All API routes in Inventory System are implemented as Next.js App Router route handlers mounted underDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/juadariasmar/inventory_project/llms.txt
Use this file to discover all available pages before exploring further.
/api/*. Every route returns JSON, requires an authenticated Neon Auth session cookie, and automatically scopes all data to the tenant of the signed-in user. There are no public endpoints — every request must carry a valid session.
Base URL
http://localhost:3000.
The base URL is also available at runtime via the
NEXT_PUBLIC_BASE_URL environment variable, which is set in .env and exposed to both server and client code.Content type
All requests and responses useapplication/json. When sending a request body, include the header:
400 Bad Request response.
Authentication
Authentication is handled exclusively through the session cookie issued by Neon Auth after a successful sign-in. The API does not acceptAuthorization: Bearer tokens. Every protected route handler calls obtenerSesion() internally to validate the cookie and retrieve the current user.
See the Authentication guide for full details on session handling, the validarAccesoEmpresa() guard, and code examples.
Rate limiting
Mutation endpoints (those that acceptPOST requests) are protected by a sliding-window rate limiter applied per IP address.
Limit
5 POST requests per minute per IP address
Backend
Upstash Redis (sliding window) with an in-memory fallback when Redis is not configured
429 Too Many Requests with a JSON body that includes how many seconds to wait before retrying:
/api/auth/*, /api/productos, /api/ventas, /api/movimientos, /api/cotizaciones, /api/ordenes-compra, /api/categorias, /api/proveedores, /api/usuarios, /api/invitaciones, /api/invitaciones/aceptar, /api/empresas, and /api/admin/restablecer.
Error format
All errors — regardless of origin — are returned as a JSON object with a singleerror key:
AppError carry a developer-supplied message and an explicit HTTP status code. Unexpected runtime exceptions fall through to a generic 500 response.
HTTP status codes
| Code | Meaning | When it occurs |
|---|---|---|
400 | Bad Request | Invalid or missing input in the request body |
401 | Unauthorized | No valid session cookie present |
403 | Forbidden | Authenticated but insufficient role or permission, or user is inactive |
404 | Not Found | Resource does not exist within the authenticated user’s tenant |
429 | Too Many Requests | Rate limit exceeded on a mutation endpoint |
500 | Internal Server Error | Unexpected server-side error |
Tenant scoping
Inventory System is a multi-tenant application. Every authenticated user belongs to exactly oneEmpresa (company). All API routes read empresaId from the session and scope every database query to that tenant automatically — there is no way to read or write another tenant’s data through the API.
The first time a new Neon Auth user calls any protected API route, the system automatically provisions a new
Empresa record and an ADMIN Usuario record for that user if no existing record is found. This fallback handles edge cases where the Neon Auth webhook did not arrive in time.Available resources
The following resources are exposed through the API. All paths are relative to the base URL.| Resource | Base path | Description |
|---|---|---|
| Products | /api/productos | Product catalog CRUD + bulk import |
| Categories | /api/categorias | Category management |
| Movements | /api/movimientos | Inventory entries and exits |
| Sales | /api/ventas | Sale records |
| Quotes | /api/cotizaciones | Quotations with stock reservation |
| Purchase Orders | /api/ordenes-compra | Purchase orders + PDF generation |
| Suppliers | /api/proveedores | Supplier management |
| Customers | /api/clientes | Customer records |
| Users | /api/usuarios | User management (ADMIN only) |
| Invitations | /api/invitaciones | User invitation tokens |
| Analytics | /api/analisis | Dashboard metrics |
| Notifications | /api/notificaciones | In-app notifications |
| Company Config | /api/empresa/configuracion | Company settings |
| Audit Log | /api/auditoria/exportar | Audit log export |
| Webhooks | /api/webhooks/neon | Neon Auth webhook receiver |