- GET /healthz
- GET /schema/swagger
- POST /auth/login
- POST /auth/refresh
- POST /auth/logout
Protected routes use server-managed HttpOnly cookies. The browser never reads the Supabase access token directly.
- access_token: 15m lifetime.
- refresh_token: 7d lifetime.
POST /auth/login: Validates credentials against Supabase and issues secure cookies.
Body: `{ "email": "...", "password": "..." }`
POST /auth/refresh: Rotates the session using the refresh_token cookie.
POST /auth/logout: Revokes the session and clears cookies.
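The cookie handling described above, as an added example that is not the project's own code: it builds the `Set-Cookie` headers for login, refresh and logout with the 15m and 7d lifetimes, and treats the refresh token as single-use on rotation. The cookie names, the `Path=/auth` scoping of the refresh cookie, the `exchange` callback (a stand-in for the Supabase refresh call) and the `usedRefreshTokens` set are assumptions.

```javascript
// Added example, not the project's own code. Cookie names, the refresh-cookie
// path scope and the single-use bookkeeping are assumptions.
const ACCESS_TTL_SECONDS = 15 * 60;           // 15m access_token lifetime
const REFRESH_TTL_SECONDS = 7 * 24 * 60 * 60; // 7d refresh_token lifetime

// Serialize one cookie with the flags a session cookie needs:
// HttpOnly (no document.cookie access), Secure (TLS only), SameSite=Strict.
function serializeCookie(name, value, maxAge, path = '/') {
  return `${name}=${encodeURIComponent(value)}; Max-Age=${maxAge}; Path=${path}; HttpOnly; Secure; SameSite=Strict`;
}

// Set-Cookie headers issued by POST /auth/login (and again on /auth/refresh).
// The refresh cookie is scoped to /auth so it only travels to refresh/logout.
function sessionCookies(session) {
  return [
    serializeCookie('access_token', session.access_token, ACCESS_TTL_SECONDS),
    serializeCookie('refresh_token', session.refresh_token, REFRESH_TTL_SECONDS, '/auth'),
  ];
}

// Set-Cookie headers for POST /auth/logout: Max-Age=0 expires both cookies.
// The Path must match the one used when the cookie was set.
function clearSessionCookies() {
  return [
    serializeCookie('access_token', '', 0),
    serializeCookie('refresh_token', '', 0, '/auth'),
  ];
}

// Parse the request Cookie header into a name -> value map.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    const value = part.slice(idx + 1).trim();
    if (name) out[name] = decodeURIComponent(value);
  }
  return out;
}

// Rotation on POST /auth/refresh: the refresh cookie is exchanged through
// `exchange` (stand-in for the Supabase refresh call). The old token is
// single-use; presenting it again clears the cookies instead of refreshing.
function rotateSession(cookieHeader, exchange, usedRefreshTokens) {
  const { refresh_token: rt } = parseCookies(cookieHeader);
  if (!rt || usedRefreshTokens.has(rt)) {
    return { ok: false, headers: clearSessionCookies() };
  }
  usedRefreshTokens.add(rt);
  const next = exchange(rt);
  return { ok: true, headers: sessionCookies(next) };
}
```

Because both cookies are `HttpOnly`, a script running in the page cannot read them, which is what the note above means by the browser never reading the Supabase access token directly; the server is the only party that handles it.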
Returns paginated media. Supports filtering by type (book, movie, anime, job).
Creates an entry.
- Sanitization: all strings are stripped of `<script>` and `<iframe>` tags.
- Validation: rating must be 1-5. Status must match the pipeline for the specific media type.
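The sanitization and validation rules above, as an added example that is not the project's own code. Only the script/iframe stripping, the 1-5 rating rule and the four media types come from the page; the per-type status pipelines in `STATUS_PIPELINES`, the field names and the function names are assumptions.

```javascript
// Added example, not the project's own code. STATUS_PIPELINES and the field
// names are assumptions; the real pipelines live in the project.
const MEDIA_TYPES = ['book', 'movie', 'anime', 'job'];

// Assumed status pipelines, one per media type.
const STATUS_PIPELINES = {
  book:  ['to-read', 'reading', 'finished'],
  movie: ['to-watch', 'watched'],
  anime: ['to-watch', 'watching', 'completed'],
  job:   ['saved', 'applied', 'interviewing', 'offer', 'rejected'],
};

// Remove <script>/<iframe> elements (tag pair plus content) and any stray
// opening, closing or self-closing tags of those names, case-insensitively.
// The tag name must be followed by whitespace, '/' or '>' so <scripts> is kept.
// Looping until the string stops changing handles tags reassembled by a
// previous removal (e.g. <scr<script></script>ipt>).
function stripDangerousTags(s) {
  const element = /<(script|iframe)(?=[\s/>])[^>]*>[\s\S]*?<\/\1\s*>/gi;
  const lone = /<\/?(script|iframe)(?=[\s/>])[^>]*>/gi;
  let prev;
  do {
    prev = s;
    s = s.replace(element, '').replace(lone, '');
  } while (s !== prev);
  return s;
}

// Sanitize every string field of the request body, recursing into arrays
// and nested objects; non-string values pass through unchanged.
function sanitizeStrings(value) {
  if (typeof value === 'string') return stripDangerousTags(value);
  if (Array.isArray(value)) return value.map(sanitizeStrings);
  if (value && typeof value === 'object') {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, sanitizeStrings(v)]),
    );
  }
  return value;
}

// Validate a sanitized entry; returns a list of error strings (empty = valid).
function validateEntry(entry) {
  const errors = [];
  if (!MEDIA_TYPES.includes(entry.type)) {
    errors.push(`type must be one of ${MEDIA_TYPES.join(', ')}`);
  }
  if (entry.rating !== undefined &&
      !(Number.isInteger(entry.rating) && entry.rating >= 1 && entry.rating <= 5)) {
    errors.push('rating must be an integer from 1 to 5');
  }
  const pipeline = STATUS_PIPELINES[entry.type];
  if (pipeline && !pipeline.includes(entry.status)) {
    errors.push(`status must be one of ${pipeline.join(', ')} for type ${entry.type}`);
  }
  return errors;
}

// Create-entry pipeline: sanitize first, then validate the cleaned body.
function prepareEntry(body) {
  const clean = sanitizeStrings(body);
  return { entry: clean, errors: validateEntry(clean) };
}
```

Stripping two tag names removes the most obvious payloads but is not a complete HTML sanitizer; whatever renders these strings should still encode them for the output context rather than rely on this step alone.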
Updates an entry. Triggers a Realtime event to other connected clients.
Deletes an entry.
Consumes shared AI quota. Returns a suggested title + reasoning.
Returns user chat history.
Starts a new session. Category determines the UI accent color.
Deletes the session and all associated messages.
Sends a message. Sanitized history is sent to Gemini. Response is encrypted at rest if TAKEAWAY_ENCRYPTION_KEY is set.
Returns a list of available CSS patterns and image presets. (Currently hardcoded in settingsStore.js and managed via LocalStorage for speed).
Persists the user's preferred theme and wallpaper ID to the database for cross-device synchronization. (Currently state is localized to the browser).