Platform
Hosted API
The Next.js control plane that owns experiment lifecycle, auth, manifests, audit events, aggregate queries, and org API keys.
apps/api is the hosted control plane. It is currently designed for Vercel/Node deployment.
Public API groups
- /api/auth/* — Better Auth.
- /api/v1/tenants/me — current organization/member context.
- /api/v1/organizations/generate-slug — authenticated org slug generation for onboarding.
- /api/v1/organizations/resolve — authenticated org slug resolution for Studio URL-scoped routes.
- /api/v1/orgs/{orgId}/experiments/* — experiments and actions.
- /api/v1/orgs/{orgId}/manifests/* — keys and publishing.
- /api/v1/orgs/{orgId}/audit — audit events.
- /api/v1/orgs/{orgId}/api-keys — org API key list/create.
- /api/v1/orgs/{orgId}/api-keys/{keyId} — org API key revoke.
- /.well-known/jwks/{orgId} — manifest verification keys.
Internal API groups
- /internal/audit-export/* — Cloudflare audit export worker.
- /internal/audit-forward/* — Harness audit-forward consumer.
- /internal/retention/prune — retention worker.
Authentication
Handlers are generated around endpoint definitions from packages/api-protocol. Each route gets auth resolution, org role checks, zod validation, and consistent JSON errors.
Supported auth modes:
- Browser sessions from Better Auth cookies for Studio.
- Org API keys using Authorization: Bearer fx_key_... for CLI and automation.
API keys are created in Studio under /app/{orgSlug}/settings. The key is shown once, stored hashed in Postgres, and can be revoked from Studio. Successful API key usage updates lastUsedAt.
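The key lifecycle described above (shown once, stored hashed, revocable, lastUsedAt updated on success), together with the org check on /api/v1/orgs/{orgId}/* routes, as an added example that is not code from apps/api. The SHA-256 digest, the in-memory Map standing in for Postgres, the role field on keys, the error codes, and every function name are assumptions.

```javascript
// Added example, not the project's code. Hash choice, store, role field,
// error codes and all names here are assumptions for illustration.
const { createHash, randomBytes } = require("node:crypto");

const KEY_PREFIX = "fx_key_";   // prefix taken from the page
const keysByHash = new Map();   // stands in for the Postgres table

// A fast hash is adequate here because the key is 256 bits of randomness,
// not a human-chosen password.
const hashKey = (key) => createHash("sha256").update(key).digest("hex");

// Create: hand the plaintext back once, persist only its digest.
function createApiKey(orgId, role) {
  const plaintext = KEY_PREFIX + randomBytes(32).toString("base64url");
  const record = { id: randomBytes(8).toString("hex"), orgId, role,
                   revokedAt: null, lastUsedAt: null };
  keysByHash.set(hashKey(plaintext), record);
  return { keyId: record.id, plaintext };
}

// Revoke: keep the row so audit history still resolves the key id.
function revokeApiKey(keyId) {
  for (const rec of keysByHash.values()) {
    if (rec.id === keyId) rec.revokedAt = new Date();
  }
}

// One error shape for every failure (hypothetical codes).
const jsonError = (status, code) => ({ status, body: { error: { code } } });

// Resolve a Bearer key for a route scoped to routeOrgId.
function authorize(authorizationHeader, routeOrgId, allowedRoles) {
  const m = /^Bearer (fx_key_[A-Za-z0-9_-]+)$/.exec(authorizationHeader || "");
  if (!m) return jsonError(401, "unauthenticated");
  const rec = keysByHash.get(hashKey(m[1]));
  // Unknown and revoked keys get the same answer, so callers cannot tell them apart.
  if (!rec || rec.revokedAt) return jsonError(401, "unauthenticated");
  // The org comes from the key record, never from the URL alone.
  if (rec.orgId !== routeOrgId) return jsonError(403, "forbidden");
  if (!allowedRoles.includes(rec.role)) return jsonError(403, "forbidden");
  rec.lastUsedAt = new Date();  // only successful use is recorded
  return { status: 200, orgId: rec.orgId, role: rec.role };
}
```

Because only the digest is stored, a dump of the key table does not yield usable Bearer tokens, and a key that is lost after creation has to be replaced rather than recovered.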