The reference is derived from the Hono route mounts and route modules in `services/api-gateway/src`. It lists the real route families, auth model, pagination conventions, errors, and query-cost rate limits currently implemented.
The Hono worker mounts its public and protected surface under `/v1`, with `/health` outside the API version.
services/api-gateway/src/index.tsGET /health/v1/auth/v1/storefront/v1/stores/v1/products/v1/orders/v1/payments/v1/themes/v1/app-store/v1/operationsMerchant identity endpoints include signup, signin, OTP, password reset/update, custom session validation, and identity-platform helpers.
services/api-gateway/src/routes/auth.tsPOST /v1/auth/signupPOST /v1/auth/signinPOST /v1/auth/signin/otpPOST /v1/auth/signin/otp/verifyPOST /v1/auth/signoutPOST /v1/auth/password/resetPOST /v1/auth/password/updateGET /v1/auth/custom/sessionStore-scoped merchant APIs cover products, collections, gift cards, orders, refunds, fulfillment, customers, addresses, reviews, coupons, inventory, media, and forms.
services/api-gateway/src/routes/products.ts, orders.ts, customers.tsGET|POST /v1/productsGET|POST /v1/products/collectionsGET|POST /v1/products/gift-cardsGET|POST /v1/ordersPOST /v1/orders/:id/fulfillPOST /v1/orders/:id/refundGET /v1/customersGET|POST /v1/inventory/locationsGET /v1/form-submissionsPublic storefront APIs resolve stores, products, categories, navigation, policies, persisted carts, checkout order creation, provider payment operations, customer accounts, wishlist, addresses, and reviews.
services/api-gateway/src/routes/storefront.tsGET /v1/storefront/lookupGET /v1/storefront/:subdomainGET /v1/storefront/:subdomain/productsGET|POST|PATCH|DELETE /v1/storefront/:subdomain/cartPOST /v1/storefront/:subdomain/ordersPOST /v1/storefront/:subdomain/payments/razorpay/orderPOST /v1/storefront/customer/loginGET|POST|PATCH|DELETE /v1/storefront/customer/addressesAdmin and Storefront GraphQL endpoints are mounted behind the gateway with query-cost limiting. Storefront cart reads delegate to the persisted cart-token REST contract; writes remain on REST.
services/api-gateway/src/graphql/schema.ts, storefront.ts, admin.tsGET|POST /v1/admin/graphqlGET|POST /v1/graphql/adminGET|POST /v1/storefront/graphqlGET|POST /v1/graphql/storefrontStorefrontQuery.cart -> persisted cart tokenAdmin bulk operations -> Cloudflare R2 JSONLTheme APIs cover marketplace catalog, JSON-contract package upload, Liquid/JSON rendering assets, install, multi-template editor state, draft save/delete, preview tokens, release history, rollback, purchase, and payment verification.
services/api-gateway/src/routes/themes.tsGET /v1/themesGET /v1/themes/:slug/schemaGET /v1/themes/:slug/editorPUT /v1/themes/:slug/editor/draftPOST /v1/themes/:slug/preview-sessionPOST /v1/themes/packages/uploadPOST /v1/themes/:slug/installPOST /v1/themes/:slug/purchase/verifyApp marketplace APIs include catalog, reviews, installation, extension/function lifecycle registry, app bridge fetch, OAuth authorization code, token exchange, developer profile, developer app submissions, and partner dashboard aggregates.
services/api-gateway/src/routes/app-store.tsGET /v1/app-store/appsPOST /v1/app-store/apps/:id/installGET /v1/app-store/installations/:id/extensionsPATCH /v1/app-store/installations/:id/extensions/:registrationIdPATCH /v1/app-store/installations/:id/functions/:registrationIdPOST /v1/app-store/apps/:id/oauth/authorizePOST /v1/app-store/oauth/tokenPOST /v1/app-store/oauth/token-exchangePOST /v1/app-store/bridge/fetchGET|POST /v1/app-store/developers/registerGET /v1/app-store/partners/dashboardOperational APIs expose outbox, webhook deliveries/subscriptions, runtime queues, replays, incidents, failover drills, load tests, certification reports, and SRE evidence.
services/api-gateway/src/routes/operations.tsGET /v1/operations/webhook-deliveriesGET|POST /v1/operations/webhook-subscriptionsGET /v1/operations/runtime/overviewGET|POST /v1/operations/runtime/replaysGET|POST /v1/operations/runtime/incidentsPOST /v1/operations/runtime/failover-drillsProtected routes use gateway auth middleware. Merchant routes accept Supabase bearer tokens or signed internal LetBuyy session headers; app OAuth routes mint scoped app tokens through app-engine/auth-core contracts.
Known errors use structured bodies with `error.code` and `error.message`. List endpoints use page/limit or route-local query schemas and return paginated payloads where the route calls the shared pagination helper.
The gateway uses a leaky-bucket query-cost limiter in non-local runtimes. The model is implemented in `services/api-gateway/src/middleware/rateLimit.ts`.
Query-cost limiting is skipped in local/development runtimes.
Default query-cost bucket: capacity 200, leak rate 20 points per second.
GET and HEAD start at cost 1; POST, PUT, and PATCH start at cost 5; DELETE starts at cost 8.
limit/page_size/first values above 50 add cost; each include or expand item adds 2.
Analytics/export add 15, operations add 10, AI adds 20, and internal routes add 10.
Responses include X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Cost, and X-RateLimit-Policy.