API Worker
workers/api/ in the platform repo, deployed at https://api.freedocstore.online/. It backs the creator console: sign-in, per-user workspace storage, BYOK secrets, and an authenticated proxy to GitHub and OpenAI. It serves no KB content — published pages come from Cloudflare Pages.
Sessions are cookie-based (HttpOnly, Secure), stored in FDS_API_KV with a 30-day TTL. CORS is restricted to the console origins and local dev hosts.
Endpoints
Service
| Method |
Path |
Description |
| GET |
/ |
Service info: name, public and editor base URLs |
| GET |
/api/health |
Health check |
| GET |
/api/me |
Current session: { authenticated, user } |
| GET |
/api/billing |
Static free-plan descriptor (billingEnabled: false) |
Auth
| Method |
Path |
Description |
| GET |
/auth/github/start |
Redirect to GitHub OAuth (read:user scope). ?next= returns the user to the console after sign-in |
| GET |
/auth/github/callback |
Exchanges the code, creates the session. The GitHub access token is kept in the session for the proxy |
| GET |
/auth/google/start |
Redirect to Google OAuth (openid email profile) |
| GET |
/auth/google/callback |
Exchanges the code, creates the session |
| POST |
/api/logout |
Delete the session, clear the cookie |
| DELETE |
/api/account |
Delete the user's workspace keys, stored secrets, and session |
Workspace KV
Per-user key-value storage; keys are namespaced per user (user_kv:<userId>:<key>), so users only ever see their own data. The console stores its workspace here: fds:config:v1 (settings), fds:kbs:v1 (KB drafts), fds:active-kb:v1 (active KB id). The MCP worker reads the same keys, which is why MCP workspace_summary matches what the console shows.
| Method |
Path |
Description |
| GET |
/api/kv/<key> |
Read a value: { key, value } |
| PUT |
/api/kv/<key> |
Write { value } |
| DELETE |
/api/kv/<key> |
Delete the key |
Secrets (BYOK)
Bring-your-own-key secrets are envelope-encrypted (AES-GCM) before landing in KV; reads return a redacted label, never the value.
| Method |
Path |
Description |
| GET |
/api/secrets |
Which secrets are configured (redacted labels) |
| PUT |
/api/secrets/openai |
Store the user's OpenAI API key |
| DELETE |
/api/secrets/openai |
Remove it |
Proxy
| Method |
Path |
Description |
| ANY |
/api/proxy?target=<url> |
Authenticated pass-through. Allowed targets: api.github.com (platform GITHUB_TOKEN or the session's GitHub token) and api.openai.com (the user's decrypted BYOK key). Anything else is 403 |
The proxy is what lets the console's AI editing flow call OpenAI with the user's own key, and read/propose against GitHub, without shipping any secret to the browser.
Bindings and secrets
| Name |
Kind |
Purpose |
FDS_API_KV |
KV namespace |
Sessions, per-user workspace, encrypted secrets |
GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET |
secret |
Console GitHub OAuth app |
GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET |
secret |
Console Google OAuth app |
GITHUB_TOKEN |
secret (optional) |
Org token for GitHub proxy calls; falls back to the session token |
PUBLIC_BASE_URL, EDITOR_BASE_URL |
var |
Site and console origins |