
Overview

The André Ruperto Portfolio API uses JWT (JSON Web Tokens) for authentication. Protected endpoints require a valid JWT token in the Authorization header.

Login Endpoint

This endpoint is rate limited to 5 requests per 15 minutes to prevent brute force attacks.

POST /api/auth/login

Authenticate with the admin password to receive a JWT token.

Request Body

password
string
required
Admin password for authentication

Response

success
boolean
Indicates successful authentication
token
string
JWT token valid for 24 hours

Example Request

cURL
curl -X POST https://andreruperto.dev/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"password": "your-admin-password"}'
JavaScript
const response = await fetch('https://andreruperto.dev/api/auth/login', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    password: 'your-admin-password'
  })
});

const data = await response.json();
if (!response.ok) {
  // 401 -> { error: "Senha incorreta" }, 429 -> rate limited for 15 minutes
  throw new Error(`Login failed (${response.status}): ${data.error}`);
}
console.log(data.token); // JWT, valid for 24 hours

Example Response

Success (200)
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "success": true
}
Error - Invalid Password (401). The error string "Senha incorreta" means "Incorrect password".
{
  "error": "Senha incorreta"
}
Error - Rate Limited (429). The error string means "Too many login attempts. Try again in 15 minutes."
{
  "error": "Muitas tentativas de login. Tente novamente em 15 minutos."
}

Using the Token

Once you have a JWT token, include it in the Authorization header for protected endpoints:

Authorization Header

Authorization: Bearer YOUR_JWT_TOKEN

Alternative: Query Parameter

You can also pass the token as a query parameter, which is useful for opening the email preview endpoints directly in a browser:
GET /api/admin/email-preview/notification?token=YOUR_JWT_TOKEN
A token placed in a URL ends up in browser history, proxy and server access logs, and can leak through the Referer header, so use the Authorization header for everything other than a browser preview.

Protected Endpoints

The following endpoints require authentication:
  • POST /api/projects - Create a new project
  • PUT /api/projects/:id - Update a project
  • DELETE /api/projects/:id - Delete a project
  • GET /api/admin/email-preview/notification - Preview notification email
  • GET /api/admin/email-preview/confirmation - Preview confirmation email

Token Expiration

JWT tokens are valid for 24 hours from the time of issuance. After expiration, you must authenticate again to receive a new token.
If you receive a 401 Unauthorized error with the message “Token inválido” (invalid token), the token has most likely expired; the same response is returned for a malformed token or one not signed with the server's current JWT_SECRET. Re-authenticate to get a new token.

Error Handling

All errors return a JSON body with an error string (the messages are in Portuguese):
  • 401 on POST /api/auth/login with "Senha incorreta" (incorrect password)
  • 401 on a protected endpoint with "Token inválido" (invalid token) when the token is expired or otherwise fails verification
  • 429 on POST /api/auth/login when the limit of 5 requests per 15 minutes is exceeded
Check the HTTP status before reading the token from a login response.

Security Best Practices

Store Securely

Do not keep JWT tokens in localStorage: any script running on the page, including injected (XSS) code, can read them. Where a browser must hold the token, prefer a Secure, HttpOnly cookie. Note that this API reads the token from the Authorization header or the token query parameter, not from a cookie, so a cookie-based browser client needs its own backend to turn the cookie into the Authorization header.

HTTPS Only

Always use HTTPS in production to prevent token interception.

Token Renewal

The API issues no refresh tokens. Re-authenticate via POST /api/auth/login before the 24-hour expiration to maintain access, and keep in mind that login is limited to 5 requests per 15 minutes, so never retry a login in a tight loop.
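The token lifecycle described under Token Expiration and Token Renewal, as an added example that is not part of the portfolio's own client code: a fetch wrapper that logs in once, caches the token, renews it shortly before the documented 24-hour expiry, retries a request exactly once after a 401, and refuses to loop on a 429. The five-minute renewal margin, the fetch/clock injection and the function names are assumptions; request headers are assumed to be plain objects.

```javascript
// Added example, not the portfolio's own client code: a fetch wrapper that
// logs in once, caches the token, renews it shortly before the documented
// 24-hour expiry, and retries a request once after a 401. The renewal margin,
// the fetch/clock injection and the function names are assumptions.
const BASE_URL = 'https://andreruperto.dev';
const TOKEN_LIFETIME_MS = 24 * 60 * 60 * 1000; // documented validity
const RENEW_MARGIN_MS = 5 * 60 * 1000;          // renew 5 minutes early (assumption)

function createAuthClient({ password, fetchImpl = globalThis.fetch, now = Date.now }) {
  let token = null;
  let issuedAt = 0;

  // POST /api/auth/login; surfaces 401 (wrong password) and 429 (rate limit) as errors.
  async function login() {
    const res = await fetchImpl(`${BASE_URL}/api/auth/login`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ password }),
    });
    const data = await res.json();
    if (res.status === 429) {
      // 5 attempts per 15 minutes: retrying in a loop only extends the lockout.
      throw new Error(`rate limited: ${data.error}`);
    }
    if (!res.ok || typeof data.token !== 'string') {
      throw new Error(`login failed (${res.status}): ${data.error || 'no token in response'}`);
    }
    token = data.token;
    issuedAt = now();
    return token;
  }

  // Reuse the cached token until it is close to the 24-hour limit.
  async function getToken() {
    const stale = token === null || now() - issuedAt > TOKEN_LIFETIME_MS - RENEW_MARGIN_MS;
    return stale ? login() : token;
  }

  // Call a protected endpoint with "Authorization: Bearer <token>".
  // A 401 ("Token inválido") drops the cached token and retries exactly once.
  async function authFetch(path, init = {}, retry = true) {
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${await getToken()}` };
    const res = await fetchImpl(`${BASE_URL}${path}`, { ...init, headers });
    if (res.status === 401 && retry) {
      token = null;
      return authFetch(path, init, false);
    }
    return res;
  }

  return { login, getToken, authFetch };
}
```

Usage: create the client with `createAuthClient({ password: process.env.ADMIN_PASSWORD })` and call `authFetch('/api/projects', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(project) })`; the first call logs in, later calls reuse the token, and a single 401 triggers one re-login rather than an unbounded retry.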

Environment Variables

Store the admin password and JWT_SECRET in environment variables, never in code or in version control.

Implementation Details

The authentication system (backend/src/server.js:58-76):
  • Uses jsonwebtoken library for JWT creation and verification
  • Signs tokens with JWT_SECRET from environment variables
  • Validates tokens via middleware before accessing protected routes
  • Supports both header and query parameter authentication
