Avanzar delegates all authentication to Better Auth, which exposes its own handler atDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/ItsJhonAlex/Ecommerce/llms.txt
Use this file to discover all available pages before exploring further.
/api/auth/*. Authentication is cookie-based, not token-based — there are no Authorization: Bearer headers. When a user signs in, Better Auth sets an HTTP session cookie that the browser (or HTTP client) attaches automatically to every subsequent request. Because the API enables credentials: true in its CORS configuration, clients must also send credentials with cross-origin requests.
Sign Up
Create a new account by sending the user’s name, email, and password to the Better Auth email-and-password endpoint:role field is not accepted from the client at sign-up. Better Auth is configured with input: false on the role field, so it is always set to customer server-side regardless of what the request body contains. Roles can only be changed by staff or admin users after account creation.
Sign In
Exchange credentials for a session cookie:better-auth.session_token cookie in the browser. All subsequent requests from the same browser session are authenticated automatically — no extra headers are required.
Sign Out
Invalidate the current session and clear the session cookie:Making Authenticated Requests
Browsers handle the session cookie transparently once it is set. For server-to-server calls, automated scripts, or CLI testing, pass the cookie explicitly using theCookie header:
<your-token> with the value of the better-auth.session_token cookie captured from a sign-in response.
Admin Access
Routes under/api/v1/admin/ are protected by requireAdmin middleware, which validates that the authenticated user holds the admin or staff role (as defined in the user_role enum: customer, staff, admin).
The first admin account is provisioned by running the seed script:
Better Auth also provides additional endpoints at
/api/auth/* for session management, email verification, password reset, and more. Consult the Better Auth documentation for the complete list of available endpoints and configuration options.Error Responses
Protected routes return one of two error shapes depending on the failure reason: No valid session —401 Unauthorized:
403 Forbidden: