
API Reference

Programmatic access to VIRTUX is delivered through a tRPC API. The full router type is exported from @/server/api/root and is the source of truth for client/server type-safety.

Status

Phase 1 exposes scene CRUD, permissions, rooms (LiveKit token mint), notifications, assets, and feature flags. A public REST surface is planned for Phase 4 alongside Stripe webhooks and OAuth integrations.

Authentication

Every protected procedure requires a valid NextAuth session cookie. Tier and super-admin status are revalidated against the database on every JWT refresh — never trust the JWT for authorisation decisions.

Rate limiting

General API: 100 requests per minute, per user. Auth endpoints: 5 requests per minute. Asset upload: 30 per minute. Limits are enforced server-side by a sliding-window limiter whose state is currently held in memory; production deployments will swap to Redis-backed limits without code changes.
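
A sliding-window limiter using the three limits listed above, as an added example rather than VIRTUX source code. The names Bucket, HitStore, MemoryHitStore, LIMITS and allow are hypothetical, and the key used for the auth and asset-upload buckets is an assumption, since the page states "per user" only for the general API.

```typescript
// Added example, not VIRTUX code. All identifiers here are hypothetical.
type Bucket = "general" | "auth" | "assetUpload";

const WINDOW_MS = 60_000; // limits on the page are per minute
const LIMITS: Record<Bucket, number> = { general: 100, auth: 5, assetUpload: 30 };

// Storage seam: a Redis-backed store would implement the same two operations.
interface HitStore {
  recent(key: string, cutoff: number): number[]; // prune, then return live hits
  record(key: string, at: number): void;
}

class MemoryHitStore implements HitStore {
  private hits = new Map<string, number[]>();
  recent(key: string, cutoff: number): number[] {
    const kept = (this.hits.get(key) ?? []).filter((t) => t > cutoff);
    // Delete empty keys so idle subjects do not accumulate in memory.
    if (kept.length === 0) this.hits.delete(key);
    else this.hits.set(key, kept);
    return kept;
  }
  record(key: string, at: number): void {
    this.hits.set(key, [...(this.hits.get(key) ?? []), at]);
  }
}

interface Decision { allowed: boolean; remaining: number; retryAfterMs: number }

// subject: the user id for "general" (per the page). For "auth", where no session
// exists yet, a client address is assumed; the page does not name the key.
function allow(store: HitStore, bucket: Bucket, subject: string, now: number): Decision {
  const limit = LIMITS[bucket];
  const key = `${bucket}:${subject}`;
  const hits = store.recent(key, now - WINDOW_MS);
  if (hits.length >= limit) {
    // Rejected calls are not recorded, so hammering does not extend the block.
    const oldest = hits[0] ?? now;
    return { allowed: false, remaining: 0, retryAfterMs: oldest + WINDOW_MS - now };
  }
  store.record(key, now);
  return { allowed: true, remaining: limit - hits.length - 1, retryAfterMs: 0 };
}

// Constructed traffic: six login attempts one second apart from one address.
function demo(): Decision[] {
  const store = new MemoryHitStore();
  return [0, 1, 2, 3, 4, 5].map((i) => allow(store, "auth", "203.0.113.7", 1_000_000 + i * 1000));
}
```

A Redis-backed store would make these methods asynchronous and would need the prune, count and record steps to run atomically, so that two concurrent requests cannot both take the last slot.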
