Skip to main content

API Overview

Estudio Three uses a modern serverless architecture with Supabase as the backend and Vercel for serverless functions.

Architecture

Backend Stack

  • Supabase: PostgreSQL database with real-time subscriptions
  • Vercel Serverless Functions: AI and translation endpoints
  • Zustand Stores: Client-side state management with Supabase sync
  • Row Level Security (RLS): User data isolation at database level

Data Flow

Client (Zustand Store) <-> Supabase API <-> PostgreSQL
                      \-> Vercel Functions <-> External AI APIs

Authentication

All API operations require authentication via Supabase Auth. The system supports:
  • Email/Password authentication
  • OAuth providers (Google, GitHub)
  • Session-based access control
  • Automatic Row Level Security (RLS)
See Authentication for detailed implementation.

Base URLs

Supabase API
https://[project-id].supabase.coConfigured via VITE_SUPABASE_URL environment variable
Vercel Functions
/api/* endpoints deployed on your Vercel domainExample: https://your-domain.vercel.app/api/ai

Rate Limiting

AI Coach Endpoint

  • Limit: 30 requests per minute per IP address
  • Tracking: In-memory rate limit map with 60-second sliding window
  • Error Code: 429 when limit exceeded
// Rate limit response
{
  "error": "Demasiadas peticiones",
  "code": 429
}

Supabase Operations

  • No explicit rate limits on read operations
  • Write operations protected by RLS policies
  • Connection pooling handles concurrent requests

Data Models

The API operates on these core entities:
  • Profiles: User profiles with onboarding state
  • Tasks: Academic and personal tasks with subtasks
  • Events: Calendar events (exams, matches, training, classes)
  • Routines: Daily routine blocks (fixed and flexible)
  • Focus Sessions: Pomodoro-style work sessions
  • Subjects: Academic subjects with difficulty ratings
  • Goals: Long-term objectives with progress tracking

Error Handling

All endpoints return consistent error formats: 
{
  "error": string,  // Human-readable error message
  "code": number    // HTTP status code
}

Common Error Codes

  • 400: Bad request (missing or invalid parameters)
  • 401: Unauthorized (invalid or missing authentication)
  • 403: Forbidden (RLS policy violation)
  • 404: Not found
  • 429: Rate limit exceeded
  • 500: Internal server error
  • 503: Service unavailable (AI provider down)

Security

Row Level Security (RLS)

All database tables have RLS policies that automatically filter data by user_id: 
-- Example RLS policy
create policy "Usuarios gestionan sus tareas" 
  on tasks for all 
  using ( auth.uid() = user_id );
This means users can only access their own data, even if they know other record IDs.

API Key Management

  • Supabase anonymous key is safe for client-side use
  • Vercel function secrets (e.g., GROQ_API_KEY) are server-side only
  • CORS is configured to allow requests from your app domain

Client Libraries

Supabase Client

import { createClient } from '@supabase/supabase-js';

export const supabase = createClient(
  process.env.VITE_SUPABASE_URL,
  process.env.VITE_SUPABASE_ANON_KEY
);

Store-based Operations

Most API operations are abstracted through Zustand stores:
  • useAuthStore: Authentication and profile management
  • useTaskStore: Task CRUD operations
  • useCalendarStore: Event and calendar operations
  • useRoutineStore: Routine generation and management

Next Steps

Authentication

Learn about sign-up, sign-in, and session management

AI Coach

Integrate the AI coaching and translation endpoint

Tasks

Manage tasks, subtasks, and recurring patterns

Calendar

Work with events and weekly schedules

Build docs developers (and LLMs) love

Get started for freeTalk to us