
The Auth API handles all identity operations: creating new accounts, exchanging credentials for a JWT token pair, rotating tokens, invalidating sessions, and retrieving the currently authenticated user’s profile. All protected endpoints expect a Bearer token in the Authorization header.

POST /api/auth/register

Create a new user account. If no rol_id is provided the account is assigned the default Cliente role and a linked Cliente record is created automatically. Authentication: none required.

Request body

- username (string, required): Unique username. Maximum 50 characters.
- email (string, required): Unique email address.
- password (string, required): Plain-text password. Hashed with bcrypt before storage.
- nombre (string): Display name used for the auto-created Cliente record. Defaults to username when omitted.
- telefono (string): Phone number stored on the Cliente record. Only used when the assigned role is Cliente.
- rol_id (number): ID of the role to assign. Defaults to the Cliente role when omitted.
- cc_id (string): National ID / CC stored on the Cliente record. Only used when the assigned role is Cliente.

Response — 201 Created

Returns a UsuarioResponse object.
- id (number, required): Auto-incremented user ID.
- username (string, required): Username chosen at registration.
- email (string, required): Email address.
- rol_id (number, required): ID of the assigned role.
- cliente_id (number): ID of the linked Cliente record, or null for non-client roles.
- activo (boolean, required): Whether the account is active. Always true on creation.
- fecha_registro (string, required): ISO 8601 timestamp of account creation.
- rol (object): Embedded role object including its permissions.

Example request:

curl --request POST \
  --url https://api.example.com/api/auth/register \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "jdoe",
    "email": "jdoe@example.com",
    "password": "s3cr3t",
    "nombre": "Jane Doe",
    "telefono": "+573001234567"
  }'

Example response:

{
  "id": 42,
  "username": "jdoe",
  "email": "jdoe@example.com",
  "rol_id": 1,
  "cliente_id": 17,
  "activo": true,
  "fecha_registro": "2026-05-22T10:00:00Z",
  "rol": {
    "id": 1,
    "nombre": "Cliente",
    "permisos": []
  }
}

POST /api/auth/login

Exchange credentials for a JWT token pair.
This endpoint uses application/x-www-form-urlencoded encoding (OAuth2 password flow), not JSON. Send username and password as form fields, not a JSON body.
Authentication: none required.

Request body (form-encoded)

- username (string, required): The account username.
- password (string, required): The account password.

Response — 200 OK

- access_token (string, required): Short-lived JWT for authenticating API requests. Send as Authorization: Bearer <token>.
- refresh_token (string, required): Long-lived opaque token for obtaining a new token pair via /api/auth/refresh.
- token_type (string, required): Always "bearer".
- expires_in (number, required): Lifetime of the access token in seconds.

Example request:

curl --request POST \
  --url https://api.example.com/api/auth/login \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'username=jdoe' \
  --data-urlencode 'password=s3cr3t'

Example response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
  "token_type": "bearer",
  "expires_in": 900
}
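Client-side request builders for the two body encodings this API mixes: form-encoded for /api/auth/login (the OAuth2 password flow note above) and JSON for /api/auth/refresh, plus a check of the TokenPair shape before the client stores anything. This is added example code, not the rappi2 project's client; the base URL and helper names are assumptions.

```python
import json
from urllib.parse import urlencode


def login_request(base_url: str, username: str, password: str) -> tuple[str, dict, bytes]:
    """Build the form-encoded login request (NOT a JSON body)."""
    # urlencode percent-escapes '&', '=' and '+', so a password containing those
    # characters reaches the server intact instead of being split into extra fields.
    body = urlencode({"username": username, "password": password}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return f"{base_url}/api/auth/login", headers, body


def refresh_request(base_url: str, refresh_token: str) -> tuple[str, dict, bytes]:
    """Build the JSON refresh request; the refresh token is the only credential."""
    body = json.dumps({"refresh_token": refresh_token}).encode()
    return f"{base_url}/api/auth/refresh", {"Content-Type": "application/json"}, body


def parse_token_pair(raw: bytes) -> dict:
    """Validate the documented TokenPair fields before trusting the response."""
    pair = json.loads(raw)
    required = {"access_token", "refresh_token", "token_type", "expires_in"}
    missing = required - set(pair)
    if missing:
        raise ValueError(f"token pair missing fields: {sorted(missing)}")
    if str(pair["token_type"]).lower() != "bearer":
        raise ValueError(f"unexpected token_type {pair['token_type']!r}")
    if not isinstance(pair["expires_in"], int) or pair["expires_in"] <= 0:
        raise ValueError("expires_in must be a positive number of seconds")
    return pair


def bearer_header(pair: dict) -> dict:
    """Authorization header expected by the protected endpoints (e.g. /api/auth/me)."""
    return {"Authorization": f"Bearer {pair['access_token']}"}
```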

POST /api/auth/refresh

Exchange a valid refresh token for a new token pair. The submitted refresh token is immediately revoked and replaced with a new one (token rotation). Authentication: none required (the refresh token itself is the credential).

Request body

- refresh_token (string, required): A non-revoked, non-expired refresh token previously issued by /api/auth/login or this endpoint.

Response — 200 OK

Returns a new TokenPair identical in shape to the login response.
- access_token (string, required): New short-lived JWT.
- refresh_token (string, required): New long-lived refresh token. The previously submitted token is revoked.
- token_type (string, required): Always "bearer".
- expires_in (number, required): Lifetime of the new access token in seconds.

Example request:

curl --request POST \
  --url https://api.example.com/api/auth/refresh \
  --header 'Content-Type: application/json' \
  --data '{"refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."}'

Example response:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh_token": "bmV3UmVmcmVzaFRva2Vu...",
  "token_type": "bearer",
  "expires_in": 900
}

POST /api/auth/logout

Revoke a refresh token to invalidate the session. Logout does not invalidate the corresponding access token: it continues to work until it expires (expires_in seconds after it was issued), so the client must discard it. Authentication: none required (submitting the token to revoke is sufficient).

Request body

- refresh_token (string, required): The refresh token to revoke. If it is already revoked or not found, the request still returns success.

Response — 200 OK

Returns a confirmation message.

Example request:

curl --request POST \
  --url https://api.example.com/api/auth/logout \
  --header 'Content-Type: application/json' \
  --data '{"refresh_token": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4..."}'

Example response:

{ "message": "Logout exitoso" }
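An illustrative server-side model of the lifecycle documented for /api/auth/refresh (rotation: the submitted token is revoked before a new pair is issued) and /api/auth/logout (idempotent revocation). This is added example code, not the rappi2 project's implementation; the in-memory store, the refresh-token lifetime, the helper names and the reuse_attempts detection hook are assumptions.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

ACCESS_TTL = 900          # expires_in reported by the login example
REFRESH_TTL = 30 * 86400  # assumed lifetime of the opaque refresh token


@dataclass
class RefreshRecord:
    user_id: int
    expires_at: float
    revoked: bool = False


class AuthStore:
    """Server-side model of the documented token lifecycle (illustrative)."""

    def __init__(self) -> None:
        self.refresh: dict[str, RefreshRecord] = {}
        self.reuse_attempts: list[str] = []  # detection hook, not part of the documented API

    def _issue_pair(self, user_id: int, now: float) -> dict:
        # The refresh token is opaque: random, high-entropy, looked up server-side.
        token = secrets.token_urlsafe(32)
        self.refresh[token] = RefreshRecord(user_id, now + REFRESH_TTL)
        # Placeholder for the signed JWT; signing is outside this example's scope.
        return {"access_token": f"jwt-for-{user_id}-{int(now)}", "refresh_token": token,
                "token_type": "bearer", "expires_in": ACCESS_TTL}

    def login(self, user_id: int, now: Optional[float] = None) -> dict:
        return self._issue_pair(user_id, time.time() if now is None else now)

    def refresh_pair(self, token: str, now: Optional[float] = None) -> Optional[dict]:
        """Rotation: the submitted token is revoked before the new pair is issued,
        so a replayed refresh token gets None instead of minting more pairs."""
        now = time.time() if now is None else now
        rec = self.refresh.get(token)
        if rec is None or rec.expires_at <= now:
            return None
        if rec.revoked:
            self.reuse_attempts.append(token)  # a revoked token presented again is worth alerting on
            return None
        rec.revoked = True
        return self._issue_pair(rec.user_id, now)

    def logout(self, token: str) -> dict:
        """Idempotent: unknown or already-revoked tokens still return success."""
        rec = self.refresh.get(token)
        if rec is not None:
            rec.revoked = True
        return {"message": "Logout exitoso"}
```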

GET /api/auth/me

Return the full profile of the currently authenticated user, including the embedded role and its permissions. Authentication: Bearer token required.

Response — 200 OK

Returns a UsuarioResponse object. See the register response fields above for the full field list.
Example request:

curl --request GET \
  --url https://api.example.com/api/auth/me \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'

Example response:

{
  "id": 42,
  "username": "jdoe",
  "email": "jdoe@example.com",
  "rol_id": 1,
  "cliente_id": 17,
  "activo": true,
  "fecha_registro": "2026-05-22T10:00:00Z",
  "rol": {
    "id": 1,
    "nombre": "Cliente",
    "permisos": []
  }
}
