# Jai Ambe Bags — HTTP API

Base URL is the same as the storefront origin. JSON request bodies use `Content-Type: application/json`.

## Public (no auth)

| Method | Path | Description |
|--------|------|-------------|
| GET | `/api/health` | Liveness probe; returns `{ "status": "ok" }`. |
| GET | `/api/products` | List all products. |
| GET | `/api/products/:id` | Single product by id. |
| GET | `/api/collection-wholesale-tiers` | Map of collection category → wholesale quantity tiers. |
| POST | `/api/orders` | Place an order (guest checkout). Body matches the app’s order schema (items, delivery details, etc.). |

## Authenticated (Firebase ID token)

Send the header `Authorization: Bearer <Firebase ID Token>`, where the ID token is the one obtained from phone sign-in in the SPA.

| Method | Path | Description |
|--------|------|-------------|
| POST | `/api/auth/sync-user` | Ensure backend user row exists for the signed-in phone user. |
| GET | `/api/auth/me` | Current user profile. |
| PUT | `/api/auth/profile` | Update name / email. |
| GET | `/api/addresses` | List saved addresses. |
| POST | `/api/addresses` | Create address. |
| PUT | `/api/addresses/:id` | Update address. |
| DELETE | `/api/addresses/:id` | Delete address. |

Admin-only routes under `/api/admin/*` require a custom `admin` claim on the Firebase token.
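To make the two rules above concrete (a valid bearer token for every authenticated route, plus the custom `admin` claim for `/api/admin/*`), here is an added example of an Express-style guard. It is not the project's own code. It assumes the backend runs on Node and that a `verifyIdToken(token)` function is injected; in a real deployment that would be `firebase-admin`'s `getAuth().verifyIdToken`, which resolves to the decoded token (custom claims such as `admin` appear as top-level properties) and rejects on an invalid or expired token. The `fakeVerifyIdToken` stand-in and its sample tokens are constructed here so the file runs offline.

```javascript
// Added example, not the project's code. Enforces: Authorization: Bearer <Firebase ID token>
// for authenticated routes, and the custom `admin` claim for /api/admin/* routes.

function parseBearer(headerValue) {
  // Accept exactly "Bearer <token>" (case-sensitive scheme, single space, non-empty
  // token made of JWT/base64url characters). Anything else is treated as absent.
  if (typeof headerValue !== "string") return null;
  const m = /^Bearer ([A-Za-z0-9\-._~+/]+=*)$/.exec(headerValue);
  return m ? m[1] : null;
}

// Pure decision function: returns { ok, status, error | user } so it can be
// unit-tested without an HTTP server. `verifyIdToken` is injected (assumption).
async function authorize(verifyIdToken, authorizationHeader, { requireAdmin = false } = {}) {
  const token = parseBearer(authorizationHeader);
  if (!token) {
    return { ok: false, status: 401, error: "missing or malformed bearer token" };
  }
  let decoded;
  try {
    decoded = await verifyIdToken(token);
  } catch (_err) {
    // Do not echo verifier internals (expiry, signature, issuer) back to the client.
    return { ok: false, status: 401, error: "invalid token" };
  }
  // Strict boolean check: a claim like "true" or 1 must not count as admin.
  const isAdmin = decoded.admin === true;
  if (requireAdmin && !isAdmin) {
    // Authenticated but not authorized: 403, not 401.
    return { ok: false, status: 403, error: "admin claim required" };
  }
  return {
    ok: true,
    status: 200,
    user: { uid: decoded.uid, phone: decoded.phone_number, admin: isAdmin },
  };
}

// Express middleware factory built on `authorize`.
// app.use("/api/auth", makeRequireAuth(verifyIdToken));
// app.use("/api/admin", makeRequireAuth(verifyIdToken, { requireAdmin: true }));
function makeRequireAuth(verifyIdToken, opts) {
  return async function requireAuth(req, res, next) {
    const result = await authorize(verifyIdToken, req.headers["authorization"], opts);
    if (!result.ok) return res.status(result.status).json({ error: result.error });
    req.user = result.user;
    return next();
  };
}

// Constructed stand-in for firebase-admin's verifier (demo only, no real signature
// checking): it accepts only the two fixed sample tokens below.
const SAMPLE_TOKENS = {
  "sample-user-token": { uid: "user-1", phone_number: "+910000000000" },
  "sample-admin-token": { uid: "admin-1", phone_number: "+910000000001", admin: true },
};
async function fakeVerifyIdToken(token) {
  const claims = SAMPLE_TOKENS[token];
  if (!claims) throw new Error("auth/argument-error");
  return claims;
}
```

The split between `authorize` and `makeRequireAuth` keeps the security decision testable in isolation; the middleware only maps the decision onto HTTP status codes. Note the 401/403 distinction: a non-admin user hitting `/api/admin/*` with a valid token gets 403, while a missing or unverifiable token always yields 401 with a generic message.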

## Machine-readable

- OpenAPI: [`/api/openapi.json`](/api/openapi.json)
- API catalog (RFC 9727 linkset): [`/.well-known/api-catalog`](/.well-known/api-catalog)
