Monza Motors handles all server-side logic through Next.js Route Handlers located in `src/app/api/`. There are two routes — both accept POST requests and both require an authenticated Supabase session before performing any work. These handlers are invoked exclusively by the Monza Motors frontend; they are not a public API surface.
POST /api/chat
AI-powered vehicle catalog assistant powered by Groq’s LLaMA-3.3-70b model. Accepts a user message, fetches catalog context, and persists the AI reply to Supabase.
POST /api/checkout
Creates a Stripe Checkout session for a vehicle purchase. Validates the authenticated user, loads vehicle data, and returns the Stripe session for client-side redirect.
Authentication
Both routes enforce authentication before any business logic executes.

- `/api/chat` — The route trusts the `user_id` sent in the request body to scope message history. It instantiates a Supabase client with `SUPABASE_SERVICE_ROLE_KEY`, which grants privileged database access for reading the `messages` table and inserting AI replies without being gated by Row Level Security. Because that client bypasses Row Level Security, the `user_id` value from the body is what determines which rows are read.
- `/api/checkout` — The route calls `getUser()` using the server-side Supabase client, which reads the session from the request cookie. If no valid session is found, the route immediately returns a `401 Unauthorized` response before touching Stripe or the database.
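The two approaches above differ in where the user identity comes from: the request body for `/api/chat`, the session cookie for `/api/checkout`. The following added example (not the project's code) contrasts body-scoped history with session-scoped history over a constructed in-memory table; `historyTrustingBody`, `resolveChatScope`, `historyFromSession` and the sample rows are hypothetical, and `sessionUser` is assumed to be the user object a server-side `getUser()` call returns.

```javascript
// Added example: not Monza Motors code. All names below are hypothetical.

// Constructed stand-in for the `messages` table as seen through a
// service-role client, i.e. with Row Level Security bypassed.
const MESSAGES = [
  { user_id: "user-a", content: "Is the coupe in stock?" },
  { user_id: "user-b", content: "Quote for the roadster, please" },
];

// Pattern described for /api/chat: history is scoped by the body's user_id.
function historyTrustingBody(body) {
  return MESSAGES.filter((m) => m.user_id === body.user_id);
}

// Session-derived variant. `sessionUser` is assumed to be what the server-side
// getUser() call returns (null when the request carries no valid session).
function resolveChatScope(sessionUser, body) {
  if (!sessionUser || typeof sessionUser.id !== "string") {
    // Same status and JSON shape as the 401 documented for /api/checkout.
    return { ok: false, status: 401, body: { error: "Unauthorized" } };
  }
  const claimed = body ? body.user_id : undefined;
  return {
    ok: true,
    userId: sessionUser.id, // authoritative: never taken from the body
    // A differing body value is worth logging, not honouring.
    mismatch: claimed !== undefined && claimed !== sessionUser.id,
  };
}

function historyFromSession(sessionUser, body) {
  const scope = resolveChatScope(sessionUser, body);
  if (!scope.ok) return scope;
  if (scope.mismatch) {
    console.error("chat: body user_id differs from session user", scope.userId);
  }
  return {
    ok: true,
    status: 200,
    messages: MESSAGES.filter((m) => m.user_id === scope.userId),
  };
}
```

With a service-role client, the filter on the user id is the only access control left, so the value fed into it has to come from the verified session.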
Error Handling
Both routes wrap their entire logic in a `try/catch` block and return a consistent JSON error shape on failure.
| Status | Body | Trigger |
|---|---|---|
| `401 Unauthorized` | `{ "error": "Unauthorized" }` | `/api/checkout` only — user not signed in |
| `500 Internal Server Error` | `{ "error": "<message>" }` | Any unhandled exception in either route |
console.error for observability in Vercel Function logs.
These are internal routes — they are not a public API. They are called only by the Monza Motors frontend and rely on shared environment variables (`SUPABASE_SERVICE_ROLE_KEY`, `NEXT_STRIPE_SECRET_KEY`) that are never exposed to the browser. Do not call these endpoints from third-party services or external scripts.