The UpdaterAgent authentication API provides endpoints for logging in with credentials, refreshing short-lived JWT access tokens, managing active sessions, and changing passwords. All authenticated endpoints across the rest of the API require a valid access token issued by these endpoints. Tokens expire after 1 hour; use the refresh-token endpoint to obtain a new access token without re-entering credentials.

Endpoints

POST /api/auth/login

Authenticate with email and password. Returns a JWT access token, its expiry timestamp, and the session ID. Also sets an HttpOnly refresh-token cookie valid for 7 days.

Request body
email (string, required): The user’s email address.
password (string, required): The user’s password.

Response
accessToken (string, required): A signed JWT to include in the Authorization header for subsequent requests. Expires after 1 hour.
expireDate (string, required): ISO 8601 timestamp indicating when the access token expires.
sessionId (number, required): Numeric ID of the created session. Use with DELETE /api/auth/sessions/{id} to revoke it.

cURL
curl -X POST https://your-domain.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "securePassword123"}'

A Set-Cookie header is also returned with the HttpOnly refresh token:
refresh-token=<token>; HttpOnly; Secure; SameSite=Strict; Max-Age=604800

POST /api/auth/refresh-token

Exchange the refresh-token cookie for a new JWT access token. No request body is required — the refresh token is read automatically from the cookie sent by the browser.
The refresh-token cookie has a 7-day lifetime. If it is absent or expired, the response is 401 Unauthorized and the user must log in again.

Response
accessToken (string, required): A new JWT access token valid for 1 hour.
expireDate (string, required): ISO 8601 timestamp indicating when the new access token expires.
sessionId (number, required): The same session ID as the original login.

cURL
curl -X POST https://your-domain.com/api/auth/refresh-token \
  --cookie "refresh-token=<your-refresh-token>"

POST /api/auth/logout

End the current session. Marks the session as inactive, removes the refresh token from the database, and clears the refresh-token cookie. Requires a valid JWT in the Authorization header.
cURL
curl -X POST https://your-domain.com/api/auth/logout \
  -H "Authorization: Bearer <accessToken>"

POST /api/auth/change-password

Change the current user’s password. Requires the existing password for verification. All active sessions for the user are deactivated after a successful password change.

Request body
currentPassword (string, required): The user’s current password, used to confirm identity before changing.
newPassword (string, required): The new password. Must be at least 8 characters and include uppercase, lowercase, and a digit.

cURL
curl -X POST https://your-domain.com/api/auth/change-password \
  -H "Authorization: Bearer <accessToken>" \
  -H "Content-Type: application/json" \
  -d '{"currentPassword": "oldPassword123", "newPassword": "newSecurePass456"}'

Changing your password invalidates all active sessions for your account, including the current one. You will need to log in again.

GET /api/auth/sessions

List all active sessions for the currently authenticated user. Returns device name and IP address for each session so you can identify and revoke unfamiliar sessions.

Response (per session)
id (number, required): Session ID. Pass to DELETE /api/auth/sessions/{id} to revoke.
deviceName (string): The User-Agent string captured when the session was created.
ipAddress (string): Client IP address at the time of login.
lastSeenAt (string): ISO 8601 timestamp of the last token refresh for this session.
createdAt (string): ISO 8601 timestamp when the session was created.

cURL
curl https://your-domain.com/api/auth/sessions \
  -H "Authorization: Bearer <accessToken>"

DELETE /api/auth/sessions/{id}

Revoke a specific session by its ID. After revocation, any access token associated with that session will be rejected on the next authorization check.

Path parameters
id (number, required): The session ID to revoke. Retrieve session IDs from GET /api/auth/sessions.

cURL
curl -X DELETE https://your-domain.com/api/auth/sessions/456 \
  -H "Authorization: Bearer <accessToken>"

Using the access token

Include the access token in the Authorization header of every API request:
Authorization: Bearer <accessToken>
Tokens are valid for 1 hour. When a request returns 401 with code Auth.TokenExpired, call POST /api/auth/refresh-token to get a new token — no credentials needed as long as the refresh-token cookie is valid (7-day lifetime).
Store the access token in memory, not in localStorage, to reduce XSS exposure. The refresh token is already protected in an HttpOnly cookie and cannot be accessed from JavaScript.

Error codes

Code                       HTTP Status  Description
Auth.InvalidCredentials    401          Email or password is incorrect.
Auth.Unauthorized          401          Token is missing, invalid, or cannot be validated.
Auth.Forbidden             403          Token is valid but the user lacks the required permission.
Auth.SessionInactive       401          The session associated with the token has been revoked.
Auth.TokenExpired          401          The access token has expired. Refresh using the refresh-token cookie.

All error responses share this shape:
{
  "error": {
    "code": "Auth.TokenExpired",
    "message": "Invalid or expired token"
  }
}
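The following client is an added example, not code from the UpdaterAgent project, showing how the "Using the access token" guidance and the error-code table above fit together: the access token is held in memory only, the HttpOnly refresh-token cookie is sent via credentials: "include" without the script ever reading it, a 401 with code Auth.TokenExpired triggers exactly one refresh and retry, and every other 401 (Auth.Unauthorized, Auth.SessionInactive) drops the token so the UI falls back to the login form. After a password change the client also discards its token, because all sessions are deactivated. The fake server, the token values ("tok-1", "tok-2"), the cookie handling and the placeholder body it returns for GET /api/auth/sessions are constructed for this example and do not reflect the real API's response bodies.

```javascript
// Added example, not code from the UpdaterAgent project: a browser-style client for the
// flow described above. The access token lives only in memory; the refresh token stays in
// the HttpOnly cookie, so requests use credentials: "include" and the client never reads
// the cookie. fetchImpl is injectable so the flow runs offline against a constructed fake.
class AuthError extends Error {
  constructor(e = {}) { super(e.message || "auth error"); this.code = e.code; }
}
// The one 401 a refresh can fix (see the error-code table); any other 401 such as
// Auth.Unauthorized or Auth.SessionInactive means the user must log in again.
function isTokenExpired(status, body) {
  return status === 401 && !!body.error && body.error.code === "Auth.TokenExpired";
}
async function parseJson(res) {            // tolerate empty bodies (e.g. logout)
  const text = await res.text();
  return text ? JSON.parse(text) : {};
}

class AuthClient {
  constructor(baseUrl, fetchImpl = globalThis.fetch) {
    this.baseUrl = baseUrl; this.fetchImpl = fetchImpl; this.clear();
  }
  clear() { this.accessToken = null; this.expireDate = null; this.sessionId = null; }
  store(b) {                               // memory only, never localStorage
    this.accessToken = b.accessToken; this.expireDate = new Date(b.expireDate); this.sessionId = b.sessionId;
  }
  async post(path, json) {                 // unauthenticated POST (login, refresh)
    const res = await this.fetchImpl(this.baseUrl + path, {
      method: "POST", credentials: "include",
      headers: json ? { "Content-Type": "application/json" } : {},
      body: json ? JSON.stringify(json) : undefined,
    });
    const body = await parseJson(res);
    if (!res.ok) throw new AuthError(body.error);
    return body;
  }
  async login(email, password) { this.store(await this.post("/api/auth/login", { email, password })); }
  async refresh() {                        // cookie absent or expired -> 401 -> log in again
    try { this.store(await this.post("/api/auth/refresh-token")); }
    catch (e) { this.clear(); throw e; }
  }
  // Authenticated request: exactly one refresh-and-retry on Auth.TokenExpired, never a loop.
  async request(path, init = {}) {
    const send = () => this.fetchImpl(this.baseUrl + path, { ...init, credentials: "include",
      headers: { ...(init.headers || {}), Authorization: "Bearer " + this.accessToken } });
    let res = await send(), body = await parseJson(res), refreshed = false;
    if (isTokenExpired(res.status, body)) {
      await this.refresh(); refreshed = true;
      res = await send(); body = await parseJson(res);
    }
    if (res.status === 401) { this.clear(); throw new AuthError(body.error); }
    if (!res.ok) throw new AuthError(body.error);
    return { status: res.status, body, refreshed };
  }
  async changePassword(currentPassword, newPassword) {
    await this.request("/api/auth/change-password", { method: "POST",
      headers: { "Content-Type": "application/json" }, body: JSON.stringify({ currentPassword, newPassword }) });
    this.clear();                          // every session is deactivated, this one included
  }
}

// Constructed fake server standing in for https://your-domain.com; the "cookie jar" is a variable here.
function makeFakeServer() {
  const s = { cookie: null, token: null, active: false, expired: false, seq: 0, password: "securePassword123" };
  const reply = (status, body) => ({ status, ok: status < 300, text: async () => JSON.stringify(body) });
  const fail = (code) => reply(401, { error: { code, message: "Invalid or expired token" } });
  const issue = () => { s.seq += 1; s.token = "tok-" + s.seq; s.expired = false; return reply(200,
    { accessToken: s.token, sessionId: 1, expireDate: new Date(Date.now() + 3600e3).toISOString() }); };
  const fetchImpl = async (url, init = {}) => {
    const path = new URL(url).pathname, auth = (init.headers || {}).Authorization;
    if (path === "/api/auth/login") { s.cookie = "rt-1"; s.active = true; return issue(); }   // Set-Cookie
    if (path === "/api/auth/refresh-token") return s.cookie ? issue() : fail("Auth.Unauthorized");
    if (auth !== "Bearer " + s.token) return fail("Auth.Unauthorized");
    if (!s.active) return fail("Auth.SessionInactive");
    if (s.expired) return fail("Auth.TokenExpired");
    if (path === "/api/auth/change-password") {
      const { currentPassword, newPassword } = JSON.parse(init.body);
      if (currentPassword !== s.password) return fail("Auth.InvalidCredentials");
      s.password = newPassword; s.cookie = null; s.active = false;   // all sessions deactivated
      return reply(200, {});
    }
    return reply(200, { path });            // placeholder body for any other authenticated endpoint
  };
  return { fetchImpl, expireToken: () => { s.expired = true; } };
}

// Walk the flow end to end: login, 1-hour expiry, transparent refresh, password change.
async function demo() {
  const server = makeFakeServer(), client = new AuthClient("https://your-domain.com", server.fetchImpl);
  await client.login("user@example.com", "securePassword123");
  const first = await client.request("/api/auth/sessions");     // fresh token: no refresh needed
  server.expireToken();                                           // simulate the 1-hour expiry
  const second = await client.request("/api/auth/sessions");    // 401 TokenExpired -> refresh -> retry
  const oldToken = client.accessToken;
  await client.changePassword("securePassword123", "newSecurePass456");
  const stale = await parseJson(await server.fetchImpl("https://your-domain.com/api/auth/sessions",
    { headers: { Authorization: "Bearer " + oldToken } }));      // the old token is now rejected
  let refreshCode = null;
  try { await client.refresh(); } catch (e) { refreshCode = e.code; }   // and the cookie is gone too
  return { firstRefreshed: first.refreshed, secondRefreshed: second.refreshed, oldToken,
           staleCode: stale.error.code, refreshCode, tokenCleared: client.accessToken === null };
}
demo().then(console.log);
```

Run it with Node 18 or later (the URL global is used by the fake server; globalThis.fetch is only the default when no fetchImpl is injected). Two design points matter in production: the retry is bounded to a single refresh so a broken or revoked session cannot turn into a refresh loop, and Auth.SessionInactive is deliberately not retried, since the error table says the session is gone and only a fresh login can help.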
