Audience: admins, support engineers, internal developers
Difficulty: intermediate
What this covers
A grouped, navigable map of every routable URL in the Solavel parent app (308 routes) and the Solabooks app (1,060 routes). The full list is too long to read by hand, so routes are bucketed by area and the auth chain that protects them is given once per group.
For the literal route list, run `php artisan route:list --json` in either app — these tables are summaries, not a copy.
Parent app (/var/www/html/solavel)
Mounted at the apex domain (e.g. solavel.com/).
Public marketing & docs
| URI | Purpose | Auth |
|---|---|---|
| `GET /` | Marketing homepage | none |
| `GET /finance` | Solabooks landing | none |
| `GET /hr` | HR landing | none |
| `GET /finance/plans`, `GET /hr/plans` | Plans listing | none |
| `GET /comparison`, `GET /launch` | Plan comparison & launch CTA | none |
| `GET /docs/finance` | Public finance setup walkthrough | none |
| `POST /error-report` | Public error capture endpoint | none |
Authentication (Breeze + SSO bridge)
| URI | Purpose | Auth |
|---|---|---|
| `GET\|POST /login`, `POST /logout` | Session login/logout | guest / auth |
| `GET\|POST /register` | Account registration | guest |
| `GET\|POST /forgot-password`, `/reset-password/{token}` | Password reset | guest |
| `GET /verify-email`, `POST /email/verification-notification` | Email verification | auth |
| `GET /confirm-password`, `POST /confirm-password` | Re-confirm password | auth |
| `GET /signin/finance`, `GET /signin/hr` | Project-scoped sign-in entry | guest |
| `GET /sso/finance` | SSO entry (cold) | web |
| `GET /sso/finance/redirect` | SSO redirect (warm, throttled 20/min) | auth |
| `POST /sso/logout` | Cross-app logout | web |
Onboarding
| URI prefix | Purpose | Auth |
|---|---|---|
| `/onboarding/*` | Workspace onboarding verification | auth + client |
| `/finance/onboarding/*` | Solabooks project onboarding | auth |
| `/hr/onboarding/*` | HR project onboarding | auth |
| `/finance/start`, `/finance/login`, `/finance/provisioning/status` | Solabooks provisioning shell | auth |
| `/hr/start`, `/hr/login`, `/hr/provisioning/status` | HR provisioning shell | auth |
/admin/* — admin shell (89 routes)
Auth chain: web + auth + EnsureAdmin + LoadMyWorkspace. The
super-admin sub-tree (permissions, roles, send-email) layers
EnsureSuperAdmin on top.
| Sub-prefix | Routes | Notes |
|---|---|---|
| `admin/projects` | 14 | Projects + nested project plans CRUD |
| `admin/my-workspace` | 8 | Internal "Solavel Internal" workspace tools |
| `admin/admins` | 7 | Manage admin users |
| `admin/clients` | 7 | Client (tenant) CRUD |
| `admin/plans` | 7 | Bundle plans CRUD |
| `admin/permissions` | 7 | Super-admin only |
| `admin/roles` | 7 | Super-admin only |
| `admin/client-users` | 5 | Cross-tenant user list |
| `admin/system-event-logs` | 3 | Cross-app audit feed |
| `admin/user-monitor`, `admin/form-monitor` | 6 | Live presence and form-event tail |
| `admin/tap-test`, `admin/contact-messages`, `admin/errors`, `admin/beta-reports`, `admin/features` | misc | See logs-and-errors |
/portal/* — client workspace (35 routes)
Auth chain: web + auth + SetClientContext + EnsureWorkspaceOnboardingCompleted.
This is the canonical post-login surface for tenant owners and members.
| Sub-prefix | Routes | Notes |
|---|---|---|
| `portal/orgs/*` | 32 | Org list, members, projects, billing, subscriptions, invoices, payments |
| `portal/billing/*`, `portal/plan/*`, `portal/settings/*` | 3 | Workspace-level billing |
/client/* — client beta-reports
| URI | Routes |
|---|---|
| `client/beta-reports/*` | 4 |
/api/* — parent API surface (52 routes)
| Sub-prefix | Auth | Notes |
|---|---|---|
| `api/auth/{login,logout,me}` | open / sanctum | Token issue |
| `api/sso/validate` | `throttle:60,1` | Open by design — Solabooks verifies tokens here |
| `api/workspace-control/*` | `auth:sanctum` | Used by tenant apps to read/write central data |
| `api/subscriptions/*` | sanctum | Subscription lifecycle |
| `api/beta-reports`, `api/errors/ingest`, `api/system-events/ingest`, `api/tenancy/organizations/projects/sync` | `VerifySolavelSyncSignature` (HMAC) | Sync ingest |
| `api/webhooks/tap` | open route, controller-verified | Tap payment webhook |
Solabooks app (/var/www/html/solavel-finance)
Mounted at solavel.com/finance/.
