Logging in verifies the user’s credentials and returns a signed JWT token. Pass this token in the Authorization header on every subsequent request that requires authentication. The token encodes the user’s ID, email, and role, and is valid for 24 hours.

POST /auth/login

Request body

email (string, required): The registered email address.
password (string, required): The account password set during signup.

Responses

message (string): Confirmation that login succeeded. Example: "Login successful."
token (string): A signed JWT to include in the Authorization header of subsequent requests. Valid for 24 hours.
user (object): The authenticated user’s profile.

Error responses

| Status | Error message | Cause |
| --- | --- | --- |
| 400 | "Email and password are required." | One or both fields are missing from the request body. |
| 401 | "Invalid email or password." | No account found for this email, or the password is incorrect. |
| 403 | "Complete your invited operator signup first." | The operator account exists but has not completed OTP signup yet. |
| 403 | "Your account is deactivated. Please contact the admin." | An admin has deactivated this account. |

Example

curl -X POST https://your-app.onrender.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "admin@example.com", "password": "yourpassword"}'

Using the JWT token

All protected endpoints require the token in the Authorization request header using the Bearer scheme.

Authorization: Bearer <token>

The JWT payload contains three claims used by the server to authorize requests:

| Claim | Description |
| --- | --- |
| user_id | The user’s unique identifier. |
| email | The user’s email address. |
| role | The user’s role (admin, operator, or user). |

Example — calling a protected endpoint

curl -X GET https://your-app.onrender.com/api/some-protected-endpoint \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Tokens expire after 24 hours. When a protected endpoint returns a 401, the client should prompt the user to log in again and obtain a fresh token.

Operators who have not completed the signup OTP flow will receive a 403 response even if their password is correct. Direct them to complete registration at /auth/signup first.
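
How a server can check a Bearer token before trusting the user_id, email, and role claims, as an added example that is not the project's own code. It assumes HS256 signing (the alg in the sample token header above), an exp claim carrying the 24-hour lifetime, and a constructed secret; issue, verify, b64enc, and b64dec are hypothetical names.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"      # constructed value; load a real key from config
ROLES = {"admin", "operator", "user"}    # roles listed in the claims table
LIFETIME = 24 * 60 * 60                  # 24-hour validity stated on this page

def b64enc(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(user_id, email, role, now=None):
    """Build an HS256 token with the three documented claims plus an assumed exp."""
    now = int(time.time()) if now is None else now
    header = b64enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"user_id": user_id, "email": email, "role": role, "exp": now + LIFETIME}
    body = b64enc(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64enc(sig)}"

def verify(auth_header, required_role=None, now=None):
    """Return the claims for a valid 'Bearer <token>' header, else raise ValueError."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    header, body, sig = token.split(".")
    try:
        alg = json.loads(b64dec(header)).get("alg")
        given = b64dec(sig)
    except (ValueError, AttributeError):
        raise ValueError("undecodable token") from None
    if alg != "HS256":                   # pin the algorithm; reject "none" and anything else
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64dec(body))    # parsed only after the signature checks out
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:      # maps to the 401 "log in again" case
        raise ValueError("token expired")
    if claims.get("role") not in ROLES:
        raise ValueError("unknown role")
    if required_role and claims["role"] != required_role:
        raise ValueError("insufficient role")
    return claims
```

The role claim is only as trustworthy as the signature check that precedes it, which is why the payload is not parsed until the HMAC comparison succeeds.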
