Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/CodexaCP/DG_BACK/llms.txt

Use this file to discover all available pages before exploring further.

The Auth API handles all identity and session management for Dragon Guard WMS. It covers standard email/password login, GrupoMAS-delegated handheld login, self-service registration, and password change workflows for both web and handheld clients.

GET /api/auth/registration-options

Returns the list of active companies available for self-service registration and the default role code that will be assigned to new users. Authentication: None required.
companies
array
List of active companies available for registration selection.
defaultRoleCode
string
The role code (e.g., OPERATOR) that will be automatically assigned to newly registered users.
Error codes
StatusMeaning
200Options returned successfully.
curl -X GET https://api.example.com/api/auth/registration-options

POST /api/auth/login

Authenticates a user by email and password. Optionally registers a handheld device when isHandheld is true. Returns a signed JWT along with user profile and company access list. Authentication: None required.
email
string
required
The user’s email address.
password
string
required
The user’s password.
isHandheld
boolean
Set to true when the request originates from a handheld/mobile device. Triggers device registration validation.
deviceId
string
Hardware device identifier. Required when isHandheld is true. Normalized to uppercase with : separators.
deviceName
string
Human-readable name for the device (e.g., Scanner-01). Optional.
token
string
Signed JWT for use in subsequent Authorization: Bearer headers.
userId
string (uuid)
Unique identifier of the authenticated user.
email
string
Authenticated user’s email address.
fullName
string
Authenticated user’s display name.
isSuperAdmin
boolean
Whether the user holds the SUPERADMIN_SUPREMO global role.
mustChangePassword
boolean
When true the UI must redirect the user to the change-password screen before continuing.
Companies
array
List of tenant company assignments for the authenticated user. Empty for super-admins.
Error codes
StatusCodeMeaning
400EMAIL_AND_PASSWORD_REQUIREDBoth fields must be non-empty.
401USER_NOT_FOUNDNo account matches the supplied email.
401INVALID_PASSWORDPassword does not match the stored hash.
402plans.deviceLimitExceededActive device count exceeds the tenant plan limit.
403plans.deviceNotAuthorizedDevice ID is not registered for this tenant.
403auth.companyInactiveThe user’s tenant is suspended or inactive.
409auth.userAssignedToOtherTenantThe account is already tied to a different tenant.
503LOGIN_TEMPORARILY_UNAVAILABLEUnexpected server error; retry later.
curl -X POST https://api.example.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "S3cur3Pass!",
    "isHandheld": false
  }'

POST /api/auth/grupomas-handheld-login

Delegates authentication to the GrupoMAS ERP system for handheld operators. The device must be pre-registered in Dragon Guard and the tenant must have IntegrationMode = GrupoMasNative. Credentials are forwarded to GrupoMAS and, on success, a Dragon Guard JWT is issued with role OPERATOR. Authentication: None required. The device key in deviceId is used to identify the tenant.
username
string
required
GrupoMAS operator username. Must not match any existing local Dragon Guard email.
password
string
required
GrupoMAS operator password.
deviceId
string
required
Hardware device identifier used to resolve the tenant. Normalized to uppercase colon format.
deviceName
string
Optional friendly name for the device.
clientCode
string
Optional GrupoMAS client/company code to pass alongside the authentication request.
token
string
Dragon Guard JWT with authProvider=GrupoMasNative.
userId
string (uuid)
Deterministic external user ID derived from provider, company, and username.
email
string
Normalized email or username used as the internal identity.
fullName
string
Display name returned by GrupoMAS (or username if not provided).
isHandheld
boolean
Always true for this endpoint.
isExternalAuth
boolean
Always true.
authProvider
string
Always GrupoMasNative.
username
string
Normalized GrupoMAS username.
deviceId
string
Normalized device key.
companyCode
string
Tenant company code sent to MAS on each request.
companyName
string
Tenant display name.
companies
array
Single-element array with the device’s company access.
Error codes
StatusCodeMeaning
400USERNAME_AND_PASSWORD_REQUIREDBoth fields are mandatory.
400DEVICE_ID_REQUIREDDevice ID is missing or empty after normalization.
401auth.externalLoginFailedGrupoMAS rejected the credentials.
403plans.deviceNotAuthorizedDevice not registered in Dragon Guard.
403plans.deviceInactiveDevice is disabled.
403auth.companyInactiveTenant is inactive.
409auth.localEmailConflictUsername matches an existing local Dragon Guard account.
409auth.grupoMasNativeRequiredTenant is not configured for GrupoMASNative.
501integration.adapterNotConfiguredGrupoMAS adapter not set up for this tenant.
502integration.remoteUnavailableGrupoMAS remote system returned an error.
curl -X POST https://api.example.com/api/auth/grupomas-handheld-login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "jdoe",
    "password": "MasP@ss1",
    "deviceId": "AA:BB:CC:DD:EE:FF"
  }'

