Docs

Setup, API reference, operations, and troubleshooting.

Setup, API reference, and operational tips for a privacy-first PR readiness assessment.

Getting started

The app provides a free, private PR readiness assessment for founders. Users can create an account, run a quick assessment, and receive a banded score plus an indicative PR timeline.

  1. Sign up: /auth/signup
  2. Run the free assessment: /assessment/free
  3. Review results: score, band (Low/Medium/High), and timeline estimate.

Environment variables

Configure these in your host (e.g., DigitalOcean App → Settings → Environment):

| Key | Required | Notes |
| --- | --- | --- |
| DATABASE_URL | Yes | Postgres connection string used by Prisma. |
| FREE_COOLDOWN_DAYS | No | Default 180. Set 0 to allow one assessment ever per identity. |
| SMTP_HOST | Yes (email) | Resend SMTP host (e.g., smtp.resend.com). |
| SMTP_PORT | Yes (email) | 587 recommended. |
| SMTP_USER | Yes (email) | Your Resend SMTP user. |
| SMTP_PASS | Yes (email) | Resend SMTP password (resettable in Resend dashboard). |
| SMTP_FROM | Yes (email) | From address on your verified domain (e.g., [email protected]). |
| EMAIL_DEBUG_TOKEN | Recommended | Required header for POST /api/debug/email. |

Email (SMTP via Resend)

  1. Register at resend.com and verify your domain DNS (SPF + DKIM).
  2. Create or reset SMTP_PASS in Resend → Settings → SMTP.
  3. Set SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS, SMTP_FROM in your app host.
  4. Smoke test the mailer (locally):
curl -v -X POST http://localhost:3000/api/debug/email \
  -H "Content-Type: application/json" \
  -H "x-internal-token: $EMAIL_DEBUG_TOKEN" \
  -d '{"to":"[email protected]"}'

You should see 200 OK and an accepted recipient list. If you get 535 Authentication failed, recheck your credentials and confirm that your SMTP_FROM domain is verified.

API reference (current)

POST /api/signup

Create a user; sends a non-blocking welcome email.

POST https://startupstoryscale.com/api/signup
Content-Type: application/json

{
  "email": "[email protected]",
  "password": "StrongPass123!",
  "name": "Ada Founder",
  "website": "example.com"
}

Responses

  • 201 { ok: true }
  • 409 user exists or team exists for website host
  • 400/500 validation or internal error

POST /api/assessments/free

Computes the score and band and stores a record; a cooldown applies per identity.

POST https://startupstoryscale.com/api/assessments/free
Content-Type: application/json

{
  "answers": {
    "startupName": "Acme AI",
    "website": "https://acme.ai",
    "passportCountry": "CA",
    "losOrgName": "Creative Destruction Lab",
    "foundersCount": 2,
    "trl": 7,
    "fundingSource": "ANGEL",
    "ceoClb": 7,
    "teamChangeAfterLos": "NO_CHANGE"
  }
}

Response (example)

{
  "score": 50,
  "band": "Medium",
  "monthsEstimate": 16,
  "successProb": 0.5,
  "successProbPct": 50,
  "drivers": { "positive": ["High TRL speeds processing","Angel-backed"], "risk": [] }
}

POST /api/debug/email

Internal-only debug endpoint (requires header token).

curl -X POST https://startupstoryscale.com/api/debug/email \
  -H "Content-Type: application/json" \
  -H "x-internal-token: $EMAIL_DEBUG_TOKEN" \
  -d '{"to":"[email protected]"}'

Operations & health

Health endpoints help you verify connectivity and dependencies. The public site does not expose /api/healthz (404 via CDN), but it’s available locally and can be mounted behind auth/status in production.

Local

curl -s http://localhost:3000/api/healthz | jq

Production status page

See /status for a human-friendly view (API & DB).

Security

  • Debug email endpoint requires x-internal-token.
  • Emails are sent only from verified domains (SMTP_FROM).
  • Assessment cooldown prevents repeated submissions from the same identity within a window.
  • RBAC and audit log land in the next phases (see Roadmap).
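One way to enforce the x-internal-token check from the first bullet, as an added example that is not the application's own code. The function name authorizeDebugRequest, the returned status codes, and the choice to treat the route as disabled when EMAIL_DEBUG_TOKEN is unset are assumptions.

```javascript
// Added example (hypothetical helper, not the application's code).
// Header name and env key come from the docs; everything else is an assumption.
const { createHash, timingSafeEqual } = require("node:crypto");

// Hashing both values gives equal-length buffers, which timingSafeEqual requires,
// and avoids leaking the token length through an early length check.
const sha256 = (value) => createHash("sha256").update(value, "utf8").digest();

// Returns the HTTP status the debug route should answer with before doing any work:
// 200 = proceed, 401 = reject, 404 = route disabled.
function authorizeDebugRequest(headers, env) {
  const expected = env.EMAIL_DEBUG_TOKEN;

  // Fail closed: an unset or empty token must never match an empty header.
  if (typeof expected !== "string" || expected.length === 0) return 404;

  // HTTP header names are case-insensitive.
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "x-internal-token"
  );
  const presented = entry ? entry[1] : undefined;

  // Missing, empty, or repeated (array-valued) headers are rejected outright.
  if (typeof presented !== "string" || presented.length === 0) return 401;

  // Constant-time comparison, so response timing does not reveal matching prefixes.
  return timingSafeEqual(sha256(presented), sha256(expected)) ? 200 : 401;
}
```
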

Troubleshooting

SMTP 535 Authentication failed

  • Reset SMTP_PASS in Resend and update your host env.
  • Ensure SMTP_FROM matches a verified domain.
  • Test via debug endpoint (with EMAIL_DEBUG_TOKEN header).

Module not found: "nodemailer"

  • Add dependency: npm i nodemailer.
  • Ensure mailer code only runs in API routes / server context (no importing on client).

/api/healthz returns 404 in production

  • CDN intentionally hides raw health JSON. Use /status instead.
  • Locally, /api/healthz returns JSON with DB checks.

DB check shows db_timeout

  • Confirm DATABASE_URL, network ACLs, and DB availability.
  • Check connection limits and recent migrations.

What’s next

  • Team management and invites (multi-founder workspaces).
  • RBAC and audit log for sensitive changes.
  • Detailed report v2 with prioritized risks and actions.
  • Designated org integrations + advanced analytics.

Track progress on the Roadmap.

Support

Questions or feedback? Reach us at [email protected].

Privacy-first. Aggregate analytics only. Not legal advice.