API Overview

Base URL

https://api.sassmaker.com

All endpoints are prefixed with /v1/.

Authentication

Two methods are supported. See Authentication for details.

Method	Header	Use case
API Key	X-Project-Key: pk_...	SDK, widgets, public endpoints
Session Token	Authorization: Bearer <token>	Dashboard, CLI, admin operations

Request format

All request bodies must be JSON with Content-Type: application/json.

Response format

All responses return JSON. Successful responses return the resource or a list:

{ "data": [...], "total": 42, "page": 1, "limit": 20 }

Or for single-resource operations:

{ "ok": true }

Error format

Errors return a JSON object with an error field and an appropriate HTTP status code:

{ "error": "Title is required" }

Common status codes:

Code	Meaning
400	Bad request (missing or invalid fields)
403	Forbidden (not the project owner)
404	Resource not found
409	Conflict (duplicate entry)
413	Payload too large

CORS

The API allows cross-origin requests from a fleet allowlist (sassmaker.com, app.sassmaker.com, *.pages.dev, *.workers.dev, localhost). Other origins fall back to https://app.sassmaker.com.

Health check

GET /health

Returns { "status": "ok" } if the API is running. No authentication required.

Rate limits

• API-key routes: per-project sliding-window limit (rate_limit_rpm, default 60/min) enforced in-memory per Worker isolate.
• Public unauthenticated routes (testimonials submit, roadmap submit/vote): D1-backed sliding-window limit per IP via @saas-maker/shield.

Exceeding either limit returns HTTP 429.

Endpoints by service

Service	Prefix	Docs
Projects	/v1/projects	Projects
Feedback	/v1/feedback	Feedback
Roadmap	/v1/roadmap	Roadmap
Waitlist	/v1/waitlist	Waitlist
Testimonials	/v1/testimonials	Testimonials
Changelog	/v1/changelog	Changelog
Analytics	/v1/analytics	Analytics
Standards	/v1/standards	Fleet standards (CLI-driven)
Tasks	/v1/tasks	Cockpit tasks
Jobs	/v1/jobs	Cockpit jobs
Secrets	/v1/secrets	Project secrets
Auth	/v1/auth / /v1/cli	Sessions and CLI auth