
AutoLog uses JWT Bearer authentication backed by ASP.NET Core’s JwtBearer middleware. When you log in you receive two tokens: an access token (valid for 15 minutes, as set by JwtSettings:ExpiryMinutes) and a refresh token (valid for 7 days, as set by JwtSettings:RefreshExpiryDays). Send the access token as a Bearer token in the Authorization header on every protected API call. When the access token expires, or is about to, use the refresh endpoint to obtain a new pair without asking the user to log in again.
Never store tokens in localStorage for high-security applications. Anything in localStorage is readable by any JavaScript running on the page, so a single XSS bug hands an attacker both tokens, and the refresh token is the more valuable of the two because it stays usable for 7 days. Prefer httpOnly cookies or an in-memory store that is cleared when the tab closes. Note that cookie storage needs CSRF protection and a server that sets the cookies; the endpoints documented here return tokens in the JSON body and expect the access token in the Authorization header, so an in-memory store is the option that works with the API as-is.

Authentication Flow

1. Register a new account

If you don’t have an account yet, create one with POST /api/auth/register. The email field must be a valid email address, fullName is required, and password must be at least 6 characters. That minimum is the server’s floor, not a recommendation, so have your client encourage longer passphrases.
curl -X POST https://api.yourdomain.com/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "jane@example.com",
    "fullName": "Jane Doe",
    "password": "s3cur3P@ss"
  }'
Success response — 200 OK:
{
  "message": "User registered successfully."
}
Registration does not return tokens. Proceed to the login step to obtain them.
2. Log in and obtain tokens

Call POST /api/auth/login with your email and password. On success you receive both tokens.
curl -X POST https://api.yourdomain.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "jane@example.com",
    "password": "s3cur3P@ss"
  }'
Success response — 200 OK:
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "dGhpcyBpcyBhIHNhbXBsZSByZWZyZXNoIHRva2Vu..."
}
Store both tokens securely. The accessToken is a signed JWT whose issuer is AutoLog.API and whose audience is AutoLog.AngularClient.
3. Make authenticated requests

Pass the accessToken in the Authorization header of every request to a protected endpoint.
curl -X GET https://api.yourdomain.com/api/vehicles \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
If the token is missing, malformed, expired, signed with the wrong key, or carries the wrong issuer or audience, the API returns 401 Unauthorized.
4. Refresh an expiring access token

Either proactively, shortly before the 15-minute lifetime ends, or reactively after a 401, call POST /api/auth/refresh with both the expired access token and the current refresh token. The server validates the pair, that is, the access token’s signature and claims (its expiry is expected here) together with the refresh token, and issues a fresh set.
curl -X POST https://api.yourdomain.com/api/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "dGhpcyBpcyBhIHNhbXBsZSByZWZyZXNoIHRva2Vu..."
  }'
Success response — 200 OK:
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...<new>",
  "refreshToken": "dGhpcyBpcyBhIG5ldyByZWZyZXNoIHRva2Vu...<new>"
}
Replace both stored tokens with the new values returned in this response. Each refresh issues a new refresh token, so treat the old one as spent and never send it a second time.

Token Expiry Handling

The API returns 401 Unauthorized on any protected request made with an expired access token. Your client should detect this response, automatically call POST /api/auth/refresh with the current access token and refresh token to obtain a fresh pair, then retry the original request once. Serialise refreshes: if several requests fail with 401 at the same moment they should share a single in-flight refresh call, because each refresh returns a new refresh token and a second refresh sent with the already-replaced one can fail and log the user out unnecessarily.
# Original request fails with 401
curl -X GET https://api.yourdomain.com/api/fuellogs/vehicle/1 \
  -H "Authorization: Bearer <expired-access-token>"

# Refresh to get new tokens
curl -X POST https://api.yourdomain.com/api/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "accessToken": "<expired-access-token>",
    "refreshToken": "<valid-refresh-token>"
  }'
Refresh tokens are valid for 7 days. If the refresh token has also expired, POST /api/auth/refresh returns 401 Unauthorized. At this point the user’s session cannot be silently renewed: they must call POST /api/auth/login again with their credentials to start a new session. Design your client to detect a 401 response from /api/auth/refresh specifically, discard both tokens, and redirect the user to the login screen rather than retrying the refresh.
AutoLog does not expose a dedicated logout endpoint. To end a session, discard both tokens client-side (clear them from memory, cookies, or secure storage). The refresh token will expire naturally on the server side after 7 days.
Logout is therefore a client-side convention only: a refresh token that has been copied elsewhere remains usable for the rest of its 7-day lifetime. For immediate invalidation in high-security scenarios a server-side refresh token denylist would be needed; it is not part of the current API and is a candidate for a future version.
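The whole lifecycle above (login, Bearer calls, 401-triggered refresh with a single retry, one shared refresh for concurrent failures, logout by discarding tokens, and the fall-back to the login screen once the refresh token has expired) as a TypeScript client. This is an added example, not code from the AutoLog repository or its Angular client. The endpoint paths and JSON shapes are the documented ones; the fetchImpl abstraction, makeFakeApi, scenario and the token format of the in-memory stand-in server that lets it run offline are assumptions made for the example.

```typescript
// Added example, not AutoLog's own code. Endpoint paths and JSON shapes are the
// documented ones; the stand-in server, its token format and the fetchImpl
// abstraction are assumptions made so the example runs offline.
type Tokens = { accessToken: string; refreshToken: string };
type Resp = { status: number; body: any };
type Init = { method: string; headers: Record<string, string>; body?: string };
type Fetch = (path: string, init: Init) => Promise<Resp>;
const JSON_POST = { method: "POST", headers: { "Content-Type": "application/json" } };

export class AutoLogClient {
  private tokens: Tokens | null = null;               // in memory only, never localStorage
  private refreshing: Promise<boolean> | null = null; // the one refresh currently in flight
  public loggedOut = false;                           // set when the session cannot be renewed
  constructor(private fetchImpl: Fetch) {}

  async login(email: string, password: string): Promise<boolean> {
    const r = await this.fetchImpl("/api/auth/login", { ...JSON_POST, body: JSON.stringify({ email, password }) });
    if (r.status !== 200) return false;
    this.tokens = r.body as Tokens;
    return true;
  }
  // No logout endpoint exists: ending the session means discarding both tokens.
  logout(): void { this.tokens = null; this.loggedOut = true; }

  // Protected GET: on 401 refresh once and retry once; a second 401 is final.
  async get(path: string): Promise<Resp> {
    let r = await this.send(path);
    if (r.status === 401 && (await this.refresh())) r = await this.send(path);
    return r;
  }
  private send(path: string): Promise<Resp> {
    const headers: Record<string, string> = {};
    if (this.tokens) headers["Authorization"] = `Bearer ${this.tokens.accessToken}`;
    return this.fetchImpl(path, { method: "GET", headers });
  }
  // Single-flight refresh: concurrent 401s share one POST /api/auth/refresh. Each
  // refresh rotates the refresh token, so sending the old one twice would fail
  // the second caller and could log the user out needlessly.
  private refresh(): Promise<boolean> {
    if (!this.refreshing) this.refreshing = this.doRefresh().finally(() => { this.refreshing = null; });
    return this.refreshing;
  }
  private async doRefresh(): Promise<boolean> {
    if (!this.tokens) return false;
    const r = await this.fetchImpl("/api/auth/refresh", { ...JSON_POST, body: JSON.stringify(this.tokens) });
    if (r.status !== 200) { this.logout(); return false; } // refresh token gone: back to the login screen
    this.tokens = r.body as Tokens;                         // replace BOTH stored tokens
    return true;
  }
}

// Constructed stand-in for the API (assumption, not the real server): access
// tokens last 15 fake minutes, refresh tokens 7 fake days, refresh rotates both.
export function makeFakeApi() {
  const MIN = 60_000, DAY = 86_400_000;
  let now = 0, seq = 0, refreshCalls = 0;
  const users: Record<string, string> = { "jane@example.com": "s3cur3P@ss" };
  const refreshStore = new Map<string, { user: string; exp: number }>();
  const issue = (user: string): Tokens => {
    const refreshToken = `ref-${++seq}`;
    refreshStore.set(refreshToken, { user, exp: now + 7 * DAY });
    return { accessToken: `acc|${user}|${now + 15 * MIN}`, refreshToken };
  };
  const fetchImpl: Fetch = async (path, init) => {
    const body = init.body ? JSON.parse(init.body) : {};
    if (path === "/api/auth/login") {
      const ok = typeof body.password === "string" && users[body.email] === body.password;
      return ok ? { status: 200, body: issue(body.email) } : { status: 401, body: null };
    }
    if (path === "/api/auth/refresh") {
      refreshCalls++;
      const rec = refreshStore.get(body.refreshToken);
      const user = String(body.accessToken).split("|")[1];
      if (!rec || rec.user !== user || rec.exp <= now) return { status: 401, body: null };
      refreshStore.delete(body.refreshToken);               // the old refresh token is spent
      return { status: 200, body: issue(user) };
    }
    const m = /^Bearer acc\|([^|]+)\|(\d+)$/.exec(init.headers["Authorization"] ?? "");
    if (!m || Number(m[2]) <= now) return { status: 401, body: null }; // missing, invalid or expired
    return { status: 200, body: { owner: m[1], path } };
  };
  return { fetchImpl, advance: (ms: number) => { now += ms; }, refreshCalls: () => refreshCalls, MIN, DAY };
}

// Walk through the lifecycle and report what each stage observed.
export async function scenario() {
  const api = makeFakeApi();
  const client = new AutoLogClient(api.fetchImpl);
  const loggedIn = await client.login("jane@example.com", "s3cur3P@ss");
  const fresh = (await client.get("/api/vehicles")).status;            // 200
  api.advance(16 * api.MIN);                                            // access token expired
  const [a, b] = await Promise.all([client.get("/api/vehicles"), client.get("/api/fuellogs/vehicle/1")]);
  const refreshes = api.refreshCalls();                                 // 1, not 2: refresh was shared
  api.advance(8 * api.DAY);                                             // refresh token expired too
  const afterWeek = (await client.get("/api/vehicles")).status;        // 401 and the client logged out
  return { loggedIn, fresh, concurrent: [a.status, b.status], refreshes, afterWeek, loggedOut: client.loggedOut };
}
```

In the Angular app the same logic belongs in an HttpInterceptor with fetchImpl replaced by HttpClient; the shared refresh promise is what keeps parallel requests from racing each other with an already-rotated refresh token, and the loggedOut flag is the signal on which to route to the login screen.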

JWT Token Details

AutoLog tokens are validated with the following parameters, configured in appsettings.json under the JwtSettings key:
Parameter               Value
Issuer                  AutoLog.API
Audience                AutoLog.AngularClient
Access token lifetime   15 minutes (ExpiryMinutes)
Refresh token lifetime  7 days (RefreshExpiryDays)
Signing algorithm       HMAC SHA-256 (HS256)
Validated claims        Issuer, Audience, Lifetime, Signing Key
The UserId is embedded as a custom UserId claim inside the JWT and is extracted by the API on every protected request to scope resources to the authenticated user. The claim is trustworthy only because the middleware verifies the HS256 signature first: a client cannot alter it without the signing key, and anyone who obtains that key can mint a token for any user. Keep the key a long random secret and out of source control.
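What the validation parameters in the table amount to, written out for HS256 in TypeScript, including why the refresh endpoint can accept an expired access token (it skips only the lifetime check) and how the UserId claim is recovered only after the signature holds. This is an added example, not AutoLog’s server code: the signing key, timestamps, user id and the helper names signHs256, validateHs256 and demo are constructed for the illustration, and the checks mirror the configured TokenValidationParameters in spirit rather than calling the ASP.NET library.

```typescript
// Added example, not AutoLog's code. Key, timestamps, user id and helper names
// are constructed for the illustration.
import { createHmac, timingSafeEqual } from "node:crypto";

type Claims = { iss: string; aud: string; exp: number; UserId: string };
type Result = { ok: boolean; userId?: string; reason?: string };
type Opts = { issuer: string; audience: string; key: Buffer; now: number; validateLifetime: boolean };
const enc = (s: string) => Buffer.from(s, "utf8").toString("base64url");
const dec = (s: string) => Buffer.from(s, "base64url");

// Stand-in for the token the server mints at login.
export function signHs256(claims: Claims, key: Buffer): string {
  const head = enc(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = enc(JSON.stringify(claims));
  const sig = createHmac("sha256", key).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// The checks the table lists, in the order a verifier must apply them.
export function validateHs256(token: string, o: Opts): Result {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [head, body, sig] = parts;
  let header: any, claims: any;
  try {
    header = JSON.parse(dec(head).toString("utf8"));
    claims = JSON.parse(dec(body).toString("utf8"));
  } catch { return { ok: false, reason: "malformed" }; }
  if (!header || typeof claims !== "object" || claims === null) return { ok: false, reason: "malformed" };
  // 1. The verifier pins the algorithm; the token's header never chooses it ("alg":"none", key confusion).
  if (header.alg !== "HS256") return { ok: false, reason: "alg" };
  // 2. Signing key: recompute the MAC over the exact bytes received and compare in constant time.
  const expected = createHmac("sha256", o.key).update(`${head}.${body}`).digest();
  const given = dec(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return { ok: false, reason: "signature" };
  // 3. Issuer and audience must equal the configured values exactly.
  if (claims.iss !== o.issuer) return { ok: false, reason: "issuer" };
  if (claims.aud !== o.audience) return { ok: false, reason: "audience" };
  // 4. Lifetime: enforced on API calls; the refresh endpoint disables only this check.
  if (o.validateLifetime && !(typeof claims.exp === "number" && claims.exp > o.now)) return { ok: false, reason: "lifetime" };
  // Only now is the UserId claim safe to use for scoping resources.
  if (typeof claims.UserId !== "string") return { ok: false, reason: "UserId" };
  return { ok: true, userId: claims.UserId };
}

// Constructed cases: a live token, an expired one on both code paths, and three forgeries.
export function demo() {
  const key = Buffer.from("constructed-demo-key-use-32-plus-random-bytes-in-real-config", "utf8"); // assumption
  const now = 1_700_000_000;
  const opts: Opts = { issuer: "AutoLog.API", audience: "AutoLog.AngularClient", key, now, validateLifetime: true };
  const claims: Claims = { iss: "AutoLog.API", aud: "AutoLog.AngularClient", exp: now + 15 * 60, UserId: "42" };
  const live = signHs256(claims, key);
  const expired = signHs256({ ...claims, exp: now - 60 }, key);
  const [h, , s] = live.split(".");
  const swapped = `${h}.${enc(JSON.stringify({ ...claims, UserId: "1" }))}.${s}`;      // payload edited, old signature kept
  const guessedKey = signHs256({ ...claims, UserId: "1" }, Buffer.from("secret", "utf8")); // right claims, wrong key
  const algNone = `${enc(JSON.stringify({ alg: "none", typ: "JWT" }))}.${enc(JSON.stringify(claims))}.`;
  return {
    live: validateHs256(live, opts),
    expiredOnApi: validateHs256(expired, opts),                                   // what a protected call sees
    expiredOnRefresh: validateHs256(expired, { ...opts, validateLifetime: false }), // what /api/auth/refresh sees
    wrongAudience: validateHs256(signHs256({ ...claims, aud: "Other" }, key), opts),
    swapped: validateHs256(swapped, opts),
    guessedKey: validateHs256(guessedKey, opts),
    algNone: validateHs256(algNone, opts),
  };
}
```

The order matters: signature before claims, so that nothing in an unauthenticated payload (including its alg field) influences which key or algorithm is used, and UserId read last, so it is never trusted from a token that failed an earlier check.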

CORS Policy

AutoLog enforces a strict CORS policy named AllowAngularClient. Only origins listed in the Cors:AllowedOrigins array in appsettings.json are permitted to make cross-origin requests. In development, http://localhost:4200 (the default Angular dev server) is the pre-configured allowed origin. If your frontend runs on a different origin, add it to the Cors:AllowedOrigins array in your environment’s configuration before deploying. CORS restricts only which browser origins may read responses cross-origin; it is not an authentication or authorization control. Requests from curl or server-side code are not subject to it, so every protected endpoint must rely on the Bearer token alone.
