API Reference
Surfaces
The application has three distinct HTTP surfaces. The API surface (routes/api.php) is thin — most application functionality is on the Web surface using Inertia.js server-side routing.
Web Surface (routes/web/)
Inertia.js routes — return Inertia page components, not JSON (except XHR navigation).
Authentication (routes/web/membership.php subset)
| Method | Path | Controller | Auth |
|---|---|---|---|
| GET | /login | Auth\LoginController@showLoginForm | guest |
| POST | /login | Auth\LoginController@login | guest |
| POST | /logout | Auth\LoginController@logout | auth |
| GET | /register | RegisterController@showRegistrationForm | guest |
| POST | /register | RegisterController@register | guest |
| GET | /password/reset | ForgotPasswordController | guest |
| POST | /password/email | ForgotPasswordController@sendResetLinkEmail | guest |
| POST | /password/reset | ResetPasswordController@reset | guest |
| GET | /email/verify/{id}/{hash} | Verification | auth |
Product
| Method | Path | Controller | Auth |
|---|---|---|---|
| GET | /product/show/{product} | ProductController@show | — (private: code param) |
| GET | /product/stream/{product} | ProductController@stream | auth + verified |
| GET | /product/download/{product} | ProductController@download | auth + verified |
Cart
| Method | Path | Controller | Auth |
|---|---|---|---|
| GET | /order/cart | CartController@index | — |
| POST | /order/addCart | CartController@store | — |
| PUT | /order/updateCart/{cartItem} | CartController@update | — |
| DELETE | /order/deleteCart/{cartItem} | CartController@destroy | — |
Order / Checkout
| Method | Path | Controller | Auth |
|---|---|---|---|
| GET | /order/address | OrderController@address | auth + verified |
| POST | /order/confirm | OrderController@confirm | auth + verified |
| GET | /order/confirm | OrderController@showConfirmation | auth + verified |
| POST | /order/process | OrderController@store | auth + verified |
| POST | /order/finish/{order} | OrderController@complete | — (SBPS callback) |
| POST | /order/failure/{order} | OrderController@fail | — (SBPS callback) |
| GET | /order/complete/{order} | OrderController@complete | auth + verified |
Lottery
| Method | Path | Controller | Auth |
|---|---|---|---|
| GET | /product/lottery_cart | LotteryCartController@index | — |
| POST | /product/lottery_cart | LotteryCartController@store | auth |
| PUT | /product/lottery_cart/{item} | LotteryCartController@update | auth |
| DELETE | /product/lottery_cart/{item} | LotteryCartController@destroy | auth |
| POST | /product/apply_lottery | LotteryController@apply | auth + verified |
| PATCH | /product/update_lottery | LotteryController@update | auth + verified |
| GET | /product/lottery_winner/{product} | LotteryController@winner | auth + verified |
MyPage
| Method | Path | Controller | Auth |
|---|---|---|---|
| GET | /mypage | MypageController@index | auth + verified |
| GET | /mypage/orders | Order\OrderController@index | auth + verified |
| GET | /mypage/address | UpdateAddressController@index | auth + verified |
| PUT | /mypage/address | UpdateAddressController@update | auth + verified |
| GET | /mypage/card-storage-link | UpdateCardController@index | auth + verified |
| GET | /mypage/ckc_connect | — | auth + verified |
| GET | /storeby/auth | — | auth (SSO token for CKC) |
Admin Surface (routes/admin/)
Requires auth:admin guard. All paths prefixed /admin/ (except login).
Auth
| Method | Path | Notes |
|---|---|---|
| GET | /admin/login | guest:admin |
| POST | /admin/login | guest:admin |
| POST | /admin/logout | auth:admin |
Products
- /admin/products — CRUD (index, create, store, show, edit, update, destroy)
- /admin/products/{product}/variations — variation management
- /admin/products/{product}/bonus_items — gift items
- /admin/products/{product}/oricon_items — Oricon reporting items
- /admin/products/import — product CSV import
- /admin/artists — artist CRUD
- /admin/sliders — homepage slider management
Orders
- /admin/orders — order list, show, update status
- /admin/orders/shipping — shipping CSV import
- /admin/orders/export — order export (CSV/Excel)
Users
- /admin/users — user list, show, edit
- /admin/users/{user}/blacklist — manage lottery blacklists
Sales
- /admin/sales — sales reporting dashboard
- /admin/sales/export — sales data export
Label Surface (routes/web/sales.php)
Artist label routes — password-protected product view for label/record company staff.
| Method | Path | Controller | Notes |
|---|---|---|---|
| GET | /label/show/{product} | LabelController@show | Product view for label users |
| POST | /label/show{product} | LabelController@authenticate | Label password authentication |
| GET | /label/forget_password/{product} | LabelController@forgetPassword | Label password reset |
Webhooks (routes/webhook.php)
No auth, no CSRF. Use api middleware group.
| Method | Path | Controller | Notes |
|---|---|---|---|
| POST | /webhook/sbps | SbpsPaymentController@updateStatus | SBPS async status; idempotency via status === OPEN; no HMAC |
| POST | /webhook/atone | AtoneWebhookController@notify | Atone authorization; hash_equals on Np-Confirmation-Checksum |
API Surface (routes/api.php)
Thin — only one active endpoint. Sanctum middleware present but EnsureFrontendRequestsAreStateful is commented out.
| Method | Path | Controller | Auth | Notes |
|---|---|---|---|---|
| GET | /api/address | Api\AddressController@index | — | Postcode → address lookup via Google Maps |
Response Format
- Web routes: Inertia response (full HTML on first request; JSON `X-Inertia` on navigation)
- Admin routes: Blade or Inertia response
- API routes: JSON
- Webhooks: Plain-text (`OK,` / `NG,` for SBPS), JSON for Atone
Form Request Validation
All mutating web routes use Form Request classes. Invalid requests:
- Standard routes: 422 JSON or redirect back with errors
- Cart routes: redirect back to cart with specific error message
See validation.md for full rule catalog.