The Auth API handles the full authentication lifecycle for AutoLog users. It provides endpoints to register new accounts, exchange credentials for a JWT access token and refresh token pair, and silently rotate tokens before they expire — keeping sessions alive without requiring the user to log in again. No Authorization header is required on any of these three endpoints.

POST /api/auth/register

Creates a new AutoLog user account. On success the server returns a plain confirmation message — no token is issued at registration time. The client should immediately follow up with a POST /api/auth/login call to obtain tokens.
Passwords must be at least 6 characters long. Submitting a shorter value will result in a 400 Bad Request with validation details.

Request body

email (string, required)
    A valid email address that uniquely identifies the user account. Must pass RFC 5322 format validation.
fullName (string, required)
    The user’s display name shown inside the application.
password (string, required)
    The account password. Minimum 6 characters. Stored as a bcrypt hash — never in plain text.

Response fields

message (string)
    A human-readable confirmation string. Value is always "User registered successfully." on success.

Response codes

Code              Meaning
200 OK            Account created.
400 Bad Request   Validation failed (missing field, invalid email, password too short) or email already exists.

Example

curl -X POST https://api.autolog.app/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "maria@example.com",
    "fullName": "Maria González",
    "password": "s3cur3Pass"
  }'

{
  "message": "User registered successfully."
}

POST /api/auth/login

Authenticates a user with their email and password. On success, the server issues a short-lived JWT access token and a long-lived refresh token. The access token should be included as a Bearer token in the Authorization header of all subsequent authenticated requests.
Store the refreshToken securely (e.g., in an HttpOnly cookie or secure storage) and use POST /api/auth/refresh to rotate tokens before the access token expires.

Request body

email (string, required)
    The email address associated with the account.
password (string, required)
    The account password in plain text. Transmitted over HTTPS only.

Response fields

accessToken (string)
    A signed JWT access token. Include this as Authorization: Bearer <accessToken> on all protected endpoints.
refreshToken (string)
    An opaque refresh token used to obtain a new token pair without re-entering credentials.

Response codes

Code              Meaning
200 OK            Authentication successful. Token pair returned.
400 Bad Request   Request body validation failed.
401 Unauthorized  Credentials are incorrect or the account does not exist.

Example

curl -X POST https://api.autolog.app/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "maria@example.com",
    "password": "s3cur3Pass"
  }'

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
}

POST /api/auth/refresh

Exchanges an expired (or soon-to-expire) access token and a valid refresh token for a brand-new token pair. The old refresh token is invalidated after a successful rotation, so clients must always store the latest pair returned by this endpoint.
Both accessToken and refreshToken must be provided. Submitting a tampered, already-used, or expired refresh token will return 401 Unauthorized.

Request body

accessToken (string, required)
    The most recently issued JWT access token, even if it has already expired.
refreshToken (string, required)
    The opaque refresh token paired with the access token above.

Response fields

accessToken (string)
    A new signed JWT access token.
refreshToken (string)
    A new opaque refresh token. The previous refresh token is now invalidated.

Response codes

Code              Meaning
200 OK            Token pair successfully rotated.
400 Bad Request   One or both fields are missing from the request body.
401 Unauthorized  Refresh token is invalid, expired, or has already been used.

Example

curl -X POST https://api.autolog.app/api/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."
  }'

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...NEW",
  "refreshToken": "bmV3UmVmcmVzaFRva2Vu..."
}
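The register, login and refresh behaviour documented above, modelled end to end as an added example (this is not AutoLog's code): an in-memory stand-in server enforces the 6-character password minimum, answers 401 identically for wrong passwords and unknown accounts, and makes each refresh token single-use and paired with its access token, while a client helper reads the JWT exp claim to decide when to rotate. The HS256 key, the 900-second access lifetime and the sha256 password hashing (in place of bcrypt) are constructed for the demo.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = b"constructed-demo-hs256-key"  # constructed; the real signing key is server config
ACCESS_TTL = 900                         # assumed 15-minute access token lifetime

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(email: str, now: int) -> str:
    """Minimal HS256 JWT so the client has a real exp claim to read."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps({"sub": email, "exp": now + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def needs_refresh(access_token: str, now: int, skew: int = 60) -> bool:
    """Client side: read exp without verifying (scheduling only) and rotate `skew` seconds early."""
    body = access_token.split(".")[1]
    body += "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(body))["exp"] - skew <= now

class FakeAuthServer:
    def __init__(self):
        self.users = {}     # email -> password hash (sha256 stands in for bcrypt)
        self.sessions = {}  # sha256(refreshToken) -> (email, paired accessToken); one-time use
    def register(self, email, full_name, password):
        if len(password) < 6 or "@" not in email or email in self.users:
            return 400, {"error": "validation failed"}
        self.users[email] = hashlib.sha256(password.encode()).hexdigest()
        return 200, {"message": "User registered successfully."}
    def _issue(self, email, now):
        access, refresh = make_jwt(email, now), secrets.token_urlsafe(32)
        self.sessions[hashlib.sha256(refresh.encode()).hexdigest()] = (email, access)
        return 200, {"accessToken": access, "refreshToken": refresh}
    def login(self, email, password, now=None):
        given = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(self.users.get(email, ""), given):
            return 401, {"error": "invalid credentials"}  # same answer for unknown accounts
        return self._issue(email, now or int(time.time()))
    def refresh(self, access_token, refresh_token, now=None):
        if not access_token or not refresh_token:
            return 400, {"error": "both fields required"}
        key = hashlib.sha256(refresh_token.encode()).hexdigest()
        email, paired = self.sessions.pop(key, (None, ""))  # pop = single use; a replay finds nothing
        if email is None or not hmac.compare_digest(paired, access_token):
            return 401, {"error": "refresh token invalid, expired, or already used"}
        return self._issue(email, now or int(time.time()))
```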