Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/juadariasmar/inventory_project/llms.txt

Use this file to discover all available pages before exploring further.

All API routes in Inventory System are implemented as Next.js App Router route handlers mounted under /api/*. Every route returns JSON, requires an authenticated Neon Auth session cookie, and automatically scopes all data to the tenant of the signed-in user. There are no public endpoints — every request must carry a valid session.

Base URL

https://your-domain.com/api
During local development, replace the domain with http://localhost:3000.
The base URL is also available at runtime via the NEXT_PUBLIC_BASE_URL environment variable, which is set in .env and exposed to both server and client code.

Content type

All requests and responses use application/json. When sending a request body, include the header:
Content-Type: application/json
Requests that send a body without this header will receive a 400 Bad Request response.

Authentication

Authentication is handled exclusively through the session cookie issued by Neon Auth after a successful sign-in. The API does not accept Authorization: Bearer tokens. Every protected route handler calls obtenerSesion() internally to validate the cookie and retrieve the current user.
This is a browser-session-based API. For server-to-server integrations where a browser session is not available, you must forward the session cookie from a prior sign-in response or implement a separate token mechanism at the application layer.
See the Authentication guide for full details on session handling, the validarAccesoEmpresa() guard, and code examples.

Rate limiting

Mutation endpoints (those that accept POST requests) are protected by a sliding-window rate limiter applied per IP address.

Limit

5 POST requests per minute per IP address

Backend

Upstash Redis (sliding window) with an in-memory fallback when Redis is not configured
When the limit is exceeded the API returns 429 Too Many Requests with a JSON body that includes how many seconds to wait before retrying:
{
  "error": "Demasiados intentos de inicio de sesión. Espera 42 segundos."
}
Rate-limited endpoints include /api/auth/*, /api/productos, /api/ventas, /api/movimientos, /api/cotizaciones, /api/ordenes-compra, /api/categorias, /api/proveedores, /api/usuarios, /api/invitaciones, /api/invitaciones/aceptar, /api/empresas, and /api/admin/restablecer.
Set UPSTASH_REDIS_REST_URL and UPSTASH_REDIS_REST_TOKEN in your environment for durable, distributed rate limiting across Vercel serverless function instances. Without these variables the middleware falls back to a per-process in-memory counter, which resets on every cold start.

Error format

All errors — regardless of origin — are returned as a JSON object with a single error key:
{
  "error": "Descriptive error message here."
}
Errors originating from AppError carry a developer-supplied message and an explicit HTTP status code. Unexpected runtime exceptions fall through to a generic 500 response.

HTTP status codes

CodeMeaningWhen it occurs
400Bad RequestInvalid or missing input in the request body
401UnauthorizedNo valid session cookie present
403ForbiddenAuthenticated but insufficient role or permission, or user is inactive
404Not FoundResource does not exist within the authenticated user’s tenant
429Too Many RequestsRate limit exceeded on a mutation endpoint
500Internal Server ErrorUnexpected server-side error

Tenant scoping

Inventory System is a multi-tenant application. Every authenticated user belongs to exactly one Empresa (company). All API routes read empresaId from the session and scope every database query to that tenant automatically — there is no way to read or write another tenant’s data through the API.
The first time a new Neon Auth user calls any protected API route, the system automatically provisions a new Empresa record and an ADMIN Usuario record for that user if no existing record is found. This fallback handles edge cases where the Neon Auth webhook did not arrive in time.

Available resources

The following resources are exposed through the API. All paths are relative to the base URL.
ResourceBase pathDescription
Products/api/productosProduct catalog CRUD + bulk import
Categories/api/categoriasCategory management
Movements/api/movimientosInventory entries and exits
Sales/api/ventasSale records
Quotes/api/cotizacionesQuotations with stock reservation
Purchase Orders/api/ordenes-compraPurchase orders + PDF generation
Suppliers/api/proveedoresSupplier management
Customers/api/clientesCustomer records
Users/api/usuariosUser management (ADMIN only)
Invitations/api/invitacionesUser invitation tokens
Analytics/api/analisisDashboard metrics
Notifications/api/notificacionesIn-app notifications
Company Config/api/empresa/configuracionCompany settings
Audit Log/api/auditoria/exportarAudit log export
Webhooks/api/webhooks/neonNeon Auth webhook receiver

Build docs developers (and LLMs) love