POST /api/auth/register

Creates a new user account and assigns it to a tenant. If the email already exists in another tenant the request is rejected. Password must satisfy complexity policy (≥8 chars, upper, lower, digit, special character). Authentication: None required.
email
string
required
User’s email address. Must match the tenant’s configured email domain if one is set.
password
string
required
Must be at least 8 characters and contain uppercase, lowercase, digit, and special character.
fullName
string
required
User’s display name.
companyId
string (uuid)
Target tenant. If omitted, the first available company from registration options is used.
message
string
Always USER_REGISTERED on success.
userId
string (uuid)
ID of the created or matched user.
companyId
string (uuid)
Tenant the user was assigned to.
role
string
Assigned role code (default role from registration options).
Error codes
StatusCodeMeaning
400MISSING_REQUIRED_FIELDSEmail, password, or fullName is blank.
400PASSWORD_POLICY_NOT_METPassword doesn’t meet complexity requirements.
400NO_ACTIVE_COMPANY_AVAILABLENo active company found or provided.
400validation.companyRequiredThe supplied companyId does not exist.
400validation.emailDomainMismatchEmail domain doesn’t match the tenant’s configured domain.
409auth.userAlreadyExistsInTenantAccount already registered in this tenant.
409auth.userAssignedToOtherTenantAccount belongs to a different tenant.
curl -X POST https://api.example.com/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "S3cur3Pass!",
    "fullName": "Jane Smith",
    "companyId": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
  }'

POST /api/auth/change-password

Changes the password for the currently authenticated user. Blocked for users whose account was authenticated via an external provider (e.g., GrupoMasNative). Authentication: Authorization: Bearer <token> (required).
currentPassword
string
required
The user’s existing password for verification.
newPassword
string
required
The desired new password. Must meet complexity policy.
message
string
Always PASSWORD_CHANGED on success.
Error codes
StatusCodeMeaning
400PASSWORD_REQUIREDOne or both fields are missing.
400PASSWORD_POLICY_NOT_METNew password fails complexity check.
400CURRENT_PASSWORD_INVALIDCurrent password is incorrect.
400auth.externalPasswordManagedPassword is managed by external provider.
401INVALID_SESSIONJWT is missing, expired, or userId claim is invalid.
curl -X POST https://api.example.com/api/auth/change-password \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "currentPassword": "OldPass1!",
    "newPassword": "NewPass2@"
  }'

GET /api/auth/test

Returns the decoded claims from the caller’s JWT. Useful for verifying token content, company access, and role assignments during integration development. Authentication: Authorization: Bearer <token> (required).
message
string
Always OK.
userId
string (uuid)
User ID claim from the token.
companyId
string (uuid)
Primary company ID claim.
role
string
Global role claim (e.g., ADMIN, OPERATOR, SUPERADMIN_SUPREMO).
companies
array
List of company_access claims from the token.
companyRoles
array
List of company_role claims from the token.
curl -X GET https://api.example.com/api/auth/test \
  -H "Authorization: Bearer <token>"

Build docs developers (and LLMs) love