Skip to main content
The TaskFlow Pro API uses JWT (JSON Web Tokens) for authentication. To access protected endpoints, you must first obtain a token by registering or logging in, then include it in every subsequent request.

How authentication works

1

Create an account or log in

Call POST /register to create a new account, or POST /login if you already have one.
2

Receive a token

A successful login returns an accessToken in the response body.
3

Include the token in requests

Pass the token in the Authorization header as Bearer <token> on all protected endpoints.
4

Re-authenticate when the token expires

Tokens expire after 30 minutes. Call POST /login again to get a new token.

Register

POST /register
Creates a new user account. The account is assigned the Developer role by default. No token is returned — log in after registering to get a token.

Request body

nombre
string
required
The user’s full name. Cannot be empty.
email
string
required
A valid email address. Must be unique — registering with an existing email returns a 400 error.
password
string
required
The account password. Must meet all of the following rules:
  • Minimum 8 characters
  • At least one uppercase letter
  • At least one number

Example

curl --request POST \
  --url http://localhost:3001/api/v1/register \
  --header "Content-Type: application/json" \
  --data '{
    "nombre": "Carlos López",
    "email": "[email protected]",
    "password": "Secure123"
  }'

Response

201
{
  "success": true,
  "message": "Usuario creado correctamente"
}
Registration does not return a token. After registering, call POST /auth/login with the same credentials to get your accessToken.

Login

POST /login
Authenticates a user and returns a JWT access token.

Request body

email
string
required
The registered email address.
password
string
required
The account password.

Example

curl --request POST \
  --url http://localhost:3001/api/v1/login \
  --header "Content-Type: application/json" \
  --data '{
    "email": "[email protected]",
    "password": "Secure123"
  }'

Response

success
boolean
required
true on successful login.
message
string
required
Confirmation message.
data
object
required
200
{
  "success": true,
  "message": "Inicio de sesion correcto",
  "data": {
    "usuario": {
      "id": 2,
      "nombre": "María García",
      "email": "[email protected]",
      "rol": "Project Manager"
    },
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6Miwicm9sIjoiUHJvamVjdCBNYW5hZ2VyIiwiaWF0IjoxNzE3MDAwMDAwLCJleHAiOjE3MTcwMDE4MDB9.abc123"
  }
}

Using the token

Include the accessToken from the login response in the Authorization header of every protected request: 
Authorization: Bearer <accessToken>

curl http://localhost:3001/api/v1/usuario/me \
  --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Store the token in memory (e.g., a variable or state store) rather than localStorage to reduce XSS exposure. The token expires after 30 minutes, so plan to re-authenticate or prompt the user to log in again.

Token expiration

Tokens are valid for 30 minutes from the time of issue. Once expired, protected endpoints return a 401 response:
Expired token
{
  "mensaje": "El token ha expirado"
}
Call POST /login again to get a fresh token.

Error responses

StatusCauseResponse message
400Email already registeredEmail duplicado
400Validation failure (e.g., weak password)Field-level validation errors
401Wrong email or passwordCredenciales invalidas
401Account deactivatedUsuario desactivado, comunicate con el administrador
401Token expiredEl token ha expirado
403Valid token but insufficient roleNo tienes permiso para esta acción
401 and 403 are distinct. A 401 means authentication failed entirely — your token is missing, expired, or your credentials are wrong. A 403 means you are authenticated but your role does not permit the requested action.

Build docs developers (and LLMs) love

Get started for freeTalk to us