API Reference

Routes & Auth

Base URL#

Environment	URL
Local dev (Wrangler)	http://localhost:8788
Production	Set by NEXT_PUBLIC_API_URL env var

Authentication#

Every request to the API must include a Clerk session token in the Authorization header:

http

Authorization: Bearer <clerk-session-token>

A global Hono middleware verifies the JWT using jose and extracts auth context:

typescript

// Accessible in every route handler
const { userId, orgId, role, permissions } = c.get('auth');

All database queries are automatically scoped to orgId. A user from Org A cannot read or modify data belonging to Org B regardless of the URL they request.

Local dev bypass#

Set AUTH_DEV_BYPASS=true in the API .dev.vars file to bypass Clerk JWT verification. Use DEV_AUTH_ROLE and DEV_AUTH_TENANT_ID to simulate a specific user context.

Error response format#

json

{
  "error": {
    "code": "VALIDATION_ERROR",
    "message": "Request body failed validation",
    "details": {
      "fieldErrors": {
        "name": ["String must contain at least 1 character(s)"]
      }
    }
  }
}

HTTP status	When
400 Bad Request	Malformed request (e.g. invalid JSON).
401 Unauthorized	Missing or invalid Authorization header.
403 Forbidden	Valid token but insufficient permissions for this operation.
404 Not Found	Resource does not exist within the authenticated org.
422 Unprocessable Entity	Zod schema validation failed. Includes field-level errors.
500 Internal Server Error	Unexpected server error.

Zod validation#

Every route that accepts a request body uses @hono/zod-validator. A request body that fails schema validation returns a 422 with field-level error details before the route handler is ever called.

Route groups#

All routes are under /api/ prefix. Routes are grouped by module and mounted in apps/api/src/index.ts.

Geographic Setup#

Path	Methods	Notes
`/api/orgs`	`GET, PATCH`	Org config read and update.
`/api/regions`	`GET, POST, PATCH, DELETE`
`/api/districts`	`GET, POST, PATCH, DELETE`
`/api/communities`	`GET, POST, PATCH, DELETE`
`/api/nodes`	`GET, POST, PATCH`	Generic hierarchy node operations.
`/api/hierarchy`	`GET`	Full hierarchy tree read.
`/api/hierarchy-levels`	`GET, POST, PATCH`	Configurable label names per level.
`/api/buying-stations`	`GET, POST, PATCH, DELETE`
`/api/import`	`POST`	Bulk CSV import.

Farmer Registry#

Path	Methods	Notes
`/api/farmers`	`GET, POST, PATCH`	Includes search, pagination, status transitions.
`/api/farmers/:id`	`GET, PATCH`
`/api/farmers/:id/audit`	`GET`	Farmer audit trail.
`/api/farmers/bulk-import`	`POST`	CSV farmer bulk import.

Farm Mapping#

Path	Methods	Notes
`/api/farms`	`GET, POST, PATCH, DELETE`
`/api/plots`	`GET, POST, PATCH, DELETE`	Includes GeoJSON geometry and export.

Deforestation Risk#

Path	Methods	Notes
`/api/assessments`	`GET, POST`	Request and read assessments.
`/api/remediations`	`GET, POST, PATCH`
`/api/risk-overrides`	`GET, POST`	Apply and view overrides.
`/api/risk-summary`	`GET`	Aggregate risk stats by geography.
`/api/notifications`	`GET, PATCH`	Risk alert notifications.

Sustainability Programs#

Path	Methods	Notes
`/api/program-types`	`GET, POST, PATCH`
`/api/programs`	`GET, POST, PATCH, DELETE`
`/api/activities`	`GET, POST, PATCH, DELETE`
`/api/attendance`	`GET, POST`	Bulk attendance recording.
`/api/input-distributions`	`GET, POST`
`/api/coverage`	`GET`	Program coverage aggregates.
`/api/evidence`	`POST`	Generate presigned R2 upload URL.

Surveys#

Path	Methods	Notes
`/api/surveys`	`GET, POST, PATCH`
`/api/survey-versions`	`GET, POST, PATCH`	Draft, publish, archive.
`/api/survey-questions`	`GET, POST, PATCH, DELETE`
`/api/survey-assignments`	`GET, POST, PATCH`
`/api/survey-responses`	`GET, POST`	Submit and retrieve responses.
`/api/survey-analytics`	`GET`	Response aggregate stats.
`/api/survey-export`	`GET`	CSV export of responses.
`/api/survey-photos`	`POST`	Presigned R2 URL for photo upload.

EUDR Compliance#

Path	Methods	Notes
`/api/compliance`	`GET, POST`	Read records and trigger recompute.
`/api/audit-log`	`GET`	Read audit entries by org, farmer, event.

Dashboard#

Path	Methods	Notes
`/api/dashboard`	`GET`	Summary response scoped to org + optional geographic filters.

Source of truth

The authoritative route list is in apps/api/src/index.ts. This page reflects the intended route structure — always verify against the actual source if there is any discrepancy.