API reference

API overview

rustplus-api — Fastify + Postgres + Prisma backend. The public HTTP and WebSocket surface.

rustplus-api is the heart of the platform. Node 20+, TypeScript ESM, Fastify 4, Prisma, Postgres. Every route is wired up in src/server.ts.

Base URLs

Session — encrypted rp_sess cookie, set by /auth/steam/callback. httpOnly, secure in prod, sameSite=lax. Required for all dashboard endpoints.
Device bearer token — 48 bytes, returned by /pairing/device/activate. Sent as Authorization: Bearer <token> from the Credentials Helper and overlay.
Relay JWT — minted by /relay/token. Short-lived (~5 min). The only thing the relay WebSocket accepts.
Internal HMAC — X-Internal-Signature between API ↔ FCM listener worker.

Group	Prefix	Auth
Auth	`/auth/*`	none (Steam OpenID)
Me	`/me`	session
Pairing	`/pairing/*`	session OR bearer
Credentials	`/credentials/*`	bearer
Paired servers	`/paired-servers/*`	session
Intel	`/intel/*`	session
Overlay	`/api/overlay/*`	bearer (overlay)
Billing	`/billing/*`	session + Stripe webhook signature
Admin	`/admin/*`	session + Steam ID on `ADMIN_STEAM_IDS`
Discord	`/discord-integration/`, `/discord-interactions/`	OAuth / webhook
Tools	`/api/tools/*`	none (read-only public)
Health	`/health`, `/health/db`	none
Relay	`/relay/token`, WS `/v1`	session, then JWT

Postgres + Prisma. Schema at prisma/schema.prisma. Migrations in prisma/migrations. Highlights:

User — Steam-anchored user.
Subscription — Stripe sub status.
BetaTester — admin-granted free tier.
PairedServer — one row per Rust+ pairing.
FcmCredential — encrypted FCM blob.
DiscordIntegration — per-user Discord guild routing.
DashboardGuestAccess — guest invites.
MapNote, SmartDevice, TrackedShopItem, PlayerIntelNote, PlayerSteamLink, etc.

See Data model for the full table.

Two long-running processes outside the API HTTP server:

Both communicate back to the API over signed internal HTTP.