API Reference

Overview

Howfar uses the Next.js App Router. API routes live under src/app/api/** and are deployed as serverless functions (or edge functions where configured).

API structure

• /api/auth/* — authentication (register/login/logout/refresh, WebAuthn)
• /api/developer/apps, /api/developer/keys — developer app registration and one-time key issuance for signed-in owners
• /api/developer/verify, /api/agents/chat — bearer-key developer access and platform invocation
• /api/wallets, /api/transactions — finance primitives
• /api/payments/* — payment providers + webhooks
• /api/admin/* — privileged admin operations

Health endpoints

• GET /api/health — liveness
• GET /api/ready — readiness (checks dependencies where configured)
• GET /api/metrics — Prometheus metrics

API contracts

OpenAPI specs are maintained in the repository (see openapi.next.yaml and openapi.yaml). You can validate them locally using npm run openapi:next:check and npm run openapi:v2:check.

Developer key flow

1. Sign in with a normal browser session.
2. Create a developer app at POST /api/developer/apps.
3. Create a one-time bearer key at POST /api/developer/keys.
4. Verify the key at GET /api/developer/verify.
5. Call POST /api/agents/chat with the same bearer key and the agents:chat scope.

Authentication

Browser-managed routes use the session cookie. Developer-platform routes support a bearer API key on explicitly approved endpoints only; keys are not a blanket bypass for every protected route.

Proof surfaces

• Developer platform proof artifact
• Marketplace inventory proof artifact
• Trust Center

For access questions, operational review, or enterprise usage, contact Support.