
AutoLog secures all resource endpoints with JWT Bearer authentication. Users register with a valid email address, a full name, and a password; a successful login returns a short-lived access token alongside a long-lived refresh token. Every subsequent request to a protected endpoint must carry the access token in the Authorization header, and a dedicated refresh endpoint lets clients silently rotate both tokens before the access token expires.

Authentication Flow

1. Register a new account

Send a POST request to /api/auth/register with a JSON body containing email, fullName, and password. A successful response returns HTTP 200 with a confirmation message — no tokens are issued at this stage.
Request body:
{
  "email": "user@example.com",
  "fullName": "Jane Doe",
  "password": "YourSecurePassword123!"
}
Validation rules enforced by the API:
  • email — required, must be a valid e-mail address; duplicate emails are rejected
  • fullName — required string
  • password — required, minimum 6 characters
2. Log in to receive tokens

Send a POST request to /api/auth/login with email and password. On success the server responds with an accessToken and a refreshToken.
Request body:
{
  "email": "user@example.com",
  "password": "YourSecurePassword123!"
}
Response body (TokenResponseDto):
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "r8Xv2mKp9T1cQzLwYnDjAeHgBsFuOiNb..."
}
Store the refreshToken securely (e.g., an HttpOnly cookie or secure storage). The accessToken is a signed JWT that encodes the user’s identity and expires after 15 minutes by default.
3. Authorize API requests

Include the accessToken in the Authorization header of every request to a protected endpoint:
Authorization: Bearer <accessToken>
The middleware validates the token’s signature, issuer, audience, and lifetime on every request. Requests that omit the header or supply an invalid/expired token receive HTTP 401 Unauthorized.
4. Refresh tokens when the access token expires

When the access token expires, send both tokens to /api/auth/refresh. The server validates the expired access token’s signature and claims, verifies the refresh token against the database, and returns a brand new pair of tokens. The old refresh token is immediately invalidated.
Request body:
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "r8Xv2mKp9T1cQzLwYnDjAeHgBsFuOiNb..."
}
Response body:
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...<new>",
  "refreshToken": "kP3mQx7zTwJvYsNcReLdBfHgAiOuDnXp...<new>"
}
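The four steps above, as an added example rather than AutoLog's own code: a small Python client that reads the exp claim from the access token and rotates both tokens shortly before expiry, exercised against a constructed stand-in for the login and refresh endpoints that enforces single-use refresh tokens. The HS256 signing key, the FakeAutoLog and TokenClient names, and the 60-second refresh skew are assumptions; the 15-minute lifetime is the page's default.

```python
import base64, hashlib, hmac, json, secrets

SECRET = b"constructed-demo-signing-key"   # stand-in for the server's JWT secret (constructed value)
EXPIRY_MINUTES = 15                        # the page's default JwtSettings:ExpiryMinutes
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def mint_access_token(email: str, now: int) -> str:
    """Constructed HS256 JWT carrying the user's identity and an exp claim (not AutoLog's code)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": email, "exp": now + EXPIRY_MINUTES * 60}).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}')}"

def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying it; a client only needs exp to time its refresh."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def signature_valid(token: str) -> bool:
    header, payload, sig = token.split(".")
    return hmac.compare_digest(sig, _sign(f"{header}.{payload}"))  # constant-time comparison

class FakeAutoLog:
    """Stands in for /api/auth/login and /api/auth/refresh; refresh tokens are single-use."""
    def __init__(self):
        self.refresh_tokens = {}                              # live refresh token -> owning email
    def login(self, email: str, now: int) -> dict:
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = email
        return {"accessToken": mint_access_token(email, now), "refreshToken": rt}
    def refresh(self, access_token: str, refresh_token: str, now: int):
        owner = self.refresh_tokens.pop(refresh_token, None)  # old refresh token dies immediately
        if owner is None or not signature_valid(access_token) \
                or jwt_claims(access_token).get("sub") != owner:  # expired is fine; wrong user is not
            return 401, None
        return 200, self.login(owner, now)                    # brand new pair for the same user

class TokenClient:
    """Rotates `skew` seconds before exp, so requests never go out with a stale access token."""
    def __init__(self, server: FakeAutoLog, email: str, now: int, skew: int = 60):
        self.server, self.skew, self.tokens = server, skew, server.login(email, now)
    def auth_header(self, now: int) -> dict:
        if jwt_claims(self.tokens["accessToken"])["exp"] - now <= self.skew:
            status, fresh = self.server.refresh(self.tokens["accessToken"], self.tokens["refreshToken"], now)
            if status != 200:
                raise PermissionError("refresh rejected: re-authenticate via /api/auth/login")
            self.tokens = fresh
        return {"Authorization": f"Bearer {self.tokens['accessToken']}"}
```

A replayed refresh token gets 401 from the stand-in exactly as the page describes for AutoLog, which is the point at which a real client must fall back to /api/auth/login.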

Endpoint Summary

POST /api/auth/register

Creates a new user account. Passwords are hashed with BCrypt before storage. Returns 200 OK on success; 400 if the email is already in use.

POST /api/auth/login

Validates credentials against the stored BCrypt hash and issues a TokenResponseDto containing both an access token and a refresh token.

POST /api/auth/refresh

Accepts an expired access token plus a valid refresh token. Returns a freshly rotated TokenResponseDto; the old refresh token is invalidated immediately.

All API endpoints except /api/auth/register and /api/auth/login require a valid Authorization: Bearer <accessToken> header. Requests without this header are rejected with HTTP 401 Unauthorized.

Access tokens expire 15 minutes after issuance by default. This lifetime is configurable via the JwtSettings:ExpiryMinutes key in appsettings.json (or the corresponding environment variable). See JWT Configuration for the full settings reference.

Auth API Endpoints

Full API reference for all three auth endpoints including request/response schemas and error codes.

JWT Configuration

Configure the JWT secret, issuer, audience, and token lifetimes for AutoLog.
