All Innova endpoints are REST + JSON. The API is deployed serverlessly on AWS Lambda and fronted by API Gateway at https://api.superprofes.app. Every request and response body isDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/vruizz22/innova-backend-serverless/llms.txt
Use this file to discover all available pages before exploring further.
application/json. The full interactive OpenAPI specification is available at /docs on the running server.
Base URLs
| Environment | URL |
|---|---|
| Production | https://api.superprofes.app |
| Local dev | http://localhost:3000 |
| Swagger UI | http://localhost:3000/docs |
Response Envelope
Every successful response is wrapped in a standard envelope by theResponseInterceptor. The data field contains the controller’s return value; timestamp, path, and traceId are top-level envelope fields for observability and debugging. The statusCode field is always 200 for success responses — use the HTTP response status line for non-200 codes.
The
traceId field maps directly to the x-trace-id request header (see Trace IDs). It is null when no trace ID could be resolved — this should not happen in normal operation.HTTP Status Codes
| Code | Meaning |
|---|---|
200 | OK — request succeeded |
201 | Created — resource created successfully |
202 | Accepted — work enqueued asynchronously (e.g. LLM classification, guide ingest) |
400 | Validation error — class-validator rejected one or more fields |
401 | Missing or invalid JWT — attach a valid Supabase token in the Authorization header |
403 | Authenticated but wrong role — your JWT role does not satisfy the required @Roles() guard |
404 | Resource not found |
500 | Internal server error — check logs with the traceId |
Error Format
Errors are handled byAllExceptionsFilter, which catches HttpException, DomainException, Prisma known errors, and unhandled exceptions. Every error response shares the same shape:
| Field | Type | Description |
|---|---|---|
statusCode | number | HTTP status code mirrored in the body |
timestamp | string | ISO 8601 UTC timestamp of when the error occurred |
path | string | Request URL (may include query string) |
traceId | string | null | Trace ID for log correlation; matches the x-trace-id response header |
code | string | Machine-readable error code (e.g. P2002 for Prisma unique constraint, RESOURCE_NOT_FOUND for domain errors) |
message | string | Human-readable description, safe to surface in developer tooling |
For
400 validation errors, message contains the concatenated class-validator constraint messages (e.g. "email must be an email", "password must be longer than or equal to 8 characters").Trace IDs
Every inbound request passes throughTraceIdMiddleware, which:
- Reads the
x-trace-idheader from the incoming request. - If present, reuses that value; if absent, generates a new
randomUUID(). - Attaches the trace ID to the request object (
req.traceId) and echoes it back in thex-trace-idresponse header.
- The
traceIdfield of every success response envelope. - The
traceIdfield of every error response. - Every structured log line emitted by
LoggingInterceptorandAllExceptionsFilter.
Authentication
All endpoints require a valid Supabase JWT in theAuthorization: Bearer <token> header — except:
GET /(root healthcheck) — decorated with@Public()- All
/auth/*endpoints (register, login, refresh, forgot-password, confirm-forgot-password) — decorated with@Public()
SupabaseAuthGuard checks for the @Public() decorator first; if present, JWT validation is skipped entirely. Otherwise the Supabase JWKS strategy validates the token against https://<project>.supabase.co/auth/v1/.well-known/jwks.json.
See the Authentication page for the full token flow, role descriptions, and integration details.
Validation
All request bodies are validated withclass-validator and transformed with class-transformer via NestJS’s global ValidationPipe. Key behaviors:
- Unknown properties are stripped (whitelist mode).
- Constraint violations throw a
400 Bad Requestwithmessagecontaining per-field error strings. - Type coercion is applied (e.g. a numeric string in a numeric field is accepted).
- Required fields missing entirely produce
"<field> should not be empty"or similar messages.
Explore the API
Authentication
Register, log in, refresh tokens, and pass JWTs to every request. Role-based access control with Supabase RS256.
Attempts
Submit student work, trigger the rule engine and BKT mastery update, poll async classification status.
Mastery
Retrieve per-student, per-topic BKT mastery state, trend data, and teacher alert summaries.
Guides
Upload teacher worksheets, review extracted questions and LLM-generated solution keys, manage guide submissions.