
UpdaterAgent uses JWT-based authentication with short-lived access tokens and long-lived refresh tokens stored in HttpOnly cookies. Every protected endpoint requires a valid Bearer token. Authorization is permission-based: each user is assigned a role, and each role carries a set of granular permissions that are embedded directly in the JWT.

Access token

After a successful login, you receive a JWT access token valid for 1 hour.
Token lifetime: 1 hour (JwtOptions.ExpiryMinutes: 60)
Claims embedded in the token:
Claim         Value                                  Description
sub           User ID                                Identifies the authenticated user
email         user@example.com                       User’s email address
tenantId      Tenant ID                              Determines which tenant’s data the user can access
sessionId     Session ID                             Links the token to a specific session for revocation
permissions   ["Loads.View", "Loads.Create", ...]    Flattened list of all granted permissions
iat           Unix timestamp                         When the token was issued
exp           Unix timestamp                         When the token expires
Example decoded payload:
{
  "sub": "123",
  "email": "user@example.com",
  "tenantId": "1",
  "sessionId": "456",
  "permissions": ["Loads.View", "Loads.Create", "Drivers.View"],
  "iat": 1234567890,
  "exp": 1234571490
}

Refresh token

A refresh token is issued alongside the access token and stored as an HttpOnly cookie named refresh-token. Script running in the page cannot read the cookie, so an XSS payload cannot exfiltrate the refresh token itself; it can still make the browser call the refresh endpoint while the page is open, which is why the access token is also kept short-lived and in memory rather than in storage. SameSite=Strict keeps the browser from attaching the cookie to requests initiated by other sites, so a cross-site page cannot trigger a refresh on the user's behalf.
Cookie name: refresh-token
Token lifetime: 7 days (JwtOptions.RefreshTokenExpiryDays: 7)
Cookie flags: HttpOnly; Secure; SameSite=Strict

How to authenticate

Send a POST request with your email and password:
POST /api/auth/login
Content-Type: application/json
{
  "email": "user@example.com",
  "password": "securePassword123"
}
On success you receive:
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expireDate": "2025-01-15T14:30:00Z",
  "sessionId": 456
}
The refresh-token cookie is set automatically by the server response. Store the accessToken in memory (not in localStorage) to minimize XSS exposure.

How to use the token

Include the access token in the Authorization header of every API request:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Refreshing the token

When the access token expires, request a new one. No request body is required — the server reads the refresh-token cookie automatically:
POST /api/auth/refresh-token
On success, you receive a new accessToken with a fresh 1-hour expiry. The refresh token itself remains valid for the remainder of its 7-day window.
Implement automatic token refresh in your client by intercepting 401 responses from protected endpoints: attempt one refresh call, then retry the original request with the new token. Do not apply the interceptor to the login or refresh-token endpoints themselves, or a revoked session turns into a refresh loop. If the refresh also returns 401, discard the in-memory access token and redirect the user to the login page. The expireDate returned at login also lets you refresh shortly before expiry instead of waiting for a 401.
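The login, Bearer header and refresh-on-401 steps above, as one added example. This is not UpdaterAgent's own client code: the `fetchImpl` and `onSessionLost` hooks, the `/api/loads` protected endpoint and the fake server are assumptions made so the flow can run offline; the auth endpoints, JSON shapes and cookie behaviour follow the page.

```javascript
// Added example, not UpdaterAgent's own client code: an API client that keeps the
// access token in memory, sends it as a Bearer header, and on a 401 from a protected
// endpoint refreshes once through the refresh-token cookie before retrying.
// Assumptions: `fetchImpl` (a fetch-compatible function), `onSessionLost` (called when
// the refresh itself fails) and the `/api/loads` endpoint are invented for this example.
function createApiClient({ baseUrl, fetchImpl, onSessionLost }) {
  let accessToken = null; // memory only; never localStorage

  async function login(email, password) {
    const res = await fetchImpl(`${baseUrl}/api/auth/login`, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      credentials: "include", // let the browser keep the Set-Cookie refresh-token
      body: JSON.stringify({ email, password }),
    });
    if (res.status !== 200) return false;
    accessToken = (await res.json()).accessToken;
    return true;
  }

  // No body: the server reads the HttpOnly refresh-token cookie the browser attaches.
  async function refresh() {
    const res = await fetchImpl(`${baseUrl}/api/auth/refresh-token`, {
      method: "POST",
      credentials: "include",
    });
    if (res.status !== 200) return false;
    accessToken = (await res.json()).accessToken;
    return true;
  }

  async function request(path, init = {}) {
    const send = () => fetchImpl(`${baseUrl}${path}`, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${accessToken}` },
    });
    let res = await send();
    if (res.status === 401) {
      // Refresh at most once per request; a 401 from refresh-token means the session
      // is gone, so drop the token and hand control to the login page instead of looping.
      if (await refresh()) {
        res = await send();
      } else {
        accessToken = null;
        onSessionLost();
      }
    }
    return res;
  }

  return { login, request, getAccessToken: () => accessToken };
}

// Constructed fake server standing in for fetch: token-1 is treated as already expired
// so the first protected call takes the refresh path; `refreshWorks` simulates a revoked session.
function makeFakeFetch({ refreshWorks }) {
  const calls = [];
  let issued = 0;
  const reply = (status, body) => ({ status, json: async () => body });
  const fetchImpl = async (url, init = {}) => {
    const path = new URL(url).pathname;
    calls.push(path);
    if (path === "/api/auth/login") {
      return reply(200, { accessToken: `token-${++issued}`, expireDate: "2025-01-15T14:30:00Z", sessionId: 456 });
    }
    if (path === "/api/auth/refresh-token") {
      return refreshWorks
        ? reply(200, { accessToken: `token-${++issued}` })
        : reply(401, { error: "Auth.SessionInactive" });
    }
    const auth = (init.headers && init.headers.Authorization) || "";
    if (auth === "Bearer token-1") return reply(401, { error: "Auth.TokenExpired" });
    if (/^Bearer token-\d+$/.test(auth)) return reply(200, { loads: [] });
    return reply(401, { error: "Auth.Unauthorized" });
  };
  return { fetchImpl, calls };
}

// Drive the flow once and return what a caller would want to inspect.
async function runFlow(refreshWorks) {
  let sessionLost = false;
  const fake = makeFakeFetch({ refreshWorks });
  const api = createApiClient({
    baseUrl: "https://api.example.test",
    fetchImpl: fake.fetchImpl,
    onSessionLost: () => { sessionLost = true; },
  });
  await api.login("user@example.com", "securePassword123");
  const res = await api.request("/api/loads");
  return { status: res.status, sessionLost, token: api.getAccessToken(), calls: fake.calls };
}

runFlow(true).then((r) => console.log("refresh succeeded:", r));
runFlow(false).then((r) => console.log("session revoked:", r));
```

With `refreshWorks` true the call sequence is login, protected request (401), refresh, protected request (200); with it false the refresh returns 401, the client clears its token and calls `onSessionLost` instead of retrying, which is the behaviour the paragraph above asks for.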

Permission-based access control

Every API endpoint that reads or modifies sensitive data is guarded by the [HasPermission] attribute. Permissions are resolved from the JWT claims on each request; no database call is required for authorization checks. The flip side is that a change to a user's role or permissions does not affect an access token that has already been issued: it takes effect only when the client obtains a new token, which is one reason the access token lifetime is kept to 1 hour. Permissions are organized into groups by feature area:
Group      Example permissions
Loads      Loads.View, Loads.Create, Loads.Update, Loads.Delete, Loads.Export
Drivers    Drivers.View, Drivers.Create, Drivers.Update, Drivers.Delete
Users      Users.View, Users.Create, Users.Update, Users.Delete
Reports    Reports.View, Reports.Export
Tickets    Tickets.View, Tickets.Create, Tickets.Update
If your token does not include the required permission, the server returns 403 Forbidden (error code Auth.Forbidden).

Common authentication errors

HTTP status   Error code                Cause
401           Auth.InvalidCredentials   Email or password is incorrect
401           Auth.Unauthorized         Token is missing, malformed, or expired
401           Auth.TokenExpired         Access token has expired; refresh it
401           Auth.SessionInactive      The session was revoked (logout or password change)
403           Auth.Forbidden            Token is valid but lacks the required permission

Session management

Each login creates a session record that tracks the device name (User-Agent) and IP address. You can list and revoke sessions:
Action                       Endpoint
List active sessions         GET /api/auth/sessions
Revoke a specific session    DELETE /api/auth/sessions/{id}
Log out (current session)    POST /api/auth/logout
Revoking a session immediately invalidates any refresh token linked to that session, so it can no longer obtain new access tokens. An access token that was already issued may remain usable until it expires naturally (max 1 hour), which makes the access token lifetime the upper bound on how long a revoked session can keep acting; clients should also discard the token locally on logout rather than waiting for it to expire.

Security features

Passwords are hashed with BCrypt before storage. Plain-text passwords are never logged or persisted. Password validation requires a minimum of 8 characters with configurable complexity rules.
Tokens are signed with HMAC-SHA256 using a secret key configured in JwtOptions.SecretKey. Tokens with invalid signatures are rejected before claims are read. Because HMAC is symmetric, any component that can verify a token can also mint one: keep the secret high-entropy (at least 256 bits for HS256), confine it to the API process, and never distribute it to clients or to services that only need to read claims.
CORS is configured with an explicit allow-list of origins. All production traffic must travel over HTTPS. Security headers including Content-Security-Policy and X-Frame-Options are applied by middleware.
