REST API reference

DASHH exposes a versioned REST API under /api/v2/*. All endpoints return JSON. Authentication is via SIWS session cookies (set after sign-in) OR explicit wallet pubkeys in request bodies for select endpoints.

Auth

  • GET /api/auth/nonce — issue a nonce to be signed.
  • POST /api/auth/verify — submit signed nonce; receive session cookie.
  • POST /api/auth/logout — clear session.
  • GET /api/auth/me — current authenticated wallet.

Campaigns

  • GET /api/v2/campaigns — list. Query params: platform=instagram|youtube|twitter|tiktok, status=active|..., brand=<wallet>, verifiedOnly=true.
  • POST /api/v2/campaigns — create. Requires SIWS or brandWallet in body. Rate-limited per wallet.
  • GET /api/v2/campaigns/[id] — single campaign.
  • POST /api/v2/campaigns/[id]/participate — creator joins. Body: creatorWallet, termsSignature, referredBy?.
  • POST /api/v2/campaigns/[id]/cancel — brand-only. Allowed only with zero participants.
  • POST /api/v2/campaigns/[id]/refund — brand-only. Allowed only after the final-window closes with zero settled creators.
  • GET /api/v2/campaigns/[id]/leaderboard — per-campaign leaderboard.

Proofs

  • POST /api/v2/proofs — submit a Reclaim proof. Body: participationId, reclaimProofId, rawProof. Runs the 13-rule pipeline, anchors to Arweave on success, routes proof to Join or Final based on timestamp.

Settlement

  • GET /api/v2/settle — cron-driven settlement runner. Walks every campaign past its 7-day window and finalises payouts. Gated by CRON_SECRET in production.
  • GET /api/v2/settle?force=true&campaign=<id> — manual trigger. Dev-only without CRON_SECRET.

Analytics

  • GET /api/v2/analytics/summary — aggregated metrics. Optional ?wallet= param scopes to a brand's campaigns.
  • GET /api/v2/analytics/landing-counters — public counters used by the landing page (cached 60s).

Creator-self

  • GET /api/v2/creators/me?wallet=<w> — current creator's lifetime stats, tier, and participations grouped by lifecycle bucket.
  • GET /api/v2/referrals/me?wallet=<w> — referral attribution + bonuses-paid summary.

Notifications

  • GET /api/v2/notifications?wallet=<w> — latest 50 notifications for the wallet.
  • POST /api/v2/notifications/[id]/read — mark a single notification as read.

Embeds

  • GET /embed/campaign/[id] — minimal, chrome-free iframe-ready widget. Query params: accent=14F195, theme=light, hide=image,description.

Open Graph

  • GET /og?title=...&subtitle=... — dynamic 1200×630 PNG share card.

Rate limiting

All write endpoints are rate-limited per wallet AND per IP. Limits are in src/lib/ratelimit.ts under LIMITS:

  • CAMPAIGN_CREATE — 5/hour per wallet
  • PARTICIPATE — 20/hour per wallet
  • PROOF_SUBMIT — 10/hour per IP
  • CANCEL_REFUND — 5/min per wallet
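
A fixed-window limiter that enforces the four limits listed above, keyed by the scope each limit names. This is an added example, not the contents of src/lib/ratelimit.ts; the fixed-window strategy, the in-memory store, and the names checkLimit, Caller and Decision are assumptions.

```typescript
// Added example: names, strategy and storage are assumptions, not DASHH code.
type Scope = "wallet" | "ip";
type Limit = { max: number; windowMs: number; scope: Scope };
type Caller = { wallet: string; ip: string };
type Decision = { allowed: boolean; retryAfterSec: number };

const HOUR = 60 * 60 * 1000;
const MINUTE = 60 * 1000;

// Values and scopes copied from the list above.
const LIMITS: { [action: string]: Limit } = {
  CAMPAIGN_CREATE: { max: 5, windowMs: HOUR, scope: "wallet" },
  PARTICIPATE: { max: 20, windowMs: HOUR, scope: "wallet" },
  PROOF_SUBMIT: { max: 10, windowMs: HOUR, scope: "ip" },
  CANCEL_REFUND: { max: 5, windowMs: MINUTE, scope: "wallet" },
};

// In-memory counters (assumption); several server instances need a shared store.
const counters: { [key: string]: { windowStart: number; count: number } } = {};

function checkLimit(action: string, caller: Caller, nowMs: number): Decision {
  // Unknown action: deny rather than silently skip limiting. The own-property
  // test keeps inherited names such as "constructor" from matching.
  if (!Object.prototype.hasOwnProperty.call(LIMITS, action)) {
    return { allowed: false, retryAfterSec: 0 };
  }
  const limit = LIMITS[action];

  // Key by the scope the limit names, so one wallet cannot spend another's budget.
  const subject = limit.scope === "wallet" ? caller.wallet : caller.ip;
  const key = action + ":" + limit.scope + ":" + subject;

  let entry = counters[key];
  if (!entry || nowMs - entry.windowStart >= limit.windowMs) {
    entry = { windowStart: nowMs, count: 0 }; // start a fresh window
    counters[key] = entry;
  }
  if (entry.count >= limit.max) {
    // Denied requests do not increment, so retries cannot extend the lockout.
    const waitMs = entry.windowStart + limit.windowMs - nowMs;
    return { allowed: false, retryAfterSec: Math.ceil(waitMs / 1000) };
  }
  entry.count += 1;
  return { allowed: true, retryAfterSec: 0 };
}
```

The clock is passed in as nowMs so the window arithmetic can be tested without waiting; a handler would pass Date.now() and return retryAfterSec to the client on denial.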

CAPTCHA

Campaign creation accepts an optional captchaToken field. When the server is configured with TURNSTILE_SECRET, the token is verified against Cloudflare Turnstile and 403 is returned on failure. Without a configured secret, verification is bypassed (development mode).