Next.js App Router route handlers that export non-conventional names — handler, default, loader — are silently ignored by the framework. The file appears to have an endpoint but HTTP requests return 405 Method Not Allowed or fall through to the next handler with no warning, no build error, and no runtime log. This reference-integrity gap makes the failure invisible: your API contract says the route exists, but no code runs. The taxon code-quality understates the operational impact — a hallucinated export name deletes the handler entirely from the request lifecycle.
Medium because the route silently stops working rather than exposing a security vulnerability, but the debugging surface is near-zero without knowing the allowlist.
Rename every export in app/**/route.ts files to match a valid HTTP method or accepted Next.js config name. The complete allowlist is: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS, dynamic, dynamicParams, revalidate, fetchCache, runtime, preferredRegion, maxDuration, generateStaticParams.
// app/api/users/route.ts
// Bad — 'handler' is ignored by Next.js App Router
export async function handler(req: Request) {
return Response.json({ ok: true })
}
// Good — export the HTTP method name
export async function GET(req: Request) {
return Response.json({ ok: true })
}
export async function POST(req: Request) {
const body = await req.json()
// ...
return Response.json({ created: true }, { status: 201 })
}
Pages Router patterns (export default, getServerSideProps) are invalid in App Router route files.
ID: ai-slop-hallucinations.route-references.route-handler-exports-valid
Severity: medium
What to look for: When the framework is Next.js, walk all files matching app/**/route.{ts,js} or app/**/route.{tsx,jsx}. For each route handler file, extract every named export. Check each export against this exact allowlist of Next.js Route Handler conventional names: GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS, dynamic, dynamicParams, revalidate, fetchCache, runtime, preferredRegion, maxDuration, generateStaticParams. Any export name not on this allowlist (e.g., default, handler, loader, getServerSideProps, metadata) is a hallucination — Next.js will silently ignore it, leaving the developer confused. Count all route handler files inspected, total non-conventional exports found.
Pass criteria: 0 route handler files have non-conventional named exports. Report: "X route handler files inspected, 0 non-conventional exports."
Fail criteria: At least 1 route handler file exports a name that is not in the allowlist.
Skip (N/A) when: Framework is not Next.js OR no app/**/route.{ts,js,tsx,jsx} files exist.
Detail on fail: "2 route handlers with non-conventional exports: app/api/users/route.ts exports 'handler' (Next.js ignores this — use 'GET'/'POST' etc.), app/api/auth/route.ts exports 'default' (Pages Router pattern, won't work in App Router)."
Remediation: Next.js App Router route handlers must export named functions matching HTTP methods. Other names are silently ignored, which creates confusing "the route exists but does nothing" bugs:
// Bad: 'handler' won't be called by Next.js
export async function handler(req: Request) {
return Response.json({})
}
// Good: use the HTTP method as the export name
export async function GET(req: Request) {
return Response.json({})
}