This page explains how a single user action travels through pages, API routes, third-party services, and database tables. It is meant for developers, operators, and non-technical readers who want a clearer process view.
Main flow map
| Flow | Starts from | Touches what |
|---|---|---|
| Auth and basic onboarding | auth pages | Supabase Auth, auth.users, profiles, subscriptions, user_roles |
| Checkout and subscription activation | dashboard billing | POST /api/payments, payment provider, webhook, payments, subscriptions, webhook_events, audit_logs |
| Profile and avatar updates | dashboard settings | POST /api/profile/avatar, Supabase Storage, POST /api/profile, profiles, audit_logs |
| Waitlist and contact | public pages | POST /api/waitlist or POST /api/contact, Supabase or Resend, rate limiting |
| AI requests | product AI UI | POST /api/ai/chat or POST /api/ai/generate, AI provider, ai_usage, rate limiting |
Auth and basic onboarding flow
The user signs up or logs in
The user enters through auth pages such as
/auth/login or /auth/sign-up.Supabase creates or verifies the session
The session lives in the Supabase auth flow. Callbacks such as OTP and OAuth land in
/auth/confirm.Database triggers create the baseline user data
When a new user appears in
auth.users, migrations also prepare default rows in profiles, subscriptions, and user_roles.- Supabase public env,
- redirect URLs,
- the
/auth/confirmcallback, - admin access rules in
user_roles.
Checkout to active subscription flow
The user chooses a plan in dashboard billing
The UI reads the plan catalog from
config/subscriptions.ts.The client calls POST /api/payments
The route validates the request, confirms the user is logged in, then creates a
payments row with PENDING status.The server creates a provider checkout session
Midtrans returns a Snap token. Doku returns a checkout URL.
The user completes payment in the provider flow
After that, the user usually returns to
/order/[id] or the fallback /payment/callback.The provider calls the webhook
The Midtrans or Doku webhook verifies the signature, records the event in
webhook_events, and updates the payment status.paymentssubscriptionswebhook_eventsaudit_logs
Profile and avatar flow
The user opens dashboard settings
The settings page reads the existing profile, role, and avatar values.
The client requests a signed upload URL
POST /api/profile/avatar receives fileSize and fileType, then returns an upload token if valid.The browser uploads the file to the avatars bucket
The file is stored at
${userId}/avatar inside Supabase Storage.The client saves the avatar reference back to the profile
POST /api/profile updates full_name, avatar_path, and avatar_url.- auth is not available,
SUPABASE_SERVICE_ROLE_KEYis not ready for the relevant writes,- file size is too large,
- the MIME type is not supported.
Waitlist and contact flow
Waitlist
Waitlist
The flow is:
- the user submits email in
/waitlist, POST /api/waitlistpasses through IP-based rate limiting,- the payload is validated,
- the row is inserted into
waitlist, - duplicate email attempts return a response the UI can handle.
Contact form
Contact form
The flow is:
- the user submits name, email, and message in
/contact, POST /api/contactpasses through IP-based rate limiting,- the payload is validated,
- the server sends email through Resend,
- the destination inbox is taken from
CONTACT_EMAILor falls back toEMAIL_FROM.
AI request flow
The server authorizes the request
The route checks the provider, logged-in user, subscription plan, and monthly usage limit.
The request goes to the selected model
The server chooses the model from the active provider and sends the request.
401usually means the user is not authenticated,429can mean request rate limit or monthly usage limit,503usually means the AI provider is not configured.