
Overview

The InvestGo platform uses JSON Web Tokens (JWT) for authentication. Users must first obtain a token by providing valid credentials, then include this token in the Authorization header for subsequent API requests.
JWT tokens are valid for 10 hours from the time of generation. After expiration, users must re-authenticate to obtain a new token.

Generate Token

POST /generate-token

Authenticates a user and generates a JWT token for API access.

Request Body

username (string, required): The user's unique username
password (string, required): The user's password

Response

token (string): The JWT token to be used for authenticated requests. Include this token in the Authorization header as Bearer {token} for subsequent API calls.

Example Request

cURL
curl -X POST https://api.investgo.com/generate-token \
  -H "Content-Type: application/json" \
  -d '{
    "username": "investor123",
    "password": "securePassword123"
  }'
Request Body
{
  "username": "investor123",
  "password": "securePassword123"
}

Example Response

200 - Success
{
  "token": "eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbnZlc3RvcjEyMyIsImV4cCI6MTYxNjIzOTAyMiwiaWF0IjoxNjE2MjAzMDIyfQ.8Z..."
}

Error Responses

500 - User Not Found
{
  "timestamp": "2026-03-05T10:15:30.000+00:00",
  "status": 500,
  "error": "Internal Server Error",
  "message": "Usuario no encontrado",
  "path": "/generate-token"
}
500 - Disabled User
{
  "timestamp": "2026-03-05T10:15:30.000+00:00",
  "status": 500,
  "error": "Internal Server Error",
  "message": "Usuario deshabilitado",
  "path": "/generate-token"
}
500 - Invalid Credentials
{
  "timestamp": "2026-03-05T10:15:30.000+00:00",
  "status": 500,
  "error": "Internal Server Error",
  "message": "Credenciales ivalidas",
  "path": "/generate-token"
}
This endpoint throws exceptions for authentication failures including:
  • Usuario no encontrado: User does not exist in the system
  • Usuario deshabilitado: User account has been disabled
  • Credenciales ivalidas: Username or password is incorrect

Get Current User

GET /actual-usuario

Retrieves the complete profile information for the currently authenticated user.

Authentication

Authorization (string, required): Bearer token obtained from the /generate-token endpoint. Format: Bearer {token}

Response

id (long): Unique identifier for the user
nombre (string): User's first name
apellidoPa (string): User's paternal last name
apellidoMa (string): User's maternal last name
telefono (string): User's phone number
correo (string): User's email address
username (string): User's unique username
password (string): BCrypt hash of the password as stored in the database (not the plaintext)
foto (string): URL or path to user's profile photo
fecha (string): User's registration or birth date in yyyy-MM-dd format (America/Lima timezone)
dni (string): User's national identification number (DNI)
enable (string): User account status
idTipoUsu (long): User role type identifier
tiporol (object): User's role information
authorities (array): List of granted authorities for the user based on their role
accountNonExpired (boolean): Indicates if the account is not expired (always true)
accountNonLocked (boolean): Indicates if the account is not locked (always true)
credentialsNonExpired (boolean): Indicates if the credentials are not expired (always true)
enabled (boolean): Indicates if the account is enabled (always true)

Example Request

cURL
curl -X GET https://api.investgo.com/actual-usuario \
  -H "Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbnZlc3RvcjEyMyIsImV4cCI6MTYxNjIzOTAyMiwiaWF0IjoxNjE2MjAzMDIyfQ.8Z..."

Example Response

200 - Success
{
  "id": 1,
  "nombre": "Juan",
  "apellidoPa": "Pérez",
  "apellidoMa": "García",
  "telefono": "+51987654321",
  "correo": "[email protected]",
  "username": "investor123",
  "password": "$2a$10$slYQmyNdGzTn7ZLBXBChFOC9f6kFjAqPhccnP6DxlWXx2lPk1C3G6",
  "foto": "/uploads/profiles/user1.jpg",
  "fecha": "2025-01-15",
  "dni": "12345678",
  "enable": "true",
  "idTipoUsu": 2,
  "tiporol": {
    "idTipoUsu": 2,
    "tipo": "INVESTOR"
  },
  "authorities": [
    {
      "authority": "INVESTOR"
    }
  ],
  "accountNonExpired": true,
  "accountNonLocked": true,
  "credentialsNonExpired": true,
  "enabled": true
}

Error Responses

401 - Unauthorized
{
  "timestamp": "2026-03-05T10:15:30.000+00:00",
  "status": 401,
  "error": "Unauthorized",
  "message": "Full authentication is required to access this resource",
  "path": "/actual-usuario"
}
403 - Forbidden (Invalid or Expired Token)
{
  "timestamp": "2026-03-05T10:15:30.000+00:00",
  "status": 403,
  "error": "Forbidden",
  "message": "Access Denied",
  "path": "/actual-usuario"
}
The password field in the response is the BCrypt hash stored in the database, not the plaintext password; it cannot be submitted to /generate-token to authenticate.

Authentication Flow

  1. Obtain Token: Call POST /generate-token with username and password
  2. Store Token: Save the returned JWT token securely on the client side
  3. Use Token: Include the token in the Authorization header for all subsequent requests
  4. Refresh: Generate a new token before the 10-hour expiration period

Token Usage Example

Once you have obtained a token, include it in your API requests:
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbnZlc3RvcjEyMyIsImV4cCI6MTYxNjIzOTAyMiwiaWF0IjoxNjE2MjAzMDIyfQ.8Z...
Keep your JWT token secure. Do not expose it in client-side code, logs, or URLs. Treat it like a password.
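The four-step flow above, written out as an added Python client (example code, not part of the InvestGo project): it reads the exp claim from the token without verifying the HS512 signature (only the server holds the secret), refreshes before the 10-hour expiry, and attaches the Bearer header. The injected transport function and fake_transport are assumptions constructed so the example runs offline against the responses shown on this page.

```python
import base64
import json

# Token from the page's example response (signature truncated there; a constructed placeholder fills it).
SAMPLE_TOKEN = ("eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbnZlc3RvcjEyMyIsImV4cCI6MTYxNjIzOTAy"
                "MiwiaWF0IjoxNjE2MjAzMDIyfQ.placeholder-signature")

def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying the HS512 signature. Only the server
    holds the secret: a client may read exp/iat to plan a refresh, nothing more."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def needs_refresh(token: str, now: int, margin_s: int = 300) -> bool:
    return now >= decode_claims(token)["exp"] - margin_s  # expired or within margin

class InvestGoClient:
    """Obtain, store, use, refresh. transport(method, path, headers, body)
    returns (status, dict); it is injected so the example runs offline."""
    def __init__(self, transport):
        self._send, self._token = transport, None

    def generate_token(self, username: str, password: str) -> str:
        status, body = self._send("POST", "/generate-token", {},
                                  {"username": username, "password": password})
        if status != 200:  # page documents HTTP 500 plus a 'message' on failure
            raise PermissionError(body.get("message", "authentication failed"))
        self._token = body["token"]
        return self._token

    def get_current_user(self, now: int) -> dict:
        if self._token is None or needs_refresh(self._token, now):
            raise RuntimeError("no usable token: call generate_token() first")
        headers = {"Authorization": f"Bearer {self._token}"}  # never log this
        status, body = self._send("GET", "/actual-usuario", headers, None)
        if status in (401, 403):  # missing token vs. invalid/expired token
            raise PermissionError(body.get("message", "access denied"))
        return body

def fake_transport(method, path, headers, body):
    """Constructed stand-in for api.investgo.com mirroring the page's responses."""
    if path == "/generate-token":
        ok = body == {"username": "investor123", "password": "securePassword123"}
        return (200, {"token": SAMPLE_TOKEN}) if ok else (500, {"message": "Credenciales ivalidas"})
    if headers.get("Authorization") == f"Bearer {SAMPLE_TOKEN}":
        return 200, {"id": 1, "username": "investor123", "enabled": True}
    return 403, {"message": "Access Denied"}
```

The sample token's own claims show the documented lifetime: exp minus iat is 36,000 seconds.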

Security Considerations

  • Tokens are signed using HS512 algorithm
  • Token expiration is set to 10 hours (36,000,000 milliseconds)
  • All authentication endpoints support CORS for cross-origin requests
  • Failed authentication attempts will throw descriptive exceptions
  • User accounts can be disabled to prevent access even with valid credentials
