CruciDrive delegates all authentication to Supabase Auth — the backend never stores passwords or issues its own tokens. Every REST endpoint except the public OTP flow requires an Authorization: Bearer <token> header containing a valid Supabase-issued JWT. If the header is missing, malformed, or the token is expired, the server returns a 401 before any controller logic runs.
Obtaining a token
CruciDrive uses a passwordless Phone OTP flow. Users identify themselves by their Ecuadorian mobile number and a one-time code delivered by SMS. There are no passwords involved at any step. Supabase expects the number in E.164 format (for Ecuador, +593 followed by the mobile number without its leading 0); a locally formatted number is rejected before any SMS is sent.
Step 1 — Send OTP: call supabase.auth.signInWithOtp({ phone }). Supabase sends a 6-digit code to the number via SMS.
Step 2 — Verify OTP: call supabase.auth.verifyOtp({ phone, token, type: 'sms' }). On success, Supabase returns a session object containing the access_token you pass to every API request.
Using the token in API calls
Include the access_token as a Bearer token in the Authorization header of every request. The example below registers a new passenger profile immediately after OTP verification:
Token validation flow
Every protected route passes through authMiddleware before reaching the controller. The middleware performs the following steps:
- Reads the Authorization header and asserts it starts with Bearer.
- Extracts the raw token string.
- Calls supabase.auth.getUser(token) — Supabase validates the signature and expiry server-side.
- If valid, attaches the returned user object to req.user and calls next().
- On any failure, it short-circuits with a 401 error response.
Role-restricted routes additionally pass through roleMiddleware, which runs after authMiddleware and can therefore rely on req.user. It queries public.perfiles for the authenticated user's rol and rejects the request with 403 if the role is not in the allowed list for that route (or with 404 if no profile row exists for that user at all).
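The validation flow above, written out as Express-style middleware. This is an added example, not CruciDrive's own authMiddleware or roleMiddleware; the Supabase client is injected so the logic can be run offline against a constructed fake. The sendError() helper and its JSON shape stand in for response.js and are assumptions, as is the guess that public.perfiles is keyed by the auth user id in a column named id.

```javascript
// Added example, not CruciDrive's own code: Express-style authMiddleware and
// roleMiddleware that follow the validation flow described above. The Supabase
// client is injected so the logic runs offline against a fake client.
// Assumptions (not taken from the page): sendError() stands in for response.js and
// its JSON shape is invented; public.perfiles is keyed by the auth user id in `id`.

function sendError(res, status, message, details) {
  const body = { success: false, error: message };
  if (details !== undefined) body.details = details; // omitted when there is none
  return res.status(status).json(body);
}

// Raw token from "Authorization: Bearer <token>", or null when the header is
// absent, not a string, or does not start with "Bearer".
function extractBearerToken(header) {
  if (typeof header !== 'string') return null;
  const m = /^Bearer\s+(\S+)$/.exec(header.trim());
  return m ? m[1] : null;
}

function createAuthMiddleware(supabase) {
  return async function authMiddleware(req, res, next) {
    const token = extractBearerToken(req.headers && req.headers.authorization);
    if (!token) return sendError(res, 401, 'Missing or malformed Authorization header');
    try {
      // Supabase checks signature and expiry server-side; no local JWT parsing.
      const { data, error } = await supabase.auth.getUser(token);
      if (error || !data || !data.user) return sendError(res, 401, 'Invalid or expired token');
      req.user = data.user;
      return next();
    } catch (err) {
      return sendError(res, 401, 'Token validation failed'); // any failure short-circuits
    }
  };
}

// Runs after authMiddleware, so req.user is already populated.
function createRoleMiddleware(supabase, allowedRoles) {
  return async function roleMiddleware(req, res, next) {
    if (!req.user) return sendError(res, 401, 'Not authenticated');
    const { data, error } = await supabase
      .from('perfiles').select('rol').eq('id', req.user.id).maybeSingle();
    if (error) return sendError(res, 500, 'Profile lookup failed', error.message);
    if (!data) return sendError(res, 404, 'No matching profile in public.perfiles');
    if (!allowedRoles.includes(data.rol)) {
      return sendError(res, 403, 'Role not permitted on this route', { rol: data.rol });
    }
    return next();
  };
}

// --- Constructed offline stand-ins (fake Supabase client and fake req/res) ---
const VALID_TOKEN = 'valid.sample.token'; // constructed sample, not a real JWT
const fakeSupabase = {
  auth: {
    async getUser(token) {
      return token === VALID_TOKEN
        ? { data: { user: { id: 'user-1' } }, error: null }
        : { data: { user: null }, error: { message: 'invalid JWT' } };
    },
  },
  from(table) {
    const rows = { 'user-1': { rol: 'pasajero' } }; // constructed sample profile row
    let lookupId;
    const query = {
      select() { return query; },
      eq(_column, value) { lookupId = value; return query; },
      async maybeSingle() {
        if (table !== 'perfiles') return { data: null, error: { message: 'unknown table' } };
        return { data: rows[lookupId] || null, error: null };
      },
    };
    return query;
  },
};

// Runs a middleware against a minimal fake req/res and reports what happened.
async function runMiddleware(middleware, req) {
  const out = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { out.status = code; return res; },
    json(payload) { out.body = payload; return res; },
  };
  await middleware(req, res, () => { out.nextCalled = true; });
  return out;
}
```

Wire it up as app.use(createAuthMiddleware(supabase)) for all protected routes and add createRoleMiddleware(supabase, ['conductor']) per route. Note that the profile lookup must use the id from the verified token, never an id taken from the request body or query string, otherwise a valid but low-privilege token could be paired with somebody else's role.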
Error responses
All errors across the API share a single JSON shape produced by response.js. The details field is omitted when there is no additional context to surface.
Common authentication errors
| HTTP status | Scenario |
|---|---|
| 401 | Authorization header is absent or does not start with Bearer |
| 401 | Token is invalid, malformed, or has expired |
| 403 | Token is valid but the user's role is not permitted on this route |
| 404 | Token is valid but no matching profile exists in public.perfiles |
Supabase access tokens expire according to your project's session configuration (default: 1 hour). When your app receives a 401, attempt a silent refresh with supabase.auth.refreshSession() and retry the original request with the new access_token. Retry at most once: if the refresh itself fails (the refresh token is missing, expired, or revoked), the user has to go through the OTP flow again, and retrying in a loop would only produce more 401s. A 403 or 404 is not a token problem, so refreshing does not help there.
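A client-side wrapper that covers both points above, sending the access_token as a Bearer token on every call and refreshing once on a 401 before retrying. This is an added example, not CruciDrive's client code; the '/api/perfiles' path, the request body, and the fake server's error JSON are assumptions, and both the Supabase client and fetch are injected so the flow can be exercised offline with constructed stand-ins.

```javascript
// Added example, not CruciDrive's own code: a client-side wrapper that sends the
// Supabase access_token as a Bearer token and, on a 401, refreshes the session once
// with supabase.auth.refreshSession() and retries. supabase and fetch are injected
// so the flow runs offline. Assumptions (not from the page): the path '/api/perfiles',
// the request body, and the fake server's JSON error shape.

async function authedFetch(supabase, fetchImpl, url, init = {}) {
  const { data, error } = await supabase.auth.getSession();
  if (error || !data || !data.session) {
    throw new Error('No active session: complete the phone OTP flow first');
  }
  const send = (accessToken) =>
    fetchImpl(url, {
      ...init,
      headers: {
        ...(init.headers || {}),
        'Content-Type': 'application/json',
        Authorization: `Bearer ${accessToken}`,
      },
    });

  const first = await send(data.session.access_token);
  if (first.status !== 401) return first; // 403/404 are not token problems: no retry

  // Access token likely expired (default 1 h): silent refresh, then retry once only.
  const refreshed = await supabase.auth.refreshSession();
  if (refreshed.error || !refreshed.data || !refreshed.data.session) {
    return first; // refresh token invalid/revoked: caller must restart the OTP flow
  }
  return send(refreshed.data.session.access_token);
}

// Registers a passenger profile right after OTP verification (endpoint assumed).
async function registerPassenger(supabase, fetchImpl, profile) {
  const res = await authedFetch(supabase, fetchImpl, '/api/perfiles', {
    method: 'POST',
    body: JSON.stringify(profile),
  });
  return { status: res.status, body: await res.json() };
}

// --- Constructed offline stand-ins (not real tokens, not CruciDrive's server) ---
function makeFakeSupabase({ refreshSucceeds }) {
  let current = 'expired.sample.token'; // constructed, not a real JWT
  return {
    auth: {
      async getSession() {
        return { data: { session: { access_token: current } }, error: null };
      },
      async refreshSession() {
        if (!refreshSucceeds) {
          return { data: { session: null }, error: { message: 'refresh_token_not_found' } };
        }
        current = 'fresh.sample.token';
        return { data: { session: { access_token: current } }, error: null };
      },
    },
  };
}

// Fake server: only the fresh token is accepted; records every call for inspection.
function makeFakeFetch() {
  const calls = [];
  const fetchImpl = async (url, init) => {
    const auth = init.headers.Authorization;
    calls.push({ url, auth });
    const ok = auth === 'Bearer fresh.sample.token';
    return {
      status: ok ? 201 : 401,
      async json() {
        return ok
          ? { success: true, data: JSON.parse(init.body) }
          : { success: false, error: 'Invalid or expired token' }; // assumed shape
      },
    };
  };
  return { fetchImpl, calls };
}
```

In a real app you would call registerPassenger(supabase, fetch, { ... }) right after verifyOtp resolves. The single-retry rule matters: a revoked session also answers 401, and an unbounded retry loop would hammer both the API and Supabase's refresh endpoint without ever recovering.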