POST /auth/login

This endpoint authenticates both clients (clientes) and barbers (barberos) on the EdgeTimer platform. A successful login returns a JWT session containing an accessToken, refreshToken, and expiry time, along with the authenticated user’s profile. The role field is required to distinguish between account types — credentials that match the wrong role are rejected.

Base URL

https://edgetimer-backend.onrender.com

Request

POST /auth/login

Body parameters

role

string

required

The account type to authenticate as. Must be either "cliente" or "barbero".

string

required

Email address associated with the account. Normalized to lowercase before lookup.

password

string

required

Password for the account.

Examples

curl --request POST \
  --url https://edgetimer-backend.onrender.com/auth/login \
  --header 'Content-Type: application/json' \
  --data '{
    "role": "cliente",
    "email": "ana.lopez@example.com",
    "password": "mysecretpass"
  }'

Response

200 OK

message

string

Confirmation message indicating a successful login.

session

object

JWT session credentials. Use the accessToken to authenticate subsequent requests.

Show properties

accessToken

string

JWT access token. Pass this as a Bearer token in the Authorization header of subsequent requests: Authorization: Bearer <accessToken>.

refreshToken

string

Token used to obtain a new access token when the current one expires.

expiresAt

number

Unix timestamp (seconds) indicating when the access token expires.

profile

object

Profile of the authenticated user.

Show properties

string

Unique identifier for the account.

nombre

string

Full name of the user.

usuario

string

Username associated with the account.

string

Email address of the account.

role

string

Account type: "cliente" or "barbero".

foto

string | null

Signed URL for the user’s profile photo. null if no photo has been set.

createdAt

string

ISO 8601 timestamp of when the account was created.

Example response

{
  "message": "Inicio de sesion exitoso",
  "session": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "v1.refresh-token-value",
    "expiresAt": 1748300000
  },
  "profile": {
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "nombre": "Ana López",
    "usuario": "ana.lopez",
    "email": "ana.lopez@example.com",
    "role": "cliente",
    "foto": null,
    "createdAt": "2026-01-15T10:30:00.000Z"
  }
}

Using the access token

Include the accessToken from the session response in the Authorization header of all subsequent requests that require authentication:

Authorization: Bearer <accessToken>

Error responses

Status	Description
`401 Unauthorized`	Email or password is incorrect.
`401 Unauthorized`	The provided `role` does not match the account type for these credentials.
`400 Bad Request`	The `role` field contains a value other than `"cliente"` or `"barbero"`.

401 example — wrong credentials

{
  "statusCode": 401,
  "message": "Usuario o contrasena incorrectos"
}

401 example — role mismatch

{
  "statusCode": 401,
  "message": "El rol no coincide con esta cuenta"
}

400 example — invalid role

{
  "statusCode": 400,
  "message": "El rol enviado no es valido"
}

Always pass the correct role for the account type you are authenticating. Providing the wrong role (for example, "barbero" with a client’s credentials) will result in a 401 error even if the email and password are correct.

Authentication

Appointments

Slots & Catalog

Base URL

Request

Body parameters

Examples

Response

200 OK

Using the access token

Error responses

Build docs developers (and LLMs) love

Authentication

Appointments

Slots & Catalog

Documentation Index

​Base URL

​Request

​Body parameters

​Examples

​Response

​200 OK

​Using the access token

​Error responses

Build docs developers (and LLMs) love

Base URL

Request

Body parameters

Examples

Response

200 OK

Using the access token

Error responses