The login endpoint validates a username and password against the ServiciosYa database, issues a signed JWT token on success, and writes an audit event regardless of whether the attempt succeeds or fails. All subsequent authenticated requests must carry this token in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CodexaCP/SERVICIOS-BACK/llms.txt
Use this file to discover all available pages before exploring further.
Authorization: Bearer <token> header.
Endpoint
| Method | URL |
|---|---|
POST | /api/auth/login |
POST | /api/v1/auth/login |
Request body
Company scope for the login attempt. This field is accepted by the API but is not currently used in credential validation — the user lookup is performed by username alone. Defaults to
0 when omitted.The user’s login username. Typically an email address but the field is treated as a free-form identifier scoped to the company.
The user’s current password. Passwords are compared using a SHA-256 hash stored in the database.
Response fields
A successful200 OK response returns a JSON object with the following fields.
A signed JWT Bearer token. Pass this value in the
Authorization: Bearer <token> header on every subsequent authenticated request. The token embeds the claims listed below.When
true, the user is required to call POST /api/auth/change-password before any other operation is permitted. This flag is set for all users created through the internal registration flow, whose initial password is 123456.JWT claims
The generated token includes the following claims:| Claim | Description |
|---|---|
userId | Numeric ID of the authenticated user |
companyId | Numeric ID of the user’s company |
role | User role, using the Microsoft role claim type (http://schemas.microsoft.com/ws/2008/06/identity/claims/role) |
Example request
Example response
Error responses
| HTTP status | Body | Cause |
|---|---|---|
401 Unauthorized | {"error": "Invalid credentials"} | Username not found or password does not match |
The error response shape for
401 uses a simple {"error": "..."} envelope rather than the standard {"success": false, "data": null, "error": {"code": 401, "message": "..."}} wrapper. Clients should handle both shapes defensively.Audit events
An audit record withAction = "LOGIN" and Module = "AUTH" is written to the database for every login attempt:
- Successful login:
Result = "Success",Severity = "Info",Message = "Inicio de sesion exitoso." - Failed login:
Result = "Fail",Severity = "Warning",Message = "Inicio de sesion rechazado."— the username is recorded asEntityIdeven though no matching user was found.