AutoLog secures all resource endpoints with JWT Bearer authentication. Users register with a valid email address, a full name, and a password; a successful login returns a short-lived access token alongside a long-lived refresh token. Every subsequent request to a protected endpoint must carry the access token in the Authorization header, and a dedicated refresh endpoint lets clients rotate both tokens once the access token expires, without asking the user to log in again.
Authentication Flow

1. Register a new account

Send a POST request to /api/auth/register with a JSON body containing email, fullName, and password. A successful response returns HTTP 200 with a confirmation message; no tokens are issued at this stage.

Validation rules enforced by the API:

- email: required, must be a valid e-mail address; duplicate emails are rejected
- fullName: required string
- password: required, minimum 6 characters

2. Log in to receive tokens

Send a POST request to /api/auth/login with a JSON body containing email and password. On success the server responds with a TokenResponseDto containing an accessToken and a refreshToken.

Store the refreshToken securely (e.g., an HttpOnly cookie or secure storage). The accessToken is a signed JWT that encodes the user's identity and expires after 15 minutes by default.

3. Authorize API requests

Include the accessToken as a Bearer token in the Authorization header of every request to a protected endpoint (Authorization: Bearer <accessToken>). The middleware validates the token's signature, issuer, audience, and lifetime on every request. Requests that omit the header or supply an invalid or expired token receive HTTP 401 Unauthorized.

4. Refresh tokens when the access token expires

When the access token expires, send both tokens (the expired accessToken and the current refreshToken) in a POST request to /api/auth/refresh. The server validates the expired access token's signature and claims, verifies the refresh token against the database, and returns a brand new pair of tokens as a TokenResponseDto. The old refresh token is immediately invalidated, so the client must replace its stored pair with the new one before making further requests.
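The login, Bearer-request and refresh steps above, modelled end to end as an added example. This is not AutoLog's code and it does not call the real API: an in-memory server stands in for the service, the signing secret, issuer and audience values are made up, the refresh request is modelled as two arguments rather than the real request body, and the BCrypt credential check is left out. It shows two points the text implies but does not spell out: the refresh endpoint skips only the lifetime check and still verifies alg, signature, issuer and audience before trusting the expired token, and because the old refresh token is invalidated on first use, a client has to serialise its refreshes and store the new pair immediately.

```python
# Added example, not AutoLog's code. Secret, issuer, audience and the refresh request
# shape are assumptions; the real values come from the project's JwtSettings.
import base64, hashlib, hmac, json, secrets, threading

SECRET = b"example-signing-key-not-for-production"  # assumed stand-in for the JWT secret
ISSUER, AUDIENCE = "AutoLog", "AutoLogClients"       # assumed values
EXPIRY_MINUTES = 15  # documented default (JwtSettings:ExpiryMinutes)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """HS256-sign a claims set with the shared secret."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, now: float, validate_lifetime: bool = True) -> dict:
    """Check alg, signature, iss, aud and (unless refreshing) exp; raise ValueError on failure."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_unb64(header_b64)).get("alg") != "HS256":  # reject alg=none / key confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if validate_lifetime and claims["exp"] <= now:
        raise ValueError("expired")
    return claims

class FakeAuthServer:
    """15-minute access tokens, single-use refresh tokens; BCrypt check omitted, dict stands in for the DB."""
    def __init__(self):
        self.clock = 1_700_000_000.0  # simulated time, so expiry can be forced
        self.refresh_store = {}  # refresh token -> user
        self.lock = threading.Lock()

    def _issue(self, user: str) -> dict:
        access = sign_jwt({"sub": user, "iss": ISSUER, "aud": AUDIENCE,
                           "exp": int(self.clock + EXPIRY_MINUTES * 60)})
        refresh = secrets.token_urlsafe(32)
        self.refresh_store[refresh] = user
        return {"accessToken": access, "refreshToken": refresh}

    def login(self, email: str, password: str):
        return 200, self._issue(email)

    def protected(self, auth_header: str):
        if not auth_header.startswith("Bearer "):
            return 401, {}
        try:
            return 200, {"user": verify_jwt(auth_header[7:], self.clock)["sub"]}
        except ValueError:
            return 401, {}

    def refresh(self, access: str, refresh: str):
        with self.lock:  # lookup-and-delete must be atomic or two replays can race
            try:
                claims = verify_jwt(access, self.clock, validate_lifetime=False)
            except ValueError:
                return 401, {}
            # must exist and belong to the access token's user; pop() makes it single-use
            if self.refresh_store.pop(refresh, None) != claims["sub"]:
                return 401, {}
            return 200, self._issue(claims["sub"])

class AutoLogClient:
    """Attaches the Bearer token and, on 401, rotates the pair once before retrying."""
    def __init__(self, server: FakeAuthServer, email: str, password: str):
        self.server = server
        tokens = server.login(email, password)[1]
        self.access, self.refresh = tokens["accessToken"], tokens["refreshToken"]
        self._lock = threading.Lock()  # one refresh at a time: the old token dies on first use

    def get(self):
        status, body = self.server.protected(f"Bearer {self.access}")
        if status != 401:
            return status, body
        stale = self.access
        with self._lock:
            if self.access == stale:  # another thread may already have rotated the pair
                status, tokens = self.server.refresh(self.access, self.refresh)
                if status != 200:
                    return status, body  # refresh rejected: the user must log in again
                self.access, self.refresh = tokens["accessToken"], tokens["refreshToken"]
        return self.server.protected(f"Bearer {self.access}")

def demo():
    server = FakeAuthServer()
    client = AutoLogClient(server, "alice@example.com", "correct horse")  # constructed sample user
    first = client.get()[0]
    old = (client.access, client.refresh)
    server.clock += (EXPIRY_MINUTES + 1) * 60  # force the access token to expire
    second = client.get()[0]  # 401 internally, then a transparent refresh and retry
    replay = server.refresh(*old)[0]  # the old refresh token was invalidated by the rotation
    return first, second, (client.access, client.refresh) != old, replay
```

demo() returns (200, 200, True, 401): the first request succeeds, the request after expiry succeeds only because the client refreshed behind the scenes, the stored pair changed, and presenting the consumed refresh token again is rejected. The client-side lock matters in practice: two parallel requests that both see a 401 must not both call /api/auth/refresh, because the second call would arrive with a refresh token the first call has already invalidated and the user would be logged out.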
Endpoint Summary

POST /api/auth/register
Creates a new user account. Passwords are hashed with BCrypt before storage. Returns 200 OK on success; 400 if the email is already in use.

POST /api/auth/login
Validates credentials against the stored BCrypt hash and issues a TokenResponseDto containing both an access token and a refresh token.

POST /api/auth/refresh
Accepts an expired access token plus a valid refresh token. Returns a freshly rotated TokenResponseDto; the old refresh token is invalidated immediately.

Access tokens expire 15 minutes after issuance by default. This lifetime is configurable via the JwtSettings:ExpiryMinutes key in appsettings.json (or the corresponding environment variable). See JWT Configuration for the full settings reference.

Related Pages
Auth API Endpoints
Full API reference for all three auth endpoints including request/response schemas and error codes.
JWT Configuration
Configure the JWT secret, issuer, audience, and token lifetimes for AutoLog.