Skip to content

API Worker

workers/api/ in the platform repo, deployed at https://api.freedocstore.online/. It backs the creator console: sign-in, per-user workspace storage, BYOK secrets, and an authenticated proxy to GitHub and OpenAI. It serves no KB content — published pages come from Cloudflare Pages.

Sessions are cookie-based (HttpOnly, Secure), stored in FDS_API_KV with a 30-day TTL. CORS is restricted to the console origins and local dev hosts.

Endpoints

Service

Method Path Description
GET / Service info: name, public and editor base URLs
GET /api/health Health check
GET /api/me Current session: { authenticated, user }
GET /api/billing Static free-plan descriptor (billingEnabled: false)

Auth

Method Path Description
GET /auth/github/start Redirect to GitHub OAuth (read:user scope). ?next= returns the user to the console after sign-in
GET /auth/github/callback Exchanges the code, creates the session. The GitHub access token is kept in the session for the proxy
GET /auth/google/start Redirect to Google OAuth (openid email profile)
GET /auth/google/callback Exchanges the code, creates the session
POST /api/logout Delete the session, clear the cookie
DELETE /api/account Delete the user's workspace keys, stored secrets, and session

Workspace KV

Per-user key-value storage; keys are namespaced per user (user_kv:<userId>:<key>), so users only ever see their own data. The console stores its workspace here: fds:config:v1 (settings), fds:kbs:v1 (KB drafts), fds:active-kb:v1 (active KB id). The MCP worker reads the same keys, which is why MCP workspace_summary matches what the console shows.

Method Path Description
GET /api/kv/<key> Read a value: { key, value }
PUT /api/kv/<key> Write { value }
DELETE /api/kv/<key> Delete the key

Secrets (BYOK)

Bring-your-own-key secrets are envelope-encrypted (AES-GCM) before landing in KV; reads return a redacted label, never the value.

Method Path Description
GET /api/secrets Which secrets are configured (redacted labels)
PUT /api/secrets/openai Store the user's OpenAI API key
DELETE /api/secrets/openai Remove it

Proxy

Method Path Description
ANY /api/proxy?target=<url> Authenticated pass-through. Allowed targets: api.github.com (platform GITHUB_TOKEN or the session's GitHub token) and api.openai.com (the user's decrypted BYOK key). Anything else is 403

The proxy is what lets the console's AI editing flow call OpenAI with the user's own key, and read/propose against GitHub, without shipping any secret to the browser.

Bindings and secrets

Name Kind Purpose
FDS_API_KV KV namespace Sessions, per-user workspace, encrypted secrets
GITHUB_CLIENT_ID / GITHUB_CLIENT_SECRET secret Console GitHub OAuth app
GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET secret Console Google OAuth app
GITHUB_TOKEN secret (optional) Org token for GitHub proxy calls; falls back to the session token
PUBLIC_BASE_URL, EDITOR_BASE_URL var Site and console origins