Admin endpoints

All require admin auth (Bearer BEDS24_WEBHOOK_SECRET OR Basic auth challenge — paste the secret as the password). Source: src/lib/webhook-auth.ts → verifyAdminAuth.

Read views (HTML)

Path	Description
`GET /admin/clean-status`	Cleaning state per upcoming booking; `?past=1` for full history
`GET /admin/email-status`	Mailgun event timeline; `?msg=X` or `?booking=X` filters
`GET /admin/delivery-status`	Cross-channel send log; `?booking=X` filter
`GET /admin/property/{id}`	Visual editor for property_config fields
`GET /admin/property/{id}/raw`	Raw-JSON textarea fallback for property_config
`GET /admin/booking/{id}`	Raw Beds24 booking + thread message dump

Mutation endpoints

Path	Method	Description
`POST /admin/backfill`	POST	Spawn `DailyFlagSyncWorkflow` with horizonDays=365
`POST /admin/property/{id}/form-overrides`	POST	Save raw JSON form_overrides
`POST /admin/property/{id}/toggle-omit`	POST	Flip omit flag on one form field
`POST /admin/booking/{id}/respawn`	POST	Force ensureBookingFlagWorkflow respawn
`POST /admin/booking/{id}/allow-auto-action?value=all\|disable\|default`	POST	Set BA’s allowAutoAction on a booking
`POST /admin/sms-test?to=+1...&body=...`	POST	Fire a one-shot diagnostic SMS via Twilio

Add-on action endpoints (M4c)

Path	Method	Description
`GET /admin/booking/{id}/addon-capture?addon=early_checkin\|late_checkout`	GET	Bill clicks → capture payment intent + notify guest
`GET /admin/booking/{id}/addon-decline?addon=...&reason=...`	GET	Bill clicks → cancel auth + apologize

GET (not POST) so the URL in the workflow’s email works directly in a browser tab.

Auth shape

The auth header can be either:

Authorization: Bearer {secret} — programmatic calls (curl, scripts)
Authorization: Basic {b64(:secret)} — browser dialog if no header

If auth fails, response is 401 with WWW-Authenticate: Basic realm="..." header to trigger the browser dialog.

Source

src/routes/admin.ts — all routes
Wired in src/index.ts via url.pathname.startsWith("/admin/")