API Contract (Auth-enabled)
All endpoints are JSON. Most routes require the HttpOnly cookie named player, which is issued after a successful register/login. Legacy player rows are given legacy-xxxxxxxx usernames during migration; those players must register/login to get a valid auth cookie.
Auth
POST /api/auth/register
POST /api/auth/login
POST /api/auth/logout
State
GET /api/state (public)
Player (requires auth)
GET /api/me
POST /api/me/name
Suggestions (requires auth + phase gating)
GET /api/suggestions/mine
POST /api/suggestions
DELETE /api/suggestions/{id}
GET /api/suggestions/all
Votes (requires auth + phase gating)
GET /api/votes/mine
POST /api/votes
Results (requires auth + phase gating)
GET /api/results
Admin (admin key header/query required)
POST /api/admin/phase
POST /api/admin/reset
POST /api/admin/factory-reset