The Comunidades Vecinos API uses JSON Web Tokens (JWT) signed with HMAC-SHA256. Authentication is entirely stateless: the server never stores session data, and every request is authorised solely by verifying the signature and claims embedded in the token. You obtain a token by posting credentials to POST /api/login, then attach that token to all subsequent requests via the Authorization header.
Login

POST /api/login

Validates the supplied credentials against the database, checks that the account is active, and — if successful — returns a signed JWT as a plain-text string.

This is the only endpoint that does not require a token. All other paths return 401 Unauthorized without a valid Authorization: Bearer <token> header.

Request
- The email address associated with the user’s account.
- The user’s plain-text password. The backend compares it against a BCrypt hash stored in the database.
Responses

- A raw JWT string — not JSON-wrapped. Store this value and include it in the Authorization header of every subsequent request.
- Returned when the credentials are wrong or the account has been deactivated.
Using the token

Include the token returned by /api/login in every subsequent request using the Authorization header with the Bearer scheme, i.e. Authorization: Bearer <token>.
JWT claims

Every token issued by the API carries the following claims in its payload:

| Claim | Type | Description |
|---|---|---|
| sub | string | The user’s email address (JWT standard subject). |
| idUsuario | long | The user’s primary key in the usuarios table. |
| idComunidad | long | The ID of the community the user belongs to. |
| rol | string | The user’s role string (see values below). |
| iat | timestamp | Issued-at time (set automatically). |
| exp | timestamp | Expiry time — 24 hours after issuance. |
Role values

| rol claim value | Description |
|---|---|
| USER | Regular resident (vecino). |
| ADMIN | Community administrator (e.g. president, treasurer). |
| SUPER_ADMIN | Platform manager with access across all communities. |
The backend reads idUsuario, idComunidad, and rol directly from the JWT claims on every request. There is no secondary database call to look up the user’s identity during authentication filter processing.

First-login password change

Every new user account is created with cambiarPass = true. Until the user changes their password, the getAuthorities() method on the Usuario entity returns ROLE_PRE_AUTH instead of their actual role — regardless of what role the database record holds.
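As an added example (not the project's own code), the following Python models the stateless check described above and the ROLE_PRE_AUTH gate: it mints an HS256 token with the documented claim set, then verifies signature and expiry with no database lookup and reports whether the token is a first-login one. The secret, e-mail addresses and IDs are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"demo-hmac-secret-not-the-real-one"  # constructed; the real key is server config
TOKEN_LIFETIME = 24 * 60 * 60  # exp is 24 hours after iat, as documented


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret, email, id_usuario, id_comunidad, rol, now=None):
    """Mint an HS256 token carrying the claim set the API documents."""
    iat = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": email, "idUsuario": id_usuario, "idComunidad": id_comunidad,
               "rol": rol, "iat": iat, "exp": iat + TOKEN_LIFETIME}
    compact_header = json.dumps(header, separators=(",", ":")).encode()
    signing_input = _b64url(compact_header) + "." + _b64url(
        json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(secret, token, now=None):
    """Stateless check: pin alg to HS256, constant-time signature compare, enforce exp."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    # Only the claims the filter relies on; identity comes from the token, not the DB.
    return {k: claims[k] for k in ("sub", "idUsuario", "idComunidad", "rol")}


def needs_password_change(claims):
    """A first-login token carries ROLE_PRE_AUTH in rol until cambiarPass is cleared."""
    return claims["rol"] == "ROLE_PRE_AUTH"
```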
First login

The user calls POST /api/login with their temporary credentials. The response is a valid JWT — but with ROLE_PRE_AUTH embedded in the rol claim.

Change password

The user immediately calls PATCH /api/usuarios/pass with oldPassword (the temporary one) and newPassword. The backend sets cambiarPass = false and saves the record.

Token storage (frontend)

The React frontend that ships with Comunidades Vecinos stores the JWT in localStorage under the key token: