
The Agencia de Habilidades para el Futuro API uses stateless JWT (JSON Web Token) authentication. There is no session store or cookie — each protected request must carry a signed token in its Authorization header. Tokens are issued through a single login endpoint using fixed admin credentials stored in environment variables, and they expire after 1 hour. Once a token expires, a new one must be requested by logging in again.
This API follows a single-admin model. There is no user database for authentication purposes — the valid email and password are set via the ADMIN_EMAIL and ADMIN_PASSWORD environment variables on the server. Only one set of credentials exists at any time.

How it works

1. Log in to receive a token

Send a POST /api/auth/login request with a JSON body containing email and password. If the credentials match the server’s environment variables, the API returns a signed JWT.

2. Store the token client-side

Save the token returned in the response (token field). It is valid for 1 hour from the moment it was issued.

3. Attach the token to every protected request

Include the token in the Authorization header of each request that requires authentication, using the Bearer scheme:
Authorization: Bearer <your-jwt-token>

4. Middleware verifies the token

The authMiddleware reads the Authorization header, strips the Bearer prefix, and calls jwt.verify() with the server’s JWT_SECRET. If the token is valid and not expired, the decoded payload is attached to req.user and the request proceeds to the route handler.

5. Request is fulfilled

The route handler processes the request and returns the appropriate response. If the token is missing, the middleware returns a 401 error; if it is invalid or expired, it returns a 403 error. In both cases the handler is never reached.

Protected vs public routes

Not all routes require authentication. Read-only operations on postulants and the public auth test endpoint are openly accessible, while any operation that creates, modifies, or deletes data requires a valid token.
| Route | Method | Auth required? |
|---|---|---|
| GET /api/postulantes | GET | ❌ Public |
| GET /api/postulantes/:id | GET | ❌ Public |
| GET /api/auth/public | GET | ❌ Public |
| GET /up | GET | ❌ Public |
| POST /api/postulantes | POST | ✅ Token required |
| PUT /api/postulantes/:id | PUT | ✅ Token required |
| DELETE /api/postulantes/:id | DELETE | ✅ Token required |
| GET /api/auth/private | GET | ✅ Token required |

Token format

All protected requests must include the JWT in the Authorization header using the standard Bearer scheme. No other header names or formats are accepted.
Authorization: Bearer <your-jwt-token>
Example curl request to a protected route:
curl -X GET https://your-api-host/api/auth/private \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
If the header is absent or does not begin with the exact prefix "Bearer " (including the trailing space), the middleware immediately returns a 401 Unauthorized response.

Token expiry

Tokens are signed with expiresIn: '1h', meaning they become invalid 60 minutes after they are issued. This value is set directly in the jwt.sign() call inside controllers/auth.js and is not configurable at runtime. What happens when a token expires:
  • The middleware calls jwt.verify(), which throws an error for expired tokens.
  • The API returns a 403 Forbidden response with the message Token inválido o expirado.
  • The request is rejected and no route handler is executed.
How to get a new token: Call POST /api/auth/login again with the admin credentials. A fresh token with a new 1-hour window will be returned immediately.
curl -X POST https://your-api-host/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]", "password": "your-password"}'
There is no token refresh endpoint. When a token expires, the only way to obtain a new one is to log in again via POST /api/auth/login.
For a deep dive into how tokens are signed and how the middleware is implemented, see the JWT Implementation details.
