The AI Startup Analyzer API does not useDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Abbaddii-99/AI-Startup-Analyzer/llms.txt
Use this file to discover all available pages before exploring further.
Authorization headers or API keys. Instead, it relies on httpOnly cookie-based JWT authentication — a pattern that is both more secure against XSS attacks and simpler to use in browser-based applications. This page explains exactly how cookies are issued, how to send them with every request, how to renew an expired access token, and how to satisfy the CSRF requirement on state-changing calls.
How Cookie Auth Works
When you callPOST /auth/login or POST /auth/register successfully, the server sets two cookies on the response:
| Cookie | Value | Lifetime | Flags |
|---|---|---|---|
accessToken | Signed JWT containing userId and email | 7 days | HttpOnly, SameSite=Lax (dev) / Strict (prod), Secure (prod only) |
refreshToken | Opaque token stored in database | 30 days | HttpOnly, SameSite=Lax (dev) / Strict (prod), Secure (prod only) |
HttpOnly, JavaScript running on the page cannot read them — they are automatically attached to every same-origin request by the browser. This eliminates the risk of token theft via XSS.
The
accessToken cookie is what the server reads to authenticate protected endpoints. You never need to extract the JWT value manually — the browser (or curl) handles forwarding it.Browser Clients
For browser-based clients (React, Next.js, etc.) you must explicitly opt in to sending cookies on cross-origin requests. The API server has CORS configured withcredentials: true, so you just need to enable it on the client side.
curl Testing
When testing withcurl, use -c to write cookies to a file after login, and -b to send them on subsequent requests:
CSRF Protection
AllPOST and DELETE requests to /analysis routes require a CSRF token in addition to the auth cookie. The server implements the Double Submit Cookie pattern:
- Fetch the token — call
GET /analysis/csrf-token. The server generates a cryptographically random 32-byte hex token, sets it as a non-httpOnlyXSRF-TOKENcookie (so JavaScript can read it), and also returns it in the response body. - Include the token — on every subsequent state-changing request to
/analysis, read theXSRF-TOKENcookie value and send it in theX-XSRF-TOKENrequest header. - Server validates — the server compares the header value against the cookie value. A cross-origin attacker cannot read the cookie and therefore cannot forge the header.
Token Refresh Flow
TheaccessToken cookie is valid for 7 days. When it expires, requests to protected endpoints return 401 Unauthorized. At that point, exchange the refreshToken for a new token pair by calling POST /auth/refresh.
The
refreshToken is stored as an httpOnly cookie, so you cannot read it directly in the browser. When calling /auth/refresh, pass the value you received in the original login/register JSON response body — or store it securely (e.g. in secure storage for native apps).accessToken and a new refreshToken in the JSON body. The old refresh token is invalidated in the database. Store the new refresh token for the next renewal cycle.
Logout
CallingPOST /auth/logout with the current refreshToken invalidates it in the database. The auth cookies are not automatically cleared by the server on logout (they will naturally expire), so for client-side cleanup you should also delete the accessToken and refreshToken cookies from the browser if your SameSite policy allows it.