API Endpoints (Haven 2026)
Haven uses a high-performance Next.js API Routes layer that is heavily optimized with an Auth Proxy to avoid redundant database calls.
🛡️ Internal Auth Proxy
Every protected API route is proxied through middleware.ts, which injects specific headers for identity.
- `x-user-id`: The UUID of the verified user.
- `x-middleware-verified`: A signature that allows internal APIs to trust the `x-user-id` header without re-verifying with Supabase Auth.
📍 Key Endpoints
GET /api/verification/status
Returns the current age and email verification status.
- Access: Private (Authenticated).
- Logic: Returns live status from Supabase (bypasses `v_cache`).
GET /api/livekit/token
Generates a LiveKit JWT for accessing a specific room.
- Access: Private (Authenticated).
- Parameters: `roomName` (string).
- Security: Performs RLS-level room access checks before issuing the token.
POST /api/matching/join (Legacy Fallback)
Enters the user into the database-level matching queue.
- Note: The primary matchmaking now happens over WebSockets (`matchmaking-server/`). This endpoint is maintained for legacy transitions and recovery.
POST /api/reports/submit
Logs a user report for moderation.
- Access: Private (Authenticated).
- Body: `reportedUserId`, `reason`, `sessionId`.
GET /api/public/stats
Returns current global user count and active room stats.
- Access: Public.
- Note: This endpoint is not tracked by Global Rate Limiting (whitelist).
🚦 Rate Limiting (Upstash Redis)
All API routes (except Public Stats) follow a strict Global Rate Limit of 60 requests per minute per IP. Responses carry the following headers:

```http
X-RateLimit-Limit: 60
X-RateLimit-Remaining: (Remaining requests)
X-RateLimit-Reset: (In seconds)
```
> [!TIP]
> API Development: If you are building a new feature, always use `req.headers.get('x-user-id')` to get the current identity instead of calling `supabase.auth.getUser()`. This is ~40% faster.
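As an added example (not Haven's own `middleware.ts` or route code) covering both the Auth Proxy contract above and the tip's `x-user-id` lookup: a helper a protected route can call so that it acts on `x-user-id` only when `x-middleware-verified` validates, which is what makes skipping `supabase.auth.getUser()` safe. The signing scheme (hex HMAC-SHA256 over the user id), the secret value and the `headerBag` helper are assumptions, since the page does not say how the signature is computed.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Minimal header accessor so the example runs outside Next.js; a real
// Request.headers object satisfies the same get() shape.
export interface HeaderBag { get(name: string): string | null; }
export function headerBag(raw: Record<string, string>): HeaderBag {
  const lower: Record<string, string> = Object.fromEntries(
    Object.entries(raw).map(([k, v]) => [k.toLowerCase(), v]),
  );
  return { get: (name) => lower[name.toLowerCase()] ?? null };
}

// Hypothetical shared secret (constructed for this demo); in practice it
// comes from the middleware's environment, never from the request.
const MIDDLEWARE_SECRET = "demo-secret-not-for-production";

// Assumed scheme: x-middleware-verified = hex(HMAC-SHA256(secret, userId)).
export function signUserId(userId: string, secret = MIDDLEWARE_SECRET): string {
  return createHmac("sha256", secret).update(userId).digest("hex");
}

// Returns the user id only when x-middleware-verified is a valid signature
// over x-user-id. A request that sets x-user-id by itself (no secret, or a
// signature made for a different id) yields null, so the route never acts
// on a spoofed identity.
export function verifiedUserId(headers: HeaderBag, secret = MIDDLEWARE_SECRET): string | null {
  const userId = headers.get("x-user-id");
  const sig = headers.get("x-middleware-verified");
  if (!userId || !sig) return null;
  const expected = Buffer.from(signUserId(userId, secret), "hex");
  const given = Buffer.from(sig, "hex"); // non-hex input just yields a short buffer
  // Length check first: timingSafeEqual throws on mismatched lengths.
  if (given.length !== expected.length) return null;
  return timingSafeEqual(given, expected) ? userId : null;
}

// The shape of the check a protected route (e.g. /api/verification/status)
// would run before its own logic.
export function handleStatus(headers: HeaderBag): { status: number; body: string } {
  const userId = verifiedUserId(headers);
  if (!userId) return { status: 401, body: "missing or invalid proxy identity" };
  return { status: 200, body: `verification status for ${userId}` };
}
```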
Created by the Antigravity API Team.