The SCO Autolavados API uses JSON Web Tokens (JWT) for stateless authentication. The flow is straightforward: call the login endpoint with valid credentials, receive a signed access token and a refresh token, then include the access token in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Luisangelebp/SCO_Autolavados/llms.txt
Use this file to discover all available pages before exploring further.
Authorization header of every request to a protected route. No session state is kept on the server — each request is authenticated independently by verifying the token’s signature against JWT_SECRET.
Obtain a Token
Send aPOST request to /api/users/login with an identifier (either the user’s registered email address or their user username field) and their password.
200 OK:
token, valid for 15 minutes) and a long-lived refresh token (refreshToken, valid for 7 days). Store both values — use token to authenticate API calls and refreshToken to silently obtain a new access token once it expires.
The identifier field accepts either the user’s email or user (username) — the login controller resolves both automatically.
Using the Token
Include the access token as a Bearer credential in theAuthorization header:
Bearer <token>. Any other format (missing scheme, extra whitespace, etc.) will be rejected with 401.
Refreshing an Expired Token
When the access token expires (after 15 minutes), callPOST /api/users/refresh with the refresh token to obtain a new access token without re-entering credentials.
200 OK:
token (access token). The refresh token itself is not rotated — the same refreshToken from the original login remains valid until it expires after 7 days.
Error responses:
| Status | Scenario |
|---|---|
401 | refreshToken field is missing from the request body |
401 | Refresh token signature is invalid or it has expired |
401 | The user account associated with the refresh token is inactive |
{ id, isRefresh: true }. The server validates the isRefresh flag; supplying a regular access token to this endpoint will be rejected with 401.
Token Payload
When theverifyToken middleware receives a request it:
- Reads the
Authorizationheader and checks that it starts withBearer. - Extracts the token string after the space.
- Calls
jwt.verify(token, process.env.JWT_SECRET)to validate the signature and expiry. - Attaches the decoded payload to
req.userso downstream controllers can read it.
| Claim | Description |
|---|---|
id | UUID of the authenticated user |
email | Email address of the authenticated user (may be null for reception-created accounts) |
cedula | National ID / RIF of the authenticated user |
role | Role name string (e.g. "ADMIN", "CUSTOMER", "LAUNDRER") |
exp | Unix timestamp of token expiry (15 minutes after issuance) |
iat | Unix timestamp of token issuance |
verifyToken responds immediately with 401 and does not call next():
Role Enforcement
Routes that require a specific role are additionally guarded byverifyRole(allowedRoles). After verifyToken attaches req.user, verifyRole checks that req.user.role (case-insensitive) is in the allowedRoles array passed to the middleware.
403:
req.user or req.user.role is absent after token verification, the middleware returns 403:
Error Responses
| Status | Scenario |
|---|---|
401 | Authorization header is missing or does not start with Bearer |
401 | Token signature is invalid or the token has expired |
401 | Wrong credentials supplied to POST /api/users/login |
401 | Missing or invalid refreshToken supplied to POST /api/users/refresh |
403 | Valid token, but the user’s role is not permitted for the requested endpoint |
Token Storage
The SCO Autolavados frontend stores the JWT in
localStorage after a successful login. This makes the token available across page refreshes and browser tabs. For production deployments that require higher security guarantees, consider migrating to httpOnly cookies so the token is not accessible from JavaScript, reducing exposure to XSS attacks.Environment Configuration
Set the variable in your.env file at the project root: