
Yakult App secures every API request with JSON Web Tokens (JWT). When a user registers or logs in, the server returns a signed token that encodes the user’s id and rol. This token must be attached to every subsequent request that requires authentication. Tokens are valid for 30 days, after which the user must log in again to obtain a fresh one.

Registration

New accounts are created by sending a POST request to /api/auth/registro. The server validates the input, hashes the password, assigns a role based on the email domain, and returns the new user object together with a ready-to-use JWT token.
Email addresses ending in @upa.edu.mx are automatically assigned the Master role. All other email addresses receive the Promotor role. This assignment happens at registration and can be changed later by a Master user.

Request

POST /api/auth/registro

Field      | Type   | Required | Description
nombre     | string | yes      | Full display name of the user.
correo     | string | yes      | Unique email address. Determines the initial role.
contrasena | string | yes      | Password that satisfies the complexity rules below.

Password requirements

Passwords are validated on the client before the request is sent. A password is accepted only when it meets all three of the following conditions:
  • At least 8 characters long.
  • Contains at least one uppercase letter (A–Z).
  • Contains at least one special character from the set: ! @ # $ % ^ & * ( ) - _ , . ? " : { } | < >
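As an added example (not code from the Yakult App project), the two registration-time rules described above, written as server-side checks in Node.js so that a client that skips validation cannot bypass them; the function names and the case-insensitive domain comparison are assumptions.

```javascript
// Added example (not from the Yakult App code base): the two registration rules
// documented above, implemented as server-side checks. Names are hypothetical.
// A Set avoids the escaping pitfalls of putting "-", "]" or "^" in a regex class.
const CARACTERES_ESPECIALES = new Set('!@#$%^&*()-_,.?":{}|<>');

// Returns the unmet rules; an empty array means the password is accepted.
function validarContrasena(contrasena) {
  const texto = typeof contrasena === 'string' ? contrasena : '';
  const fallos = [];
  if (texto.length < 8) fallos.push('longitud');
  if (!/[A-Z]/.test(texto)) fallos.push('mayuscula');
  if (![...texto].some((c) => CARACTERES_ESPECIALES.has(c))) fallos.push('especial');
  return fallos;
}

// Only the domain decides the initial role. Mail domains are case-insensitive,
// so the comparison is normalised (an assumption; the page does not say how the
// server compares). Including the "@" prevents "ana@notupa.edu.mx" from matching.
function asignarRol(correo) {
  const normalizado = String(correo).trim().toLowerCase();
  return normalizado.endsWith('@upa.edu.mx') ? 'Master' : 'Promotor';
}

module.exports = { validarContrasena, asignarRol };
```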

Example — register a new user

curl -X POST https://your-api/api/auth/registro \
  -H "Content-Type: application/json" \
  -d '{
    "nombre": "Ana García",
    "correo": "ana@upa.edu.mx",
    "contrasena": "Segura#2024"
  }'

Response 200 OK

{
  "usuario": {
    "id": 42,
    "nombre": "Ana García",
    "correo": "ana@upa.edu.mx",
    "rol": "Master"
  },
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Login

Existing users authenticate with POST /api/auth/login. The server looks up the account, checks that it is active, verifies the password, and returns the same {usuario, token} shape as registration.

Request

POST /api/auth/login

Field      | Type   | Required | Description
correo     | string | yes      | The registered email address.
contrasena | string | yes      | The account password.

Error cases

Scenario                          | Status | Message
Missing correo or contrasena      | 400    | "Correo y contraseña son obligatorios."
Email not found or wrong password | 401    | "Correo o contraseña incorrectos."
Account is deactivated            | 403    | "Tu cuenta está desactivada. Contacta al administrador."

Example — log in

curl -X POST https://your-api/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "correo": "ana@upa.edu.mx",
    "contrasena": "Segura#2024"
  }'

Response 200 OK

{
  "usuario": {
    "id": 42,
    "nombre": "Ana García",
    "correo": "ana@upa.edu.mx",
    "rol": "Master"
  },
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Using the token

Store the token securely (the mobile app uses AsyncStorage) and attach it to every protected request via the Authorization header using the Bearer scheme:
Authorization: Bearer <your-token>
The server also accepts the token as a token query parameter or in the request body, but the Authorization header is the recommended approach for API clients: query strings are routinely written to server and proxy access logs, which would expose a credential that stays valid for 30 days.

Example — authenticated request

curl https://your-api/api/auth/usuarios \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
If the token is missing, the server responds with 401:
{
  "error": "Token de autenticación requerido."
}
If the token is invalid or has expired, the response is also 401:
{
  "error": "Token inválido o expirado."
}

JWT payload

The token is signed with the HS256 algorithm. Only id and rol are embedded in the payload — no name or email is stored in the token itself. The payload is base64url-encoded, not encrypted: anyone holding the token can read these two claims, so the signature protects their integrity, not their confidentiality.
{
  "id": 42,
  "rol": "Master"
}
Claim | Description
id    | Unique integer identifier of the user in the database.
rol   | Role of the user: Master, Promotor, or Repartidor.
The default signing secret is yakult-reportes-dev-secret, which is embedded in the source code and must not be used in production. Override it by setting the JWT_SECRET environment variable on your server before starting the application. Any tokens signed with the development secret will become invalid once the variable is changed.

Mobile app — AuthContext

The React Native app wraps all authentication logic in AuthContext, which exposes the following interface to every screen:
usuario: {id, nombre, correo, rol} | null
  The currently authenticated user, or null when logged out.
cargando: boolean
  true while an auth request is in flight.
login(correo, contrasena): Promise
  Calls POST /api/auth/login and stores the returned token in AsyncStorage.
registro(nombre, correo, contrasena): Promise
  Calls POST /api/auth/registro and stores the token.
logout(): Promise<void>
  Clears the token from AsyncStorage and sets usuario to null.

Example — consuming the context in a screen

import { Button } from 'react-native';
import { useAuth } from '@/context/AuthContext';

export default function LoginScreen() {
  // cargando is true while the login request is in flight; use it to disable the button.
  const { login, cargando } = useAuth();

  const handleLogin = async () => {
    // On success the context stores the token in AsyncStorage and sets usuario.
    await login('ana@upa.edu.mx', 'Segura#2024');
  };

  return <Button title="Iniciar sesión" onPress={handleLogin} disabled={cargando} />;
}

Error response reference

Returned by registration when one or more required fields are missing:
{
  "error": "Todos los campos son obligatorios."
}
Returned by registration when the email is already registered:
{
  "error": "Este correo ya está registrado."
}
