ServiciosYa API uses JSON Web Token (JWT) Bearer authentication for all protected endpoints. A client obtains a token by posting credentials to the login endpoint. The API signs the token with HMAC-SHA256 using a symmetric key configured inDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CodexaCP/SERVICIOS-BACK/llms.txt
Use this file to discover all available pages before exploring further.
appsettings.json, embeds identity claims directly into the token payload, and then validates those claims on every subsequent request — no session state is stored server-side. The login response also carries a mustChangePassword flag that gates further API access for newly provisioned internal users.
Obtaining a token
Send aPOST request to /api/auth/login with a JSON body containing companyId, username, and password.
200 with the following shape:
LoginResponse DTO is defined as:
LoginRequest DTO accepted by the endpoint is:
Token lifetime
Tokens are valid for 8 hours from the moment of issuance. This is hardcoded inJwtService.GenerateToken:
401 response. The client must log in again to obtain a new token. There is no refresh-token endpoint in the current API version.
Claims embedded in the token
JwtService embeds three claims when generating a token:
| Claim key | Type | Description |
|---|---|---|
userId | int | The authenticated user’s primary key in the database. |
companyId | int | The company the user belongs to. Used to scope all multi-tenant queries. |
http://schemas.microsoft.com/ws/2008/06/identity/claims/role | string (uppercase) | The user’s role, e.g. SUPER_ADMIN, ADMIN_GENERAL, GESTOR_SUPREMO, GESTOR, or CUSTOMER. |
ClaimTypes.Role) so that ASP.NET Core’s [Authorize(Roles = "...")] attribute resolves it correctly. TokenValidationParameters in Program.cs sets RoleClaimType to that URI explicitly.
Controllers read these claims through the BaseController helpers:
Passing the token in requests
Include the token as a Bearer credential in theAuthorization HTTP header:
Error responses
401 — Token missing or invalid
Returned when theAuthorization header is absent, the token is malformed, the signature does not match, or the token has expired.
OnChallenge event handler registered on JwtBearerEvents in Program.cs, not by a controller, so it is returned consistently before any controller code runs.
403 — Insufficient role
Returned when the token is valid but the user’s role does not satisfy the[Authorize(Roles = "...")] requirement on the endpoint.
OnForbidden event handler on JwtBearerEvents.
The mustChangePassword flag
When an internal user is created through /api/auth/register/internal, the system assigns a default password of 123456 and sets MustChangePassword = true in the database. The login endpoint reads that flag and includes it in the response.
If mustChangePassword is true, the client must redirect the user to the change-password flow immediately. Attempting to call other API endpoints while this flag is active is not blocked at the HTTP layer, but it is enforced by business convention — the Angular portal and MAUI app both check this flag on login and prevent navigation to any other screen until the password is changed.
Prompt the user
Show a change-password screen. Do not cache or display any other content until the password is updated.
Submit the new password
POST /api/auth/change-password with the new password. The request must include the Bearer token obtained at login.Password policy
All passwords — including those set through/api/auth/change-password — are validated by PasswordPolicy.IsValid() before being accepted.
Minimum length
At least 8 characters long.
Uppercase letter
At least one uppercase letter (A–Z).
Lowercase letter
At least one lowercase letter (a–z).
Digit
At least one numeric digit (0–9).
Special character
At least one non-alphanumeric character (e.g.,
!, @, #, $).400 with the validation message:
The JWT signing key is currently stored in
appsettings.json under Jwt:Key. Before deploying to production, move this value to environment variables or a secrets manager to avoid exposing it in source control.