Dragon Guard uses a two-path login strategy: the handheld first attempts a GrupoMas-federated login, and automatically falls back to the standard local login when the tenant is standalone or the user identity exists locally. All four endpoints described here are public and do not require anDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CodexaCP/DG_APK/llms.txt
Use this file to discover all available pages before exploring further.
Authorization header. Once a session is established, the returned token must be sent as a Bearer token on every subsequent protected request together with the X-Company-Id header matching the chosen company.
POST /api/auth/grupomas-handheld-login
Authenticates a warehouse operator through the GrupoMas external identity provider. This is the primary login path on every handheld launch. If the server returnsmessageKey auth.localEmailConflict or auth.grupoMasNativeRequired, the client automatically retries using POST /api/auth/login with the same credentials — no user action is required.
The two-path strategy is transparent to the operator. The handheld always calls the GrupoMas endpoint first. A silent automatic retry to the local endpoint is triggered only when the server’s
messageKey signals that the tenant is not federated or the user has a conflicting local account.POST /api/auth/grupomas-handheld-loginAuth required: No
Request body
The operator’s GrupoMas username (maps to
AuthLoginRequestDto.Email internally).The operator’s password.
Hardware identifier of the handheld device (MAC address or device serial). Required for device-authorization checks and plan-limit enforcement. If omitted, the server may reject the request with
DEVICE_ID_REQUIRED.Human-readable label for the device, stored in the session audit log.
Response — 200 OK
JWT bearer token. Include this in
Authorization: Bearer <token> on every protected request.Internal UUID of the authenticated user.
Resolved email address for the authenticated identity.
Display name of the operator, shown in the handheld UI header.
List of companies the user can access. The operator selects one; its
companyId becomes the X-Company-Id header on protected requests.Error messageKeys
When the response is non-2xx and the body is JSON, themessageKey field drives the client error message. Possible values:
messageKey | Meaning |
|---|---|
auth.externalLoginFailed | GrupoMas rejected the username or password. |
auth.localEmailConflict | A local user with the same identifier exists — triggers automatic fallback to local login. |
auth.grupoMasNativeRequired | Tenant is not configured for federated login — triggers automatic fallback to local login. |
auth.companyInactive | The tenant is inactive. |
integration.adapterNotConfigured | GrupoMas integration is not configured for this tenant. |
integration.remoteUnavailable | GrupoMas service is unreachable or rejected the connection. |
integration.companyCodeRequired | GrupoMas company code is missing from tenant configuration. |
plans.deviceNotAuthorized | This device’s ID/MAC is not authorised for the tenant. The response body may include the resolved deviceId. |
plans.deviceInactive | The device exists but is set to inactive. |
plans.deviceLimitExceeded | The tenant has exceeded its plan’s active-device limit. |
| Code | Meaning |
|---|---|
EMAIL_AND_PASSWORD_REQUIRED | Credentials were not supplied. |
USERNAME_AND_PASSWORD_REQUIRED | Credentials were not supplied. |
DEVICE_ID_REQUIRED | deviceId field was absent or empty. |
USER_NOT_FOUND | No matching user found. |
INVALID_USER | User account is invalid or disabled. |
INVALID_PASSWORD | Password does not match. |
LOGIN_TEMPORARILY_UNAVAILABLE | Transient server-side failure. |
Example
POST /api/auth/login
Standard local login endpoint. Used directly when the tenant is standalone, or reached automatically via the client’s fallback logic aftergrupomas-handheld-login returns auth.localEmailConflict or auth.grupoMasNativeRequired. The isHandheld flag tells the server this request originates from a physical handheld device.
Method & path: POST /api/auth/loginAuth required: No
Request body
The operator’s local account email address.
The operator’s password.
Hardware identifier of the handheld device.
Human-readable label for the device.
Always
true for requests originating from the Dragon Guard handheld client. Allows the server to apply handheld-specific session logic.Response — 200 OK
Identical shape toPOST /api/auth/grupomas-handheld-login. See Response fields above.
Error messageKeys
Same table as the GrupoMas login endpoint. The fallback keysauth.localEmailConflict and auth.grupoMasNativeRequired will not appear on this endpoint.
Example
GET /api/auth/registration-options
Returns the list of companies available for self-registration and the default role code that will be assigned to new users. Call this endpoint to populate the company picker on the registration screen before submittingPOST /api/auth/register.
Method & path: GET /api/auth/registration-optionsAuth required: No
Response — 200 OK
Companies available for self-registration.
Role code assigned to newly registered users. Defaults to
OPERATOR.Example
POST /api/auth/register
Creates a new local user account within the specified company. On success, the server returns200 OK with no response body. The new user can immediately log in with POST /api/auth/login.
Method & path: POST /api/auth/registerAuth required: No
Request body
Email address for the new account. Must be unique within the tenant.
Password for the new account. Minimum strength requirements are enforced server-side.
Full display name of the new user, shown in the handheld UI header after login.
UUID of the company to associate with the new user. Obtain valid values from
GET /api/auth/registration-options. If omitted, the server may assign a default or return an error.Response — 200 OK
No response body. A successful200 indicates the account was created. Proceed to POST /api/auth/login.