Skip to main content

Base URL

The Sabbels Handmade API is hosted at: 
https://your-api-domain.com
All API endpoints are prefixed with /api.

Authentication

Most endpoints require authentication using Supabase Auth. Include the user’s access token in the Authorization header: 
Authorization: Bearer YOUR_ACCESS_TOKEN
The API validates tokens by calling Supabase’s auth.getUser() method. Invalid or missing tokens will result in a 401 Unauthorized response.

Endpoints Requiring Authentication

  • POST /api/checkout - Requires valid user authentication

Public Endpoints

  • POST /api/contact - No authentication required
  • POST /api/stripe/webhook - Webhook endpoint (validates Stripe signature)
  • GET /api/health - Health check endpoint

CORS Configuration

The API uses CORS to control cross-origin access. By default, the following origins are allowed:
  • https://sabbelshandmade.netlify.app (production)
  • http://localhost:5173 (development)
  • http://localhost:3000 (development)
  • Additional origins from CLIENT_ORIGIN environment variable

CORS Behavior

In development mode (NODE_ENV !== 'production'), all origins are allowed. In production, only whitelisted origins can access the API.
Requests without an origin header (e.g., mobile apps, curl, Postman) are always allowed.

CORS Settings

cors({
  origin: function (origin, callback) {
    // Allow requests with no origin
    if (!origin) return callback(null, true)
    if (allowedOrigins.includes(origin)) {
      return callback(null, true)
    }
    // Development: allow all
    if (process.env.NODE_ENV !== 'production') {
      return callback(null, true)
    }
    callback(new Error('Not allowed by CORS'))
  },
  credentials: true
})

Error Handling

The API returns standard HTTP status codes:
Status CodeDescription
200Success
400Bad Request - Invalid parameters or validation errors
401Unauthorized - Missing or invalid authentication token
500Internal Server Error - Server-side error

Error Response Format

All errors return a JSON object with an error field: 
{
  "error": "Error description message"
}

Rate Limiting

Currently, the API does not implement rate limiting. It’s recommended to implement this in production environments.

Request Format

All POST requests should use application/json content type, except:
  • POST /api/stripe/webhook - Expects raw body (application/json)
  • POST /api/contact - Accepts multipart/form-data for file uploads

Response Format

All successful responses return JSON objects with relevant data fields.

Environment Variables

The API requires the following environment variables:
VariableDescriptionRequired
PORTServer port (default: 3000)No
CLIENT_ORIGINComma-separated allowed originsNo
STRIPE_SECRET_KEYStripe API secret keyYes
STRIPE_WEBHOOK_SECRETStripe webhook signing secretYes
SUPABASE_URLSupabase project URLYes
SUPABASE_SERVICE_ROLE_KEYSupabase service role keyYes
RESEND_API_KEYResend email API keyNo
NODE_ENVEnvironment (production/development)No

Health Check

Verify the API is running: 
curl https://your-api-domain.com/api/health
Response: 
{
  "ok": true
}