Skip to Content
How the backend is builtWho calls the API

Who calls the API

All clients share the same hono-backend. Differences are only UX and which routes they hit.

vite-frontend (student web)

  • Origin: localhost:5173 in dev
  • Auth: Google → access token in memory, refresh token in httpOnly cookie (web pattern)
  • Uses: practice PYQ, current affairs, library, timestamps, study stats

admin-frontend (staff)

  • Origin: localhost:5174 in dev
  • Auth: same stack, user must have isAdmin / adminRole
  • Uses: /api/v1/admin/* — content, PYQ import, current affairs, users, rate limits

unforgett-app (Flutter)

  • No browser CORS (native HTTP client)
  • Auth: Authorization: Bearer on every call
  • Same JSON contracts as web where features overlap

Chrome extension

  • Allowed by CORS prefix chrome-extension://
  • Timestamp capture + sync endpoints under /api/v1 timestamps routes

cloudflare-worker

  • Calls /internal/notifications with NOTIFICATION_WORKER_KEY
  • Triggers due reminders, streak warnings, etc. on a schedule
  • Not a user-facing app — no JWT

Contract rule

When you change a route’s request or response shape:

  1. Update Zod validator + service in hono-backend
  2. Update each client that calls it (web, admin, Flutter)
  3. Document here or in PR description

The server wins on conflicts — clients must adapt.

Last updated on
Route mapAPI rate limiting