Athena, route map
Every page route and API route in the Athena admin dashboard
Athena exposes 19 user-facing pages and 24 API routes (route.ts files), grouped into 12 feature modules. This page maps them all.
Page routes
| Path | Source | Purpose |
|---|---|---|
/ | src/app/page.tsx | Dashboard home with analytics widgets. |
/identities | src/app/identities/page.tsx | List + filter identities. |
/identities/[id] | src/app/identities/[id]/page.tsx | Identity detail: traits, credentials, verifiable addresses. |
/sessions | src/app/sessions/page.tsx | All active sessions; revoke. |
/oauth2-clients | src/app/oauth2-clients/page.tsx | OAuth2 client management. |
/oauth2-clients/[id] | src/app/oauth2-clients/[id]/page.tsx | Client detail. |
/oauth2-tokens | src/app/oauth2-tokens/page.tsx | Token introspection. |
/m2m-clients | src/app/m2m-clients/page.tsx | M2M client management (with secret rotation). |
/messages | src/app/messages/page.tsx | Kratos courier message log (verification, recovery). |
/schemas | src/app/schemas/page.tsx | Identity schemas; live reload. |
/settings | src/app/settings/page.tsx | Settings vault editor (Athena + global settings). |
/social-connections | src/app/social-connections/page.tsx | OIDC IdP connections. |
/locked-accounts | src/app/locked-accounts/page.tsx | Active lockouts; manual unlock. |
/security | src/app/security/page.tsx | Security audit log. |
/analytics | src/app/analytics/page.tsx | PKCE analytics, MFA stats, login attempts. |
/login, /logout, /callback | src/app/<...>/page.tsx | OAuth2 login flow into Athena. |
API routes
| Path | Methods | Source |
|---|---|---|
/api/health | GET | src/app/api/health/route.ts |
/api/auth/login | GET | src/app/api/auth/login/route.ts |
/api/auth/callback | GET | src/app/api/auth/callback/route.ts |
/api/auth/logout | POST | src/app/api/auth/logout/route.ts |
/api/auth/session | GET | src/app/api/auth/session/route.ts |
/api/identities | GET, POST | src/app/api/identities/route.ts |
/api/identities/[id] | GET, PATCH, DELETE | src/app/api/identities/[id]/route.ts |
/api/sessions | GET, DELETE | src/app/api/sessions/route.ts |
/api/clients/m2m | GET, POST | src/app/api/clients/m2m/route.ts |
/api/clients/m2m/[id] | GET, DELETE | src/app/api/clients/m2m/[id]/route.ts |
/api/clients/m2m/[id]/rotate-secret | POST | src/app/api/clients/m2m/[id]/rotate-secret/route.ts |
/api/connections/public | GET | src/app/api/connections/public/route.ts |
/api/connections/social | GET (deprecated) | src/app/api/connections/social/route.ts |
/api/oauth2/clients | GET, POST | src/app/api/oauth2/clients/route.ts |
/api/oauth2/clients/[id] | GET, PATCH, DELETE | src/app/api/oauth2/clients/[id]/route.ts |
/api/oauth2/tokens | POST (introspect) | src/app/api/oauth2/tokens/route.ts |
/api/locked-accounts | GET | src/app/api/locked-accounts/route.ts |
/api/locked-accounts/[id]/unlock | POST | src/app/api/locked-accounts/[id]/unlock/route.ts |
/api/messages | GET | src/app/api/messages/route.ts |
/api/schemas | GET, POST | src/app/api/schemas/route.ts |
/api/schemas/[id] | GET, PATCH, DELETE | src/app/api/schemas/[id]/route.ts |
/api/settings | GET | src/app/api/settings/route.ts |
/api/settings/batch | POST | src/app/api/settings/batch/route.ts |
/api/settings/[key] | GET, PUT, DELETE | src/app/api/settings/[key]/route.ts |
/api/config | GET | src/app/api/config/route.ts |
The generated per-route reference is at Reference, Athena API.
Feature module layout
Under src/features/, these are the logical groupings:
| Module | Responsibility |
|---|---|
analytics | Dashboard widgets, PKCE/MFA charts. |
auth | Athena's own auth chain (session cookie, OAuth2 callback). |
identities | Identity CRUD UI + list view. |
m2m-clients | M2M client management. |
messages | Courier message log. |
oauth2-auth | OAuth2 login flow into Athena. |
oauth2-clients | OAuth2 client management. |
oauth2-tokens | Token introspection UI. |
schemas | Identity schemas + live reload. |
security | Audit log viewer. |
sessions | Sessions list + revoke. |
settings | Settings vault UI. |
Each feature module typically contains: page.tsx (Next.js route), actions.ts (server actions / API client calls), components/ (atomic feature-specific React).
Service layer
Under src/services/, these wrap the Kratos and Hydra admin APIs:
services/kratos/, admin and public Kratos client (10 endpoint wrappers).services/hydra/, admin Hydra client (clients, consent sessions, tokens).
Reasoning: Athena should never call Kratos or Hydra directly from a route handler, always through the service layer. This makes mocking in tests trivial and keeps the auth-passing logic in one place.
Middleware chain
src/middleware.ts is the Next.js edge middleware. The full chain:
- isPublicRoute? (
/api/health,/api/auth/**,/api/connections/social) → pass through. - isProxyRoute? (
/api/kratos/**,/api/hydra/**,/api/iam-kratos/**,/api/iam-kratos-admin/**,/api/hydra-admin/**) → pass through (the Ory APIs enforce their own auth). - verifySession(cookie) → 401 if invalid or missing.
- isAdminRoute? + check role ===
admin→ 403 if not admin. - Route handler runs.
See Athena API Authentication for the auth chain in full detail.
Testing approach
Unit tests with Vitest, mocking the services/kratos/* and services/hydra/* modules, see Develop, Testing strategy. The service-layer abstraction makes this clean.
End-to-end tests with Playwright cover a small set of golden-path flows: log in as admin, create an identity, list identities, delete identity, log out. Not exhaustive, Vitest does the bulk.
Where next
- Internals, Athena service layer
- Internals, Athena middleware
- Reference, Athena API, generated per-route reference.