Per-org chain (most pages)
The default authenticated chain for tenant pages is:
web → Authenticate → ResolveActiveOrganization → EnsureOrgMembership → EnsureOrgSelected
On top, most pages add `feature:<flag>` and/or `perm:<key>` checks.
See permission-matrix and
plan-feature-matrix.
/admin/* (180 routes)
Auth: web + Authenticate + RoleMiddleware:admin (Spatie role).
| Sub-prefix | Routes | Notes |
|---|---|---|
| `admin/inventory` | 101 | Items, categories, units; mounted under admin but `withoutMiddleware('role:admin')` (open to org users) |
| `admin/suppliers` | 17 | Legacy supplier admin |
| `admin/plans`, `admin/plan-tasks`, `admin/steps`, `admin/task-steps` | 38 | Project-plan editor (legacy) |
| `admin/customers`, `admin/quotations` | 14 | Legacy editors |
| `admin/clients`, `admin/inventory-setup`, `admin/activity-logs` | misc | Admin-shell utilities |
Reports (/reports/*, 120 routes)
41 viewer routes + 48 PDF endpoints + 12 CSV endpoints + 7 scheduled-report
admin routes + per-area sub-paths (budgets, projects, dimensions,
fixed-assets). Most viewers gate on feature:tracker.<report> and
perm:reports.view.
Sales / AR (/ar/*, 89 routes)
| Sub-prefix | Feature gate | Permission gate |
|---|---|---|
| `ar/invoices` | `tracker.invoices` | `sales.invoices.*` |
| `ar/quotes` | `tracker.quotes_estimates` | `quotes.*` |
| `ar/sales-orders` | `sales.use_sales_orders` + `tracker.sales_orders` | `sales_orders.*` |
| `ar/credit-notes` | `tracker.credit_notes` | `sales.credit_notes.*` |
| `ar/sales-receipts` | `tracker.sales_receipts` | `sales.receipts.*` |
| `ar/customer-payments` | `tracker.record_offline_payments` | `sales.payments.*` |
| `ar/refund-receipts` | – | `sales.refunds.*` |
| `ar/retainers` | `finance.retainers` (undeclared, see audit) | – |
| `ar/price-lists`, `ar/pricing-rules` | `price_lists`, `advanced_pricing_rules` | `price_lists.*`, `pricing_rules.*` |
Purchases / AP (/ap/*, 95 routes)
| Sub-prefix | Feature gate | Permission gate |
|---|---|---|
| `ap/bills` | `tracker.bills` | `purchases.bills.*` |
| `ap/expenses` | `tracker.expenses_direct_pay` | `purchases.expenses.*` |
| `ap/bill-payments` | `tracker.record_payments_made` | `purchases.bill_payments.*` |
| `ap/debit-notes` | `tracker.vendor_credits_debit_notes` | `purchases.debit_notes.*` |
| `ap/purchase-orders` | `enable_purchase_orders` + `tracker.purchase_orders` | `purchase_orders.*` |
| `ap/landed-costs` | `tracker.landed_costs` | `landed_costs.*` |
Banking (/banking/*, /reconciliations/*, /bank-imports/*)
| Sub-prefix | Feature gate | Permission gate |
|---|---|---|
| `banking/accounts` | – | `banking.accounts.*` |
| `reconciliations` | `bank_reconciliation_enabled` + `tracker.bank_reconciliation` | `banking.reconciliation.*` |
| `bank-imports` | `tracker.import_bank_statements` | `banking.import.*` |
| `banking/rules`, `banking/templates` | – | `banking.rules.*`, `banking.templates.*` |
Settings (/settings/*, 79 routes)
Gates use perm:settings.*, plus perm:custom_fields.manage,
perm:custom_views.manage_*, perm:dimensions.manage, etc. Each settings
sub-page is one row in permission-matrix.
Customer-facing (no auth on parent app)
| URI | Throttle | Token middleware |
|---|---|---|
| `i/{token}/*` (canonical) | `portal-public` | `portal.token` |
| `portal/{token}/*` (legacy) | `portal-public` | `portal.token` |
| `i/{token}/request-access`, `i/{token}/send-again` | `portal-recovery` | – |
| `q/{token}/*` (public quote) | `quotes-public` | `quote.token` |
| `customer-portal/*` (account-based) | `customer-portal-{login,password}` | `customer-portal.tenant` + `customer-portal.{auth,guest}` |
| `customer/time-approvals/{timeEntry}/{token}/*` | `30,1` | controller-verified |
| `shared/projects/{token}/*`, `p/projects/{token}/*` | `portal-public` | controller-verified |
See secure-document-links and overview.
Solabooks API (/api/*, 40 routes)
| Sub-prefix | Auth |
|---|---|
| `api/auth/login` | open |
| `api/v1/{customers,suppliers,invoices,bills,payments}` | `EnsureExternalApiAccess:<scope>` |
| `api/tenancy/*` | `VerifySolavelSyncSignature` (HMAC, parent-issued) |