ContabilidadISV’s authentication system is built on JSON Web Tokens (JWT). The flow is straightforward: the client POSTs credentials toDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Medinaallan/ContabilidadISV/llms.txt
Use this file to discover all available pages before exploring further.
POST /api/auth/login, receives a signed JWT in the response, and stores it in localStorage (frontend) or in your HTTP client’s state. Every subsequent request to a protected endpoint must include the token in the Authorization header in the form Authorization: Bearer <token>. On the server side, the authenticateToken middleware verifies the token signature and confirms that the corresponding user still exists in the database before allowing the request to proceed.
All endpoints except
POST /api/auth/login and POST /api/auth/register require a valid JWT token passed in the Authorization: Bearer <token> header.Obtaining a Token
POST /api/auth/login
Validates the supplied credentials and returns a signed JWT along with the authenticated user’s profile. Failed attempts are recorded in the database and contribute to rate-limiting counters.
Request Body
The account username. Must be at least 3 characters long.
The account password. Cannot be empty.
Response
Human-readable confirmation, e.g.
"Login exitoso".Signed JWT bearer token. Include this value in the
Authorization: Bearer <token> header on all authenticated requests. Expires according to the JWT_EXPIRES_IN environment variable (defaults to 24h).The authenticated user’s profile.
Error Responses
| Status | Meaning |
|---|---|
400 | Validation error — username or password did not pass input validation. The response body contains a details array with field-level messages. |
401 | Invalid credentials — username not found or password mismatch. The response body is { "error": "Credenciales inválidas" }. |
500 | Internal server error. |
Example
Registering a User
POST /api/auth/register
Creates a new user account and immediately returns a JWT so the client can proceed without a separate login step. In most deployments this endpoint is used for initial setup or by administrators to onboard new users.
Request Body
Desired username. Must be between 3 and 30 characters after trimming whitespace.
Valid email address. The value is normalized (lowercased, extraneous dots removed) before storage.
Account password. Minimum 6 characters. Stored as a bcrypt hash (12 salt rounds).
Role to assign. Optional. Must be exactly
"user" or "admin" if provided; defaults to "user".Validation Rules (enforced by express-validator)
| Field | Rule |
|---|---|
username | Trimmed; length 3–30 characters |
email | Must pass isEmail() check; normalized before storage |
password | Minimum 6 characters |
role | Optional; must be "user" or "admin" if present |
Response
Same shape as the login response:"Usuario registrado exitosamente"Signed JWT bearer token for the newly created account.
Error Responses
| Status | Meaning |
|---|---|
400 | Validation error or email already registered. |
500 | Internal server error. |
Example
Token Validation
GET /api/auth/validate
Verifies that the bearer token in the request header is still valid and that the associated user exists in the database. Use this endpoint in client-side route guards or app initialization to quickly check session state.
Requires: Authorization: Bearer <token>
Response
Always
true when the request succeeds (a failed token produces a 401/403 error, not false).Error Responses
| Status | Meaning |
|---|---|
401 | No token provided, or the token’s user no longer exists in the database. |
403 | Token present but signature verification failed (expired or tampered). |
Example
Get Profile
GET /api/auth/profile
Returns the full profile record for the currently authenticated user as stored in the database. Unlike the token payload — which is static for the token’s lifetime — this endpoint reflects any updates made to the user record after the token was issued.
Requires: Authorization: Bearer <token>
Response
Error Responses
| Status | Meaning |
|---|---|
401 | Missing or invalid token. |
404 | User referenced by the token no longer exists. |
500 | Internal server error. |
Example
Logout
POST /api/auth/logout
Records a USER_LOGOUT event in the system log (capturing IP address and User-Agent) and confirms the session has been closed. Because ContabilidadISV uses stateless JWTs, the token is not blocklisted server-side — the client is responsible for deleting it from localStorage.
Requires: Authorization: Bearer <token>
Response
"Logout exitoso"Error Responses
| Status | Meaning |
|---|---|
401 | Missing or invalid token. |
500 | Internal server error (log creation failed). |
Example
Admin Endpoints
The following endpoints require both a valid token and theadmin role. Requests from user-role accounts receive a 403 Forbidden response.
GET /api/auth/login-history
Returns a paginated list of login attempts recorded in the database (both successful and failed).
Requires: Authorization: Bearer <token> · role: admin
Query Parameters
Filter attempts by username (partial or exact, depending on DB implementation).
Filter attempts originating from a specific IP address.
How many hours into the past to look. Defaults to
24.When
"true", return only failed attempts.Response
true on success.Total number of records returned.
Array of login-attempt objects.
Example
GET /api/auth/failed-login-stats
Aggregates failed login attempts by IP address over a configurable time window. Use this to identify brute-force patterns.
Requires: Authorization: Bearer <token> · role: admin
Query Parameters
Narrow results to a specific IP address.
Time window in minutes. Defaults to
30.Response
true on success.Number of distinct IP entries returned.
Example
POST /api/auth/clean-login-attempts
Purges login attempt records older than the specified number of days. Run periodically to keep the login_attempts table lean.
Requires: Authorization: Bearer <token> · role: admin
Request Body
Records older than this many days will be deleted. Defaults to
30.Example
Using the Token
Frontend — Axios interceptor (from api.ts)
The React frontend configures an Axios instance that automatically attaches the stored token to every outgoing request and handles 401 responses by clearing state and redirecting to the login page:
axios-interceptor.ts
localStorage:
store-token.ts
Any HTTP client
You can replicate the same pattern in any language or tool — the only requirement is theAuthorization header:
Related Pages
- Quickstart — end-to-end setup and first login
- Environment Configuration —
JWT_SECRET,JWT_EXPIRES_IN, and other auth-related variables - Security Configuration — rate limiting, CORS, and brute-force protection details
- Audit Logs — how
USER_LOGIN,USER_LOGOUT, andUSER_REGISTERevents are recorded - Users API — managing user accounts after authentication
- Admin API — other admin-only operations