diff --git a/lib/api/index.js b/lib/api/index.js
index 828842c..cc1870f 100644
--- a/lib/api/index.js
+++ b/lib/api/index.js
@@ -1,12 +1,13 @@
 import { Router } from 'express';
 import { ownerOnly } from '../auth/owner.js';
 import { errorMiddleware, NotFoundError } from './errors.js';
+import { router as spacesRouter } from './routes/spaces.js';
 
 export function mountApi(app) {
   const api = Router();
   api.use(ownerOnly);
 
-  // route modules registered here as Plan 2 progresses
+  api.use('/spaces', spacesRouter);
 
   api.use((_req, _res, next) => next(new NotFoundError('route not found')));
 
diff --git a/lib/api/routes/spaces.js b/lib/api/routes/spaces.js
new file mode 100644
index 0000000..9d6545c
--- /dev/null
+++ b/lib/api/routes/spaces.js
@@ -0,0 +1,70 @@
+import { Router } from 'express';
+import { z } from 'zod';
+import * as repo from '../../db/repos/spaces.js';
+import { validate } from '../validate.js';
+import { NotFoundError, asyncWrap } from '../errors.js';
+
+const createSchema = z.object({
+  slug: z.string().min(1).max(64).regex(/^[a-z0-9-]+$/),
+  name: z.string().min(1).max(200),
+  description: z.string().optional(),
+  theme: z.string().optional()
+});
+
+const patchSchema = z.object({
+  slug: z.string().min(1).max(64).regex(/^[a-z0-9-]+$/).optional(),
+  name: z.string().min(1).max(200).optional(),
+  description: z.string().nullable().optional(),
+  theme: z.string().nullable().optional()
+});
+
+const uuidParams = z.object({ id: z.string().uuid() });
+
+export const router = Router();
+
+router.get('/', asyncWrap(async (_req, res) => {
+  res.json(await repo.list());
+}));
+
+router.post('/',
+  validate({ body: createSchema }),
+  asyncWrap(async (req, res) => {
+    const row = await repo.create(req.body, req.actor);
+    res.status(201).json(row);
+  })
+);
+
+router.get('/by-slug/:slug', asyncWrap(async (req, res) => {
+  const row = await repo.getBySlug(req.params.slug);
+  if (!row) throw new NotFoundError('space not found');
+  res.json(row);
+}));
+
+router.get('/:id',
+  validate({ params: uuidParams }),
+  asyncWrap(async (req, res) => {
+    const row = await repo.getById(req.params.id);
+    if (!row) throw new NotFoundError('space not found');
+    res.json(row);
+  })
+);
+
+router.patch('/:id',
+  validate({ params: uuidParams, body: patchSchema }),
+  asyncWrap(async (req, res) => {
+    const existing = await repo.getById(req.params.id);
+    if (!existing) throw new NotFoundError('space not found');
+    const row = await repo.update(req.params.id, req.body, req.actor);
+    res.json(row);
+  })
+);
+
+router.delete('/:id',
+  validate({ params: uuidParams }),
+  asyncWrap(async (req, res) => {
+    const existing = await repo.getById(req.params.id);
+    if (!existing) throw new NotFoundError('space not found');
+    await repo.del(req.params.id, req.actor);
+    res.status(204).end();
+  })
+);
diff --git a/tests/api/spaces.test.js b/tests/api/spaces.test.js
new file mode 100644
index 0000000..7781a0d
--- /dev/null
+++ b/tests/api/spaces.test.js
@@ -0,0 +1,78 @@
+import { describe, it, expect, beforeAll } from 'vitest';
+import request from 'supertest';
+import { setup } from './helpers.js';
+import { pool } from '../../lib/db/pool.js';
+
+let app, ownerHeaders;
+beforeAll(async () => { ({ app, ownerHeaders } = await setup()); });
+
+describe('spaces routes', () => {
+  it('GET /api/spaces empty returns []', async () => {
+    const res = await request(app).get('/api/spaces').set(ownerHeaders);
