
The SCO Autolavados REST API is a Node.js/Express/TypeScript backend that powers the full operations of Multiservicios La Miami — from vehicle reception and service orders through payments, inventory, payroll, and customer reservations. All functionality is exposed over HTTP as a RESTful JSON API with no versioning segment in the URL path; the current version is the only version.

Base URL

All endpoints are prefixed with /api. When running locally the server defaults to port 3000.

```
http://localhost:3000/api
```

Set the PORT environment variable to override the default port. The server will refuse to start if JWT_SECRET is not set.

Authentication

Protected routes require a JWT Bearer token obtained from POST /api/users/login. Pass the token in every request to a guarded endpoint via the Authorization header:

```
Authorization: Bearer <your_token_here>
```

Access tokens expire after 15 minutes. Use POST /api/users/refresh with the refreshToken returned at login to obtain a new access token without re-entering credentials. See the Authentication guide for the full login flow, token payload details, refresh token usage, and error handling.

Request Format

| Scenario | Content-Type |
| --- | --- |
| JSON body (most endpoints) | application/json |
| User photo upload (PATCH /api/users/:id, POST /api/users/register) | multipart/form-data |

Requests that include a JSON body must set Content-Type: application/json. Requests that include a file upload must use multipart/form-data; the file field name is photo.

Response Format

All responses are JSON. The standard HTTP status codes used throughout the API are:
| Status Code | Meaning |
| --- | --- |
| 200 OK | Request succeeded; body contains the requested resource or update confirmation |
| 201 Created | Resource was successfully created; body contains the new resource |
| 400 Bad Request | Invalid input or business-rule violation (e.g. deleting a type that is in use) |
| 401 Unauthorized | Missing, malformed, or expired JWT token; or wrong login credentials |
| 403 Forbidden | Valid token but the authenticated role is not permitted for this action |
| 404 Not Found | Requested resource does not exist |
| 500 Internal Server Error | Unexpected server-side error |

Error responses always include an error string. Where applicable a second message field provides additional context (for example the specific validation rule that failed):

```json
{
  "error": "Acceso denegado. Token no proporcionado o formato incorrecto."
}
```

```json
{
  "error": "Error al crear el usuario desde recepción",
  "message": "La cédula o RIF debe comenzar con V, E, J o G"
}
```

Available Endpoints

Users

Registration, login, token refresh, profile management, and role lookup.

Vehicles

Vehicle types (typecars) and individual car registration by plate.

Services

Service catalogue — names, prices, and estimated durations.

Service Orders

Operational queue: create, assign to a launderer, and finish wash orders.

Customer Orders

Web-facing order flow for customers: create, pay, approve, and reject orders.

Inventory

Products (items) and stock management.

Payments

Record and approve customer payments across all payment methods.

Expenses

Register company outflows and optionally restock inventory items.

Sales

Finalized invoices linking payments, service orders, and products sold.

Reservations

Customer appointment scheduling with automatic queue enrollment.

Launderers

Shift start/end management for launderer staff.

Payroll

Daily payroll calculation based on the shared pool system.

AutoLavado Config

Company profile, exchange rate, balance, and waiting-time estimate.

Dashboard

Aggregated KPI statistics for the admin dashboard.

Role Authorization

The API uses two middleware layers — verifyToken (validates the JWT) and verifyRole (checks the role claim inside it). Routes fall into four protection tiers:
| Endpoint type | Required role |
| --- | --- |
| 🔒 ADMIN | JWT with ADMIN role |
| 🔒 CUSTOMER | JWT with CUSTOMER role |
| 🔒 ADMIN / CUSTOMER | JWT with ADMIN or CUSTOMER role |
| Public | No token required |

Role comparison is case-insensitive. Calling a guarded route without a token returns 401; calling it with a token that lacks the required role returns 403. Note: PATCH /api/users/:id uses an additional ownership check — an ADMIN can edit any user, while any other authenticated user may only edit their own profile (verified by comparing req.user.id against the :id parameter).
