The Auth API handles all identity and session management for Dragon Guard WMS. It covers standard email/password login, GrupoMAS-delegated handheld login, self-service registration, and password change workflows for both web and handheld clients.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/CodexaCP/DG_BACK/llms.txt
Use this file to discover all available pages before exploring further.
GET /api/auth/registration-options
Returns the list of active companies available for self-service registration and the default role code that will be assigned to new users. Authentication: None required.List of active companies available for registration selection.
The role code (e.g.,
OPERATOR) that will be automatically assigned to newly registered users.| Status | Meaning |
|---|---|
| 200 | Options returned successfully. |
POST /api/auth/login
Authenticates a user by email and password. Optionally registers a handheld device whenisHandheld is true. Returns a signed JWT along with user profile and company access list.
Authentication: None required.
The user’s email address.
The user’s password.
Set to
true when the request originates from a handheld/mobile device. Triggers device registration validation.Hardware device identifier. Required when
isHandheld is true. Normalized to uppercase with : separators.Human-readable name for the device (e.g.,
Scanner-01). Optional.Signed JWT for use in subsequent
Authorization: Bearer headers.Unique identifier of the authenticated user.
Authenticated user’s email address.
Authenticated user’s display name.
Whether the user holds the
SUPERADMIN_SUPREMO global role.When
true the UI must redirect the user to the change-password screen before continuing.List of tenant company assignments for the authenticated user. Empty for super-admins.
| Status | Code | Meaning |
|---|---|---|
| 400 | EMAIL_AND_PASSWORD_REQUIRED | Both fields must be non-empty. |
| 401 | USER_NOT_FOUND | No account matches the supplied email. |
| 401 | INVALID_PASSWORD | Password does not match the stored hash. |
| 402 | plans.deviceLimitExceeded | Active device count exceeds the tenant plan limit. |
| 403 | plans.deviceNotAuthorized | Device ID is not registered for this tenant. |
| 403 | auth.companyInactive | The user’s tenant is suspended or inactive. |
| 409 | auth.userAssignedToOtherTenant | The account is already tied to a different tenant. |
| 503 | LOGIN_TEMPORARILY_UNAVAILABLE | Unexpected server error; retry later. |
POST /api/auth/grupomas-handheld-login
Delegates authentication to the GrupoMAS ERP system for handheld operators. The device must be pre-registered in Dragon Guard and the tenant must haveIntegrationMode = GrupoMasNative. Credentials are forwarded to GrupoMAS and, on success, a Dragon Guard JWT is issued with role OPERATOR.
Authentication: None required. The device key in deviceId is used to identify the tenant.
GrupoMAS operator username. Must not match any existing local Dragon Guard email.
GrupoMAS operator password.
Hardware device identifier used to resolve the tenant. Normalized to uppercase colon format.
Optional friendly name for the device.
Optional GrupoMAS client/company code to pass alongside the authentication request.
Dragon Guard JWT with
authProvider=GrupoMasNative.Deterministic external user ID derived from provider, company, and username.
Normalized email or username used as the internal identity.
Display name returned by GrupoMAS (or username if not provided).
Always
true for this endpoint.Always
true.Always
GrupoMasNative.Normalized GrupoMAS username.
Normalized device key.
Tenant company code sent to MAS on each request.
Tenant display name.
Single-element array with the device’s company access.
| Status | Code | Meaning |
|---|---|---|
| 400 | USERNAME_AND_PASSWORD_REQUIRED | Both fields are mandatory. |
| 400 | DEVICE_ID_REQUIRED | Device ID is missing or empty after normalization. |
| 401 | auth.externalLoginFailed | GrupoMAS rejected the credentials. |
| 403 | plans.deviceNotAuthorized | Device not registered in Dragon Guard. |
| 403 | plans.deviceInactive | Device is disabled. |
| 403 | auth.companyInactive | Tenant is inactive. |
| 409 | auth.localEmailConflict | Username matches an existing local Dragon Guard account. |
| 409 | auth.grupoMasNativeRequired | Tenant is not configured for GrupoMASNative. |
| 501 | integration.adapterNotConfigured | GrupoMAS adapter not set up for this tenant. |
| 502 | integration.remoteUnavailable | GrupoMAS remote system returned an error. |
POST /api/auth/register
Creates a new user account and assigns it to a tenant. If the email already exists in another tenant the request is rejected. Password must satisfy complexity policy (≥8 chars, upper, lower, digit, special character). Authentication: None required.User’s email address. Must match the tenant’s configured email domain if one is set.
Must be at least 8 characters and contain uppercase, lowercase, digit, and special character.
User’s display name.
Target tenant. If omitted, the first available company from registration options is used.
Always
USER_REGISTERED on success.ID of the created or matched user.
Tenant the user was assigned to.
Assigned role code (default role from registration options).
| Status | Code | Meaning |
|---|---|---|
| 400 | MISSING_REQUIRED_FIELDS | Email, password, or fullName is blank. |
| 400 | PASSWORD_POLICY_NOT_MET | Password doesn’t meet complexity requirements. |
| 400 | NO_ACTIVE_COMPANY_AVAILABLE | No active company found or provided. |
| 400 | validation.companyRequired | The supplied companyId does not exist. |
| 400 | validation.emailDomainMismatch | Email domain doesn’t match the tenant’s configured domain. |
| 409 | auth.userAlreadyExistsInTenant | Account already registered in this tenant. |
| 409 | auth.userAssignedToOtherTenant | Account belongs to a different tenant. |
POST /api/auth/change-password
Changes the password for the currently authenticated user. Blocked for users whose account was authenticated via an external provider (e.g.,GrupoMasNative).
Authentication: Authorization: Bearer <token> (required).
The user’s existing password for verification.
The desired new password. Must meet complexity policy.
Always
PASSWORD_CHANGED on success.| Status | Code | Meaning |
|---|---|---|
| 400 | PASSWORD_REQUIRED | One or both fields are missing. |
| 400 | PASSWORD_POLICY_NOT_MET | New password fails complexity check. |
| 400 | CURRENT_PASSWORD_INVALID | Current password is incorrect. |
| 400 | auth.externalPasswordManaged | Password is managed by external provider. |
| 401 | INVALID_SESSION | JWT is missing, expired, or userId claim is invalid. |
GET /api/auth/test
Returns the decoded claims from the caller’s JWT. Useful for verifying token content, company access, and role assignments during integration development. Authentication:Authorization: Bearer <token> (required).
Always
OK.User ID claim from the token.
Primary company ID claim.
Global role claim (e.g.,
ADMIN, OPERATOR, SUPERADMIN_SUPREMO).List of
company_access claims from the token.List of
company_role claims from the token.