tokens/versions/:versionId/restore | Copy old version forward |
| GET | /projects/:id/contracts | List 77 contracts |
| GET | /projects/:id/contracts/:name | Get one |
| PATCH | /projects/:id/contracts/:name | Update contract / toggle enabled |
| GET | /projects/:id/rules | List 9 rule configs |
| PATCH | /projects/:id/rules/:ruleId | Update severity / exceptions |

| Method | Path | Purpose |
|---|---|---|
| POST | /projects/:id/mirror | Translate JSX between web ↔ mobile using project tokens |

| Method | Path | Purpose |
|---|---|---|
| GET | /projects/:id/sync/manifest | Manifest with the 4 generated outputs + hashes |
| POST | /projects/:id/sync/pull | Telemetry — log a pull event |

| Method | Path | Purpose |
|---|---|---|
| GET | /projects/:id/github/repos | Repos the user can push to |
| GET | /projects/:id/github/repo | Connected repo state |
| POST | /projects/:id/github/connect | Connect a repo, install webhook |
| DELETE | /projects/:id/github/connect | Disconnect, remove webhook |
| POST | /projects/:id/github/push | Open / refresh a sync PR |

| Method | Path | Purpose |
|---|---|---|
| POST | /webhooks/github | GitHub events (HMAC-SHA256 signed, per-repo secret) |
| POST | /webhooks/lemonsqueezy | Lemon Squeezy lifecycle (HMAC-SHA256) |

| Method | Path | Purpose |
|---|---|---|
| GET | /billing/plan | Returns subscription state — hasSubscription / status / blocked |
| POST | /billing/checkout | Lemon Squeezy checkout URL (body: plan = monthly or yearly) |
| POST | /billing/portal | Customer portal URL |
| GET | /billing/invoices | Invoice history (LS-backed) |

| Method | Path | Purpose |
|---|---|---|
| GET | /cli-auth/poll/:code | CLI polls — 202 pending / 200 authorized |
| POST | /cli-auth/authorize | Web app authorizes a code for a project |