Reference
API Endpoints
HTTP API routes exposed by Recurex.
MCP server
GET|POST|DELETE /api/mcp
MCP JSON-RPC server for AI connectors. Requires Authorization: Bearer <token>.
| Method | Purpose |
|---|---|
| GET | Server metadata |
| POST | JSON-RPC (initialize, ping, tools/list, tools/call) |
| DELETE | Session teardown |
| OPTIONS | CORS preflight |
OAuth
| Endpoint | Method | Purpose |
|---|---|---|
| /api/oauth/authorize | GET, POST | Authorization + consent |
| /api/oauth/token | POST | Token exchange / refresh |
| /api/oauth/register | POST | Dynamic client registration (RFC 7591) |
Discovery
| Endpoint | Standard |
|---|---|
| /.well-known/oauth-authorization-server | RFC 8414 |
| /.well-known/oauth-protected-resource | RFC 9728 |
| /api/mcp/.well-known/oauth-protected-resource | RFC 9728 |
Webhooks
POST /api/razorpay/webhook
Razorpay subscription lifecycle events. Verified via x-razorpay-signature HMAC.
Handled events:
| Event | Result |
|---|---|
| subscription.activated, charged, resumed | Plan → pro/team, active |
| subscription.pending, halted | Plan → past_due |
| subscription.cancelled, completed, expired | Plan → free, canceled |
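An added sketch of the signature check and event mapping described above; it is not Recurex's own code. It assumes Razorpay's scheme of a hex-encoded HMAC-SHA256 over the raw request body, and the function names, status strings and sample secret are hypothetical.

```javascript
// Added example, not Recurex source. Names and status strings are illustrative.
const crypto = require('node:crypto');

// Event -> billing status, with names expanded from the table's shorthand.
const EVENT_STATUS = new Map([
  ['subscription.activated', 'active'],
  ['subscription.charged', 'active'],
  ['subscription.resumed', 'active'],
  ['subscription.pending', 'past_due'],
  ['subscription.halted', 'past_due'],
  ['subscription.cancelled', 'canceled'],
  ['subscription.completed', 'canceled'],
  ['subscription.expired', 'canceled'],
]);

// rawBody must be the exact bytes received; re-serialized JSON will not match.
function verifySignature(rawBody, signatureHeader, secret) {
  if (typeof signatureHeader !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHeader)) {
    return false; // missing or malformed header
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'hex');
  // Both buffers are 32 bytes here, so timingSafeEqual cannot throw on length.
  return crypto.timingSafeEqual(expected, received);
}

// Verify first, parse second: an unsigned body is never interpreted.
function handleWebhook(rawBody, signatureHeader, secret) {
  if (!verifySignature(rawBody, signatureHeader, secret)) {
    return { httpStatus: 401, status: null };
  }
  let event;
  try {
    event = JSON.parse(rawBody.toString('utf8')).event;
  } catch {
    return { httpStatus: 400, status: null };
  }
  // Unlisted events are acknowledged but change nothing.
  return { httpStatus: 200, status: EVENT_STATUS.get(event) ?? null };
}

// Constructed sample input (secret and payload are made up for this example).
const SAMPLE_SECRET = 'constructed-test-secret';
const SAMPLE_BODY = Buffer.from('{"event":"subscription.halted"}');
const SAMPLE_SIG = crypto.createHmac('sha256', SAMPLE_SECRET).update(SAMPLE_BODY).digest('hex');
```

Because this route skips session middleware, the signature check is the only thing standing between an arbitrary POST and a plan change, so the handler needs access to the unparsed request body.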
Auth callback
GET /auth/callback
Supabase OAuth code exchange. New users without country → /onboarding.
Cron (internal)
See Cron Jobs. Authenticated via CRON_SECRET.
Middleware bypass
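These paths skip session middleware: api/mcp, api/cron, api/razorpay, auth/callback. Each relies on its own check described on this page instead: the bearer token for MCP, CRON_SECRET for cron, the x-razorpay-signature HMAC for the webhook, and the Supabase OAuth code exchange for the auth callback.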
External vs internal
| Route | Facing |
|---|---|
| /api/mcp | External (AI clients) |
| /api/oauth/* | External (OAuth clients) |
| /api/razorpay/webhook | External (Razorpay only) |
| /api/cron/* | Internal (Vercel Cron) |
There is no public REST API for expense CRUD outside MCP.
