TktPlz uses JWT tokens stored in an HttpOnly cookie for authentication. Tokens are issued after OTP verification or Google OAuth. The cookie is named tktplz_cookie and must be included in every request to a protected endpoint. Requests must set credentials: 'include' (fetch) or withCredentials: true (axios) so the browser includes the cookie automatically.

Login flow

Authentication is a two-step process: request an OTP, then verify it.

Step 1 — request an OTP

OTP requests are rate-limited to one per email per 60 seconds.

User login:

curl -X POST https://api.tktplz.me/api/auth/user-login \
  -H "Content-Type: application/json" \
  -d '{"email": "alice@example.com"}'

Organiser login:

curl -X POST https://api.tktplz.me/api/auth/orgn-login \
  -H "Content-Type: application/json" \
  -d '{"email": "organiser@example.com"}'

Both endpoints return:

{
  "success": true,
  "message": "OTP sent successfully",
  "email": "alice@example.com"
}

Step 2 — verify the OTP

curl -X POST https://api.tktplz.me/api/auth/verify-otp \
  -H "Content-Type: application/json" \
  -d '{"email": "alice@example.com", "inputOtp": "123456"}'

On success, the server sets the tktplz_cookie HttpOnly cookie and returns:

{
  "success": true,
  "message": "You are allowed to access user panel",
  "role": "user",
  "userData": {
    "id": "uuid",
    "name": "Alice",
    "email": "alice@example.com",
    "role": "user",
    "isVerified": true
  }
}

Registration

New accounts go through the same two-step OTP flow, but the first step is sent to a registration endpoint instead of a login endpoint.

Request body fields:

  name (string, required): Display name of the user or organiser.
  email (string, required): Email address. The OTP is sent here.
  phoneNo (string): Phone number, required for organiser registration only.

User registration:

curl -X POST https://api.tktplz.me/api/auth/user-reg \
  -H "Content-Type: application/json" \
  -d '{"name": "Alice", "email": "alice@example.com"}'

Organiser registration:

curl -X POST https://api.tktplz.me/api/auth/orgn-reg \
  -H "Content-Type: application/json" \
  -d '{"name": "Bob Events", "email": "bob@example.com", "phoneNo": "9876543210"}'

After submitting, call /api/auth/verify-otp with the OTP received by email, exactly as in step 2 of the login flow.

Google OAuth

Redirect the user to:

https://api.tktplz.me/api/auth/google

Google redirects back to /api/auth/google/callback, where the server sets tktplz_cookie and redirects the browser to the frontend. To retrieve the decoded user after the redirect, call:

curl -X GET https://api.tktplz.me/api/auth/me \
  --cookie "tktplz_cookie=<token>"

Admin login

Admins authenticate with email, password, and a TOTP token from an authenticator app.

curl -X POST https://api.tktplz.me/api/auth/admin/login \
  -H "Content-Type: application/json" \
  -d '{"email": "admin@tktplz.me", "password": "secret", "token": "123456"}'

Logout

curl -X GET https://api.tktplz.me/api/auth/logout \
  --cookie "tktplz_cookie=<token>"

The server clears the tktplz_cookie cookie and returns:

{ "success": true, "message": "Logged out successfully" }

Roles

The JWT payload contains a role field. The three roles are:

Role        Access level
user        Book tickets, manage orders, submit issues
organiser   Create events, view dashboard and analytics, scan QR codes
moderator   Full admin access: manage events, payouts, and admin invites

Endpoints protected by the isOrganiser middleware accept both the organiser and moderator roles. The isAdmin middleware accepts only moderator.

Common auth errors

Error bodies:

{ "success": false, "message": "Token not found" }
{ "success": false, "message": "Token in invalid" }
{ "success": false, "message": "Permission prohibited, only admin is allowed!" }

Status  Cause
401     Cookie missing, token expired, or signature invalid
401     Role does not satisfy the required permission level
429     OTP requested within the last 60 seconds