The Maleku System API uses JWT (JSON Web Token) Bearer authentication. When you register or log in, the API returns anDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/IvanchoDev89/maleku-system/llms.txt
Use this file to discover all available pages before exploring further.
access_token and a refresh_token. Include the access token in the Authorization: Bearer header of every request that requires authentication. Access tokens are short-lived (60 minutes by default); use the refresh token to obtain a new access token before expiry without requiring the user to log in again. Tokens are signed with HS256 using a server-side secret and validated on every request. Revoked tokens (after logout or password change) are tracked in a Redis blacklist.
Token Types
| Token | Lifetime | Algorithm | Purpose |
|---|---|---|---|
| Access token | 60 minutes (configurable via ACCESS_TOKEN_EXPIRE_MINUTES) | HS256 | Authenticate API requests via Authorization header |
| Refresh token | 7 days (configurable via REFRESH_TOKEN_EXPIRE_DAYS) | HS256 | Obtain a new access token without re-authenticating |
Token rotation is enforced on refresh: each call to
POST /auth/refresh invalidates the old refresh token and issues a brand new pair. Store the latest refresh token after every refresh call.POST /auth/register
Register a new user account. On success the API returns a token pair and a minimal user object so your client can authenticate immediately — no separate login step required.New accounts are created with
role: "client" and is_verified: false. A verification email is sent automatically. Verified email is required before creating bookings.Request body
A valid email address. Must be unique across all accounts. Stored in lowercase.
The account password. Must be 8–100 characters and satisfy the complexity rules described in the Password Requirements section below.
The user’s full name (2–255 characters). Must not contain the
@ symbol.Optional phone number (up to 20 characters), e.g.
+50612345678.Example request
Response 201 Created
Signed JWT access token. Valid for
ACCESS_TOKEN_EXPIRE_MINUTES minutes (default 60).Signed JWT refresh token. Valid for
REFRESH_TOKEN_EXPIRE_DAYS days (default 7).Always
"bearer".Access token lifetime in seconds (e.g.
3600 for 60 minutes).POST /auth/login
Authenticate an existing user with email and password. Returns a fresh token pair.Request body
The registered email address.
The account password.
Example request
Response 200 OK
| Status | detail | Cause |
|---|---|---|
401 | "Invalid credentials" | Email not found or password incorrect |
403 | "Account is inactive" | Account has been deactivated by an admin |
423 | "Account temporarily locked due to failed attempts" | Too many failed attempts |
Using the Access Token
Pass the access token in theAuthorization header on every authenticated request:
Example — fetching your profile
401 Unauthorized:
POST /auth/refresh
Exchange a valid refresh token for a new access token. Token rotation is applied: the old refresh token is immediately invalidated and a brand new refresh token is returned alongside the new access token.Request body
The refresh token returned by
register, login, or a previous refresh call.Example request
Response 200 OK
POST /auth/logout
Invalidates the current access token by adding it to the Redis-backed token blacklist. The token cannot be used again even if it has not yet expired. Requires:Authorization: Bearer <access_token> header.
Example request
Response 200 OK
Password Reset
Use the two-step flow below to let users reset a forgotten password.Step 1 — POST /auth/forgot-password
Sends a password reset link to the provided email address. The reset token is valid for 1 hour. To prevent email enumeration, the API always returns a success response regardless of whether the email exists.The email address associated with the account.
Step 2 — POST /auth/reset-password
Completes the password reset. Thetoken comes from the link emailed in step 1.
The password reset token extracted from the reset link.
The new password. Must meet the same complexity requirements as registration (8–100 chars, uppercase, lowercase, digit, special character).
Email Verification
After registration, a verification email containing a time-limited token is sent to the user’s address. Tokens are valid for 24 hours.POST /auth/verify-email
The verification token from the email link.
POST /auth/resend-verification
Resend the verification email. Rate-limited to 3 requests per hour. Requires a valid access token.GET /auth/me
Returns the authenticated user’s profile. Use this endpoint to confirm token validity or retrieve current role and verification status. Requires:Authorization: Bearer <access_token> header.
Response 200 OK
User UUID.
Verified email address.
User’s full name.
Phone number, or
null if not set.Current role. One of:
client, vendor, agent, customer_service, admin, super_admin.true if the account is active.true if the email address has been verified.ISO 8601 timestamp of the most recent successful login, or
null.Password Requirements
All passwords — on registration and password reset — are validated by the following rules enforced server-side:Account Locking
After 5 consecutive failed login attempts, the account is automatically locked for 30 minutes. During this period all login attempts return The lock is lifted automatically after 30 minutes or immediately upon a successful password reset. A security event is recorded in the audit log each time an account is locked or unlocked.
423 Locked: