Open-Source Wikis

/

Cal.com

/

API

/

tRPC

calcom/cal.com

tRPC

The Next.js front end's primary API. Every dashboard interaction, every public booking-page query, every settings save lands here. See packages/trpc for package details; this page describes the API surface.

Mount point

apps/web/pages/api/trpc/[trpc].ts is the single mount. It calls createNextApiHandler from packages/trpc/server/createNextApiHandler.ts which builds the per-request context ({ prisma, session, user, locale, req, res, sourceIp, ... }) and dispatches to the appropriate router.

Router groups

packages/trpc/server/routers/
├── _app.ts                # Root router
├── viewer/                # Authenticated (most procedures)
├── loggedInViewer/        # Authenticated, user-scoped only
├── publicViewer/          # No auth (booking pages, public lookups)
└── features/              # Feature flags

Within each group, every procedure is split into:

  • <action>.handler.ts — implementation
  • <action>.schema.ts — Zod input schema
  • <action>.handler.test.ts — Vitest test
  • _router.tsx — registration

Notable procedure groups inside viewer/:

  • bookings/ — list, cancel, reschedule, confirm
  • eventTypes/ — list, create, update, delete, reorder, duplicate
  • availability/ — schedule CRUD, slot lookup
  • calendars/ — selected/destination management
  • settings/ — profile, billing, notifications, security
  • apps/ — App Store install/uninstall, per-app settings
  • webhooks/ — outbound webhook subscriptions
  • appRoutingForms/ — routing forms (some EE removed in Cal.diy)

publicViewer/ exposes:

  • event — load an event type by username + slug for the booking page
  • markHostAsNoShow — public link from a notification
  • submitRating — post-booking rating
  • countryCode — best-guess country lookup for prefilling timezone
  • checkIfUserEmailVerificationRequired
  • timezones — list

Authentication

  • Session cookiegetServerSession() (packages/features/auth/lib/getServerSession.ts) is called in createContext. Authenticated procedures use the authedProcedure builder.
  • CSRF — protected by NextAuth's CSRF cookie.
  • Public procedures use publicProcedure and don't require a session.

Errors

Procedures throw TRPCError (from @trpc/server). Services they call throw ErrorWithCode (from packages/lib/errorCodes.ts). The error formatter (packages/trpc/server/errorFormatter.ts) unwraps both and translates Zod validation errors to readable messages. The client receives { code, message, data: { code, httpStatus, ... } }.

Rate limiting

packages/lib/rateLimit.ts implements a Redis-backed token-bucket limiter, applied via tRPC middleware. Critical procedures (signup, booking submit) have stricter limits.

Client

The React client lives at packages/trpc/react. Consumers do:

import { trpc } from '@calcom/trpc/react';

const { data } = trpc.viewer.bookings.list.useQuery({ status: 'upcoming' });
const reschedule = trpc.viewer.bookings.reschedule.useMutation();

React Query is the underlying caching layer.

Example: a typical procedure

packages/trpc/server/routers/viewer/eventTypes/duplicate.handler.ts
packages/trpc/server/routers/viewer/eventTypes/duplicate.schema.ts
packages/trpc/server/routers/viewer/eventTypes/duplicate.handler.test.ts
packages/trpc/server/routers/viewer/eventTypes/_router.tsx (registers it)

The handler validates input via Zod, calls a service in packages/features/eventtypes/services/, and returns the result. The handler stays thin; the service owns the business logic.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

tRPC – Cal.com wiki | Factory