Summary

Spacebar's REST API returns 404 when the path /api/v10/users/%40me is requested, while Discord's API accepts it. Per RFC 3986, %40 is the percent-encoded form of @, and the two should be interchangeable in the path segment.

Steps to reproduce

# Works on Discord, fails on Spacebar:
curl -H "Authorization: Bot <token>" https://<spacebar-host>/api/v10/users/%40me
# Returns 404

# This works:
curl -H "Authorization: Bot <token>" https://<spacebar-host>/api/v10/users/@me
# Returns 200 with user object

Impact

Any Discord library that URL-encodes the @ character before making requests will fail to fetch the bot's own identity. For example, @buape/carbon's fetchUser("@me") internally encodes the path, producing %40me, which Spacebar rejects.

Expected behavior

/api/v10/users/%40me should be treated identically to /api/v10/users/@me and return the authenticated user object.

Suggested fix

The route handler or a middleware should URL-decode path parameters before matching, so %40me resolves to @me. This is standard HTTP behavior.

Environment

• Spacebar server: latest (built from main branch, Feb 2026)
• Node.js: v22