fullstack apps additionally get a dedicated Supabase project (PostgreSQL, auth, storage, edge functions). Naive owns the provider credentials and injects them into every call.
Apps can be frontend_only (static/Next.js) or fullstack (Next.js + Supabase).
Apps are fully standalone — no agent orchestration required. Build locally from a starter template and deploy by uploading your project; or, when the company has an agent container, let engineer agents build and deploy from their workspaces.
Capability Model
Two layers of access:- Lifecycle endpoints — curated, opinionated operations for the common path: create, deploy, publish, secrets, domains, database queries.
- Provider proxies — generic passthrough to the Vercel REST API and Supabase Management API, scoped to the app’s own project. Anything those APIs support — build logs, project settings, auth config, storage, edge functions, migrations — works through the proxies.
Endpoints
| Method | Path | Description |
|---|---|---|
GET | /v1/apps | List all apps |
POST | /v1/apps | Create a new app |
GET | /v1/apps/templates | List starter templates (GitHub clone commands) |
GET | /v1/apps/:id | Get app details |
DELETE | /v1/apps/:id | Delete an app |
POST | /v1/apps/:id/deploy | Deploy — tarball upload (direct) or workspace (orchestrated) |
POST | /v1/apps/:id/publish | Promote to production |
GET | /v1/apps/:id/deployments | List deployments |
POST | /v1/apps/:id/retry | Retry failed provisioning |
GET | /v1/apps/:id/secrets | List secret keys |
POST | /v1/apps/:id/secrets | Set a secret (synced to Vercel) |
DELETE | /v1/apps/:id/secrets/:key | Delete a secret (removed from Vercel) |
GET | /v1/apps/:id/secrets/:key/reveal | Reveal secret value |
GET | /v1/apps/:id/domains | List domains |
POST | /v1/apps/:id/domains | Add custom domain |
DELETE | /v1/apps/:id/domains/:domainId | Remove domain |
POST | /v1/apps/:id/domains/:domainId/set-primary | Set primary production domain |
POST | /v1/apps/:id/connect-domain | Connect company domain |
DELETE | /v1/apps/:id/connect-domain/:domainId | Disconnect company domain |
POST | /v1/apps/:id/verify-domain-dns | Verify DNS |
POST | /v1/apps/:id/db/query | Run SQL query (fullstack) |
GET | /v1/apps/:id/db/tables | List tables (fullstack) |
ANY | /v1/apps/:id/vercel/proxy/* | Vercel API passthrough (scoped to the app’s project) |
ANY | /v1/apps/:id/supabase/proxy/* | Supabase Management API passthrough (scoped to the app’s project) |
ANY | /v1/apps/:id/db/rest/* | Supabase PostgREST passthrough (fullstack, service-role key injected) |
ANY | /v1/apps/:id/storage/proxy/* | Supabase Storage passthrough (fullstack) |
ANY | /v1/apps/:id/auth/proxy/* | Supabase GoTrue passthrough (fullstack) |
ANY | /v1/apps/:id/functions/proxy/* | Supabase Edge Functions invoke passthrough (fullstack) |
Capability Primitives
A fullstack app’s Supabase backend is also exposed as four first-class primitives, each a curated surface over these proxies (and individually gateable in Account Kits):- Database — SQL, PostgREST CRUD, migrations
- Storage — buckets & objects
- Edge Functions — list, deploy, invoke
- Auth — auth config & admin users
Per-User Scoping
All routes are also mounted under/v1/users/:user_id/apps for multi-tenant setups. On the per-user mount, the subject’s Account Kit must enable the apps primitive, and every :id route verifies the app belongs to that user.