Syntha API

Read-only discovery for the MVP API contracts. Public-preview endpoints expose catalog and commerce intent state; write-capable endpoints stay guarded until live provisioning, legal review, and launch gates clear.

public-preview, guarded writes

Machine index

GET /api returns the grouped endpoint contract as JSON.

Catalog

GET /api/catalog

public, available

Return the active artist, release, track, moderation, ledger, SHADOW, and takedown catalog.

Uses Supabase when public read credentials are configured; otherwise returns the seed catalog.

GET /api/artists/:slug

public, available

Return one artist contract by slug.

Slug and UUID lookup are both supported by the repository.

GET /api/releases/:slug

public, available

Return one release contract by slug.

Release tracks are available through the full catalog until a dedicated child route is needed.

GET /api/tracks/:slug

public, available

Return one track contract with rights, AI disclosure, pricing, and gate fields.

The track contract is the canonical read model for listener/player surfaces.

Media And Commerce

GET /api/stream/:trackId

public, setup-required

Serve an approved stream object or report why the track is gated.

Requires the BUCKET binding and an enabled track before bytes are returned.

GET /api/download/:trackId

public, guarded

Serve an approved download object after a short-lived entitlement token is supplied.

Download access requires rights gates, download gates, BUCKET, and DOWNLOAD_TOKEN_SECRET.

GET /api/support/checkout

public, setup-required

Create or describe a Stripe support Checkout intent for a track.

Creates a real Stripe Checkout Session when Stripe secrets and price IDs are configured.

GET /api/download/checkout

public, setup-required

Create or describe a Stripe download Checkout intent for a track.

Download delivery still requires a later entitlement token before object access opens.

POST /api/credits/purchase

public, setup-required

Create a dynamic Stripe Checkout Session for credit purchases.

Credits remain manually allocated until listener accounts and abuse controls are live.

Trust, Analytics, And Readiness

POST /api/analytics/event

public, available

Accept a privacy-filtered allowlist of syntha_* analytics events.

Personal details and sensitive inferred properties are stripped before persistence.

POST /api/stripe/webhook

public, setup-required

Verify Stripe webhook signatures and compute ledger/support transaction rows.

Persistence requires STRIPE_WEBHOOK_SECRET plus Supabase service-role configuration.

GET /api/admin/readiness

admin, available

Return provider provisioning readiness groups and missing configuration.

Read-only contract; it does not reveal secret values.

Guarded Admin Writes

POST /api/admin/audio-upload/intent

admin, guarded

Validate upload metadata and mint a short-lived private object upload URL.

Requires ADMIN_TOKEN and DOWNLOAD_TOKEN_SECRET; object write also requires BUCKET.

POST /api/admin/moderation/:id/:action

admin, guarded

Persist moderation approval, info request, monetization hold, download restriction, or unpublish action.

Supabase service-role configuration persists flags, track gate patches, and audit logs.

POST /api/tracks/:id/rights

admin, guarded

Persist rights records and hold stream/download gates until review clears.

Used before public distribution or monetization opens.

POST /api/tracks/:id/ai-disclosure

admin, guarded

Persist AI disclosure records and hold stream/download gates until review clears.

Supports human, AI-assisted, synthetic, transformed, and hybrid origin disclosure.

POST /api/shadow/import-handoff

admin, guarded

Validate SHADOW handoff payloads and create draft catalog records when configured.

Drafts remain pending moderation with stream/download gates closed.

POST /api/admin/takedowns

admin, guarded

Accept DMCA/takedown notices and open review evidence.

Revocation actions live under /api/admin/takedowns/:id/:action.