AutoLog uses JWT Bearer authentication backed by ASP.NET Core’s JwtBearer middleware. When you log in you receive two tokens: an access token (valid for 15 minutes, as set by JwtSettings:ExpiryMinutes) and a refresh token (valid for 7 days, as set by JwtSettings:RefreshExpiryDays). Send the access token in the Authorization: Bearer header on every protected API call. When the access token nears expiry, use the refresh endpoint to obtain a new pair without asking the user to log in again.
Authentication Flow
Register a new account
If you don’t have an account yet, create one with POST /api/auth/register. The email field must be a valid email address, fullName is required, and password must be at least 6 characters.
Success response: 200 OK. Registration does not return tokens. Proceed to the login step to obtain them.
Log in and obtain tokens
Call POST /api/auth/login with your email and password. On success you receive both tokens.
Success response: 200 OK. Store both tokens securely. The accessToken is a signed JWT whose issuer is AutoLog.API and whose audience is AutoLog.AngularClient.
Make authenticated requests
Pass the accessToken in the Authorization header of every request to a protected endpoint. If the token is missing or invalid the API returns 401 Unauthorized.
Refresh an expiring access token
Before or after receiving a 401, call POST /api/auth/refresh with both the expired access token and the current refresh token. The server validates the pair and issues a fresh set.
Success response: 200 OK. Replace both stored tokens with the new values returned in this response.
Token Expiry Handling
What happens when my access token expires?
The API returns 401 Unauthorized on any protected request made with an expired access token. Your client should detect this response and automatically call POST /api/auth/refresh with the current access token and refresh token to obtain a fresh pair, then retry the original request.
What happens when my refresh token expires?
Refresh tokens are valid for 7 days. If the refresh token has also expired, POST /api/auth/refresh returns 401 Unauthorized. At this point the user’s session cannot be silently renewed; they must call POST /api/auth/login again with their credentials to start a new session. Design your client to detect a 401 response from /api/auth/refresh specifically and redirect the user to the login screen.
How do I log out?
AutoLog does not expose a dedicated logout endpoint. To end a session, discard both tokens client-side (clear them from memory, cookies, or secure storage). The refresh token will expire naturally on the server side after 7 days.
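The 401 handling described under Token Expiry Handling, written as a client wrapper that refreshes once, retries once, and drops the session when the refresh call itself returns 401. This is an added example, not AutoLog's own code; the { accessToken, refreshToken } JSON shape of the login and refresh bodies, the createAuthClient name, and the injected baseUrl, fetchImpl and onSessionExpired parameters are assumptions.

```javascript
// Added example, not AutoLog code. Assumed: the { accessToken, refreshToken }
// JSON shape for login/refresh bodies, baseUrl, and the injectable fetchImpl.
function createAuthClient({ baseUrl, fetchImpl, onSessionExpired }) {
  let tokens = null;          // held in memory only; never logged
  let refreshInFlight = null; // shared promise: concurrent 401s cause one refresh

  const postJson = (path, body) => fetchImpl(baseUrl + path, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  const keepPair = (b) => ({ accessToken: b.accessToken, refreshToken: b.refreshToken });

  async function login(email, password) {
    const res = await postJson('/api/auth/login', { email, password });
    if (!res.ok) throw new Error('login failed: ' + res.status);
    tokens = keepPair(await res.json());
  }

  function refresh() {
    if (!refreshInFlight) {
      refreshInFlight = (async () => {
        const res = await postJson('/api/auth/refresh', tokens);
        // 401 from the refresh endpoint: the session cannot be renewed, so
        // discard both tokens and signal the app (e.g. route to login).
        if (res.status === 401) { tokens = null; onSessionExpired(); }
        if (!res.ok) throw new Error('refresh failed: ' + res.status);
        tokens = keepPair(await res.json()); // replace BOTH stored tokens
      })().finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;
  }

  async function request(path, init = {}) {
    if (!tokens) throw new Error('not logged in');
    const send = () => fetchImpl(baseUrl + path, {
      ...init,
      headers: { ...init.headers, Authorization: 'Bearer ' + tokens.accessToken },
    });
    let res = await send();
    if (res.status === 401) { // expired access token: refresh once, retry once
      await refresh();
      res = await send();
    }
    return res;
  }

  const logout = () => { tokens = null; }; // no logout endpoint: discard client-side
  return { login, request, logout };
}
```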
JWT Token Details
AutoLog tokens are validated with the following parameters, configured in appsettings.json under the JwtSettings key:
| Parameter | Value |
|---|---|
| Issuer | AutoLog.API |
| Audience | AutoLog.AngularClient |
| Access token lifetime | 15 minutes (ExpiryMinutes) |
| Refresh token lifetime | 7 days (RefreshExpiryDays) |
| Signing algorithm | HMAC SHA-256 (HS256) |
| Validated claims | Issuer, Audience, Lifetime, Signing Key |
The user's ID is embedded as a custom UserId claim inside the JWT and is extracted by the API on every protected request to scope resources to the authenticated user.
CORS Policy
AutoLog enforces a strict CORS policy named AllowAngularClient. Only origins listed in the Cors:AllowedOrigins array in appsettings.json are permitted to make cross-origin requests. In development, http://localhost:4200 (the default Angular dev server) is the pre-configured allowed origin. If your frontend runs on a different origin, add it to the Cors:AllowedOrigins array in your environment’s configuration before deploying.