The Skillara AI REST API does not use API keys or bearer tokens in the current implementation. Access control is enforced entirely through a CORS origin allowlist configured in backend/src/index.ts. Any HTTP client that sends a valid Origin header matching the allowlist — or that sends no Origin header at all — can reach the API.

CORS allowlist

The following origins are permitted out of the box:

| Origin | Environment |
| --- | --- |
| http://localhost:5173 | Local Vite dev server |
| http://localhost:3000 | Alternative local frontend port |
| https://cv-builder-livid-two.vercel.app | Production Vercel deployment |
| https://cv-builder-skillara.vercel.app | Production Vercel deployment (Skillara brand) |
| Value of FRONTEND_URL env var | Self-hosted or staging environments |

The FRONTEND_URL entry is filtered out if the variable is not set, so no empty-string origin is ever added to the list.

Configuring origins for self-hosted deployments

Set the FRONTEND_URL variable in your backend .env file to your frontend’s exact origin (scheme + host + optional port). Restart the backend after changing .env.

    # backend/.env
    FRONTEND_URL=https://your-custom-domain.example.com

Requests from origins not on the allowlist receive a CORS error and the response is blocked by the browser. Server-to-server calls (no Origin header) are unaffected.

Calling the API without a browser

Direct API calls from tools such as Postman, curl, or any server-side HTTP client are permitted because those clients do not send an Origin header, and the CORS middleware explicitly allows requests without an origin:

    if (!origin) return callback(null, true);

This means curl commands shown in this reference work without any additional headers:

    curl -X POST http://localhost:3001/api/cv/generate \
      -H 'Content-Type: application/json' \
      -d '{"formData": {...}, "style": "moderno", "mode": "designed"}'

No token-based authentication

There are no bearer tokens, API keys, or session cookies required in the current build. The Skillara AI backend does not validate an Authorization header for any endpoint. The Authorization header is listed in allowedHeaders to avoid CORS preflight failures from clients that may include it, but it is not read or verified by any middleware. CV data persistence uses Firebase on the client side. The backend does not issue or validate JWTs.

The Prisma schema included in the repository defines a User model with googleId and password fields, which suggests that token-based authentication is planned for a future release. Today, no such check is enforced at the API layer.

In production, never expose the backend URL publicly without additional rate limiting or authentication. Every request to /api/cv/generate, /api/cv/edit, and /api/cv/suggest triggers an AI model call through OpenRouter, which consumes credits. An unauthenticated public backend can be exhausted by a single malicious actor with a script.
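
The gap between the origin check and real access control, as an added example that is not Skillara's own code: a framework-free TypeScript model of the documented origin rule combined with a per-IP fixed-window limit on the three AI endpoints. The limit (5 calls per 60 seconds), the names `buildAllowlist`, `makeGate` and `simulateScript`, and the sample IP address are assumptions.

```typescript
// Added example, not from the Skillara repository: framework-free model of the
// request gate. Origins and paths come from the page; the limit is an assumption.
type Req = { origin?: string; ip: string; path: string };
type Verdict = "allow" | "cors-blocked" | "rate-limited";

const AI_PATHS = new Set(["/api/cv/generate", "/api/cv/edit", "/api/cv/suggest"]);

// Mirrors the documented allowlist: an unset FRONTEND_URL is filtered out.
function buildAllowlist(frontendUrl?: string): string[] {
  return [
    "http://localhost:5173",
    "http://localhost:3000",
    "https://cv-builder-livid-two.vercel.app",
    "https://cv-builder-skillara.vercel.app",
    frontendUrl,
  ].filter((o): o is string => typeof o === "string" && o.length > 0);
}

// Fixed-window counter per client IP; entries are never evicted in this sketch.
function makeGate(allowlist: string[], max: number, windowMs: number) {
  const hits = new Map<string, { start: number; count: number }>();
  return (req: Req, now: number): Verdict => {
    // Same rule as the page: a missing Origin header is accepted.
    if (req.origin && allowlist.indexOf(req.origin) === -1) return "cors-blocked";
    if (!AI_PATHS.has(req.path)) return "allow";
    const slot = hits.get(req.ip);
    if (!slot || now - slot.start >= windowMs) {
      hits.set(req.ip, { start: now, count: 1 });
      return "allow";
    }
    slot.count += 1;
    return slot.count > max ? "rate-limited" : "allow";
  };
}

// Constructed traffic: a client with no Origin header calling /api/cv/generate.
function simulateScript(calls: number): Verdict[] {
  const gate = makeGate(buildAllowlist(undefined), 5, 60000);
  const out: Verdict[] = [];
  for (let i = 0; i < calls; i++) {
    out.push(gate({ ip: "203.0.113.7", path: "/api/cv/generate" }, 1000 + i * 100));
  }
  return out;
}

console.log(simulateScript(8).join(" "));
```

Behind a reverse proxy, key the limiter on the client address taken from a trusted forwarding header rather than the socket address.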
