
Core REST API

These routes are the internal application API. They are distinct from the MPP endpoints. Most of them expect an Authorization: Bearer <privy-jwt> header and resolve the caller through Supabase.

Route inventory

| Method | Route | Auth | Purpose |
| --- | --- | --- | --- |
| POST | /api/employers | Bearer token | Create an employer record for the signed-in admin |
| GET | /api/employers/[id]/team | Bearer token, employer owner | List active employees |
| POST | /api/employers/[id]/team | Bearer token, employer owner | Create an employee under an employer |
| PATCH | /api/employers/[id]/team/[employeeId] | Bearer token, employer owner | Update salary, pause payroll, remove employee, or record manual review |
| POST | /api/employers/[id]/payroll | Bearer token, employer owner | Build payroll calldata after treasury and TIP-403 checks |
| GET | /api/employers/[id]/payroll/runs | Bearer token, employer owner | Paginated payroll runs |
| POST | /api/employers/[id]/payroll/[runId]/submit | Bearer token, employer owner | Persist tx hash after Tempo submission |
| GET | /api/employers/[id]/treasury | Bearer token, employer owner | Return available and locked treasury balances |
| GET | /api/employers/[id]/compliance | Bearer token, employer owner | Employer compliance summary, employees, and audit log |
| GET | /api/employers/[id]/mpp-sessions | Bearer token, employer owner | Recent MPP session history |
| GET | /api/employers/[id]/mpp-receipts | Bearer token, employer owner | Aggregated MPP receipt and activity feed |
| POST | /api/employers/[id]/agent-key | Bearer token, employer owner | Generate or rotate the one-time agent key |
| POST | /api/employees | Bearer token, employer owner | Create employee record and send invite email |
| POST | /api/employees/bulk | Bearer token, employer owner | Bulk-import employees from mapped CSV rows |
| PATCH | /api/employees/[id] | Bearer token, employee | Update editable employee profile fields |
| POST | /api/employees/[id]/kyc | Bearer token, employer owner | Create or refresh a Bridge KYC link |
| GET | /api/employees/[id]/balance | Bearer token, employee | Read live employee wallet balance |
| GET/POST | /api/employees/[id]/card | Bearer token, employee or employer owner | Read card status or issue a Bridge card |
| POST | /api/employees/[id]/offramp | Bearer token, employee | Initiate a direct employee bank off-ramp |
| GET | /api/transactions | Bearer token, employer owner | Paginated payroll transaction history |
| GET | /api/yield | Bearer token, employer owner | Employer yield summary |
| GET | /api/admin?scope=... | Bearer token, platform admin | Internal operational data entrypoint |
| POST | /api/ai/parse-csv | Bearer token, employer owner | AI-assisted CSV column mapping |
| POST | /api/ai/anomaly-detect | Bearer token, employer owner | Payroll anomaly analysis |
| POST | /api/ai/compliance-explain | Bearer token, employer owner | Human-readable compliance explanation |
| POST | /api/demo/run-agent | Public | SSE demo agent stream |

Important route behavior

POST /api/employers

Creates the first employer record for a Privy-authenticated user. If the user already owns an employer record, the route returns the existing id instead of creating a duplicate.

POST /api/employers/[id]/payroll

This is the main payroll preparation route for the frontend. It:
  1. Parses the payroll items
  2. Converts amounts into 6-decimal token units
  3. Confirms the employer has enough available treasury balance
  4. Runs TIP-403 checks on every recipient when the employer has a policy id
  5. Builds memo bytes
  6. Writes a draft run and payment items into Supabase
  7. Returns unsigned calldata for executeBatchPayroll
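
Steps 1 to 3 above, as an added example that is not code from this repository: amounts are converted to 6-decimal token units with exact integer arithmetic, and the total is compared with the available treasury balance. The function names, the item shape ({ employeeId, amount } with amount as a decimal string), the 15-digit cap, and the rejection of zero amounts are assumptions.

```javascript
// Added example: names, item shape and limits are assumptions, not project code.
const TOKEN_DECIMALS = 6; // from the page: amounts become 6-decimal token units
const SCALE = 10n ** BigInt(TOKEN_DECIMALS);
// Plain decimal only: no sign, no exponent, at most 6 fractional digits.
// The 15-digit cap on the whole part is an assumed sanity limit.
const AMOUNT_RE = /^(\d{1,15})(?:\.(\d{1,6}))?$/;

// Convert a decimal string such as "1250.50" to integer token units.
// Numbers are refused so a float never reaches the money path.
function toTokenUnits(amount) {
  if (typeof amount !== "string") {
    throw new TypeError("amount must be a decimal string");
  }
  const m = AMOUNT_RE.exec(amount);
  if (!m) throw new RangeError("invalid amount: " + JSON.stringify(amount));
  const units = BigInt(m[1]) * SCALE + BigInt((m[2] || "").padEnd(TOKEN_DECIMALS, "0"));
  if (units === 0n) throw new RangeError("amount must be greater than zero"); // assumed rule
  return units;
}

// Steps 1-3: parse the items, convert each amount, then compare the total
// with the available (not locked) treasury balance, also in token units.
function preparePayrollItems(items, availableUnits) {
  if (!Array.isArray(items) || items.length === 0) {
    throw new RangeError("payroll needs at least one item");
  }
  let totalUnits = 0n;
  const converted = items.map((item) => {
    if (typeof item.employeeId !== "string" || item.employeeId === "") {
      throw new TypeError("employeeId must be a non-empty string");
    }
    const units = toTokenUnits(item.amount);
    totalUnits += units;
    return { employeeId: item.employeeId, units };
  });
  if (totalUnits > availableUnits) {
    throw new RangeError("insufficient available treasury balance");
  }
  return { items: converted, totalUnits };
}

// Constructed sample input (not real data).
const SAMPLE_ITEMS = [
  { employeeId: "emp_1", amount: "1250.50" },
  { employeeId: "emp_2", amount: "2750.25" },
];
const SAMPLE_RESULT = preparePayrollItems(SAMPLE_ITEMS, 5000000000n);
```

Rejecting inputs with more than 6 fractional digits, instead of rounding them, keeps the stored draft run and the built calldata in agreement with what the admin entered.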

POST /api/employees

Creates the employee record and sends an invite email through Resend when RESEND_API_KEY is set. If the employee already exists for the employer and email, the route returns the existing id.

POST /api/employees/[id]/kyc

Creates a Bridge customer when needed, persists bridge_customer_id, then returns a fresh KYC link.

Query parameters

GET /api/transactions

| Parameter | Type | Notes |
| --- | --- | --- |
| page | integer | 1-indexed, defaults to 1 |
| limit | integer | Max 100, default 25 |
| employeeId | string | Filter by employee id |
| status | string | Filter by payment status |
| from | ISO timestamp | Lower bound for created_at |
| to | ISO timestamp | Upper bound for created_at |

Admin and AI behavior

  • /api/admin is internal-only and used by the admin route tree under /admin.
  • The /api/ai/* routes are server-only and require CLAUDE_API_KEY.
  • The browser app uses first-party employee routes for card and off-ramp actions; the MPP Bridge route is reserved for machine-paid callers.

Master alignment

The internal REST routes listed above now exist in the repository and cover the current employer, employee, admin, and AI surfaces defined by the reconciled master.