Routes
Ezvento uses Next.js App Router route groups to organize pages by persona and access level. Every route group has a dedicated layout with appropriate guards — from public marketing pages to platform-admin-only surfaces.
Route Groups Overview
Public vs Private Routes
These routes require no authentication. Anyone can access them.
| Route | Group | Visibility | Guard / Permission | Notes |
|---|---|---|---|---|
| / | root | Public | — | Marketing landing page |
| /login | (auth) | Public | — | Email/password and OAuth login |
| /signup | (auth) | Public | — | Account creation with plan selection |
| /forgot-password | (auth) | Public | — | Password recovery email |
| /update-password | (auth) | Public | — | Reset password after recovery link |
| /support | (auth) | Public | — | Support/help page |
| /terms | (auth) | Public | — | Terms of service |
| /privacy | (auth) | Public | — | Privacy policy |
| /terms-conditions | root | Public | — | Full terms and conditions |
| /privacy-policy | root | Public | — | Full privacy policy |
| /contact | root | Public | — | Contact form |
| /auth/token | root | Public | — | OAuth callback handler |
| /payment | root | Public | — | Subscription payment page |
| /payment/success | root | Public | — | Payment success confirmation |
| /customer-portal/[tokenId] | root | Public | — | Token-authenticated customer portal |
| /api/auth/start | api | Public | — | Auth flow starter |
| /api/auth/exchange | api | Public | — | OAuth code exchange |
| /api/auth/callback-server | api | Public | — | Post-login server callback |
| /api/auth/logout | api | Public | — | Sign out endpoint |
| /api/auth/permissions | api | Public | — | Read effective permissions |
| /api/auth/session-persona | api | Public | — | Set persona cookie |
| /api/payments/dodo-webhook | api | Public | signature | Dodo Payments webhook (signature verified) |
| /api/payments/pos/webhook | api | Public | — | POS payment provider webhook |
| /api/payments/dev-bypass | api | Public | — | Dev-only payment bypass |
| /api/payments/dev-expire-trial | api | Public | — | Dev-only trial expiration |
Role-Guarded Routes
In addition to layout-level auth, many pages and API routes check specific permissions. Missing permissions redirect to /unauthorized (pages) or return 403 (API).
| Route / Operation | Required Permission | Scope | Notes |
|---|---|---|---|
| /dashboard/settings | ORGANIZATION_SETTINGS_EDIT | ORG | Tenant-wide config |
| /dashboard/products | PRODUCT_VIEW | ORG | Catalog view |
| /dashboard/customers | CUSTOMER_VIEW | ORG | CRM access |
| /dashboard/reports | REPORT_VIEW_SALES | ORG | All report types |
| /dashboard/inventory | INVENTORY_VIEW | STORE | Stock levels by store |
| /dashboard/billing | SALE_VIEW | STORE | Invoice list |
| /dashboard/billing/new | SALE_CREATE | STORE | Create invoice |
| /dashboard/vendors | VENDOR_VIEW | ORG | Supplier management |
| /dashboard/purchases | PURCHASE_VIEW | ORG | Purchase invoices |
| /dashboard/stores | STORE_VIEW | ORG | Store management |
| /dashboard/team | USER_VIEW | ORG | User list |
| /dashboard/shifts | SHIFT_VIEW | STORE | Shift management |
| /cashier/** | SALE_CREATE | STORE | Cashier persona entry point |
| /helper/lookup | INVENTORY_VIEW | STORE | Inventory staff lookup |
Redirects
Common redirect flows based on auth state, persona, and permissions.
Route Parameters
Dynamic segments in Next.js App Router. These are resolved from the URL path and used in database queries with tenant isolation.
| Pattern | Example URL | Used In | Validation |
|---|---|---|---|
| [id] | /api/products/prod_abc123 | Products, Users, Categories, Vendors, Stores, Locations | Must exist and belong to tenant |
| [storeId] | /api/billing?storeId=str_001 | Billing, Inventory, Reports, Shifts | User's allowedStoreIds must include it (or null = all) |
| [tokenId] | /customer-portal/tok_xyz789 | Customer portal public access | Token must be valid and unexpired |
| [id] (shifts) | /api/shifts/shf_001/close | Shift close, shift summary | Must belong to user's store or own shift |
| [id] (transfers) | /api/stock-transfers/xfr_001/ship | Stock transfer ship/receive | User must have scope on source/dest store |
Route exploration tip
Run find src/app -name "page.tsx" | sort and find src/app/api -name "route.ts" | sort to see the full live route map. Guards are defined in layout files and individual page components.