AutoPart Pro uses JSON Web Tokens (JWT) for stateless authentication. Every protected endpoint validates the token you supply, extracts your user ID and role from it, and uses that information to enforce access control — without an additional database round-trip on each request. This page explains how to obtain a token, how to attach it to requests, what the token contains, how long it lasts, and how the frontend manages it.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/JFKoryy/autopart-pro/llms.txt
Use this file to discover all available pages before exploring further.
How It Works
The server signs tokens using the HS256 algorithm with a secret stored in theJWT_SECRET environment variable. The decoded payload embedded in every token contains exactly two claims:
id— the numeric primary key of the user in the database.role— one ofadmin,employee, orclient, assigned at registration or updated by an admin later.
protect middleware in authMiddleware.js verifies the signature and injects the decoded payload into req.user so downstream route handlers and role checks can read it directly.
Token Lifetime
Tokens expire 1 hour after they are issued. After expiry the server rejects the token with a401 response and the client must re-authenticate.
Obtaining a Token: Registration and Login Flow
Register a new account
Send a Response
POST request to /api/auth/register with name, email, and password in the JSON body. A successful response returns a token immediately — the user is authenticated right away.201 Created:The
user.role field in the register response body is always "user". The JWT payload itself encodes client as the default role. An admin can later promote the account to employee or admin using PUT /api/users/:id/role.Log in to an existing account
Send a Response Store the
POST request to /api/auth/login with email and password. The server verifies the bcrypt-hashed password against the database record and, if it matches, returns a fresh token.200 OK:token value — you will pass it with every subsequent protected request.Attach the token to protected requests
Include the token as a Bearer credential in the Example — fetch low-stock products:The server extracts the token from the header, verifies the signature, and proceeds with the request if it is valid and unexpired.
Authorization header of every request that requires authentication.Passing the Token
TheAuthorization header must follow the Bearer scheme exactly. The protect middleware checks that the header is present and starts with the literal string Bearer (including the trailing space) before attempting to verify the token:
Bearer — causes the middleware to respond immediately with 401.
Validating a Stored Token
TheGET /api/auth/me endpoint lets the frontend confirm that a token stored in localStorage is still valid. It re-fetches the user record from the database using the ID from the token payload and returns the up-to-date user object.
200 OK:
401 or 404 respectively.
Frontend Usage
The React frontend (frontend/src/services/api.js) stores the JWT in localStorage under the key token and retrieves it via a getAuthHeader() helper that automatically builds the correct headers object for every authenticated fetch call:
headers option on all authenticated requests, for example:
validateToken() function in the same file calls GET /api/auth/me, removes the token from localStorage if the server returns a non-OK status, and returns null to signal that re-authentication is needed:
Error Reference
Missing or Malformed Token — 401
Returned when the Authorization header is absent or does not start with Bearer .
Invalid or Expired Token — 401
Returned when the token fails JWT verification — either the signature is wrong or the token has passed its 1-hour expiry.
Insufficient Role — 403
Returned by the authorize role middleware when the authenticated user’s role is not in the list of roles permitted for that endpoint (for example, a client trying to delete a product).
Role Summary
| Role | Description |
|---|---|
admin | Full access to all endpoints including user management and product mutations |
employee | Can view and interact with inventory and sales, but cannot manage users or delete products |
client | Can browse the product catalog, complete checkouts, and view their own sales history |