The Auth API handles the full authentication lifecycle for AutoLog users. It provides endpoints to register new accounts, exchange credentials for a JWT access token and refresh token pair, and rotate that pair as the access token expires, keeping sessions alive without asking the user to log in again.
No Authorization header is required on any of these three endpoints; they are the endpoints that issue the tokens the protected routes expect.
POST /api/auth/register
Creates a new AutoLog user account. On success the server returns a plain confirmation message — no token is issued at registration time. The client should immediately follow up with a POST /api/auth/login call to obtain tokens.
Request body
A valid email address that uniquely identifies the user account. Must pass RFC 5322 format validation.
The user’s display name shown inside the application.
The account password. Minimum 6 characters. Stored as a bcrypt hash — never in plain text.
Response fields
A human-readable confirmation string. Value is always "User registered successfully." on success.
Response codes
| Code | Meaning |
|---|---|
| 200 OK | Account created. |
| 400 Bad Request | Validation failed (missing field, invalid email, password too short) or email already exists. |
Because a duplicate email also produces a 400, a caller can use this endpoint to learn whether an address is already registered; rate-limit registration if that matters for your deployment.
Example
POST /api/auth/login
Authenticates a user with their email and password. On success, the server issues a short-lived JWT access token and a long-lived refresh token. The access token should be included as a Bearer token in the Authorization header of all subsequent authenticated requests.
Request body
The email address associated with the account.
The account password in plain text. Transmitted over HTTPS only.
Response fields
A signed JWT access token. Include this as Authorization: Bearer <accessToken> on all protected endpoints.
An opaque refresh token used to obtain a new token pair without re-entering credentials.
Response codes
| Code | Meaning |
|---|---|
| 200 OK | Authentication successful. Token pair returned. |
| 400 Bad Request | Request body validation failed. |
| 401 Unauthorized | Credentials are incorrect or the account does not exist (the same response in both cases). |
Example
POST /api/auth/refresh
Exchanges an expired (or soon-to-expire) access token and a valid refresh token for a brand-new token pair. The old refresh token is invalidated after a successful rotation, so clients must always store the latest pair returned by this endpoint. Because each refresh token is single-use, a client that fires several requests in parallel and sees several 401s must serialize the refresh and retry the others with the new pair; submitting the same refresh token twice makes the second call fail with 401.
Request body
The most recently issued JWT access token, even if it has already expired.
The opaque refresh token paired with the access token above.
Response fields
A new signed JWT access token.
A new opaque refresh token. The previous refresh token is now invalidated.
Response codes
| Code | Meaning |
|---|---|
| 200 OK | Token pair successfully rotated. |
| 400 Bad Request | One or both fields are missing from the request body. |
| 401 Unauthorized | Refresh token is invalid, expired, or has already been used. |
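The lifecycle described across the three endpoints above (register, then login, then a single-flight refresh when a protected call returns 401), as an added client example. This is not code from the AutoLog project; it assumes the request and response field names `email`, `name`, `password`, `accessToken` and `refreshToken`, and it runs offline against a constructed in-memory stand-in that reproduces only the documented status codes and the one-time-use refresh token, not the real server.

```python
import threading
from collections import namedtuple

TokenPair = namedtuple("TokenPair", "access_token refresh_token")

class AuthError(Exception):
    """The Auth API rejected a call; fix the input or log in again."""

class AutoLogAuthClient:
    """Keeps only the latest pair; transport(method, path, headers, body) -> (status, json)."""

    def __init__(self, transport):
        self._send, self._pair, self._lock = transport, None, threading.Lock()

    def register(self, email: str, name: str, password: str) -> str:
        status, body = self._send("POST", "/api/auth/register", {}, {"email": email, "name": name, "password": password})
        if status != 200:
            raise AuthError(f"register failed ({status}): {body.get('message')}")
        return body["message"]  # no token is issued here; call login() next

    def login(self, email: str, password: str) -> TokenPair:
        status, body = self._send("POST", "/api/auth/login", {}, {"email": email, "password": password})
        if status != 200:
            raise AuthError(f"login failed ({status})")
        self._pair = TokenPair(body["accessToken"], body["refreshToken"])
        return self._pair

    def _rotate(self, stale: TokenPair) -> TokenPair:
        # Single-flight: the refresh token is one-time, so two callers holding the same
        # stale pair must not both submit it; the second submission would get a 401.
        with self._lock:
            if self._pair is not None and self._pair != stale:
                return self._pair  # another caller already rotated; reuse its pair
            status, body = self._send("POST", "/api/auth/refresh", {},
                                      {"accessToken": stale.access_token, "refreshToken": stale.refresh_token})
            if status != 200:
                self._pair = None  # pair is dead; only a fresh login recovers
                raise AuthError(f"refresh rejected ({status}); log in again")
            self._pair = TokenPair(body["accessToken"], body["refreshToken"])
            return self._pair

    def call(self, method: str, path: str, body: dict = None) -> tuple:
        # Call a protected endpoint; on 401 rotate the pair once and retry once.
        pair = self._pair
        if pair is None:
            raise AuthError("not logged in")
        status, resp = self._send(method, path, {"Authorization": f"Bearer {pair.access_token}"}, body or {})
        if status == 401:
            pair = self._rotate(pair)
            status, resp = self._send(method, path, {"Authorization": f"Bearer {pair.access_token}"}, body or {})
        return status, resp

class FakeAutoLogServer:
    """Constructed offline stand-in (plaintext passwords, counters instead of JWTs), not the real server."""

    def __init__(self):
        self.users, self.access, self._n = {}, {}, 0  # email -> (name, password); accessToken -> email
        self.refresh = {}  # refreshToken -> (email, paired accessToken); entry removed on first use

    def _issue(self, email: str) -> dict:
        self._n += 1
        a, r = f"access-{self._n}", f"refresh-{self._n}"
        self.access[a], self.refresh[r] = email, (email, a)
        return {"accessToken": a, "refreshToken": r}

    def __call__(self, method: str, path: str, headers: dict, body: dict) -> tuple:
        if path == "/api/auth/register":
            email, name, pw = body.get("email", ""), body.get("name", ""), body.get("password", "")
            if "@" not in email or not name or len(pw) < 6 or email in self.users:
                return 400, {"message": "Validation failed or email already exists"}
            self.users[email] = (name, pw)
            return 200, {"message": "User registered successfully."}
        if path == "/api/auth/login":
            user = self.users.get(body.get("email"))
            if user is None or user[1] != body.get("password"):
                return 401, {"message": "Invalid credentials"}  # same answer for an unknown email
            return 200, self._issue(body["email"])
        if path == "/api/auth/refresh":
            a, r = body.get("accessToken"), body.get("refreshToken")
            if not a or not r:
                return 400, {"message": "accessToken and refreshToken are required"}
            entry = self.refresh.pop(r, None)  # one-time use: consumed on first presentation
            if entry is None or entry[1] != a:
                return 401, {"message": "Refresh token invalid, expired or already used"}
            self.access.pop(a, None)
            return 200, self._issue(entry[0])
        tok = headers.get("Authorization", "").removeprefix("Bearer ")  # every other path is protected
        if tok not in self.access:
            return 401, {"message": "Unauthorized"}
        return 200, {"user": self.access[tok]}

def lifecycle_demo() -> dict:
    # Register, log in, call a protected route, survive access-token expiry, then show
    # that the consumed refresh token cannot be replayed. Inputs are constructed sample data.
    server, out = FakeAutoLogServer(), {}
    client = AutoLogAuthClient(server)
    out["register"] = client.register("ana@example.com", "Ana", "hunter22")
    first = client.login("ana@example.com", "hunter22")
    out["first_call"] = client.call("GET", "/api/logs")[0]
    del server.access[first.access_token]  # simulate the short-lived access token expiring
    out["after_expiry"] = client.call("GET", "/api/logs")[0]  # 401 -> rotate -> retry -> 200
    old = {"accessToken": first.access_token, "refreshToken": first.refresh_token}
    out["replay_of_old_refresh"] = server("POST", "/api/auth/refresh", {}, old)[0]
    return out
```

The lock in `_rotate` is the part worth copying: every caller that hits a 401 passes in the pair it used, and only the first one with that pair actually calls `/api/auth/refresh`; later callers find the pair has already changed and reuse the new one instead of burning the single-use refresh token a second time. When the refresh itself is rejected the client drops its pair, so the only way forward is a fresh `login()`.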