FutsalLeague Manager uses a token-based authentication system to protect your account. Before you can access any personalised features — such as voting on match results, following teams, or viewing your prediction ranking — you need to register, verify your email address, and obtain a JWT token. This guide walks you through every step of that process.

Registration

To create a new account, send a POST request to /register with a username, email, and password in the request body. Usernames and email addresses must be unique; the comparison is case-insensitive and accent-insensitive.

1. Submit your details

Send your chosen username, email, and password to the registration endpoint.
POST /register
Content-Type: application/json

{
  "username": "jane_doe",
  "email": "[email protected]",
  "password": "securePassword123"
}
A successful response returns HTTP 201 and a confirmation message:
{
  "message": "Registro exitoso. Por favor, revisa tu correo para verificar tu cuenta.",
  "user": {
    "id": 42,
    "username": "jane_doe",
    "email": "[email protected]",
    "role": "user"
  }
}

2. Check your inbox

You will receive a verification email at the address you provided. The email contains a unique link of the form:
https://your-app.example.com/verify-email?token=<verification_token>
Click the link to verify your account and be automatically logged in.

3. Start using the app

On successful verification, the server issues a JWT token and you are logged in immediately — no separate login step required.
You have 24 hours from the moment of registration to verify your email address. A scheduled background job automatically deletes unverified accounts after this window. If your account is removed, you will need to register again.

Email Verification

Clicking the link in the verification email triggers a GET request to /verify-email/:token. On success, the server marks your account as verified and returns a JWT token so you are logged in straight away:
{
  "message": "Cuenta verificada correctamente. Iniciando sesión...",
  "token": "<jwt_token>"
}
Store this token; you will need to include it in all subsequent authenticated requests (see Using the token below).

Resending the verification email

If the email never arrived or the link expired before you used it, you can request a new one:
POST /resend-verification
Content-Type: application/json

{
  "email": "[email protected]"
}
You can supply either email or username — at least one is required. Note that the original 24-hour deletion window starts from account creation, not from when the resend was requested.

Login

Once your account is verified, log in by posting your credentials to /login. You may use either your username or your email address in the username field.
POST /login
Content-Type: application/json

{
  "username": "jane_doe",
  "password": "securePassword123"
}
A successful response returns your JWT token:
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Error responses

| Status | Meaning |
| --- | --- |
| 401 | Invalid username or password |
| 403 | Account not yet verified, or account has been deactivated |

Using the Token

Include your JWT token in the Authorization header of every request that requires authentication:
GET /user/profile
Authorization: Bearer <your_token>

Token Expiry

Token lifetime depends on your account role:

| Role | Expiry |
| --- | --- |
| user | 7 days |
| admin / referee | 6 hours |

When your token expires you will receive a 401 response. Simply log in again to obtain a fresh token.
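
A client can read the token's expiry ahead of time instead of waiting for the 401. The following is an added example for Node.js, not part of FutsalLeague Manager's own code; it assumes the token carries the standard `exp` claim, and the helper names (`decodeJwtPayload`, `secondsRemaining`, `needsLogin`, `makeSampleToken`) and the sample tokens are constructed for illustration.

```javascript
// Added example: client-side expiry check for the JWT returned by /login or /verify-email.
// Assumption: the token carries the standard `exp` claim (seconds since the epoch).
// Decoding here does NOT verify the signature; only the server can do that.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    // base64url -> base64, then decode the middle (payload) segment
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const payload = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return payload !== null && typeof payload === 'object' ? payload : null;
  } catch {
    return null; // payload segment is not valid JSON
  }
}

// Seconds of validity left; 0 when the token is malformed, has no exp, or is expired.
function secondsRemaining(token, nowMs = Date.now()) {
  const payload = decodeJwtPayload(token);
  if (!payload || !Number.isFinite(payload.exp)) return 0;
  return Math.max(0, Math.floor(payload.exp - nowMs / 1000));
}

// True when the client should go back to POST /login before calling the API.
// skewSeconds covers clock drift between client and server.
function needsLogin(token, nowMs = Date.now(), skewSeconds = 60) {
  return secondsRemaining(token, nowMs) <= skewSeconds;
}

// Constructed sample tokens: placeholder signature, illustrative claims.
function makeSampleToken(role, issuedAtSec) {
  const lifetime = role === 'user' ? 7 * 24 * 3600 : 6 * 3600; // lifetimes from the table above
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'HS256', typ: 'JWT' }),
    enc({ role, iat: issuedAtSec, exp: issuedAtSec + lifetime }),
    'constructed-signature'].join('.');
}

const issuedAt = 1700000000; // constructed timestamp
const userToken = makeSampleToken('user', issuedAt);
const adminToken = makeSampleToken('admin', issuedAt);
console.log(secondsRemaining(userToken, issuedAt * 1000)); // 604800 (7 days)
console.log(needsLogin(adminToken, (issuedAt + 6 * 3600 - 30) * 1000)); // true
```

The decoded claims are only a scheduling hint; a 401 from the server remains the authoritative signal that the token is no longer accepted.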

Password Recovery

If you have forgotten your password, use the two-step recovery flow.

Step 1 — Request a reset link
POST /forgot-password
Content-Type: application/json

{
  "email": "[email protected]"
}
For security, the response is identical whether or not the email is registered:
{
  "message": "Si el correo está registrado, recibirás un enlace de recuperación."
}

Step 2 — Set a new password

Click the link in the recovery email, which takes you to a reset form. Under the hood this calls:
POST /reset-password
Content-Type: application/json

{
  "token": "<reset_token_from_email>",
  "newPassword": "anotherSecurePassword456"
}
Password reset links expire after 15 minutes. If the link has expired, return to the forgot-password page and request a new one.

Rate Limiting

All authentication endpoints (/register, /login, /forgot-password, /resend-verification) are protected by a rate limiter: a maximum of 10 attempts per IP address per 15-minute window. If you exceed this limit, you will receive a 429 response and must wait before trying again.
