
The /api/auth prefix groups all authentication endpoints. Requests to these routes do not require a JWT token — with the single exception of GET /api/auth/me, which validates the caller’s access token to return their profile.

POST /api/auth/register

Creates a new user account. The request body is validated by express-validator before the handler runs; if any field fails, a 400 is returned before any database query is made.

Request body

nombre (string, required): Display name for the user. Must be non-empty (validated by express-validator notEmpty()).
email (string, required): Must be a valid email address (validated by express-validator isEmail()). If the address is already registered, a 400 is returned.
password (string, required): Plain-text password. Must be at least 6 characters (isLength({ min: 6 })). Stored as a bcrypt hash (salt rounds: 10).

Example request

curl -X POST http://localhost:8000/api/auth/register \
  -H 'Content-Type: application/json' \
  -d '{"nombre": "Juan Pérez", "email": "juan@example.com", "password": "secret123"}'

Response — 201 Created

{
  "user": {
    "id": 1,
    "nombre": "Juan Pérez",
    "email": "juan@example.com"
  }
}
user (object): The created user's id, nombre and email. No tokens are returned by this endpoint.

Error codes

| Code | Meaning |
| --- | --- |
| 400 | Email already registered — { errors: [{ msg: "El email ya está registrado" }] } |
| 400 | Validation failure (invalid email format, password too short, missing nombre) — { errors: [{ msg, param, ... }] } |
| 500 | Internal server error |

POST /api/auth/login

Authenticates an existing user and returns a short-lived access token plus a long-lived refresh token. The refresh token is persisted in the users.refresh_token column so it can be validated and revoked.

Request body

email (string, required): The user’s registered email address.
password (string, required): The user’s plain-text password. Compared against the stored bcrypt hash.

Example request

curl -X POST http://localhost:8000/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email": "juan@example.com", "password": "secret123"}'

Response — 200 OK

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": 1,
    "nombre": "Juan Pérez",
    "email": "juan@example.com"
  }
}
accessToken (string): Signed JWT (HS256). Expires in 15 minutes. Include as Authorization: Bearer <accessToken> on all protected routes.
refreshToken (string): Signed JWT (HS256). Expires in 7 days. Stored in users.refresh_token in the database for server-side validation. Send to POST /api/auth/refresh to obtain a new access token.
user (object): The authenticated user's id, nombre and email.

Error codes

| Code | Meaning |
| --- | --- |
| 400 | Invalid credentials (user not found or wrong password) — { errors: [{ msg: "Credenciales inválidas" }] } |
| 400 | Validation failure (invalid email format, missing password) |
| 500 | Internal server error |
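The access token is a bearer credential that expires 15 minutes after issue, so a client has to decide, before each protected call, whether the stored token is still usable or whether it must first call POST /api/auth/refresh. The following is an added client-side example (not code from the PitchPro project): it reads the exp claim of the token to make that decision and builds the Authorization header. Because the client does not hold the signing secret, it can only decode the payload, never verify it; the decoded claims are used for scheduling a refresh and for nothing else. The 30-second skew, the session object shape and the sample token are constructed for this example.

```javascript
// Added example (not the project's code): client-side handling of the
// short-lived access token documented above. Node's Buffer is used for
// base64url decoding; in a browser, atob() with URL-safe substitution does
// the same job.

// Assumption: refresh slightly before the server-side expiry to absorb clock
// drift between client and server.
const SKEW_SECONDS = 30;

// Decodes the JWT payload WITHOUT checking the signature. The result is only
// suitable for deciding when to refresh; authorization is the server's job.
function decodePayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Classifies the stored access token: 'missing' | 'malformed' | 'expired' | 'valid'.
function accessTokenState(token, nowSeconds) {
  if (!token) return 'missing';
  const payload = decodePayload(token);
  if (!payload || typeof payload.exp !== 'number') return 'malformed';
  return payload.exp - SKEW_SECONDS <= nowSeconds ? 'expired' : 'valid';
}

// Decides what the client should do before a protected call:
//   send    -> token usable, headers ready
//   refresh -> call POST /api/auth/refresh with session.refreshToken first
//   login   -> no usable refresh token either; user must log in again
function prepareRequest(session, nowSeconds) {
  const state = accessTokenState(session.accessToken, nowSeconds);
  if (state === 'valid') {
    return { action: 'send', state, headers: { Authorization: `Bearer ${session.accessToken}` } };
  }
  if (session.refreshToken) return { action: 'refresh', state };
  return { action: 'login', state };
}

// After POST /api/auth/logout the server only clears its copy of the refresh
// token; the client must drop both tokens itself, as the page notes.
function clearSession(session) {
  session.accessToken = null;
  session.refreshToken = null;
  return session;
}

// Constructed sample: a syntactically valid JWT whose payload carries the given
// exp. The signature part is a placeholder because this client never checks it.
function makeSampleToken(exp) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ sub: 1, exp })}.placeholder-signature`;
}
```

A token that decodes cleanly but whose exp is in the past is treated the same as one the server would reject with 401, so the client refreshes proactively instead of discovering the expiry through a failed request.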

POST /api/auth/refresh

Exchanges a valid refresh token for a new 15-minute access token. The provided refresh token is verified cryptographically and cross-checked against the value stored in the database — so tokens invalidated via logout are rejected.

Request body

refreshToken (string, required): The refresh token obtained from POST /api/auth/login. Must be a valid, non-expired JWT that matches the value stored in the database.

Example request

curl -X POST http://localhost:8000/api/auth/refresh \
  -H 'Content-Type: application/json' \
  -d '{"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'

Response — 200 OK

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
accessToken (string): A freshly signed access token with a new 15-minute expiry window.

Error codes

| Code | Meaning |
| --- | --- |
| 401 | Refresh token not provided in the request body |
| 403 | Refresh token is invalid, expired, or has been revoked (not found in DB) |

POST /api/auth/logout

Invalidates a refresh token by setting users.refresh_token = NULL in the database. Subsequent calls to POST /api/auth/refresh using this token will return 403.
This endpoint only invalidates the refresh token server-side. Your client application is responsible for discarding the stored access token locally, since access tokens are stateless and cannot be revoked before they expire (15 min).

Request body

refreshToken (string, required): The refresh token to revoke. Must be the token currently associated with the user’s session.

Example request

curl -X POST http://localhost:8000/api/auth/logout \
  -H 'Content-Type: application/json' \
  -d '{"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}'

Response — 200 OK

{
  "message": "Logout exitoso"
}
message (string): Confirmation string. Always "Logout exitoso" on success.

Error codes

| Code | Meaning |
| --- | --- |
| 400 | Refresh token was not included in the request body |
| 500 | Internal server error |

GET /api/auth/me

Returns the profile of the currently authenticated user. The access token is read directly from the Authorization header — no request body is needed.
This is the only /api/auth route that requires a valid Authorization: Bearer <accessToken> header. All other auth routes are unauthenticated.

Request headers

| Header | Value |
| --- | --- |
| Authorization | Bearer <accessToken> — the JWT obtained from POST /api/auth/login |

Example request

curl http://localhost:8000/api/auth/me \
  -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'

Response — 200 OK

{
  "user": {
    "id": 1,
    "nombre": "Juan Pérez",
    "email": "juan@example.com"
  }
}
user (object): The authenticated user's id, nombre and email.

Error codes

| Code | Meaning |
| --- | --- |
| 401 | No Authorization header, header is malformed, or the token has expired |
| 404 | Token is valid but the corresponding user no longer exists in the database |
