Zippi’s authentication layer is built on JWT (JSON Web Tokens). Every login — whether for a platform admin or a customer — issues a short-lived access token and a longer-lived refresh token. The access token is used in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CRISTIANCAMACH34/Zippi/llms.txt
Use this file to discover all available pages before exploring further.
Authorization: Bearer <access_token> header on every protected request. When the access token expires, exchange the refresh token for a new one without re-entering credentials. Refresh sessions also enforce an idle timeout: if no refresh call is made within the configured idle window (default 15 minutes), the session is invalidated and the user must log in again.
Token lifetimes
These values are controlled by environment variables and default to the values shown below.| Setting | Environment variable | Default |
|---|---|---|
| Access token TTL | JWT_ACCESS_TOKEN_EXPIRES_MINUTES | 4 minutes |
| Refresh token TTL | JWT_REFRESH_TOKEN_EXPIRES_DAYS | 30 days |
| Admin idle timeout | ADMIN_SESSION_IDLE_TIMEOUT_MINUTES | 15 minutes |
The
JWT_ACCESS_TOKEN_EXPIRES_MINUTES default of 4 minutes is intentionally short. Clients must call POST /api/v1/auth/refresh before the access token expires to maintain a continuous session. The refresh endpoint checks activity within ADMIN_SESSION_IDLE_TIMEOUT_MINUTES (default 15 minutes) — if the session has been idle beyond that window, the server rejects the refresh even though the refresh token itself has not yet expired.Authorization header
Admin / platform endpoints
POST /api/v1/auth/login
Authenticates a platform administrator (database admin or environment-seed admin) and issues an access/refresh token pair.The admin’s email address. Case-insensitive; trimmed and lowercased before lookup.
The admin’s password. Must be non-empty.
200 OK
Short-lived JWT to pass in the
Authorization: Bearer header.Long-lived JWT used to obtain a new access token via the refresh endpoint.
Always
"Bearer".ISO 8601 UTC timestamp when the access token expires.
ISO 8601 UTC timestamp when the refresh token expires.
Maximum inactivity window in minutes before the session is invalidated.
Configured lifetime of the access token in minutes.
The authenticated admin’s access profile. See Access profile object below.
POST /api/v1/auth/refresh
Exchanges a valid, non-idle refresh token for a new access token. The sessionlast_seen timestamp is updated on each successful call, keeping the session alive as long as calls occur within ADMIN_SESSION_IDLE_TIMEOUT_MINUTES.
The refresh token issued at login or from a previous refresh call.
200 OK
New short-lived access token.
Rotated refresh token. The previous refresh token is invalidated. Sending the old token again after rotation results in a
401 and destroys the session (theft-detection).POST /api/v1/auth/logout
Invalidates the server-side refresh session associated with the provided refresh token. NoAuthorization header is required — the refresh token in the request body is sufficient to identify the session. The access token remains cryptographically valid until it expires naturally, but the session will no longer issue new tokens.
The refresh token to invalidate. If omitted or invalid, the call still succeeds (logout is always safe).
200 OK
Always
true on a successful logout.ISO 8601 UTC timestamp of when the session was closed.
GET /api/v1/auth/me
Requires authentication. Returns the current user’s full access profile, freshly resolved from the database. Useful for verifying token validity and refreshing the client-side permission set.200 OK
Full access profile. See Access profile object below.
POST /api/v1/auth/actions/log
Requires authentication. Records a client-side UI action for audit and analytics purposes. This endpoint is fire-and-forget; the response does not block the UI action.A short string identifying the action type (e.g.,
"click", "view", "submit"). Defaults to "click" if omitted.Human-readable label for the action. Truncated to 120 characters.
The current frontend route or URL path. Truncated to 240 characters. Falls back to the
Referer header if omitted.200 OK
GET /api/v1/auth/audit-events
Requiresaudit.read permission. Returns a paginated list of administrative audit events, with filtering by event type, actor, target, and date range.
