The Panahashi Baker API authenticates requests with Firebase ID tokens passed as Bearer credentials. The mobile app obtains a short-lived ID token from Firebase Auth after sign-in, injects it into every request, and handles 401 responses by throwing a sentinel error that triggers a re-login flow. You do not need to implement token refresh manually — Firebase handles it automatically.

How the token reaches the API

After a successful Firebase sign-in, onAuthStateChanged fires with the authenticated user. The app calls firebaseUser.getIdToken() to obtain an ID token, then registers it on the shared API client:

    const token = await firebaseUser.getIdToken();
    api.setToken(token);
    api.setUserName(firebaseUser.displayName || "Baker");

On sign-out, both values are cleared:

    api.setToken(null);

api.setToken(token) and api.setUserName(name) store the values in memory on the singleton ApiService instance. They are applied automatically to every subsequent request.

Request header format

Include both headers on every API call:

    Authorization: Bearer <firebase-id-token>
    X-User-Name: <displayName>

A complete example with curl:

    curl https://your-backend.com/api/v1/bakeries/me \
      -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \
      -H "X-User-Name: María" \
      -H "Content-Type: application/json"

401 responses

When the server returns HTTP 401, the API client throws immediately:

    if (res.status === 401) throw new Error("NO_AUTH");

Callers that catch Error("NO_AUTH") should prompt the user to sign in again. The app’s navigation layer listens for this sentinel and redirects to the login screen.

Firebase ID tokens expire after one hour. firebaseUser.getIdToken() automatically returns a fresh token when the current one is near expiry — you do not need to call a refresh endpoint or manage expiry timestamps yourself. Re-calling getIdToken() before each request is safe and recommended for long-running sessions.
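
The recommendation above, re-calling getIdToken() before each request, written out as a request wrapper that also retries a 401 once with getIdToken(true) before throwing NO_AUTH. This is an added example, not the app's own ApiService code; the retry step is an addition the page does not describe. The names authedFetch and makeStubs and the stub token values are hypothetical, constructed so the block runs without Firebase or a network.

```javascript
// Added example: hypothetical helper, not the app's ApiService.
// `user` needs Firebase's getIdToken(forceRefresh) and a displayName;
// `fetchImpl` is injectable so the block runs offline.
async function authedFetch(user, url, options = {}, fetchImpl = fetch) {
  const send = async (forceRefresh) => {
    // getIdToken() reuses the cached token unless it is near expiry;
    // getIdToken(true) always requests a new one.
    const token = await user.getIdToken(forceRefresh);
    const headers = {
      ...options.headers,
      Authorization: `Bearer ${token}`,
      "X-User-Name": user.displayName || "Baker",
    };
    return fetchImpl(url, { ...options, headers });
  };

  let res = await send(false);
  if (res.status === 401) res = await send(true); // one retry, forced refresh
  if (res.status === 401) throw new Error("NO_AUTH"); // the page's sentinel
  if (!res.ok) {
    const err = await res.json().catch(() => ({}));
    throw new Error(err.message || `HTTP ${res.status}`);
  }
  return res.json();
}

// Constructed stand-ins for Firebase Auth and the backend (no network).
// The stub backend accepts only "Bearer good-token".
function makeStubs(refreshedToken) {
  const calls = [];
  const user = {
    displayName: "María",
    getIdToken: async (force) => (force ? refreshedToken : "stale-token"),
  };
  const fetchImpl = async (url, { headers }) => {
    calls.push(headers.Authorization);
    const ok = headers.Authorization === "Bearer good-token";
    return {
      status: ok ? 200 : 401,
      ok,
      json: async () => (ok ? { name: "Test Bakery" } : { message: "denied" }),
    };
  };
  return { user, fetchImpl, calls };
}

const demo = makeStubs("good-token");
authedFetch(demo.user, "https://your-backend.com/api/v1/bakeries/me", {}, demo.fetchImpl)
  .then((body) => console.log(body, demo.calls));
```

Only the Authorization value is a signed Firebase token; X-User-Name is whatever displayName the client sends.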

Other non-2xx responses

For any HTTP error other than 401, the client reads the response body and throws:

    const err = await res.json().catch(() => ({}));
    throw new Error(err.message || `HTTP ${res.status}`);

The error message comes from the server’s { "message": "..." } payload when available, or falls back to the raw status code string.
