Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Glemynart/SaaS/llms.txt

Use this file to discover all available pages before exploring further.

La Oficina Nítida uses a stateless JWT authentication model layered on top of a stateful refresh-token store. Every user session produces two tokens: a short-lived access token that is sent with every API request, and a longer-lived refresh token that is kept securely by the client and used only to obtain new token pairs. Because all data in the platform is scoped to a tenant, both the login flow and the JWT payload carry the tenant context so that the API can enforce strict data isolation on every request.

How to authenticate requests

Include the access token as a Bearer credential in the Authorization header of every protected API call:
Authorization: Bearer {accessToken}
Requests to protected endpoints that are missing this header, or that carry an expired or tampered token, receive a 401 Unauthorized response. The JwtAuthGuard extracts the sub (userId), tenantId, rol, and email claims from the verified payload and attaches them to the request context, where downstream guards and handlers can read them.

Token lifetimes

TokenLifetimeNotes
Access token15 minutesShort-lived; keep in memory only
Refresh token7 daysSingle-use; rotate on every call to /auth/refresh
Access tokens are signed JWTs and are never stored server-side. Refresh tokens are opaque strings (base64(tokenId:secret)) whose bcrypt hash is stored in the refresh_tokens table — the raw secret is never persisted.

Multi-tenant authentication

The platform is multi-tenant by design: the same email address can exist in multiple organizations simultaneously because the uniqueness constraint is (tenantId, email), not email alone. This means every authentication request must identify both the user and the organization:
  • POST /auth/login requires email, passwordPlain, and tenantNit.
  • POST /auth/forgot-password requires email and tenantNit for the same reason.
tenantNit is the Colombian NIT (tax identification number) of the organization, without the check digit.

Rate limits

Rate limiting is applied per IP address on all authentication endpoints using the NestJS Throttler module.
EndpointLimit
POST /auth/register3 requests / minute
POST /auth/login5 requests / minute
POST /auth/refresh10 requests / minute
POST /auth/forgot-password3 requests / hour
POST /auth/reset-password5 requests / 15 minutes
Exceeding a limit returns 429 Too Many Requests. The limits are configured independently per endpoint, so a burst of login attempts does not consume the refresh-token budget.

Explore the endpoints

Register

Create a new organization and its first ADMIN user in one atomic operation.

Login

Authenticate with email, password, and tenantNit to receive JWT tokens.

Refresh

Rotate an expiring token pair using a valid refresh token.

Password Reset

Two-step password recovery: request a reset email, then set a new password.

Error codes

CodeMeaning
401 UnauthorizedMissing, invalid, or expired access token; also returned for wrong credentials on login
403 ForbiddenToken is valid but the user’s role does not have permission for the operation
429 Too Many RequestsRate limit exceeded for the endpoint

Build docs developers (and LLMs) love