Kantuta POS Backend secures its API with JSON Web Tokens (JWT). Every protected endpoint requires a short-lived access token passed as a Bearer token in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Eleazarguitar18/kantuta_pos_back/llms.txt
Use this file to discover all available pages before exploring further.
Authorization header. When the access token expires, a separate long-lived refresh token can be exchanged for a new one without re-entering credentials. On top of token authentication, a role-based access control system (RBAC) restricts sensitive operations to the appropriate user roles — Administrador or Operador.
JWT Authentication Flow
Login — obtain both tokens
Send a Response:
POST request to /auth/login with your credentials. On success, the server returns an access_token and a refresh_token.Attach the access token to every request
Include the access token as a Bearer token in the
Authorization header of all subsequent requests.Handle 401 — refresh the access token
When the server returns a Response:
401 Unauthorized (access token expired), call /auth/refresh_token using the refresh token as the Bearer value.Access Token vs Refresh Token
| Access Token | Refresh Token | |
|---|---|---|
| Purpose | Authenticate individual API requests | Obtain a new access token after expiry |
| Lifetime | Short (minutes to hours — set via JWT_EXPIRATION) | Longer (days — set via JWT_REFRESH_EXPIRATION) |
| Where to store | In-memory or sessionStorage | localStorage or a secure HttpOnly cookie |
| Sent to | Every protected API endpoint | Only /auth/refresh_token |
Using the Token
All protected routes require theAuthorization header in this exact format:
Public Routes
Routes decorated with@Public() skip the AuthGuard entirely. The decorator works by setting the isPublic metadata key, which the guard checks before attempting token verification:
Authorization header:
| Method | Path | Purpose |
|---|---|---|
POST | /auth/login | Obtain access + refresh tokens |
POST | /auth/refresh_token | Exchange refresh token for new access token |
POST | /auth/reset/code | Request a password-reset code by email |
POST | /auth/confirm-code | Verify the password-reset code |
POST | /auth/reset-confirm | Set a new password after code confirmation |
POST | /usuario/register | Register a new user account |
Role-Based Access Control
Kantuta POS defines two built-in roles:Administrador
Role ID: 1 — Full, unrestricted access to every endpoint. The
RolesGuard short-circuits and returns true for any user with roleId === 1, roleName === 'admin', or roleName === 'Administrador'.Operador
Role ID: 2 — Access to operational endpoints (sales, cash sessions, agent transactions). Blocked from administrative-only routes.
@Roles() decorator:
RolesGuard reads the ROLES_KEY metadata and compares it against the roleName / roleId stored in request.user (populated by AuthGuard):
Password Reset Flow
Request a reset code
Send the user’s email address. The backend generates a random 6-character alphanumeric code, stores it in Redis with a 15-minute TTL, and delivers it to the inbox via the MailModule.Response:
Verify the code
Submit the email and the code from the inbox. The backend validates the code against the Redis entry.Response:
The 6-character code expires after 15 minutes. If the user does not complete the flow within that window, they must request a new code from step 1.
Change Password (Authenticated)
An already-authenticated user can change their own password without going through the reset code flow:@Public() decorator is not applied here.
Axios Interceptor for Auto-Refresh (TypeScript)
The following pattern handles token injection and transparent refresh in a React + TypeScript frontend, based on the official integration guide:Auth Endpoint Reference
POST /auth/login — Iniciar sesión
POST /auth/login — Iniciar sesión
Public. Returns
access_token, refresh_token, and the full Usuario object.POST /auth/refresh_token — Refrescar token
POST /auth/refresh_token — Refrescar token
Public. Pass the refresh token as a Bearer token in the
Authorization header (no request body needed). Returns a new access_token.GET /auth/roles/list — Listar roles (autenticado)
GET /auth/roles/list — Listar roles (autenticado)
Requires authentication. Returns all available roles from the database.
GET /auth — Listar usuarios (autenticado)
GET /auth — Listar usuarios (autenticado)
Requires authentication. Administrative endpoint to list all registered user accounts.