Public health
GET /healthz/deep returns service health for the Railway auth-server, including payment-mode and backing-service checks safe for public status display.
Account portal
POST /api/account/portal creates a Stripe Customer Portal session for an authenticated user. Return URLs must use https:// and the exact allowlisted app.konduit.gg host.
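An added example, not the auth-server's own code: one way to enforce the return-URL rule above (https only, exact app.konduit.gg host) with the standard WHATWG URL parser. The helper name, reason strings, 2048-character cap and evil.example sample inputs are assumptions made for illustration.

```javascript
// Added example (not the service's code): strict return-URL validation.
const ALLOWED_HOST = "app.konduit.gg"; // the allowlisted host named on this page

// Hypothetical helper: returns { ok, reason } and, on success, the normalized URL.
function validateReturnUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) {
    return { ok: false, reason: "missing or oversized" }; // 2048 is an assumed cap
  }
  // Reject whitespace, control characters and backslashes before parsing: the
  // WHATWG parser strips tabs/newlines and reads "\" as "/", which hides intent.
  if (/[\u0000-\u0020\u007f\\]/.test(raw)) {
    return { ok: false, reason: "forbidden character" };
  }
  let url;
  try {
    url = new URL(raw); // no base argument, so relative and "//host" forms throw
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme is not https" };
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo present" };
  }
  // url.host is lowercased and includes any non-default port, so an exact
  // comparison rejects sibling domains, suffix tricks, trailing dots and ports.
  if (url.host !== ALLOWED_HOST) return { ok: false, reason: "host not allowlisted" };
  return { ok: true, reason: "ok", url: url.href };
}

// Constructed sample inputs (evil.example is a reserved placeholder domain).
const SAMPLES = [
  "https://app.konduit.gg/billing",
  "https://APP.KONDUIT.GG:443/billing?tab=plan",
  "http://app.konduit.gg/billing",
  "https://app.konduit.gg.evil.example/",
  "https://app.konduit.gg@evil.example/",
  "https://app.konduit.gg./",
  "https://app.konduit.gg:8443/",
  "//app.konduit.gg/billing",
];

// Returns [input, reason] pairs so the outcome of each case can be inspected.
function checkSamples() {
  return SAMPLES.map((s) => [s, validateReturnUrl(s).reason]);
}

console.log(checkSamples());
```

Validate before the URL is handed to Stripe, and pass on the normalized `url` value rather than the raw request string.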
OTP start
POST /api/auth/start begins an email one-time-code flow. The request should contain the user's email and desired flow context.
OTP verify
POST /api/auth/verify verifies the one-time code and returns the account state needed by the app or web conversion flow.
Not public
Service-role Supabase APIs, Stripe secret-key calls, OAuth client secrets, and platform credential storage are not public API surfaces.