Spring Community’s authentication model is fully stateless — no server-side session is ever created. Every request is authenticated by a signed JSON Web Token (JWT) carried in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/CristianRR94/springCommunity/llms.txt
Use this file to discover all available pages before exploring further.
Authorization header. Two token types are in play at all times: a short-lived ACCESS token for regular API calls and a longer-lived REFRESH token used exclusively to obtain a new token pair. Both tokens are persisted in the database so they can be individually revoked before their natural expiry, giving the platform hard logout semantics that pure stateless JWTs cannot provide on their own.
Public vs Protected Endpoints
Not every endpoint requires a token. The table below lists all routes and their access level as configured inWebSecurityConfig.
| Endpoint pattern | Access level | Notes |
|---|---|---|
/auth/** | Public | Register, login, refresh — no token needed |
/api/usuarios/** | Public | User profile reads and creation |
/images/** | Public | Static image assets |
/ws-chat | Public | WebSocket handshake (token checked by STOMP interceptor) |
/api/eventos/** | Authenticated | Event management — requires valid ACCESS token |
/api/participantes/** | Authenticated | Participant management — requires valid ACCESS token |
| Any other route | Authenticated | Defaults to requiring authentication |
Although the
/ws-chat WebSocket handshake URL itself is marked public in Spring Security, the STOMP CONNECT frame is intercepted by JwtChannelInterceptor, which reads the Authorization native header and extracts the username from the token. If a valid username is resolved, a principal is bound to the session; otherwise the connection proceeds with no authenticated principal.Auth Flow
The complete lifecycle from registration to logout follows these steps:Register a new account
Send a
POST request to /auth/crear with a UsuarioEntradaDTO body. On success the server creates the user, issues both token types, and returns a TokenResponse.Log in to an existing account
Send a
POST request to /auth/login with a LoginDTO body. The server validates the credentials, revokes any existing tokens, and issues a fresh TokenResponse.Call protected endpoints
Include the access token from
TokenResponse.access_token in every request to a protected resource using the standard Authorization: Bearer scheme.Refresh an expired access token
When the access token expires (default 1 hour), send a
POST to /auth/refresh with the refresh token in the Authorization header. A brand-new token pair is returned and the old tokens are revoked.TokenResponse Shape
Both the registration and login endpoints return the sameTokenResponse record. The JSON property names use snake_case as declared with @JsonProperty in the source.
access_token for every API call and keep refresh_token only for the /auth/refresh endpoint.
Error Responses
When authentication fails the API returns a standard error envelope:| HTTP Status | Meaning |
|---|---|
400 | Validation failure on the request body (missing fields, blank values) |
401 | Token is missing, expired, revoked, or of the wrong type |
404 | Referenced user was not found in the database |
JWT Token Lifecycle
Signing algorithm, claims structure, expiry defaults, revocation mechanics, and curl examples for refresh and logout.
WebSocket Authentication
How to pass your ACCESS token in a STOMP CONNECT frame and interact with the real-time chat system.