The same endpoints the Astero dashboard uses internally. Browser sessions authenticate via an HttpOnly cookie; Bearer tokens are accepted only by /api/mcp-server (the LLM-agent endpoint). Rate-limited per route. The surface inventory below was extracted from the apps/api/src/index.js mounts and route files.
Non-exhaustive. Many sub-routes (per-module analytics, branding sub-endpoints, admin tools) are not enumerated here — they evolve with the dashboard. The full surface is apps/api/src/routes/*.js in the source repository.
Base URL
https://astero.gg
Authentication
Authorization: Bearer <token>
Get your token via POST /api/auth/login
Rate limiting: 500 requests / 15 min (global, prod) · 60 requests / 15 min on auth mutation routes (login, register, password reset). GET /api/auth/me and POST /api/auth/refresh are excluded from the auth-mutation limiter. Exceeding the limit returns 429 Too Many Requests.
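A client-side request budget that mirrors the limits documented above, so an integration backs off before the API answers 429 Too Many Requests. This is an added example, not Astero's code. The sliding window, the conservative rule that every /api/auth/* request other than the two documented exclusions counts against the 60-request limit, and the names `RequestBudget` and `bucketsFor` are assumptions.

```javascript
// Added example: client-side model of the documented limits (not Astero's server code).
const WINDOW_MS = 15 * 60 * 1000;                    // 15-minute window from the docs
const LIMITS = { global: 500, authMutation: 60 };    // requests per window from the docs
// Documented as excluded from the auth-mutation limiter.
const AUTH_EXEMPT = new Set(['GET /api/auth/me', 'POST /api/auth/refresh']);

// Assumption (conservative): any other /api/auth/* request is an auth mutation,
// and auth mutations also count against the global limit.
function bucketsFor(method, path) {
  const route = path.split('?')[0];
  const key = `${method.toUpperCase()} ${route}`;
  const isAuthMutation = route.startsWith('/api/auth/') && !AUTH_EXEMPT.has(key);
  return isAuthMutation ? ['authMutation', 'global'] : ['global'];
}

class RequestBudget {
  // `now` is injectable so the budget can be tested without waiting 15 minutes.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.sent = { global: [], authMutation: [] };    // send timestamps per bucket
  }

  // Returns 0 if the request fits the budget now, otherwise milliseconds to wait.
  waitMs(method, path) {
    const t = this.now();
    let wait = 0;
    for (const b of bucketsFor(method, path)) {
      // Drop timestamps that have aged out of the window.
      this.sent[b] = this.sent[b].filter((ts) => t - ts < WINDOW_MS);
      if (this.sent[b].length >= LIMITS[b]) {
        // The oldest remaining request decides when a slot frees up.
        wait = Math.max(wait, this.sent[b][0] + WINDOW_MS - t);
      }
    }
    return wait;
  }

  // Call once per request actually sent.
  record(method, path) {
    const t = this.now();
    for (const b of bucketsFor(method, path)) this.sent[b].push(t);
  }
}
```

Call `waitMs` before each request and `record` after sending it; a 429 from the server still takes precedence over the local estimate.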