Any file named route.ts in the /apps/web/app/api is an API Route.

Here’s an example of an API Route that perform a Hello World:

export async function GET() {
  return NextResponse.json({
    message: 'Hello World'
  })
}

​
Protected API Route

To create a protected api route, you need to decorate the example above with the withSession helper:

export const GET = withSession(async ({ session }) => {
  return NextResponse.json({
    message: `Hello World from ${session.user.name}`
  })
})

​
Project-based Protected API Route

To create an api route that refers to a given project and not the authenticated user, use the withAuth helper:

export const GET = withAuth(async ({ project, req, session }) => {
  return NextResponse.json({
    message: `
      Hello World from ${session.user.name}, 
      member of ${project.name} project
    `
  }) 
})

​
Role Protection

withAuth accepts a second optional argument with the following structure:

{
  requiredRole: ['owner']
}

We can add it to an api route to make it available only to the owner of the project:

export const GET = withAuth(async ({ project, req, session }) => {
  return NextResponse.json({
    message: `
      Hello World from ${session.user.name}, 
      member of ${project.name} project
    `
  }) 
}, { requiredRole: ['owner'] })