The Banco Alimentos API uses JSON Web Tokens (JWT) to protect its endpoints. Every request — except the login endpoint itself — must carry a valid JWT in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/alvarezlautaro/BancoAlimentos/llms.txt
Use this file to discover all available pages before exploring further.
Authorization header. The API is entirely stateless: no sessions are stored server-side. Each incoming request is verified independently by the JwtAuthenticationFilter, which intercepts the Authorization header, validates the token’s signature and expiry, and loads the associated user’s roles and permissions before the request reaches any controller.
How authentication works
Send your credentials to the login endpoint
Make a A successful response returns a single
POST request to /api/auth/login with a JSON body containing your username and password. This is the only public endpoint in the API — no token is required to call it.token field:Include the token in subsequent requests
Attach the token as a For example, to list all donations:
Bearer value in the Authorization header on every protected request:Token configuration
The JWT signing secret and lifetime are controlled by two environment variables read at startup. If neither variable is set, the application falls back to the defaults defined inapplication.yaml.
JWT_SECRET
A Base64-encoded HMAC-SHA secret used to sign and verify every token. Override the default in production by setting this environment variable to a cryptographically strong value.
JWT_EXPIRATION
Token lifetime in milliseconds. The default is
86400000 — exactly 24 hours. Reduce this value in high-security environments.Public vs. protected endpoints
Only a small set of paths are accessible without a token. Everything else requires a valid, non-expired JWT.| Path pattern | Access |
|---|---|
/api/auth/** | Public — no token required |
/swagger-ui/**, /v3/api-docs/** | Public — Swagger UI |
/api/debug/** | Public — debug utilities |
/error | Public — Spring error handler |
All other /api/** paths | Requires authentication |
Role-based restrictions apply on top of authentication. For example,
/api/donaciones/** requires not only a valid token but also the ROLE_USER_DEPOSITO role. See Roles & Permissions for the full breakdown.How the JWT filter works
On every incoming request theJwtAuthenticationFilter runs before Spring Security’s standard username/password filter. It performs the following checks in order:
- Reads the
Authorizationheader. If the header is absent or does not start withBearer, the request passes through unauthenticated (and will be blocked later if the endpoint is protected). - Extracts the raw token string (characters after
Bearer). - Parses the token to extract the
subjectclaim (the username). - Loads the
CredentialsEntityfor that username from the database. - Calls
JwtService.isTokenValid()— verifies the HMAC signature and checks that the expiry date has not passed. - If valid, constructs a
UsernamePasswordAuthenticationTokenpopulated with the user’s full authority set (roles and fine-grained permissions) and stores it in theSecurityContextHolder.