From 67f1927eb5c18b387688daa90a01c360a168bd4e Mon Sep 17 00:00:00 2001
From: Jeff Emmett
Date: Mon, 23 Mar 2026 14:23:44 -0700
Subject: [PATCH] fix(rflows): exempt public on-ramp endpoints from space auth middleware

Space visibility defaults to "private", blocking unauthenticated API calls. The on-ramp and webhook endpoints are designed for unauthenticated users, so they need to bypass the space-level auth check.

Co-Authored-By: Claude Opus 4.6
---
 server/index.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/server/index.ts b/server/index.ts
index 62dcc99..31b2ff3 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -2218,7 +2218,16 @@ for (const mod of getAllModules()) {
 const accept = c.req.header("Accept") || "";
 const isHtmlRequest = accept.includes("text/html");
- if (!isHtmlRequest && (vis === "private" || vis === "permissioned")) {
+ // Exempt public-facing endpoints that are designed for unauthenticated users
+ const pathname = new URL(c.req.url).pathname;
+ const isPublicEndpoint = pathname.endsWith("/api/flows/user-onramp") || pathname.endsWith("/api/onramp/config") || pathname.endsWith("/api/transak/config") || pathname.endsWith("/api/transak/webhook") || pathname.endsWith("/api/coinbase/webhook") || pathname.endsWith("/api/ramp/webhook");
+
+ if (!isHtmlRequest && !isPublicEndpoint && (vis === "private" || vis === "permissioned")) {
 const token = extractToken(c.req.raw.headers);
 if (!token) {
 return c.json({ error: "Authentication required" }, 401);
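Review bot: The exemption in the new `isPublicEndpoint` expression is a suffix match with no method check, so any route whose pathname ends with one of these six strings — under whichever module or mount prefix this loop iteration handles — now skips the space-level auth check, including GET requests to the three `/webhook` paths. If the mount prefix is known inside this loop, compare the full pathname exactly against a frozen `Set` of allowed paths instead of `endsWith`, and gate the webhook entries on `c.req.method === "POST"` so only the provider's callback shape is exempt. Exempting the webhook paths also assumes each handler authenticates the provider's request itself (signature/HMAC verification), which is not visible in this diff; a comment above the list such as `// Webhook handlers must verify the provider signature themselves — no space auth is applied on these paths` would make that dependency explicit to the next maintainer. The two `/config` endpoints become readable by anyone, so their responses should contain only publishable values, never server-side API keys. The enclosing middleware handler starts and ends outside this hunk.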