SansiStore exposes a set of server-side API routes built as Astro server endpoints. These routes are internal to the platform: they are used exclusively by the frontend and are not a public third-party API. All routes live under /api/ and require a valid Firebase ID token to access.
Authentication
Every API request must include a Firebase ID token in the Authorization header using the Bearer scheme (Authorization: Bearer <ID token>). Each endpoint verifies the token server-side with the Firebase Admin SDK (initialized in src/lib/firebase-admin.ts). After verifying the token, the endpoint fetches the caller's Firestore user document and checks its roles array to enforce role-based access control. Because the role is read from Firestore on each request rather than from a custom claim baked into the token, a change to a user's roles array takes effect on that user's next request, at the cost of one document read per call.
Firebase Admin Initialization
The Admin SDK is initialized once and exported as adminAuth and adminDb. It accepts credentials from any of the following sources:
- FIREBASE_SERVICE_ACCOUNT_KEY: a JSON string of the full service account key.
- FIREBASE_CLIENT_EMAIL + FIREBASE_PRIVATE_KEY: individual environment variables. FIREBASE_PRIVATE_KEY must have \n escaped as a literal backslash-n in the .env file.
- Application Default Credentials: used automatically on Google Cloud / Vercel.
- Emulators: when PUBLIC_APP_ENV is not production, the SDK points to the local Firestore (127.0.0.1:8080) and Auth (127.0.0.1:9099) emulators and does not require credentials.
Two consequences of the emulator rule are worth checking before a deployment. The test is "not production" rather than "equals development", so an unset PUBLIC_APP_ENV also selects the emulators; every production environment must set it to production explicitly. And because the variable carries Astro's PUBLIC_ prefix it is also exposed to client-side code, so it must never be used to hold anything secret.
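The credential sources above, as an added configuration-resolution example that is not the project's own src/lib/firebase-admin.ts. It unescapes the private key the way the .env note requires, selects the emulators whenever PUBLIC_APP_ENV is not production (including when it is unset), and reports which source was chosen so the choice can be logged at startup. The precedence between the sources, and the use of the FIRESTORE_EMULATOR_HOST and FIREBASE_AUTH_EMULATOR_HOST variables that firebase-admin honours, are assumptions; the page does not show how the real module wires this.

```typescript
// Added example, not the project's src/lib/firebase-admin.ts: works out which
// Admin SDK credential source the environment provides, in the terms the page
// lists, and selects the emulators when PUBLIC_APP_ENV is not "production".
// Assumptions: the precedence order below, and pointing the SDK at the
// emulators through FIRESTORE_EMULATOR_HOST / FIREBASE_AUTH_EMULATOR_HOST.

export type Env = Record<string, string | undefined>;

export type AdminConfig =
  | { mode: "emulator"; firestoreHost: string; authHost: string }
  | { mode: "serviceAccount"; projectId: string; clientEmail: string; privateKey: string }
  | { mode: "envPair"; clientEmail: string; privateKey: string }
  | { mode: "adc" };

export const FIRESTORE_EMULATOR = "127.0.0.1:8080";
export const AUTH_EMULATOR = "127.0.0.1:9099";

// A .env file holds the PEM on one line with a literal backslash-n per line
// break; the SDK needs real newlines, and a key that still contains "\n" as
// two characters fails with a private-key parse error.
export function unescapePrivateKey(raw: string): string {
  const key = raw.replace(/\\n/g, "\n");
  if (!/-----BEGIN (RSA )?PRIVATE KEY-----/.test(key)) {
    throw new Error("FIREBASE_PRIVATE_KEY is not a PEM private key");
  }
  return key;
}

export function resolveAdminConfig(env: Env): AdminConfig {
  // Anything other than the exact string "production", including an unset
  // variable, means emulators: a deployment that forgets PUBLIC_APP_ENV will
  // try to talk to 127.0.0.1 rather than fall back to real credentials.
  if (env.PUBLIC_APP_ENV !== "production") {
    return { mode: "emulator", firestoreHost: FIRESTORE_EMULATOR, authHost: AUTH_EMULATOR };
  }

  if (env.FIREBASE_SERVICE_ACCOUNT_KEY) {
    // Full service-account JSON; JSON.parse already restores the newlines
    // inside private_key, so unescapePrivateKey only validates it here.
    const sa = JSON.parse(env.FIREBASE_SERVICE_ACCOUNT_KEY) as {
      project_id?: string;
      client_email?: string;
      private_key?: string;
    };
    if (!sa.project_id || !sa.client_email || !sa.private_key) {
      throw new Error("FIREBASE_SERVICE_ACCOUNT_KEY lacks project_id, client_email or private_key");
    }
    return {
      mode: "serviceAccount",
      projectId: sa.project_id,
      clientEmail: sa.client_email,
      privateKey: unescapePrivateKey(sa.private_key),
    };
  }

  if (env.FIREBASE_CLIENT_EMAIL && env.FIREBASE_PRIVATE_KEY) {
    return {
      mode: "envPair",
      clientEmail: env.FIREBASE_CLIENT_EMAIL,
      privateKey: unescapePrivateKey(env.FIREBASE_PRIVATE_KEY),
    };
  }

  // Nothing explicit: Application Default Credentials (Google Cloud / Vercel).
  return { mode: "adc" };
}

// Variables that point firebase-admin's Firestore and Auth clients at the local
// emulators; they must be set before the SDK is initialised.
export function emulatorEnv(cfg: AdminConfig): Record<string, string> {
  if (cfg.mode !== "emulator") return {};
  return { FIRESTORE_EMULATOR_HOST: cfg.firestoreHost, FIREBASE_AUTH_EMULATOR_HOST: cfg.authHost };
}
```

Calling resolveAdminConfig(process.env) once at module load and logging only the mode (never the key material) gives an immediate, greppable signal when a deployment has silently landed in emulator mode.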
Example Authenticated Request
An ID token is obtained by calling getIdToken() on a Firebase User object in the browser SDK, or via the Firebase Auth REST API. Firebase ID tokens expire after one hour, so the frontend should call getIdToken() immediately before each request rather than storing the string; the client SDK returns the cached token while it is valid and refreshes it transparently once it has expired.
Available Endpoints
Admin Endpoints
Order history, orders list, courier sessions, top products, and user management. Requires the admin role.
Seller Endpoints
Pending orders and daily cash collection summaries for the authenticated seller. Requires the vendedor role.
Full Endpoint List
| Method | Path | Role | Description |
|---|---|---|---|
| GET | /api/admin/order_history | admin | Full history and timeline for a single order |
| GET | /api/admin/orders_list | admin | Paginated list of all orders with optional status filter |
| GET | /api/admin/courier_sessions | admin | List of courier shift closures |
| PATCH | /api/admin/courier_sessions | admin | Approve or reject a courier shift closure |
| GET | /api/admin/top_products | admin | Top-selling active products by soldCount |
| GET | /api/users | admin | List all users with optional role/search filters |
| POST | /api/users | admin | Create a new UMSS user |
| PATCH | /api/users | admin | Update an existing user |
| GET | /api/seller/pending-orders | vendedor | Pending orders assigned to the authenticated seller |
| GET | /api/seller/daily-collections | vendedor | Daily cash collection summary for the seller |
Error Responses
All endpoints return JSON with a consistent error shape:
| Status | Meaning |
|---|---|
| 401 Unauthorized | No token provided |
| 403 Forbidden | Token valid but caller lacks the required role |
| 400 Bad Request | Missing or invalid query parameters |
| 404 Not Found | Requested resource does not exist |
| 500 Internal Server Error | Unexpected server-side error |