Page number (1-based).
Items per page. Maximum
100.Full-text filter across description, event type, actor name/email, and target name/email.
Filter by exact event type (e.g.,
login_success, admin_created, admin_deactivated, sessions_revoked, audit_exported).Filter events where this admin ID is the actor.
Filter events where this admin ID is the target/subject.
ISO date string (
YYYY-MM-DD) for the beginning of the date range.ISO date string (
YYYY-MM-DD) for the end of the date range.200 OK
GET /api/v1/auth/audit-events/export
Requiresaudit.export permission. Streams the filtered audit event log as a UTF-8 CSV file. Accepts the same filter query parameters as the list endpoint. An audit_exported event is recorded for the requesting admin upon every successful export.
GET /api/v1/auth/audit-events — search, event_type, actor_id, target_id, start_date, end_date.
Response — text/csv; charset=utf-8
The file is returned as an attachment. The filename follows the pattern rapi-turbo-auditoria-{scope_label}-{date}.csv. Columns: fecha, evento, descripcion, actor, actor_email, objetivo, objetivo_email, detalle.
GET /api/v1/auth/access-catalog
Requiresadmins.read permission. Returns all role definitions and scope types registered on the platform. Use this endpoint to populate role/scope dropdowns when creating or editing admin users.
200 OK
Full definitions for all console roles. Each entry includes
key, label, description, surface, console_access, default_scope_type, home_route, modules, and permissions.All valid scope type identifiers with their human-readable labels.
Customer endpoints
POST /api/v1/auth/customer/login
Authenticates an end customer by phone number and password. Returns an access token valid for the standard access TTL and a refresh token, plus the customer’s profile.Customer login accepts
phone (not email) as the primary identifier. The phone number is normalized by stripping all non-digit characters before lookup, so +57 310 123 4567, 573101234567, and 3101234567 all resolve to the same account.The customer’s phone number. Non-digit characters are stripped automatically.
The customer’s account password.
200 OK
Alias for
access_token. Provided for backwards compatibility with older clients.Short-lived JWT for authenticating customer requests.
Long-lived JWT to obtain a new access token.
ISO 8601 UTC expiry of the access token.
Customer profile with role
"customer", scope "self", and limited permissions (orders.read, clients.read).POST /api/v1/auth/customer/register
Creates a new customer account and immediately returns a session. The phone number must be unique across all customers.Customer’s display name.
Customer’s phone number. Normalized to digits only. Must be unique.
Optional email address. Stored as-is; not used for authentication.
Password for the new account. Minimum 6 characters.
201 Created
409 Conflict if a customer with the same phone number already exists.
Access profile object
Theuser object returned by login, refresh, and /me contains a fully-resolved access profile built by build_access_profile(). The fields are consistent across all admin roles.
Admin database ID, or
"env-admin" for the environment-seed administrator.Admin’s display name.
Admin’s email address.
Normalized role key (e.g.,
city_admin, super_admin). See the role keys in Admin Users.Human-readable role name (e.g.,
"Administrador ciudad").One-sentence description of what the role can do.
UI surface identifier (e.g.,
superadmin_panel, admin_panel, business_portal).The default redirect route after login (e.g.,
"/app/admin/city").Expanded list of permission strings granted to this role. Umbrella permissions like
catalog.manage are automatically expanded to their individual action permissions.List of module keys accessible to this role (e.g.,
"dashboard", "orders", "audit").The operational scope level:
global, country, city, zippi_branch, business_group, business, business_branch, or self.The database ID of the scoped entity.
null for global scope.Human-readable label for the scope (e.g.,
"Bogotá", "Operacion global").Monotonically increasing integer. Incremented when a password changes or sessions are manually revoked. Tokens carrying an outdated version are rejected.
Token origin:
"database" for DB admins, "environment" for the seed admin, "customer" for customer tokens.