The Sistema de Inventario Tecnológico exposes a REST API built with Express.js and backed by Firebase Firestore. Every feature available in the frontend — managing users, registering equipment, tracking peripherals, querying locations, exporting reports, and reviewing the audit log — is accessible through this API. This page describes the conventions that apply to every endpoint so you can integrate or test any part of the system consistently.

Base URL

All endpoints are mounted under the /api prefix. During local development the server binds to port 3001.
http://localhost:3001/api
Replace http://localhost:3001 with your production host when deploying. Every path shown in this documentation is relative to this base URL (e.g. POST /login means POST http://localhost:3001/api/login).

Authentication Model

The API uses JWT cookie-based authentication. There are no Authorization headers to manage manually — the session token is issued as an HTTP-only cookie named acceso_token when you call POST /api/login and is cleared automatically on POST /api/logout.
Because the token lives in an HTTP-only cookie, JavaScript running in the browser cannot read it directly. All requests that require authentication must be made with credentials included so the browser attaches the cookie automatically.
For browser clients, set withCredentials: true on every request. For command-line tools such as curl, use a cookie jar (-c to save, -b to send). Protected routes return 401 immediately if the cookie is absent or the JWT has expired. See the Authentication page for full details.

Content Type

All request bodies must be sent as JSON and all responses are returned as JSON, with two exceptions:
| Endpoint group | Response content type |
| --- | --- |
| All other endpoints | application/json |
| GET /export/descargar (PDF) | application/pdf |
| GET /export/descargar (Excel) | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet |
Always include the Content-Type: application/json header when sending a request body.

CORS

The server is pre-configured to accept cross-origin requests with credentials from the Vite development server:
Origin: http://localhost:5173
Credentials: enabled
Allowed methods: GET, POST, PUT, DELETE
Allowed headers: Content-Type, Authorization
Exposed headers: Content-Disposition
If you host the frontend on a different origin in production you must update the origin value in the CORS configuration on the server. Requests from unlisted origins will be rejected by the browser before they reach the API.
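
The sketch below is an added example, not the project's own CORS code. It shows an exact-match origin allowlist that produces the header set listed above. The names `parseAllowlist`, `corsHeaders` and `CORS_POLICY`, and the idea of passing several comma-separated origins, are assumptions made for illustration.

```javascript
// Added example; parseAllowlist, corsHeaders and CORS_POLICY are hypothetical names.
const CORS_POLICY = {
  methods: "GET, POST, PUT, DELETE",
  allowedHeaders: "Content-Type, Authorization",
  exposedHeaders: "Content-Disposition",
};

// Parse a comma-separated list and keep only exact http(s) origins
// (scheme://host[:port]); wildcards, paths and malformed entries are dropped.
function parseAllowlist(value) {
  const origins = new Set();
  for (const item of String(value || "").split(",")) {
    const candidate = item.trim();
    if (!candidate) continue;
    try {
      const url = new URL(candidate);
      const isHttp = url.protocol === "http:" || url.protocol === "https:";
      if (isHttp && url.origin === candidate) origins.add(candidate);
    } catch (_) {
      // Not a URL at all (for example "*"): ignore it.
    }
  }
  return origins;
}

// Compute the CORS response headers for one request.
// Credentialed CORS needs a concrete origin echoed back, never "*".
function corsHeaders(requestOrigin, allowlist, isPreflight) {
  const headers = { Vary: "Origin" }; // caches must not reuse answers across origins
  if (!requestOrigin || !allowlist.has(requestOrigin)) return headers;
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Expose-Headers"] = CORS_POLICY.exposedHeaders;
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = CORS_POLICY.methods;
    headers["Access-Control-Allow-Headers"] = CORS_POLICY.allowedHeaders;
  }
  return headers;
}
```

CORS is enforced by the browser; a non-browser client such as curl ignores these headers, so the cookie check on protected routes remains the actual access control.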

HTTP Status Codes

The API uses a consistent set of HTTP status codes across all resources.
| Code | Meaning | When it is returned |
| --- | --- | --- |
| 200 OK | Success | Successful read (GET) or update (PUT) |
| 201 Created | Resource created | Successful POST that created a new document |
| 400 Bad Request | Validation error | Missing required fields, invalid format, or failed business-rule check |
| 401 Unauthorized | Authentication required | Cookie is absent, expired, or the JWT cannot be verified |
| 403 Forbidden | Insufficient permissions | Authenticated user’s role does not permit the action |
| 404 Not Found | Resource missing | The requested document ID does not exist in Firestore |
| 409 Conflict | Duplicate resource | Duplicate serial number, username, cedula, or location |
| 500 Internal Server Error | Unexpected error | Unhandled exception or Firestore failure |

Error Response Shape

Every error response — regardless of status code — uses the same JSON envelope:
{
  "message": "Human-readable description of the error."
}
Always read the message field when handling non-2xx responses. Validation errors (400) include a specific description of which field failed and why, which you can surface directly in your UI.
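
The client helper below is an added example, not code from this project. It ties together the cookie, content-type and error-envelope conventions described on this page, using `fetch` with `credentials: "include"` (the `fetch` equivalent of `withCredentials: true`). The names `API_BASE`, `buildRequest`, `classifyResponse` and `apiFetch` are hypothetical.

```javascript
// Added example. API_BASE, buildRequest, classifyResponse and apiFetch are
// hypothetical names; only the conventions they encode come from this page.
const API_BASE = "http://localhost:3001/api";

// Build fetch() arguments: always send the acceso_token cookie, and declare
// JSON only when a body is actually sent.
function buildRequest(method, path, body) {
  const init = { method, credentials: "include", headers: {} };
  if (body !== undefined) {
    init.headers["Content-Type"] = "application/json";
    init.body = JSON.stringify(body);
  }
  return { url: API_BASE + path, init };
}

// Turn status, Content-Type and raw body into one predictable result object.
function classifyResponse(status, contentType, rawBody) {
  const mime = (contentType || "").split(";")[0].trim().toLowerCase();
  if (status >= 200 && status < 300) {
    if (mime === "application/json") {
      return { ok: true, kind: "json", data: JSON.parse(rawBody) };
    }
    // PDF or Excel from GET /export/descargar: keep the bytes untouched.
    return { ok: true, kind: "file", mime, data: rawBody };
  }
  let message = "Unexpected error response";
  try {
    const parsed = JSON.parse(rawBody);
    if (parsed && typeof parsed.message === "string") message = parsed.message;
  } catch (_) {
    // Non-JSON error body (for example from a proxy): keep the fallback text.
  }
  // message is server-supplied: render it as text (textContent), not as HTML.
  return { ok: false, status, message, needsLogin: status === 401 };
}

// Thin async wrapper; fetchImpl is injectable so the logic can be tested offline.
async function apiFetch(method, path, body, fetchImpl = globalThis.fetch) {
  const { url, init } = buildRequest(method, path, body);
  const res = await fetchImpl(url, init);
  const type = res.headers.get("content-type") || "";
  const isJson = type.toLowerCase().startsWith("application/json");
  const raw = res.ok && !isJson ? await res.arrayBuffer() : await res.text();
  return classifyResponse(res.status, type, raw);
}
```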

Endpoint Index

The tables below list every available endpoint organized by resource group. All paths are relative to http://localhost:3001/api.

Auth

| Method | Path | Description | Auth required |
| --- | --- | --- | --- |
| POST | /login | Authenticate and receive the session cookie | No |
| POST | /logout | Clear the session cookie | No |
| GET | /me | Return the JWT payload for the current session | Yes |
| GET | /usuarios/me | Return the full Firestore user document for the current session | Yes |

Users

| Method | Path | Description | Auth required |
| --- | --- | --- | --- |
| POST | /usuarios | Create a new user account | No |
| GET | /usuarios | List all active users | Yes (super-admin) |
| PUT | /usuarios/:id | Update a user’s profile and location | Yes |
| PUT | /usuarios/eliminado/:id | Soft-delete a user (sets status to inactivo) | Yes |

Equipment

| Method | Path | Description | Auth required |
| --- | --- | --- | --- |
| POST | /pc | Register a new desktop PC | Yes |
| POST | /laptop | Register a new laptop | Yes |
| GET | /equipos | List all equipment | Yes |
| GET | /equipos/lista | Simplified equipment list for dropdowns | Yes |
| GET | /equipos/:id | Get equipment detail by ID | Yes |
| PUT | /equipos/:id | Update equipment record | Yes |
| GET | /equipo/:id | Get a single equipment document | Yes |
| GET | /buscar/:serial | Look up equipment by serial number | Yes |
| GET | /verificar-periferico/:dispositivo/:serial | Check whether a serial already exists for a device type | Yes |
| GET | /:dispositivo/:id | Get a specific device by type and ID | Yes |

Peripherals

| Method | Path | Description | Auth required |
| --- | --- | --- | --- |
| POST | /perifericos/:tipo | Register a new peripheral of the given type | Yes |
| GET | /componentes | List all peripheral components | Yes |
| GET | /perifericos/:id | Get peripheral detail by ID | Yes |
| PUT | /perifericos/:tipo/:id | Update a peripheral record | Yes |

Locations

| Method | Path | Description | Auth required |
| --- | --- | --- | --- |
| GET | /region | List all regions | Yes |
| GET | /region/:id/estados | List states belonging to a region | Yes |
| GET | /estados/:id/ciudades | List cities belonging to a state | Yes |
| GET | /ubicaciones | List all registered locations | Yes |
| POST | /ubicaciones | Create a new location | Yes |
| GET | /ubicaciones/:id | Get a location by ID | Yes |
| PUT | /ubicaciones/:id | Update a location | Yes |
| DELETE | /ubicaciones/:id | Permanently delete a location | Yes |
| PUT | /ubicaciones/eliminadas/:id | Soft-delete a location | Yes |

Audit Log

| Method | Path | Description | Auth required |
| --- | --- | --- | --- |
| GET | /bitacora | Retrieve the full audit log | Yes |

Export

| Method | Path | Description | Auth required |
| --- | --- | --- | --- |
| GET | /export/tipos | List available export formats and report types | Yes |
| GET | /export/descargar | Download a report as PDF or Excel | Yes |

Password Recovery

| Method | Path | Description | Auth required |
| --- | --- | --- | --- |
| POST | /recuperar-password | Send a password-reset email | No |
| GET | /validar-token | Validate a password-reset token | No |
| POST | /restablecer-password | Set a new password using a valid reset token | No |
