NISIRA Assistant uses JSON Web Tokens (JWT) for all API authentication. The flow is straightforward: register or log in to receive an access token and a refresh token, attach the access token as aDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/HugoX2003/nisira-assistant/llms.txt
Use this file to discover all available pages before exploring further.
Bearer header on every protected request, and use the refresh endpoint to silently renew it before it expires. All four auth endpoints are publicly accessible — no prior token is needed.
Register a New User
POST /api/auth/register/
Creates a new user account. The endpoint applies strict server-side validation before persisting the user.
Validation Rules
Must be 3–20 characters. Only letters, numbers, and underscores (
_) are allowed. Must start with a letter. Must be unique across all accounts.Must be a valid email format matching the pattern
local@domain.tld. No consecutive dots (..) allowed. Must be unique across all accounts.Minimum 6 characters. Must contain at least one letter and at least one number.
Example Request
Successful Response — 201 Created
Error Responses
| HTTP | error value |
|---|---|
400 | "El nombre de usuario es requerido" |
400 | "El nombre de usuario debe tener al menos 3 caracteres" |
400 | "El nombre de usuario no puede tener más de 20 caracteres" |
400 | "El nombre de usuario solo puede contener letras, números y guion bajo (_)" |
400 | "El nombre de usuario debe comenzar con una letra" |
400 | "El formato del email no es válido" |
400 | "El email no puede contener puntos consecutivos (..)" |
400 | "La contraseña debe tener al menos 6 caracteres" |
400 | "La contraseña debe contener al menos una letra y un número" |
400 | "El nombre de usuario ya está en uso" |
400 | "El email ya está registrado" |
Login
POST /api/auth/login/
Authenticates an existing user and returns a JWT token pair together with the full user object. This is the recommended login endpoint because it includes user profile data alongside the tokens.
Request Body
The account’s username.
The account’s password.
Example Request
Successful Response — 200 OK
Short-lived access token. Valid for 24 hours. Attach this to the
Authorization header on all protected requests.Long-lived refresh token. Valid for 7 days. Use it to obtain new access tokens without re-entering credentials.
Unique numeric identifier for the authenticated user.
The account’s username.
The account’s email address.
First name (empty string if not set).
Last name (empty string if not set).
Error Responses
| HTTP | error value |
|---|---|
400 | "Por favor ingresa tu usuario y contraseña" |
400 | "Por favor ingresa tu nombre de usuario" |
400 | "Por favor ingresa tu contraseña" |
401 | "El usuario no existe. Verifica tu nombre de usuario o regístrate" |
401 | "Contraseña incorrecta. Intenta nuevamente" |
403 | "Tu cuenta está desactivada. Contacta al administrador" |
Obtain Token Pair (JWT Standard)
POST /api/auth/token/
The standard djangorestframework-simplejwt obtain-pair endpoint. Returns the same access and refresh tokens as the login endpoint, but without the user object. Suitable for integrations that need a pure JWT flow.
Request Body
The account’s username.
The account’s password.
Example Request
Successful Response — 200 OK
Refresh Access Token
POST /api/auth/refresh/
Exchanges a valid refresh token for a new access token. Because ROTATE_REFRESH_TOKENS is enabled, a new refresh token is also issued and the old one is blacklisted immediately.
Request Body
A valid, unexpired refresh token obtained from the login or token-pair endpoint.
Example Request
Successful Response — 200 OK
A fresh access token valid for another 24 hours.
Using the Token on Protected Requests
Once you hold an access token, attach it to every protected API call using the standardAuthorization header:
Token Lifetimes (from settings.py)
| Token | Lifetime | Setting key |
|---|---|---|
| Access token | 24 hours | ACCESS_TOKEN_LIFETIME = timedelta(hours=24) |
| Refresh token | 7 days | REFRESH_TOKEN_LIFETIME = timedelta(days=7) |
HS256. The user_id claim inside the token payload identifies the authenticated user.
Frontend Token Handling
The React frontend (src/services/api.js) manages tokens automatically using its TokenManager class:
- On login, both
accessandrefreshtokens are saved tolocalStorageunder the keystokenandrefresh. - An Axios request interceptor appends
Authorization: Bearer <token>to every outbound request that is not an auth endpoint. - A response interceptor catches
401responses and transparently calls/api/auth/refresh/to obtain a new access token, then retries the original request — all without user intervention. - If the refresh itself fails (e.g. the refresh token has expired), both tokens are cleared from
localStorageand the error is propagated to the caller.
Document-Serving Token Passthrough
GET /api/documents/<filename>/
File serving supports two authentication modes because browsers cannot attach custom headers to <iframe src="..."> or <embed> elements used for inline PDF viewing.
| Mode | How to pass the token |
|---|---|
| Standard API call | Authorization: Bearer <access_token> header |
| PDF iframe / embed | ?token=<access_token> query parameter |
The
?token= parameter enables browsers to navigate directly to a specific page inside the PDF (via the #page=N URL fragment) while still validating the JWT. The server validates the token identically in both modes using JWTAuthentication.