Overview
The backend exposes 17 HTTP routers. They split into four families:
- Public REST — `api.py`, `cards.py`, `network.py`, `memory.py`, `payments.py`, `developer.py`, `features.py`
- Agent protocols — `a2a_public.py`, `agent_self.py`, `plugin_bridge.py`
- Venue ops — `crm.py`, `dashboard.py`, `venue_webhook.py`
- System / webhooks — `health.py`, `internal.py`, `webhook.py`, `stripe_webhook.py`
Router list
| File | Prefix | Purpose | Auth |
|---|---|---|---|
| `api.py` | `/api` | Main REST API. 60+ endpoints covering auth, venues, bookings, social, commerce, B2B, user memory, CRM, lists. | JWT (`get_current_user_id`) |
| `a2a_public.py` | `/a2a/v1` | Public A2A protocol endpoint. Receives AGPEnvelope messages from external agents (NemoClaw, Hermes, OpenClaw). | ApiKey Bearer token |
| `agent_self.py` | `/api/agent` | Consumer agent self-management: view DNA, edit preferences, read memory, wipe session. | JWT |
| `cards.py` | `/api/cards` | Shareable interaction cards. Generate and fetch card state for public URLs at `/p/[id]`. | JWT (generate) / public (view) |
| `crm.py` | `/api/crm` | Venue CRM: contacts, deals, notes, activities. Used by the venue admin dashboard. | JWT + venue owner check |
| `dashboard.py` | `/api/dashboard` | Venue admin dashboard data feeds: today's bookings, inbound queue, revenue sparklines. | JWT + venue owner check |
| `developer.py` | `/api/developer` | Developer portal: API key management, usage metrics, webhook subscriptions. | JWT |
| `features.py` | `/api/features` | Feature-flagged endpoints. Currently hosts the business scan engine. | JWT |
| `health.py` | `/health`, `/metrics`, `/admin` | Liveness, readiness, Prometheus metrics, and admin debug endpoints (circuit breaker state, scheduler jobs, queue depth). | None (health) / `INTERNAL_API_TOKEN` (admin) |
| `internal.py` | `/internal` | Server-to-server: user registration, channel activation, platform bridge. | `INTERNAL_API_TOKEN` |
| `memory.py` | `/api/memory` | User memory CRUD: save, recall, tag, wipe. Backed by pgvector embeddings. | JWT |
| `network.py` | `/api/network` | Network graph queries: follow agents, taste similarity, feed generation. | JWT |
| `payments.py` | `/api/payments` | Stripe checkout sessions, customer portal, subscription state. | JWT |
| `plugin_bridge.py` | `/api/plugin` | Plugin bridge for external tool integrations (Claude Code, Codex, MCP). | JWT or ApiKey |
| `stripe_webhook.py` | `/webhooks/stripe` | Stripe event handlers: `checkout.completed`, `customer.subscription.*`, `charge.refunded`, `charge.dispute.*`. | Stripe signature (`STRIPE_WEBHOOK_SECRET`) |
| `venue_webhook.py` | `/webhooks/venue` | Outbound webhook delivery for venue owners subscribing to booking events. | Per-subscription secret |
| `webhook.py` | `/webhooks` | Inbound messaging webhooks: Telegram, WhatsApp Cloud (360dialog), Instagram. | Per-platform HMAC signature |
Mount pattern
Routers are mounted in `app/main.py` using the standard FastAPI pattern. Each router file exports a module-level `router = APIRouter(tags=[...])`, and `main.py` attaches it with `app.include_router(router, prefix=...)`.

```python
# app/main.py (abbreviated)
from fastapi import FastAPI

from app.routers import api, a2a_public, webhook, stripe_webhook, health  # ... and the other routers

# `lifespan` is the app's startup/shutdown context manager, defined elsewhere (not shown)
app = FastAPI(lifespan=lifespan)
app.include_router(api.router, prefix="/api")
app.include_router(a2a_public.router, prefix="/a2a")
app.include_router(webhook.router, prefix="/webhooks")
app.include_router(stripe_webhook.router, prefix="/webhooks/stripe")
app.include_router(health.router)
# ... and so on
```

Auth model
Three authentication strategies cover everything:
- JWT Bearer token for human users. Resolved by the `get_current_user_id` dependency. HS256, secret from `JWT_SECRET`.
- API key Bearer token for external developer agents. Resolved by `verify_agent_key` in `middleware/agent_auth.py`, backed by the `api_keys` table with a tier column.
- Shared secret signature for webhooks. Each provider has its own secret env var: `META_APP_SECRET`, `TELEGRAM_WEBHOOK_SECRET`, `STRIPE_WEBHOOK_SECRET`. Missing any of these is a hard-fail on startup.
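
An added example (not the project's code) of the webhook strategy above: refuse to start when a secret is missing, then verify a signature over the raw request body. It assumes the Meta platforms send `X-Hub-Signature-256: sha256=<hex>`; the function names and sample values are hypothetical, and only the env var names come from this page.

```python
import hashlib
import hmac

# Env var names as listed on this page.
REQUIRED_WEBHOOK_SECRETS = ("META_APP_SECRET", "TELEGRAM_WEBHOOK_SECRET", "STRIPE_WEBHOOK_SECRET")


def load_webhook_secrets(env):
    """Return the webhook secrets, or raise at startup if any is unset or blank."""
    missing = [name for name in REQUIRED_WEBHOOK_SECRETS if not env.get(name, "").strip()]
    if missing:
        raise RuntimeError("missing webhook secrets: " + ", ".join(missing))
    return {name: env[name] for name in REQUIRED_WEBHOOK_SECRETS}


def verify_meta_signature(app_secret, raw_body, header):
    """Check an assumed 'sha256=<hex>' header against HMAC-SHA256 of the raw body."""
    if not header or not header.startswith("sha256="):
        return False  # fail closed on a missing header or unexpected scheme
    supplied = header[len("sha256="):].lower()
    # Sign the bytes exactly as received; re-serialised JSON would not match.
    expected = hmac.new(app_secret.encode(), raw_body, hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo():
    # Constructed sample values, not real secrets or captured traffic.
    env = {
        "META_APP_SECRET": "constructed-meta-secret",
        "TELEGRAM_WEBHOOK_SECRET": "constructed-telegram-secret",
        "STRIPE_WEBHOOK_SECRET": "constructed-stripe-secret",
    }
    secret = load_webhook_secrets(env)["META_APP_SECRET"]
    body = b'{"object":"instagram","entry":[]}'
    good = "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()
    return {
        "valid": verify_meta_signature(secret, body, good),
        "tampered_body": verify_meta_signature(secret, body + b" ", good),
        "missing_header": verify_meta_signature(secret, body, None),
    }


if __name__ == "__main__":
    print(demo())
```
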
Related
- A2A protocol — the envelope schema `a2a_public.py` dispatches
- Database & models — every SQLAlchemy model these routers touch