Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Esteban-Mendez-j/Proyecto-Docker/llms.txt

Use this file to discover all available pages before exploring further.

SearchJobs uses cookie-based JWT authentication. When you log in, the server generates a signed JWT and stores it in an HttpOnly cookie named jwtToken. All subsequent requests send this cookie automatically — you never need to manage tokens or set Authorization headers manually.

Overview

The authentication flow works as follows:
  1. You submit credentials to POST /api/usuarios/login.
  2. On success, the server sets a jwtToken HttpOnly cookie on the response.
  3. Your browser sends that cookie with every request automatically.
  4. The server validates the cookie on each request and establishes your security context.
  5. To end the session, call POST /api/usuarios/cerrarSesion, which clears both the jwtToken and JSESSIONID cookies.

Login

Submit credentials as application/x-www-form-urlencoded form data. The username field must be the user’s email address. 
POST /api/usuarios/login
Content-Type: application/x-www-form-urlencoded
username
string
required
The user’s email address.
password
string
required
The user’s password.
On success, the server sets a jwtToken cookie (HttpOnly, Secure, SameSite=None, Path=/, Max-Age=3600) and returns a JSON body with the authenticated user’s roles.
roles
string[]
All roles assigned to the authenticated user (e.g., ["ROLE_CANDIDATO"]).
rolPrincipal
string
The user’s primary role. One of CANDIDATO, EMPRESA, ADMIN, or SUPER_ADMIN.
curl -c cookies.txt -X POST https://searchjobs.up.railway.app/api/usuarios/login \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "username=usuario@email.com&password=mypassword"
Example response: 
{
  "roles": ["ROLE_CANDIDATO"],
  "rolPrincipal": "CANDIDATO"
}
Credentials are rejected with a non-2xx status if the email or password is incorrect. The response body will not contain role information.

Logout

Invalidates the current HTTP session and clears both the jwtToken and JSESSIONID cookies by setting them to Max-Age=0. 
POST /api/usuarios/cerrarSesion
No request body is required. The cookie is read from the incoming request automatically.
status
number
HTTP status code 401, indicating the session is now closed.
mensaje
string
A confirmation message. Value: "Sesión Cerrada".
curl -b cookies.txt -X POST https://searchjobs.up.railway.app/api/usuarios/cerrarSesion
Example response: 
{
  "status": 401,
  "mensaje": "Sesión Cerrada"
}

Token validation

The JWT is validated automatically on every request via the jwtToken cookie. You do not need to set an Authorization header — the browser sends the cookie transparently. The server verifies the token’s signature using HMAC256 and confirms the issuer. If the token is valid, your identity and roles are established for that request. If the token is missing or invalid, you are treated as an unauthenticated visitor (ROLE_INVITADO).

Getting the current user’s role

You can query the authenticated user’s role at any time without side effects. 
GET /api/usuarios/rol
This endpoint does not require authentication. If the jwtToken cookie is absent or invalid, it returns ROLE_INVITADO instead of an error.
rolPrincipal
string
The user’s primary role. One of CANDIDATO, EMPRESA, ADMIN, SUPER_ADMIN, or ROLE_INVITADO when not authenticated.
roles
string[]
All roles assigned to the user. Contains only ROLE_INVITADO when not authenticated.
id
number
The authenticated user’s numeric ID. Not present when the user is not authenticated.
curl -b cookies.txt https://searchjobs.up.railway.app/api/usuarios/rol
Example response (authenticated): 
{
  "rolPrincipal": "CANDIDATO",
  "roles": ["ROLE_CANDIDATO"],
  "id": 42
}
Example response (not authenticated): 
{
  "rolPrincipal": "ROLE_INVITADO",
  "roles": ["ROLE_INVITADO"]
}

Token expiration

Token lifetime is controlled by the JWT_EXPIRATION environment variable, which specifies the duration in milliseconds. A value of 86400000 (24 hours) is recommended for production. When a token expires, the next request to a protected endpoint returns 401 Unauthorized. The user must log in again to obtain a new token. There is no refresh mechanism — re-authentication is required.

Error responses

StatusErrorCause
401 UnauthorizedTOKEN_EXPIREDThe jwtToken cookie is present but has expired.
401 UnauthorizedINVALID_TOKENThe token signature is invalid or the payload is malformed.
401 Unauthorized(no body)Credentials were rejected during login.
Example error body: 
{ "error": "TOKEN_EXPIRED" }

{ "error": "INVALID_TOKEN", "message": "The Token has expired on ..." }

Build docs developers (and LLMs) love

Get started for freeTalk to us