Overview

The Users API handles authentication, account creation, profile management, and role-based access control for SCO Autolavados. Three registration paths exist:
- Online self-registration: customers create their own account via POST /api/users/register.
- Reception quick-registration: admin staff create walk-in accounts (no email/password required) via POST /api/users/admin.
- Account activation: a previously reception-created user later activates their account online through POST /api/users/register using the same cedula.
Authentication

Protected endpoints require a Bearer JWT access token obtained from POST /api/users/login. Access tokens are valid for 15 minutes; refresh tokens are valid for 7 days. Use POST /api/users/refresh with { "refreshToken": "..." } to silently obtain a new access token without requiring the user to log in again.

User Object
All user endpoints that return a user return this shape. The hashPassword field is always stripped from API responses.

Fields:
- UUID primary key of the user.
- National ID or tax ID (cedula). Must start with V, E, J, or G (e.g. V12345678).
- User's first name.
- User's last name.
- Contact phone number (e.g. 04141234567).
- Unique username. Only set when the account has been activated with email/password.
- Unique email address. Only set when the account has been activated with email/password.
- Stored filename of the uploaded profile photo, or null if none.
- Whether the account is active. Defaults to true.
- Only meaningful for the LAUNDRER role: true when the employee has an active shift.
- Timestamp of account creation.
- Embedded role object { id, name }.

Endpoints
POST /api/users/login

Authenticates a user by email or username and returns a JWT access token and a refresh token.

Request body:
- The user's registered email address or username (user field).
- The user's plain-text password. Compared against the bcrypt hash stored in the database.

200 OK:
- Short-lived JWT access token (expires in 15 minutes). Send as Authorization: Bearer <token> on protected requests.
- Long-lived refresh token (expires in 7 days). Use with POST /api/users/refresh to get a new access token.
- Partial user object with id, email, and the nested role object.

401 Unauthorized: invalid credentials, or account not yet activated (no password set).
GET /api/users (ADMIN)

Returns a paginated list of all users in the system, ordered by most recently created. Requires a valid JWT from an ADMIN account.

Query parameters:
- Number of records per page. Defaults to 10. Must be a positive integer.
- Page number (1-indexed). Defaults to 1.

200 OK:
- Array of User objects (see User Object above).
- Total count of all users in the database (useful for building pagination UI).
GET /api/users/role/:roleName

Returns all users that belong to a specific role. The lookup is case-insensitive: CUSTOMER, customer, and Customer all match the same role.

Path parameter:
- roleName: name of the role to filter by. Built-in system roles are ADMIN, CUSTOMER, and LAUNDRER. The match is case-insensitive.

200 OK: the matching users, or [] if no users match the given role name.
GET /api/users/check/:cedula

Checks whether a cedula (national ID) already exists in the database. Designed for the online registration form auto-fill flow: if the user was pre-created at the reception desk, their name and phone number can be pre-populated.

Path parameter:
- cedula: the cedula or RIF to look up (e.g. V12345678, J123456789).

200 OK: user was found.
404 Not Found: cedula does not exist.
POST /api/users/register

Online self-registration for customers. Supports two flows:
- New user: creates a brand-new CUSTOMER account from scratch.
- Account activation: if a user was pre-created at the reception desk (via POST /api/users/admin) and has no email yet, this endpoint activates their account by adding email, username, and a hashed password.

Send multipart/form-data to upload an optional profile photo alongside the JSON fields.

Request body:
- National ID or RIF. Must start with V, E, J, or G. Used as the unique lookup key to determine the new vs. activation flow.
- User's first name.
- User's last name.
- Contact phone number.
- Unique email address.
- Desired unique username.
- Plain-text password. Hashed with bcrypt (salt rounds: 10) before storage.
- Optional profile photo. Send as multipart/form-data. The stored filename is saved to the photo field.

201 Created.
POST /api/users/admin (ADMIN)

Quick-registration flow for walk-in customers or new staff at the physical reception desk. Does not require email or password; the account can be activated later by the user via POST /api/users/register.

Request body:
- User's first name.
- User's last name.
- UUID of the role to assign (roleId). Obtain valid role UUIDs from GET /api/roles.
- National ID or RIF. Must start with V, E, J, or G.
- Contact phone number.
- Optional email address if already known at registration time.
- Optional username.
- Optional plain-text password (will be hashed). Usually omitted in the quick-registration flow.

201 Created.

Note: the response from POST /api/users/admin does not include the expanded role object, only the raw roleId. Use GET /api/users/role/:roleName or GET /api/users to retrieve users with their role details.

PATCH /api/users/:id (ADMIN or same user)
Updates one or more fields of an existing user account. An ADMIN can update any user; a CUSTOMER can only update their own profile (enforced server-side by comparing the JWT id claim against the path :id).

Supports both application/json and multipart/form-data (required when uploading a photo).

Path parameter:
- id: UUID of the user to update.

Request body (one or more of):
- New first name.
- New last name.
- New phone number.
- New unique email address.
- New unique username.
- New plain-text password. Will be hashed with bcrypt before storage.
- New profile photo file (multipart only).
- Account active/inactive flag. ADMIN only in practice.
- UUID of the new role to assign. ADMIN only in practice.

200 OK: updated User object (see User Object above).
403 Forbidden: a non-admin user attempts to edit another user's profile.
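The server-side ownership check described above (JWT id claim against the path :id, with ADMIN allowed to edit anyone) together with the "ADMIN only in practice" rule for the active flag and role, as an added example that is not the project's code. The claim names id and role.name and the field names isActive and roleId are assumptions; the bcrypt step is an injected hash function.

```javascript
// Added example, not the project's code: the authorization decision for
// PATCH /api/users/:id. Claim names (id, role.name) and the field names
// isActive / roleId are assumed; `hash` stands in for bcrypt.
const ADMIN_ONLY_FIELDS = new Set(['isActive', 'roleId']);

// Decides whether the caller (decoded JWT claims) may apply `body` to the user
// identified by the path :id. Returns an HTTP-style result so it is testable
// without a web framework.
function authorizePatch(claims, targetId, body) {
  if (!claims || !claims.id) return { status: 401, error: 'missing or invalid token' };
  const isAdmin = claims.role && claims.role.name === 'ADMIN';
  // A non-admin may only touch the profile whose id matches the token's id claim.
  if (!isAdmin && claims.id !== targetId) {
    return { status: 403, error: "cannot edit another user's profile" };
  }
  // Even on their own profile, a non-admin may not change isActive or roleId.
  const blocked = Object.keys(body).filter((k) => ADMIN_ONLY_FIELDS.has(k));
  if (!isAdmin && blocked.length > 0) {
    return { status: 403, error: `admin-only fields: ${blocked.join(', ')}` };
  }
  return { status: 200 };
}

// Applies an already authorized update. A plain-text password is never stored:
// it is hashed and written to hashPassword, and the plain field is dropped.
function applyPatch(user, body, hash) {
  const { password, ...rest } = body;
  const updated = { ...user, ...rest };
  if (password !== undefined) updated.hashPassword = hash(password);
  return updated;
}
```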
GET /api/roles

Returns the list of all available roles in the system. No authentication required.

200 OK: array of role objects, each with:
- UUID of the role. Use this value as roleId when creating users via POST /api/users/admin.
- Role name. System roles are ADMIN, CUSTOMER, and LAUNDRER.

POST /api/users/refresh
Exchanges a valid refresh token for a new short-lived access token, without requiring the user to log in again.

Request body:
- refreshToken: the refresh token previously received from POST /api/users/login.

200 OK: a new access token.
401 Unauthorized: refresh token is missing, expired, or invalid.
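The access/refresh token flow from the Authentication section and this endpoint, as an added client-side example that is not the project's code: a protected call that receives 401 triggers one POST /api/users/refresh and one retry, and a rejected refresh token surfaces as a 401 instead of a loop. The fetch function is injected and the server is a constructed fake so it runs offline; the name of the access-token field in the refresh response is assumed.

```javascript
// Added example, not the project's code: a client wrapper for the access/refresh
// token flow. fetchFn is injected so the example runs offline against a
// constructed fake server; the accessToken response field name is assumed.
function createClient({ accessToken, refreshToken }, fetchFn, baseUrl = '') {
  const tokens = { accessToken, refreshToken };

  // POST /api/users/refresh with { refreshToken }; false means re-login is required.
  async function refresh() {
    const res = await fetchFn(`${baseUrl}/api/users/refresh`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ refreshToken: tokens.refreshToken }),
    });
    if (res.status !== 200) return false; // missing, expired or invalid refresh token
    tokens.accessToken = (await res.json()).accessToken;
    return true;
  }

  // Calls a protected endpoint with the Bearer token; on 401 refreshes once and
  // retries once, never looping, so a dead refresh token surfaces as a 401.
  async function request(path, init = {}) {
    const send = () => fetchFn(`${baseUrl}${path}`, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${tokens.accessToken}` },
    });
    let res = await send();
    if (res.status === 401 && (await refresh())) res = await send();
    return res;
  }
  return { request, tokens };
}

// Constructed fake server: access token t1 is expired, t2 is fresh, and only
// the refresh token r-ok is accepted. Counts calls so the flow can be checked.
function fakeServer() {
  const expired = new Set(['t1']);
  let calls = 0;
  const reply = (status, body) => ({ status, json: async () => body });
  const fetchFn = async (url, init) => {
    calls += 1;
    if (url.endsWith('/api/users/refresh')) {
      const ok = JSON.parse(init.body).refreshToken === 'r-ok';
      return ok ? reply(200, { accessToken: 't2' }) : reply(401, {});
    }
    const token = init.headers.Authorization.replace('Bearer ', '');
    return expired.has(token) ? reply(401, {}) : reply(200, { ok: true });
  };
  return { fetchFn, calls: () => calls };
}
```

With a real deployment, pass the global fetch as fetchFn and the API origin as baseUrl.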