The SCO Autolavados REST API is a Node.js/Express/TypeScript backend that powers the full operations of Multiservicios La Miami — from vehicle reception and service orders through payments, inventory, payroll, and customer reservations. All functionality is exposed over HTTP as a RESTful JSON API with no versioning segment in the URL path; the current version is the only version.
Base URL
All endpoints are prefixed with /api. When running locally the server defaults to port 3000.
Set the PORT environment variable to override the default port. The server will refuse to start if JWT_SECRET is not set.
Authentication
Protected routes require a JWT Bearer token obtained from POST /api/users/login. Pass the token in every request to a guarded endpoint via the Authorization header, in the form Authorization: Bearer <token>.
Send POST /api/users/refresh with the refreshToken returned at login to obtain a new access token without re-entering credentials.
See the Authentication guide for the full login flow, token payload details, refresh token usage, and error handling.
Request Format
| Scenario | Content-Type |
|---|---|
| JSON body (most endpoints) | application/json |
| User photo upload (PATCH /api/users/:id, POST /api/users/register) | multipart/form-data |
Content-Type: application/json. Requests that include a file upload must use multipart/form-data; the file field name is photo.
Response Format
All responses are JSON. The standard HTTP status codes used throughout the API are:
| Status Code | Meaning |
|---|---|
| 200 OK | Request succeeded; body contains the requested resource or update confirmation |
| 201 Created | Resource was successfully created; body contains the new resource |
| 400 Bad Request | Invalid input or business-rule violation (e.g. deleting a type that is in use) |
| 401 Unauthorized | Missing, malformed, or expired JWT token; or wrong login credentials |
| 403 Forbidden | Valid token but the authenticated role is not permitted for this action |
| 404 Not Found | Requested resource does not exist |
| 500 Internal Server Error | Unexpected server-side error |
error string. Where applicable a second message field provides additional context (for example the specific validation rule that failed):
Available Endpoints
Users
Registration, login, token refresh, profile management, and role lookup.
Vehicles
Vehicle types (typecars) and individual car registration by plate.
Services
Service catalogue — names, prices, and estimated durations.
Service Orders
Operational queue: create, assign to a launderer, and finish wash orders.
Customer Orders
Web-facing order flow for customers: create, pay, approve, and reject orders.
Inventory
Products (items) and stock management.
Payments
Record and approve customer payments across all payment methods.
Expenses
Register company outflows and optionally restock inventory items.
Sales
Finalized invoices linking payments, service orders, and products sold.
Reservations
Customer appointment scheduling with automatic queue enrollment.
Launderers
Shift start/end management for launderer staff.
Payroll
Daily payroll calculation based on the shared pool system.
AutoLavado Config
Company profile, exchange rate, balance, and waiting-time estimate.
Dashboard
Aggregated KPI statistics for the admin dashboard.
Role Authorization
The API uses two middleware layers: verifyToken (validates the JWT) and verifyRole (checks the role claim inside it). Routes fall into four protection tiers:
| Endpoint type | Required role |
|---|---|
| 🔒 ADMIN | JWT with ADMIN role |
| 🔒 CUSTOMER | JWT with CUSTOMER role |
| 🔒 ADMIN / CUSTOMER | JWT with ADMIN or CUSTOMER role |
| Public | No token required |
Calling a protected endpoint without a valid token returns 401; calling it with a token that lacks the required role returns 403.
Note: PATCH /api/users/:id uses an additional ownership check — an ADMIN can edit any user, while any other authenticated user may only edit their own profile (verified by comparing req.user.id against the :id parameter).
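The sketch below is an added example, not code from the SCO Autolavados repository. It shows how the two layers and the ownership check produce the 401 and 403 outcomes described above. Assumptions: the payload shape (id, role, exp), the helper names deny, ownerOrAdmin and statusFor, and a lookup table of constructed tokens that stands in for real JWT signature verification.

```typescript
// Added illustration, not the project's source. Only verifyToken, verifyRole,
// req.user.id and the ADMIN/CUSTOMER roles come from the page; the rest is assumed.
type Role = "ADMIN" | "CUSTOMER";
interface Claims { id: string; role: Role; exp: number } // assumed token payload
interface Req { headers: Record<string, string | undefined>; params: Record<string, string>; user?: Claims }
interface Res { status: number; body: unknown }
type Middleware = (req: Req, res: Res, next: () => void) => void;

const deny = (res: Res, status: number, error: string): void => { res.status = status; res.body = { error }; };

// Layer 1 (authentication): no token, an invalid token, or an expired one -> 401.
// `decode` stands in for the JWT library's signature check (null = invalid).
function verifyToken(decode: (token: string) => Claims | null, now: () => number): Middleware {
  return (req, res, next) => {
    const token = /^Bearer (\S+)$/.exec(req.headers["authorization"] ?? "")?.[1];
    const claims = token ? decode(token) : null;
    if (!claims || claims.exp <= now()) return deny(res, 401, "Unauthorized");
    req.user = claims; // later layers trust only what was verified here
    next();
  };
}

// Layer 2 (authorization): authenticated, but role not in the allowed set -> 403.
const verifyRole = (...allowed: Role[]): Middleware => (req, res, next) =>
  allowed.some((r) => r === req.user?.role) ? next() : deny(res, 403, "Forbidden");

// Ownership check described for PATCH /api/users/:id: ADMIN edits anyone, others only themselves.
const ownerOrAdmin: Middleware = (req, res, next) =>
  req.user && (req.user.role === "ADMIN" || String(req.user.id) === req.params["id"])
    ? next() : deny(res, 403, "Forbidden");

// Constructed sample tokens; the Map replaces real signature verification.
const SAMPLE = new Map<string, Claims>([
  ["admin-tok", { id: "1", role: "ADMIN", exp: 2000 }],
  ["cust-tok", { id: "7", role: "CUSTOMER", exp: 2000 }],
  ["old-tok", { id: "7", role: "CUSTOMER", exp: 500 }],
]);
const auth = verifyToken((t) => SAMPLE.get(t) ?? null, () => 1000); // fixed clock for the demo

// Runs a middleware chain and returns the status a client would see (200 = handler reached).
function statusFor(chain: Middleware[], id: string, token?: string): number {
  const req: Req = { headers: token ? { authorization: `Bearer ${token}` } : {}, params: { id } };
  const res: Res = { status: 200, body: null };
  let i = 0;
  const next = (): void => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return res.status;
}
```

Because verifyToken runs first, a request with no usable token never reaches the role or ownership layer, which is why 401 always takes precedence over 403.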