OpenAPI-style summary of all public endpoints. Full live OpenAPI document is planned.
https://nipcode.xyz
All /api/* endpoints accept an API key via the x-nipcode-api-key header. Auth endpoints (/api/auth*) do not require an API key.
Search across source registries.
Query parameters:
| name | type | required | default | notes |
|---|---|---|---|---|
| q | string | yes | , | free-text query |
| sources | string | no | npm,pypi,crates,github | comma-separated |
| limit | int | no | 5 | 1-20 |
Returns: 200 with candidate list. See search-inspect-install-plan.md for shape.
Search + LLM-ranked recommendation.
Query parameters: same as search.
Returns: 200 with best candidate, full candidate list, and note reminder. See search-inspect-install-plan.md.
Send email OTP code.
Body: { "email": "..." }
Returns:
- 200 { ok: true, step: "verify", email } when OTP sent
- 400 if email invalid
- 429 if rate limit exceeded (Supabase 4/hour on built-in SMTP)
Verify the OTP code and create a session.
Body: { "email": "...", "code": "123456" }
Returns:
- 200 { ok: true, email, apiKey, userId, via } + sets nipcode_session cookie
- 401 on invalid or expired code
- 503 if Supabase not configured
Clears the session cookie. Returns 303 redirect to /.
{ "error": "machine-readable code" }
Common codes: invalid_email, email rate limit exceeded, invalid_code, upstream search failed, supabase_not_configured.
All /api/* endpoints set:
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, x-nipcode-api-key
Public read API is intentionally CORS-open. Auth endpoints rely on session cookies, which are SameSite=Lax and not exposed to cross-origin XHR.
/api/search and /api/decision responses are cached at the Vercel edge for max-age=60, s-maxage=300. Auth endpoints send Cache-Control: no-store.
Beta: 60 requests / minute per API key. The auth send-OTP endpoint is additionally bound by Supabase's built-in SMTP limit (currently 4 emails / hour / project).
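The CORS, cookie and caching behaviour documented above can be checked mechanically. The following is an added example, not code from the nipcode project: it audits one response's headers against the documented values. The function names, the path `/api/auth/verify` and the sample cookie value are assumptions made for illustration, and the check on `Access-Control-Allow-Credentials` is added because a wildcard origin only keeps cookies out of cross-origin XHR while credentials stay disabled.

```python
# Added example: audit response headers against the policy this page documents.
# "/api/auth/verify" below is a hypothetical path; the page only states /api/auth*.
CORS_EXPECTED = {
    "access-control-allow-origin": "*",
    "access-control-allow-methods": "GET, POST, OPTIONS",
    "access-control-allow-headers": "Content-Type, x-nipcode-api-key",
}

def _directives(value):
    """Split a Cache-Control or Set-Cookie value into lowercase tokens."""
    return {d.strip().lower() for d in value.replace(";", ",").split(",") if d.strip()}

def audit(path, headers, cookies=()):
    """Return a list of findings for one /api/* response.

    headers: dict of response headers; cookies: list of raw Set-Cookie values.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, want in CORS_EXPECTED.items():
        if h.get(name) != want:
            findings.append(f"{name}: expected {want!r}, got {h.get(name)!r}")
    # A wildcard origin is only safe for cookie auth while credentials are off.
    if h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("access-control-allow-credentials must not be true")
    cache = _directives(h.get("cache-control", ""))
    if path.startswith("/api/auth"):
        if "no-store" not in cache:
            findings.append("auth response missing Cache-Control: no-store")
        for raw in cookies:
            if raw.startswith("nipcode_session=") and "samesite=lax" not in _directives(raw):
                findings.append("nipcode_session cookie is not SameSite=Lax")
    elif path in ("/api/search", "/api/decision"):
        if not {"max-age=60", "s-maxage=300"} <= cache:
            findings.append("cache policy differs from max-age=60, s-maxage=300")
    return findings

if __name__ == "__main__":
    # Constructed sample response, not captured from the live service.
    sample = {**CORS_EXPECTED, "Cache-Control": "no-store"}
    print(audit("/api/auth/verify", sample, ["nipcode_session=abc; Path=/; SameSite=Lax"]))
```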