The Blackterz API provides four public authentication endpoints — no JWT is required to call any of them. Successful login and registration both return a signed JWT that must be included in all subsequent protected requests. All four endpoints are covered by the auth rate limiter (10 req / 15 min in production).
POST /api/auth/register
Create a new user account. The supplied password is hashed with bcrypt (10 salt rounds) before storage — the plaintext password is never persisted.
Authentication: None required
Rate limited: Yes
Request Body
- Display name for the new user.
- Email address. Must be unique across all accounts and match a valid email address format.
- Plaintext password. Must be at least 6 characters. Stored as a bcrypt hash — never returned in any response.
Responses
- 201 Created
- 400 Bad Request
- 409 Conflict
Example
Registration does not return a JWT. Call POST /api/auth/login immediately after registration to obtain a token.
POST /api/auth/login
Authenticate with email and password. Returns a signed JWT valid for 7 days. The token payload contains usuario_id, nombre, and email.
Authentication: None required
Rate limited: Yes
Request Body
- The registered email address.
- The account password in plaintext. Verified against the stored bcrypt hash using bcrypt.compare().
Responses
- 200 OK
- 400 Bad Request
- 403 Forbidden
Example
POST /api/auth/forgot-password
Trigger a password reset email. If the supplied email belongs to an active account, a secure 64-character hex token is generated, stored with a 1-hour expiry, and emailed as a reset link. If the email is not found, the response is identical — this prevents account enumeration.
Authentication: None required
Rate limited: Yes (shared auth limiter)
Request Body
- The email address associated with the account to recover.
Responses
- 200 OK: Always returned regardless of whether the email exists.
- 400 Bad Request
Reset Link Format
When an email is found and active, the user receives a message containing a link in the following format:
APP_URL defaults to http://localhost:3000 if the environment variable is not set. The token expires 1 hour after generation and is single-use.
Example
The API always returns 200 for this endpoint. Do not use the response to infer whether an account exists.
POST /api/auth/reset-password
Set a new password using the token from the reset email. The token is validated against the password_resets table — it must exist, be unused, and not have passed its expira_en timestamp. On success, the token is immediately marked as used and cannot be reused.
Authentication: None required
Rate limited: Yes (shared auth limiter)
Request Body
- The 64-character hex token from the reset link query string (?token=...).
- The new plaintext password. Must be at least 8 characters. Hashed with bcrypt (10 rounds) before storage.
Responses
- 200 OK: Password updated and token consumed.
- 400 Bad Request
