Krafta handles identity with a custom HMAC-SHA256 JWT implementation that runs entirely in Next.js Route Handlers — no third-party auth library is required. Every successful authentication call sets a krafta-token HttpOnly cookie that the browser sends automatically on subsequent requests. Passwords are hashed with PBKDF2-SHA512 before storage.
POST /api/auth/register
Creates a new user account with the default CLIENTE role, signs a JWT, and sets the session cookies immediately so the user is logged in upon registration.
Request body
- email: The user’s email address. Stored in lowercase. Must not already be registered in the system.
- password: Plain-text password. Must be at least 6 characters long. Hashed with PBKDF2-SHA512 before storage; never persisted in plain text.
Response
- Always true on a 200 response.
- The newly created user object.
Cookies set
| Cookie | Value | Flags |
|---|---|---|
| krafta-token | Signed JWT | HttpOnly, SameSite=lax, Secure (prod), 24 h |
| krafta-role | CLIENTE | SameSite=lax, 24 h |
Error responses
| Status | Condition |
|---|---|
| 400 | email or password field is missing from the body |
| 400 | Email is already registered |
| 400 | Password is shorter than 6 characters |
POST /api/auth/login
Verifies credentials against the stored PBKDF2-SHA512 hash and, on success, signs a new JWT and sets the session cookies.
Request body
- email: The registered email address.
- password: The account password.
Response
- true on a successful login.
- The authenticated user object.
Cookies set
| Cookie | Value | Flags |
|---|---|---|
| krafta-token | Signed JWT | HttpOnly, SameSite=lax, Secure (prod), 24 h |
| krafta-role | User role string | SameSite=lax, 24 h |
Error responses
| Status | Condition |
|---|---|
| 400 | email or password field is missing |
| 401 | Email not found or password does not match |
Example
POST /api/auth/logout
Terminates the current session by expiring both auth cookies. No request body is required.
Response
- true when the cookies have been cleared.
- Human-readable confirmation: "Sesión cerrada correctamente".
The krafta-token and krafta-role cookies are overwritten with empty values and maxAge: 0, causing browsers to immediately discard them.
GET /api/auth/me
Returns the currently authenticated user’s profile. The endpoint reads the krafta-token cookie, verifies the JWT signature and expiry, and fetches the fresh user record from the database.
Unlike the login response, this endpoint performs a live database lookup so that any role changes made since the token was issued are reflected in the response.
Response
- true when a valid, unexpired token is present and the user exists.
- Present only when authenticated is true.
Unauthenticated requests receive { "authenticated": false } rather than a 401, so client-side session checks are always safe to make.
POST /api/auth/convert-creator
Upgrades the authenticated user from CLIENTE to the CREADOR role and creates the associated Creator and CreatorStore records. A new JWT with the updated role is re-issued and set on the response cookies.
This endpoint requires a valid krafta-token cookie. Callers that are already CREADOR, ADMIN, or TALLER should not call this endpoint.
Request body
- displayName: The public-facing name of the creator’s store (e.g. "Estudio Luna").
- slug: A URL-friendly handle for the store. Sanitized server-side: lowercased and stripped of characters outside [a-z0-9-_]. Must be unique across all creator stores.
- A short description of the creator’s store. Optional.
Response
- true on a successful conversion.
- Updated user object reflecting the new CREADOR role.
Error responses
| Status | Condition |
|---|---|
| 400 | displayName or slug is missing from the request body |
| 400 | The sanitized slug is already in use by another creator |
| 401 | No krafta-token cookie present, or the token is expired/invalid |
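The slug rule above, as an added example that is not part of the project's code: lowercase, strip every character outside [a-z0-9-_], then check uniqueness against slugs that are already in sanitized form. Because characters are stripped rather than replaced, inputs such as "Estudio Luna" and "estudioluna" collapse to the same value, so the uniqueness check has to run on the sanitized string, not the raw input. The existingSlugs set, the rejection of a slug that is empty after sanitization, and the result object shape are assumptions for this example.

```javascript
// Added example (not Krafta's own code): store-slug sanitization and
// uniqueness check as described for POST /api/auth/convert-creator.
// The in-memory existingSlugs set, the empty-slug rejection and the
// { ok, status, error } result shape are assumptions for this example.

// Lowercase, then drop anything outside [a-z0-9-_]. Path and query
// characters ("/", ".", "?", "=") never survive, so the slug is safe to
// embed in a URL path without further escaping.
function sanitizeSlug(input) {
  return String(input).toLowerCase().replace(/[^a-z0-9_-]/g, "");
}

// Validate against the set of slugs already taken. The set must hold
// sanitized values so that "ESTUDIO-LUNA" and "estudio-luna" collide.
function validateSlug(input, existingSlugs) {
  const slug = sanitizeSlug(input);
  if (slug.length === 0) {
    return { ok: false, status: 400, error: "slug is empty after sanitization" };
  }
  if (existingSlugs.has(slug)) {
    return { ok: false, status: 400, error: "slug already in use" };
  }
  return { ok: true, slug };
}

// Constructed sample of slugs already registered (not real data).
const existingSlugs = new Set(["estudio-luna"]);
```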
How authentication is enforced
Cookie security model
Both cookies are scoped to path: "/" and set with SameSite=lax. The krafta-token cookie carries the HttpOnly flag so JavaScript running in the browser cannot read it. In production (NODE_ENV === "production"), both cookies are also marked Secure, restricting transmission to HTTPS connections only.
JWT structure
Tokens use the HS256 algorithm. The payload contains:
Tokens are signed with the secret from the JWT_SECRET environment variable. Tokens expire 24 hours after issuance. There are no refresh tokens; users must re-authenticate once a token expires.
Role-based access control
Server-side route handlers that require a specific role call requireRole(request, ["ADMIN"]) from src/lib/api-auth.js. This helper:
- Reads the krafta-token cookie from the incoming request.
- Verifies the JWT signature and expiry.
- Checks that the decoded role claim is in the list of allowed roles.
- Returns a 403 response if the check fails, or the decoded user payload if it passes.
The roles defined in the system are CLIENTE, ADMIN, TALLER, and CREADOR.