Admin endpoints

The /api/admin/* namespace exposes operator-facing endpoints used by the Polaris Express admin console. These routes are not intended for customer integrations — they assume an authenticated admin session and operate across tenant boundaries.

https://admin.polaris.express

Admin endpoints are served only from the admin host. Requests to app.polaris.express/api/admin/* are rejected at the edge.

Every request must carry a valid BetterAuth session cookie belonging to a principal with the admin role. The session is established via the admin sign-in flow (out of scope for this reference).

Unauthenticated requests receive 401 Unauthorized. Authenticated non-admin sessions receive 403 Forbidden.
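
The access contract above, sketched as a decision function. This is an added example, not Polaris Express code: the `Session` shape, the function names, the decision labels and the sample paths are assumptions, and the status returned for an edge rejection is not stated on this page. It goes slightly beyond the text by normalising the Host header and matching the path prefix strictly, two places where a gate like this commonly drifts from its written contract.

```typescript
// Hypothetical session shape; the real BetterAuth session object is not shown on this page.
type Session = { userId: string; roles: string[] } | null;
type Decision = "not-admin-route" | "edge-reject" | 401 | 403 | "allow";

const ADMIN_HOST = "admin.polaris.express"; // from the page

// Lower-case the Host header, then strip an optional port and a trailing dot,
// so "ADMIN.polaris.express:443" and "admin.polaris.express." compare equal.
function normaliseHost(host: string): string {
  return host.trim().toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// Match the namespace on a path-segment boundary: /api/admin/... is gated,
// /api/administrator is a different route. Treating the bare /api/admin as
// gated is an assumption that errs on the side of protection.
function isAdminPath(path: string): boolean {
  const p = path.split("?")[0];
  return p === "/api/admin" || p.startsWith("/api/admin/");
}

// Order matters: host check first (edge), then authentication, then role.
function gateAdminRequest(host: string, path: string, session: Session): Decision {
  if (!isAdminPath(path)) return "not-admin-route";
  if (normaliseHost(host) !== ADMIN_HOST) return "edge-reject";
  if (session === null) return 401;                      // no valid session
  if (!session.roles.includes("admin")) return 403;      // authenticated, not admin
  return "allow";
}

// Constructed sample requests (paths and users are made up for illustration).
const admin: Session = { userId: "u-admin", roles: ["admin"] };
const member: Session = { userId: "u-member", roles: ["member"] };

function runSamples(): Decision[] {
  return [
    gateAdminRequest("admin.polaris.express", "/api/admin/tenants", admin),
    gateAdminRequest("app.polaris.express", "/api/admin/tenants", admin),
    gateAdminRequest("admin.polaris.express", "/api/admin/tenants", null),
    gateAdminRequest("admin.polaris.express", "/api/admin/tenants", member),
    gateAdminRequest("ADMIN.polaris.express:443", "/api/admin/tenants?x=1", admin),
    gateAdminRequest("admin.polaris.express", "/api/administrator", null),
  ];
}
```

A table of cases like `runSamples()` is worth keeping as a regression test against the real middleware once it is available, since that middleware remains the authoritative contract.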

The route inventory references web/routes/api/admin/, but no handler source files were provided with this task. The endpoint catalog below cannot be generated without walking the actual route handlers to determine path parameters, request body schemas, response shapes, and error cases.

Re-run this page once the following are available:

  • web/routes/api/admin/**/*.ts (or .tsx) handler files
  • Any shared Zod schemas referenced from those handlers
  • Middleware files that gate the namespace (for the authoritative auth contract)