The Agencia de Habilidades para el Futuro API uses stateless JWT (JSON Web Token) authentication. There is no session store or cookie; each protected request must carry a signed token in its `Authorization` header. Tokens are issued through a single login endpoint using fixed admin credentials stored in environment variables, and they expire after 1 hour. Once a token expires, a new one must be requested by logging in again.
This API follows a single-admin model. There is no user database for authentication purposes; the valid email and password are set via the `ADMIN_EMAIL` and `ADMIN_PASSWORD` environment variables on the server. Only one set of credentials exists at any time.

How it works
1. Log in to receive a token. Send a `POST /api/auth/login` request with a JSON body containing `email` and `password`. If the credentials match the server's environment variables, the API returns a signed JWT.
2. Store the token client-side. Save the token returned in the response (`token` field). It is valid for 1 hour from the moment it was issued.
3. Attach the token to every protected request. Include the token in the `Authorization` header of each request that requires authentication, using the Bearer scheme.
4. Middleware verifies the token. The `authMiddleware` reads the `Authorization` header, strips the `Bearer` prefix, and calls `jwt.verify()` with the server's `JWT_SECRET`. If the token is valid and not expired, the decoded payload is attached to `req.user` and the request proceeds to the route handler.

Protected vs public routes
Not all routes require authentication. Read-only operations on postulants and the public auth test endpoint are openly accessible, while any operation that creates, modifies, or deletes data requires a valid token.

| Route | Method | Auth required? |
|---|---|---|
| `/api/postulantes` | GET | ❌ Public |
| `/api/postulantes/:id` | GET | ❌ Public |
| `/api/auth/public` | GET | ❌ Public |
| `/up` | GET | ❌ Public |
| `/api/postulantes` | POST | ✅ Token required |
| `/api/postulantes/:id` | PUT | ✅ Token required |
| `/api/postulantes/:id` | DELETE | ✅ Token required |
| `/api/auth/private` | GET | ✅ Token required |
Token format
All protected requests must include the JWT in the `Authorization` header using the standard Bearer scheme. No other header names or formats are accepted. If the header is missing or does not start with `Bearer `, the middleware immediately returns a 401 Unauthorized response.
Token expiry
Tokens are signed with `expiresIn: '1h'`, meaning they become invalid 60 minutes after they are issued. This value is set directly in the `jwt.sign()` call inside `controllers/auth.js` and is not configurable at runtime.
What happens when a token expires:
- The middleware calls `jwt.verify()`, which throws an error for expired tokens.
- The API returns a `403 Forbidden` response with the message `Token inválido o expirado`.
- The request is rejected and no route handler is executed.

To obtain a new token, send `POST /api/auth/login` again with the admin credentials. A fresh token with a new 1-hour window will be returned immediately.
There is no token refresh endpoint. When a token expires, the only way to obtain a new one is to log in again via `POST /api/auth/login`.