Public request surface and docs boundaries

SpendDaddy exposes two production hosts:

• api.spenddaddy.app — runtime + webhook + lightweight ingestion endpoints
• app.spenddaddy.app — operator UI and admin workflows
• docs.spenddaddy.app — this documentation site

On api.spenddaddy.app, the currently stable public routes are:

• GET /healthz
• POST /webhooks/revenuecat/{token}
• POST /identify
• POST /event

There is no tokenized /api/v1/* public control plane in this release.

Practical onboarding contract

• Treat /webhooks/revenuecat/{token} as machine-authenticated integration traffic.
• Treat identify/event routes as key-authenticated ingestion traffic.
• Keep secret values in config stores and out of logs.

For private operational workflows (recommendation review, settings changes, mutation actions), use the authenticated app.spenddaddy.app login flow.