Digital Money House uses JSON Web Tokens (JWT) for all API authentication. Every protected endpoint requires a signed Bearer token issued by the auth-service. Tokens are generated with the HS256 algorithm, carry the authenticated user’s email as the subject, embed the user’s role, and expire 24 hours after they are issued. This page walks through the full lifecycle — from creating an account to attaching the token to every API call.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Gianluca-X/DigitalMoney/llms.txt
Use this file to discover all available pages before exploring further.
Authentication Flow
Register a new user
Create your user account by sending a
POST request to /users/register. Supply your personal details in the request body. A successful call returns a 201 Created response with your new user record.Verify your email address
After registration the auth-service sends a verification email to the address you provided. Check your inbox and click the verification link, or call the verification endpoint directly with the code from the email:
Login attempts made before email verification is complete will be rejected with 403 Forbidden and an
EmailNotVerifiedException error.Log in and receive your JWT token
Once your email is verified, exchange your credentials for a JWT token:A successful login returns a JSON response containing the token:Copy the value of
token — you will include it in every subsequent request.JWT Token Details
Tokens are produced byJwtUtil in the auth-service and signed with a shared secret configured via jwt.secret. The key properties of every token are:
| Property | Value |
|---|---|
| Algorithm | HS256 |
Subject (sub) | User’s email address |
| Role claim | role (e.g. "USER" or "ADMIN") |
Issued at (iat) | Current UTC timestamp |
Expiry (exp) | Issued-at + 86 400 000 ms (24 hours) |
How the Token is Validated
Auth-service filter
TheJwtAuthFilter in the auth-service runs on every request (except /auth/login and /auth/register). It:
- Reads the
Authorizationheader. - Strips the
Bearerprefix to extract the raw token string. - Calls
JwtUtil.getUsernameFromToken()to extract the email subject. - Loads user details from the database and verifies the token signature with
JwtUtil.isValidToken(). - Sets the authenticated principal in Spring Security’s
SecurityContextHolder.
API Gateway filter
The Spring Cloud Gateway passes theAuthorization header through to every downstream service unchanged via JwtGatewayFilter:
Accounts-service filter
JwtAuthenticationFilter in the accounts-service parses the JWT directly (it does not call the auth-service). It extracts the role claim (or falls back to a roles list), builds the corresponding Spring Security GrantedAuthority list, and looks up the matching Account entity by the email subject before admitting the request.
Role-Based Access Control
Every user has one of two roles embedded in their JWT:| Role | Access |
|---|---|
ROLE_USER | Can only read and modify their own data. |
ROLE_ADMIN | Can access and modify data for any account or user. |
checkOwnerOrAdmin pattern. Here is the canonical implementation from the user-service:
DELETE /users/delete/{userId} will succeed only if the authenticated user is the owner of that record or an admin.
Internal Service-to-Service Tokens
Some endpoints — such asPOST /accounts/create — are called by other microservices rather than by external clients. These inter-service calls authenticate with a static internal.token value configured in application.properties:
Token Expiry and Refresh
Tokens are valid for exactly 24 hours from the moment they are issued. There is no refresh-token endpoint — once a token expires, the user must log in again withPOST /auth/login to obtain a new one.
