The Auth API handles every step of the user identity lifecycle: account creation, credential verification, and secure password recovery via email. All tokens are JSON Web Tokens signed server-side with HS256. Passwords are never stored in plain text — bcrypt is used with 10 salt rounds before any password reaches the database.
/register and /login endpoints are rate-limited at the Express router level. Exceeding the limit returns 429 Too Many Requests.

POST /api/auth/register
Creates a new user account. On success, returns the new user’s public profile (id, nombre, email). The password is hashed with bcrypt (10 rounds) before being stored — the plain-text value never touches the database. A JWT is not issued on registration; call POST /api/auth/login after registering to obtain a token.
Auth required: No
Request body
The email field is validated against the regular expression /^[^\s@]+@[^\s@]+\.[^\s@]+$/.

Responses
201 Created — Account registered successfully
400 Bad Request — Validation failure
409 Conflict — Email already registered
Example
POST /api/auth/login
Authenticates an existing user and returns a signed JWT. The token is valid for 7 days and must be included in the Authorization header of every protected request.
Auth required: No
Request body
The submitted password is checked against the stored hash with bcrypt.compare().

Responses
400 Bad Request — Missing fields
401 Unauthorized — Wrong credentials
403 Forbidden — Account deactivated
The 403 response is returned when the account has been deactivated (activo = FALSE).

Example
POST /api/auth/forgot-password
Initiates the password-reset flow. If the submitted email belongs to an active account, a reset link is sent via email. The server always returns the same success response regardless of whether the email is registered — this prevents user enumeration attacks.
Auth required: No
The reset token is generated with crypto.randomBytes(32) (64 hex characters) and expires 1 hour after issuance. Only one valid token exists per user at a time.

Request body
Responses
200 OK — Request accepted (always)
400 Bad Request — Missing email field
Example
POST /api/auth/reset-password
Completes the password-reset flow. Accepts the token delivered via email and the new desired password. If the token is valid and unexpired, the user’s password is updated and the token is permanently invalidated so it cannot be reused.
Auth required: No
Request body
Responses
200 OK — Password updated
400 Bad Request — Token invalid, expired, or already used
400 Bad Request — Password too short
400 Bad Request — Missing fields
