
The /auth/login endpoint validates a user’s email and BCrypt-hashed password, confirms that the account’s email has been verified, and returns a signed HS256 JWT. Include that token in the Authorization header of every subsequent request that requires authentication.

Endpoint

POST http://localhost:8085/auth/login
Authentication: None required.
Content-Type: application/json

Request Body

email (string, required)
  The email address used when the account was registered.
password (string, required)
  The account’s plain-text password. The service compares it against the stored BCrypt hash using PasswordEncoder.matches().

Response Fields

A successful 200 OK response returns an AuthResponse object.

token (string)
  A signed HS256 JWT Bearer token. The token payload contains:
  • sub — the user’s email address (used as the security principal throughout the platform).
  • role — the user’s assigned role (USER or ADMIN).
  • iat — issued-at timestamp.
  • exp — expiration timestamp, exactly 24 hours after issuance.
  Pass this value in the Authorization header as Bearer <token> on all protected endpoints.
authId (number)
  The internal auth-service primary key for the authenticated user.
message (string)
  Confirmation message. Returns "Login Exitoso" on success.

Example

Request

curl -X POST http://localhost:8085/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "ada@digitalmoney.io",
    "password": "S3cure!Pass"
  }'

Response 200 OK

{
  "token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZGFAZGlnaXRhbG1vbmV5LmlvIiwicm9sZSI6IlVTRVIiLCJpYXQiOjE3MjAwMDAwMDAsImV4cCI6MTcyMDA4NjQwMH0.abc123signature",
  "authId": 42,
  "message": "Login Exitoso"
}

Using the Token

Once you receive the token, attach it to every authenticated request via the Authorization header:

curl -X GET http://localhost:8085/users/42 \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9..."

The JWT subject (sub) is the user’s email address. Protected endpoints in the auth service — such as PATCH /auth/change-email and PATCH /auth/change-password — derive the current user’s identity directly from this claim via Authentication.getName(), not from any request body field.
Tokens expire after 24 hours. After expiry, repeat the login flow to obtain a fresh token.
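An added example (not the DigitalMoney project's own code) of what a caller or downstream service should do with this token: decode the documented claim set for inspection, mint a token with the same sub/role/iat/exp layout, and verify alg, signature and exp before trusting sub. The secret and the timestamps are constructed placeholders; the real auth-service key is not on this page.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder; the auth service's real HS256 secret is not on this page.
SECRET = b"constructed-demo-secret-not-the-real-key"
TOKEN_TTL = 24 * 3600  # the docs state tokens expire exactly 24 hours after issuance

# The example token from the Response section above (its signature part is illustrative only).
DOC_TOKEN = ("eyJhbGciOiJIUzI1NiJ9."
             "eyJzdWIiOiJhZGFAZGlnaXRhbG1vbmV5LmlvIiwicm9sZSI6IlVTRVIiLCJpYXQiOjE3MjAwMDAwMDAsImV4cCI6MTcyMDA4NjQwMH0."
             "abc123signature")

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()

def issue_login_token(email: str, role: str, secret: bytes, now: int) -> str:
    """Mint a token with the claim set the login endpoint documents: sub, role, iat, exp (iat + 24h)."""
    claims = {"sub": email, "role": role, "iat": now, "exp": now + TOKEN_TTL}
    header = _b64url_encode(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = _sign(f"{header}.{payload}".encode(), secret)
    return f"{header}.{payload}.{_b64url_encode(signature)}"

def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verification. Fine for debugging, never a basis for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_login_token(token: str, secret: bytes, now=None) -> dict:
    """What a resource server must check before trusting `sub`: alg pinned, signature valid, not expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse 'none' and any algorithm the service never issues
    expected = _sign(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")  # constant-time compare; the docs' sample token fails here
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    return claims
```

peek_claims(DOC_TOKEN) shows the claim set the docs describe, and verify_login_token rejects that same token because its signature was never produced by any key.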

Error Codes

HTTP Status               | Exception                  | Description
400 Bad Request           | UserNotFoundException      | No account exists for the supplied email address.
400 Bad Request           | InvalidPasswordException   | The password does not match the stored BCrypt hash.
403 Forbidden             | EmailNotVerifiedException  | The account exists but the email address has not yet been verified. Complete the verification flow before logging in.
500 Internal Server Error | Exception                  | An unexpected server-side error occurred.

A 403 Forbidden response means the credentials are correct but the account is locked pending email verification. Direct the user to check their inbox and call GET /auth/verify?code= with the code they received at registration.
