How to read this reference

RLink implements route handlers under app/api/ in the Next.js App Router. The REST API reference groups endpoints by domain (CMS, CRM, IAM). Use that page as the primary narrative for routes. Confirm behavior in source: paths and payloads can change between releases, and the RLink repository is authoritative.

Authentication model

Most routes expect an authenticated session. The app uses Better Auth with cookie-based sessions for browser traffic. API clients must send the same cookies the browser would receive after sign-in, unless a route documents a different scheme (for example a webhook secret or cron bearer token).
Do not assume Bearer tokens for dashboard APIs unless a route explicitly documents them. Scripts and tools should use a documented flow or the same session rules as the web app.

Public vs protected routes

Some routes are intentionally public (for example health checks or documented webhooks). If you receive 401 Unauthorized or 403 Forbidden, verify session cookies, environment URLs, and CORS. See Authentication issues in troubleshooting.

Cross-origin and CORS

Browser calls from another origin require ALLOWED_ORIGIN (and related headers) to align with your deployment. Misaligned origins produce failed preflight or blocked cookies. See Deployment for environment alignment.
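
A way to diagnose the failed preflight or blocked cookies described above, as an added example that is not RLink code. It applies the standard browser rules for credentialed CORS requests to a captured preflight response; the function name, the crossSite flag and all sample values are assumptions made for illustration.

```javascript
// Added example (not RLink code): explain why a cookie-authenticated cross-origin call fails.
// crossSite is supplied by the caller: true when page and API are on different registrable domains.
function diagnoseCors({ origin, method, requestHeaders = [], preflight, setCookie, crossSite }) {
  const h = {};
  for (const [k, v] of Object.entries(preflight)) h[k.toLowerCase()] = String(v).trim();
  const problems = [];
  const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin === "*") {
    // Browsers reject the wildcard when the request carries cookies.
    problems.push("wildcard origin is not accepted for credentialed requests");
  } else if (allowOrigin !== origin) {
    // The comparison is exact: scheme, host and port must all match.
    problems.push(`origin mismatch: server allows ${allowOrigin}, page is ${origin}`);
  }
  if (h["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not 'true'");
  }

  // GET, HEAD and POST are always permitted; other methods must be listed by name.
  const m = method.toLowerCase();
  if (!["get", "head", "post"].includes(m) && !list(h["access-control-allow-methods"]).includes(m)) {
    problems.push(`method ${method} not in Access-Control-Allow-Methods`);
  }
  const allowedHeaders = list(h["access-control-allow-headers"]);
  for (const name of requestHeaders) {
    if (!allowedHeaders.includes(name.toLowerCase())) {
      problems.push(`request header ${name} not in Access-Control-Allow-Headers`);
    }
  }

  // A cross-site session cookie is only sent if it is SameSite=None and Secure.
  if (crossSite && setCookie) {
    const attrs = setCookie.split(";").slice(1).map((s) => s.trim().toLowerCase());
    if (!attrs.includes("samesite=none")) problems.push("session cookie lacks SameSite=None");
    if (!attrs.includes("secure")) problems.push("session cookie lacks Secure");
  }
  return problems;
}

// Constructed sample: the server allows a dev port that the deployed page does not use.
console.log(diagnoseCors({
  origin: "https://app.example.test", method: "PATCH", requestHeaders: ["Content-Type"],
  preflight: { "Access-Control-Allow-Origin": "https://app.example.test:3000" },
  setCookie: "sid=constructed; Path=/; HttpOnly", crossSite: true,
}));
```

An empty array means the response headers and cookie attributes are consistent with a credentialed request from that origin; each string otherwise names one setting to align in the deployment.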

OpenAPI and generated clients

The api-reference/openapi.json file in this documentation repo may be a placeholder for Mintlify tooling. It does not necessarily describe production RLink routes. Generate or maintain your own OpenAPI spec from the app if you need contract-tested clients.

Next steps

REST API reference

Browse endpoints by module

Authentication

Better Auth, sessions, and security practices