Handheld devices on GrupoMAS-integrated tenants use a delegated authentication flow. The warehouse operator submits their MAS credentials from the device; Dragon Guard validates the device authorization, then delegates credential verification directly to the GrupoMAS ERP. When MAS accepts the credentials, Dragon Guard issues its own JWT for the session. No localDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CodexaCP/DG_BACK/llms.txt
Use this file to discover all available pages before exploring further.
auth.Users row is created for delegated operators — MAS remains the identity authority while Dragon Guard remains the device authorization authority.
Prerequisites
Before a handheld device can authenticate, three conditions must be met:Tenant must use GrupoMASNative integration
The device’s company record must have
IntegrationMode = GrupoMASNative. Login is rejected with 409 auth.grupoMasNativeRequired for any other integration mode.Device must be pre-authorized
The device key (normalized MAC address) must exist in the
dbo.HandheldDevices table for the tenant and must have IsActive = true. Unregistered devices receive 403 plans.deviceNotAuthorized; inactive devices receive 403 plans.deviceInactive.POST /api/auth/grupomas-handheld-login
Authenticates a warehouse operator against the GrupoMAS ERP and returns a Dragon Guard JWT scoped to the device’s tenant with theOPERATOR role.
Request body
The operator’s MAS username. Passed directly to the GrupoMAS authentication endpoint.
The operator’s MAS password in plaintext. Passed directly to the GrupoMAS authentication endpoint over HTTPS.
The device’s MAC address or hardware identifier. The value is normalized to uppercase colon-separated format before lookup (e.g.
aa-bb-cc-dd-ee-ff → AA:BB:CC:DD:EE:FF). Must match a pre-authorized entry in dbo.HandheldDevices.DeviceKey for the tenant.Human-readable label for the device (e.g.
"Scanner-01"). When supplied, it updates the DeviceName field on the device record. Optional.Client or branch code forwarded to MAS during credential verification. Required only for MAS tenants that segment operators by client code. Optional.
Response fields
Signed HMAC SHA-256 JWT. Use as
Authorization: Bearer <token> on all subsequent requests.A deterministic UUID derived from
GrupoMASNative:<companyId>:<username> via SHA-256. Stable across sessions for the same operator on the same tenant.The email address returned by MAS, or the
username value when MAS does not return an email.The display name returned by MAS, or the
username value when MAS does not return a name.Always
false for handheld delegated sessions.Always
false for handheld delegated sessions. Password management remains in MAS.Always
true.Always
true for GrupoMAS delegated sessions.Always
"GrupoMASNative" for this endpoint.The normalized MAS username for the session (trimmed, as returned by MAS or the request value).
The normalized device key (uppercase colon-separated MAC) that authenticated the session.
The
dbo.Companies.Code value for the device’s tenant. Used as codigo_empresa in subsequent MAS integration calls.The display name of the device’s tenant (
dbo.Companies.Name).Single-element array containing the device’s company and the
OPERATOR role:companyId(UUID)roleCode:"OPERATOR"
Example
Error responses
| Status | Body / messageKey | Cause |
|---|---|---|
400 | USERNAME_AND_PASSWORD_REQUIRED | username or password is missing or blank. |
400 | DEVICE_ID_REQUIRED | deviceId is missing, blank, or normalizes to an empty string. |
401 | auth.externalLoginFailed | MAS rejected the supplied credentials. |
403 | plans.deviceNotAuthorized | No dbo.HandheldDevices record found for the normalized device key in this tenant. |
403 | plans.deviceInactive | The device record exists but IsActive = false. |
403 | auth.companyInactive | The device’s tenant is inactive (IsActive = false or Status ≠ "Active"). |
409 | auth.grupoMasNativeRequired | The tenant’s IntegrationMode is not GrupoMASNative. |
409 | auth.localEmailConflict | A local Dragon Guard user already exists with the same username. Use /api/auth/login instead. |
501 | integration.adapterNotConfigured | The GrupoMAS native adapter is not configured for the tenant (missing BaseUrl or similar). |
502 | integration.remoteUnavailable | Dragon Guard reached MAS but received an error response. The remoteStatusCode field gives details. |
503 | LOGIN_TEMPORARILY_UNAVAILABLE | An unexpected server error occurred. Retry with exponential back-off. |
MAS endpoint compatibility
Dragon Guard supports both modern and legacy GrupoMAS site layouts. It attempts the modern endpoint first and falls back automatically:- Modern —
POST /api/loginwith a JSON body. Used for current MAS deployments. - Legacy fallback —
POST /Default.aspx/Ingresarwith{ usuario, pas, empresa, idioma }. Triggered when the modern endpoint returns404or405. A successful legacy response has an emptymensajefield and a non-emptyhreffield inresponse.d.
For legacy on-premise MAS environments, set the tenant
BaseUrl to the site root (e.g. http://localhost:34670). Dragon Guard appends the correct path for each endpoint variant.Device auto-registration
TheX-Device-Id middleware runs on every authenticated request. When a request includes a device identifier that is not yet recorded in dbo.HandheldDevices, the middleware attempts best-effort registration. This allows devices to be implicitly registered during normal operation after an admin has pre-authorized them in the plan.
Device ID normalization
The rawdeviceId value provided in the request is always normalized before use:
- Whitespace is trimmed
- All characters are uppercased
- Hyphens (
-) are replaced with colons (:)
aa-bb-cc-dd-ee-ff becomes AA:BB:CC:DD:EE:FF. The normalized value is stored in the JWT deviceId claim and in dbo.HandheldDevices.DeviceKey. Ensure your device firmware sends the MAC in a consistent format to avoid mismatches.