Dragon Guard WMS API uses JWT Bearer authentication for all protected endpoints. Every request to an operational controller must present a valid token issued by the Dragon Guard auth service. The API exposes two distinct authentication flows depending on the type of actor: a standard email/password flow for back-office users and a GrupoMAS delegated handheld flow for warehouse device operators.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/CodexaCP/DG_BACK/llms.txt
Use this file to discover all available pages before exploring further.
Authentication flows
Standard Login
Back-office users authenticate with their email address and BCrypt-verified password. The API issues a Dragon Guard JWT that carries tenant scope and role claims. Suitable for supervisors, administrators, and any user who logs in through the web interface.
Handheld Login
Warehouse operators on GrupoMAS-integrated tenants authenticate their credentials directly against the MAS ERP. Dragon Guard validates the device, delegates credential verification to MAS, and then issues its own JWT for the session. No local
auth.Users row is created for these operators.How authentication works
Call the login endpoint
Send a
POST request to the appropriate login endpoint with the required credentials. The two endpoints are:POST /api/auth/login— standard email/passwordPOST /api/auth/grupomas-handheld-login— GrupoMAS delegated handheld
Receive the JWT
A successful response includes a signed JWT in the
token field along with user metadata. Tokens are HMAC SHA-256 signed and carry an expiry set by Jwt:ExpiresInMinutes in the server configuration.Company context
Every protected request must resolve to a specific tenant. Dragon Guard uses the following resolution order (first match wins):companyIdquery parameterX-Company-Idrequest headercompanyIdclaim embedded in the JWT
company_access claims in the token. A request that supplies a companyId the token does not grant access to is rejected immediately — the API never trusts an arbitrary company identifier without checking token claims first.
SUPERADMIN_SUPREMO accounts bypass tenant access checks and have no
company_access claims. All other users must resolve to a company present in their token.Tenant isolation
Dragon Guard enforces strict single-tenant boundaries for non-supreme users:- A user belongs to exactly one tenant. Assigning the same user to a second tenant is rejected in
AuthRepository.AssignUserToCompanyAsyncregardless of how the assignment is triggered (self-registration, admin creation, or supreme admin creation). - If historical data leaves a user assigned to more than one tenant, login is blocked with
auth.userAssignedToOtherTenantuntil the data is corrected. This prevents any possibility of cross-tenant token scope leakage. - SUPERADMIN_SUPREMO is a global account with no tenant context. Operational re-assignment back into a tenant is also rejected for supreme accounts.
Roles
Dragon Guard defines the following role codes:| Role code | Scope | Description |
|---|---|---|
OPERATOR | Tenant | Default role for self-registered and handheld users. |
SUPERVISOR | Tenant | Elevated warehouse operations access. |
ADMIN | Tenant | Full tenant administration. |
SUPERADMIN_SUPREMO | Global | Global SaaS administration. No tenant context. Full platform access. |
ApiControllerBase.Role. When company_role claims are present the effective role for the resolved company is used. Legacy tokens without company_role fall back to the global role claim.
Inactive tenant enforcement
Tenant active status is checked in two independent layers:- At login —
POST /api/auth/loginqueriesdbo.Companiesand rejects the login with403 auth.companyInactivewhen the tenant’sIsActiveflag isfalseorStatusis not"Active". - Per request — authenticated requests to operational endpoints re-check tenant active status so that a user cannot continue operating with a previously issued token after a supreme admin deactivates the company.
Further reading
- Login (email/password) — full endpoint reference for
POST /api/auth/login, registration, and password management - Handheld Login — GrupoMAS delegated login flow for warehouse devices
- JWT Claims — complete claim reference and company context resolution details