+    expect(res.status).toBe(200);
+    expect(res.body).toEqual([]);
+  });
+
+  it('GET /api/spaces without auth → 401', async () => {
+    const res = await request(app).get('/api/spaces');
+    expect(res.status).toBe(401);
+  });
+
+  it('POST /api/spaces creates 201 and persists', async () => {
+    const res = await request(app).post('/api/spaces').set(ownerHeaders)
+      .send({ slug: 'home', name: 'Home' });
+    expect(res.status).toBe(201);
+    expect(res.body.slug).toBe('home');
+    expect(res.body.id).toBeDefined();
+    const { rows } = await pool.query('SELECT slug FROM spaces WHERE id=$1', [res.body.id]);
+    expect(rows[0].slug).toBe('home');
+  });
+
+  it('POST /api/spaces with bad slug → 400 with details', async () => {
+    const res = await request(app).post('/api/spaces').set(ownerHeaders)
+      .send({ slug: 'Bad Slug!', name: 'X' });
+    expect(res.status).toBe(400);
+    expect(res.body.error.code).toBe('validation_failed');
+    expect(Array.isArray(res.body.error.details)).toBe(true);
+  });
+
+  it('GET /api/spaces/:id returns the row', async () => {
+    const created = await request(app).post('/api/spaces').set(ownerHeaders)
+      .send({ slug: 'getme', name: 'Get Me' });
+    const res = await request(app).get(`/api/spaces/${created.body.id}`).set(ownerHeaders);
+    expect(res.status).toBe(200);
+    expect(res.body.id).toBe(created.body.id);
+  });
+
+  it('GET /api/spaces/by-slug/:slug returns the row', async () => {
+    await request(app).post('/api/spaces').set(ownerHeaders)
+      .send({ slug: 'lookup', name: 'Lookup' });
+    const res = await request(app).get('/api/spaces/by-slug/lookup').set(ownerHeaders);
+    expect(res.status).toBe(200);
+    expect(res.body.slug).toBe('lookup');
+  });
+
+  it('GET unknown id → 404', async () => {
+    const res = await request(app)
+      .get('/api/spaces/00000000-0000-0000-0000-000000000000').set(ownerHeaders);
+    expect(res.status).toBe(404);
+  });
+
+  it('PATCH updates fields', async () => {
+    const created = await request(app).post('/api/spaces').set(ownerHeaders)
+      .send({ slug: 'patch', name: 'Patch' });
+    const res = await request(app).patch(`/api/spaces/${created.body.id}`).set(ownerHeaders)
+      .send({ name: 'Patched' });
+    expect(res.status).toBe(200);
+    expect(res.body.name).toBe('Patched');
+  });
+
+  it('DELETE returns 204 then GET 404', async () => {
+    const created = await request(app).post('/api/spaces').set(ownerHeaders)
+      .send({ slug: 'del', name: 'Del' });
+    const del = await request(app).delete(`/api/spaces/${created.body.id}`).set(ownerHeaders);
+    expect(del.status).toBe(204);
+    const get = await request(app).get(`/api/spaces/${created.body.id}`).set(ownerHeaders);
+    expect(get.status).toBe(404);
+  });
+});
diff --git a/tests/server.test.js b/tests/server.test.js
index f293718..934bd75 100644
--- a/tests/server.test.js
+++ b/tests/server.test.js
@@ -25,6 +25,14 @@ describe('server', () => {
     expect(res.status).toBe(401);
   });
 
+  it('GET /api/spaces with token returns 200 and empty array', async () => {
+    const res = await request(app)
+      .get('/api/spaces')
+      .set('Authorization', 'Bearer test-token');
+    expect(res.status).toBe(200);
+    expect(res.body).toEqual([]);
+  });
+
   it('unknown /api route returns 404 with structured error', async () => {
     const res = await request(app).get('/api/nope').set('Authorization', 'Bearer test-token');
     expect(res.status).toBe(404);