La Oficina Nítida uses a stateless JWT authentication model layered on top of a stateful refresh-token store. Every user session produces two tokens: a short-lived access token that is sent with every API request, and a longer-lived refresh token that is kept securely by the client and used only to obtain new token pairs. Because all data in the platform is scoped to a tenant, both the login flow and the JWT payload carry the tenant context so that the API can enforce strict data isolation on every request.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Glemynart/SaaS/llms.txt
Use this file to discover all available pages before exploring further.
How to authenticate requests
Include the access token as aBearer credential in the Authorization header of every protected API call:
401 Unauthorized response. The JwtAuthGuard extracts the sub (userId), tenantId, rol, and email claims from the verified payload and attaches them to the request context, where downstream guards and handlers can read them.
Token lifetimes
| Token | Lifetime | Notes |
|---|---|---|
| Access token | 15 minutes | Short-lived; keep in memory only |
| Refresh token | 7 days | Single-use; rotate on every call to /auth/refresh |
base64(tokenId:secret)) whose bcrypt hash is stored in the refresh_tokens table — the raw secret is never persisted.
Multi-tenant authentication
The platform is multi-tenant by design: the same email address can exist in multiple organizations simultaneously because the uniqueness constraint is(tenantId, email), not email alone. This means every authentication request must identify both the user and the organization:
POST /auth/loginrequiresemail,passwordPlain, andtenantNit.POST /auth/forgot-passwordrequiresemailandtenantNitfor the same reason.
tenantNit is the Colombian NIT (tax identification number) of the organization, without the check digit.
Rate limits
Rate limiting is applied per IP address on all authentication endpoints using the NestJS Throttler module.| Endpoint | Limit |
|---|---|
POST /auth/register | 3 requests / minute |
POST /auth/login | 5 requests / minute |
POST /auth/refresh | 10 requests / minute |
POST /auth/forgot-password | 3 requests / hour |
POST /auth/reset-password | 5 requests / 15 minutes |
429 Too Many Requests. The limits are configured independently per endpoint, so a burst of login attempts does not consume the refresh-token budget.
Explore the endpoints
Register
Create a new organization and its first ADMIN user in one atomic operation.
Login
Authenticate with email, password, and tenantNit to receive JWT tokens.
Refresh
Rotate an expiring token pair using a valid refresh token.
Password Reset
Two-step password recovery: request a reset email, then set a new password.
Error codes
| Code | Meaning |
|---|---|
401 Unauthorized | Missing, invalid, or expired access token; also returned for wrong credentials on login |
403 Forbidden | Token is valid but the user’s role does not have permission for the operation |
429 Too Many Requests | Rate limit exceeded for the endpoint |