AI Startup Analyzer uses a cookie-based JWT authentication strategy. Access tokens and refresh tokens are stored inDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Abbaddii-99/AI-Startup-Analyzer/llms.txt
Use this file to discover all available pages before exploring further.
httpOnly cookies rather than being returned in response bodies or expected in Authorization headers. This approach means tokens are never accessible to JavaScript running on the page, which eliminates an entire class of cross-site scripting (XSS) token theft. Two login methods are supported: email and password, and Google OAuth 2.0.
Token Storage and Lifetimes
When you register or log in, the server sets twohttpOnly cookies on the response:
| Cookie | Lifetime | Purpose |
|---|---|---|
accessToken | 7 days | Authenticates API requests via the JWT guard |
refreshToken | 30 days | Used to obtain a new access token when it expires |
secure: true and sameSite: strict in production environments, and with sameSite: lax in development. Because they are httpOnly, they cannot be read or modified by client-side JavaScript.
Refresh tokens are stored in the database and rotated on every use — when you call the refresh endpoint, the old refresh token is deleted and a new one is issued alongside a new access token.
Registration
- Minimum 10 characters, maximum 128
- At least one lowercase letter
- At least one uppercase letter
- At least one digit
- At least one special character (
!@#$%^&*()etc.)
201):
accessToken and refreshToken cookies are set automatically on the response. A 409 Conflict is returned if the email is already registered.
Rate limits: 5 requests per minute, 20 per hour.
Login
200):
UnauthorizedException (401) is returned for invalid credentials — the error message does not distinguish between an unknown email and a wrong password.
Rate limits: 10 requests per minute, 50 per hour.
Token Refresh
When theaccessToken cookie expires, call the refresh endpoint with the current refresh token:
200):
401 Unauthorized.
Logout
Getting the Current User
To retrieve the authenticated user’s identity using the currentaccessToken cookie:
200):
JwtAuthGuard. A 401 is returned if the cookie is missing or the token is invalid.
Google OAuth 2.0
Users can sign in with their Google account without setting a password.Initiate the OAuth Flow
Redirect the user’s browser to:The server redirects to Google’s OAuth consent screen.
Google Redirects Back
After the user grants access, Google calls:The Passport
google strategy validates the OAuth code and extracts the user’s Google profile.Account Lookup or Creation
The server calls
findOrCreateGoogleUser. If no user with that email exists, a new account is created with a cryptographically random unusable password (the account can only be accessed via Google OAuth or future password reset). If an account already exists with that email, it is used as-is regardless of how it was originally created.CSRF Protection
State-changing requests (POST, PUT, PATCH, DELETE) are protected using the Double Submit Cookie pattern. The server sets anXSRF-TOKEN cookie that your client must read and echo back in a request header.
Step 1 — Obtain the CSRF token:
XSRF-TOKEN cookie in the browser. Because the cookie is readable by JavaScript (it is not httpOnly), your frontend can extract its value.
Step 2 — Include the token in subsequent state-changing requests:
XSRF-TOKEN cookie value due to the browser’s same-origin policy, so they cannot forge the header even if they can trigger the request.
Code Examples
Rate Limiting Summary
| Endpoint | Per Minute | Per Hour |
|---|---|---|
POST /auth/register | 5 | 20 |
POST /auth/login | 10 | 50 |
| Chat endpoints | 10 | — |
429 Too Many Requests. Clients should implement exponential backoff before retrying.