Every endpoint the app exposes. public endpoints need no auth (Supabase RLS enforces read-only access). auth endpoints require a Supabase session cookie (signed in via /signin). cron endpoints require the CRON_SECRET bearer token — used by Vercel Cron.
/api/versionBuild + deploy metadata. Surfaces commit info from Vercel env vars, null locally. Useful for Sentry release tags, diffing staging vs prod, spotting stale caches.
{ name, version, commitSha, commitRef, commitMessage, deploymentId, environment, generatedAt }/api/countsAggregate counters for public dashboards: DB row counts + share totals in one round trip. 60s CDN cache + SWR so growth shows up within a minute without hammering the DB.
{ generatedAt, db, shares: { pick, parlay, total } }/api/statusCheap health check for uptime monitors. Default returns { ok, generatedAt, demoMode, integrations } with no DB or external calls. HEAD supported for even lighter pings. Pass ?include=shares,db (comma-separated) to append optional sections.
includequery— Comma-separated extensions. Supported: 'shares' (share-counter totals), 'db' (analyses/matches/outcomes/ratings row counts).{ ok: true, generatedAt, demoMode, integrations, shares?, db? }/api/briefCurated daily brief — top +EV edges, upcoming 24h, recent graded, streaks.
sportquery— football | nba | tennis — optional filterDailyBrief JSON/api/feed.xmlRSS 2.0 feed of current +EV edges ≥ 4%. Subscribable in any reader.
sportquery— Optional sport filterapplication/rss+xml/api/analyses/[sport]/[matchId]Full cached analysis for a single match — probabilities, edges, props, news, line history, retrospective.
sportpath— football | nba | tennismatchIdpath— The sport's external match identifier{ analysis, fresh, lineHistory, retrospective }/api/matches/[sport]Upcoming matches for a sport — sourced from the sport's free data provider.
sportpath— football | nba | tennisleaguequery— Optional league filterlimitquery— Optional result cap (default 40){ matches: MatchMeta[] }/api/searchCross-sport search over teams + leagues. Ranks exact-match first, then startsWith, then alphabetical.
qquery— 2–80 char substring (required)limitquery— 1–30, default 12{ hits: [{ kind, sportId, externalId, name, countryCode }] }/api/teams/searchSearch competitors by name within a sport.
sportquery— football | nba | tennisqquery— Case-insensitive substring (required)limitquery— 1–20, default 8{ teams: [{ externalId, name, countryCode }] }/api/analyzeGenerate or serve a cached analysis for a match. Rate-limited per match + per IP.
sportIdbody— football | nba | tennismatchIdbody— external match idforcebody— bool — regenerate (respects rate limit){ cached: boolean, analysis, demoMode }/api/picks/gradeGrade a batch of saved picks against recorded outcomes. Runs every market through gradeProp().
{ picks: [{ id, result, pnl }] }/api/picks/shareGenerate a signed shareable link for a single pick. Uses PICK_SHARE_SECRET; 503 when unconfigured. Rate-limited 10/IP/10min.
sportIdbody— football | nba | tennisexternalMatchIdbody— Adapter-level match idmatchLabelbody— Human-readable matchupstartsAtbody— ISO kickoff timestampmarketLabelbody— Market + selection labeldecimalOddsbody— Odds takenmodelProbbody— 0..1 model probabilityedgePctbody— Edge at save time{ token, shareUrl }/api/picks/shared/[token]Decode a signed pick token into its SharedPickPayload JSON. 400 { reason } on tamper/format errors.
tokenpath— v1.<body>.<sig> format{ payload: SharedPickPayload }/api/parlays/shareGenerate a signed shareable link for a 2–6 leg parlay. Computes joint prob + combined odds + edge and freezes them into the token. Same rate limiter as pick share.
legsbody— Array of leg objects (sportId, externalMatchId, matchLabel, marketLabel, decimalOdds, modelProb){ token, shareUrl }/api/parlays/shared/[token]Decode a signed parlay token into its SharedParlayPayload JSON. 400 { reason } on tamper/format errors.
tokenpath— pv1.<body>.<sig> format{ payload: SharedParlayPayload }/api/user/picksReturn all cloud-stored picks for the signed-in user. Anonymous callers get 401.
{ picks: StoredPick[] }/api/user/picksUpsert a batch of picks (≤5000) for the signed-in user.
picksbody— Array of StoredPick{ upserted: number }/api/user/picksDelete picks by id for the signed-in user.
idsbody— Array of pick ids (≤1000){ deleted: number }/api/user/picks/exportDownload all cloud-stored picks for the signed-in user as CSV (Content-Disposition: attachment). Same schema as the in-app CSV export.
text/csv/api/user/watchlistCloud-synced watchlist for the signed-in user.
{ refs: WatchRef[] }/api/user/watchlistUpsert watchlist refs (≤500) for the signed-in user.
{ upserted: number }/api/user/watchlistDelete watchlist refs by key for the signed-in user.
{ deleted: number }/api/user/watchlist/exportDownload the signed-in user's cloud-stored watchlist as a JSON backup envelope (version 1). Triggers a file download.
{ version: 1, exportedAt, refs: WatchRef[] }/api/user/prefsRead the signed-in user's notification + staking prefs.
{ prefs: NotificationPrefs | null, updatedAt }/api/user/prefsReplace the signed-in user's prefs.
{ ok: true }/api/user/profileRead the signed-in user's profile (display name, digest opt-in, last digest sent).
{ profile: UserProfile }/api/user/profilePatch profile fields. Currently supports email_digest_opt_in + display_name.
{ ok: true }/api/user/exportDownload the signed-in user's full state (picks + watchlist + prefs + profile) as one JSON envelope. Single-call 'give me everything' export.
{ version: 1, exportedAt, user, picks, watchlist, prefs, profile }/api/user/accountSelf-serve account deletion. Cascades to every user_* row via FK. Irreversible — client should redirect to / and wipe localStorage after.
{ ok: true }/api/cron/ingest-outcomesTrigger outcome ingestion + facts write-back. Protected by CRON_SECRET.
{ ok: true, reports: [{ sport, scanned, graded, skipped, errors }] }/api/cron/digest-weeklySend the weekly email digest to opted-in users via Resend. Guarded by CRON_SECRET and gated on RESEND_API_KEY + EMAIL_FROM.
{ sent, failed, total, weekLabel, results[] }