VideoHub authenticates every request with a dual-token strategy: a short-lived access token (valid for the duration set byDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/barcode8/VideoHub/llms.txt
Use this file to discover all available pages before exploring further.
ACCESS_TOKEN_EXPIRY, defaulting to 1 day) and a long-lived refresh token (defaulting to 10 days). The access token is used on every protected API call. The refresh token exists solely to obtain a new access token once the current one expires, without forcing the user to log in again.
How Tokens Work
Access Token
The access token is a signed JWT that embeds enough identity information for the server to authorise a request without a database round-trip:- Signed with
ACCESS_TOKEN_SECRET - Expires after
ACCESS_TOKEN_EXPIRY - Not persisted in the database — validity is determined purely by signature and expiry
Refresh Token
The refresh token carries only the user’s_id and is stored in the database on the User document:
- Signed with
REFRESH_TOKEN_SECRET - Expires after
REFRESH_TOKEN_EXPIRY - Saved to
User.refreshTokenin MongoDB — invalidating it (on logout or token rotation) immediately revokes the session
Obtaining Tokens (Login)
Send aPOST request to /api/v1/users/login with the user’s credentials. Both email and password are required.
accessToken and refreshToken as HttpOnly cookies with the following options, and returns them in the response body so that non-browser clients can store them explicitly:
Passing the Access Token
Every request to a protected endpoint must supply the access token in one of two ways: Option 1 — Cookie (recommended for browser clients) If your client is a browser and you setcredentials: 'include' on every fetch/axios call, the cookie is attached automatically after login. No extra headers are required.
verifyJwt middleware checks req.cookies?.accessToken first, then falls back to the Authorization header:
Refreshing the Access Token
When the access token expires, callPOST /api/v1/users/refresh-token. Supply the refresh token either as a cookie (automatic in browsers) or in the request body:
newRefreshToken (not refreshToken) for the rotated token:
Auth Middleware Reference
VideoHub exposes two auth middleware functions fromauth.middleware.js:
| Middleware | Behaviour |
|---|---|
verifyJwt | Strict. Requires a valid token. Returns 401 Please login first to perform this action if no token is present, or 401 Invalid or expired access token if the token fails verification. Attaches the resolved user to req.user. |
verifyJWTIfAvailable | Optional. Attempts to verify the token if one is present. On failure — whether missing, expired, or tampered — it silently calls next() and treats the caller as a guest. If verification succeeds, attaches req.user for the controller to use. |
Public vs. Protected Endpoints
Public — no token requiredGET /api/v1/healthcheckPOST /api/v1/users/registerPOST /api/v1/users/loginPOST /api/v1/users/refresh-tokenGET /api/v1/videos(feed — usesverifyJWTIfAvailableto optionally personalise)GET /api/v1/videos/:videoId(usesverifyJWTIfAvailableto surfaceisLikedfor the caller)GET /api/v1/dashboard/stats/:channelId(channel statistics — no auth middleware)
verifyJwt)
POST /api/v1/users/logoutGET /api/v1/users/current-userPATCH /api/v1/users/update-accountPATCH /api/v1/users/change-passwordPATCH /api/v1/users/avatarPATCH /api/v1/users/cover-image- All write operations on
/api/v1/videos,/api/v1/likes,/api/v1/comments,/api/v1/subscriptions,/api/v1/playlist
Logging Out
POST /api/v1/users/logout performs two actions atomically:
- Sets
refreshTokentoundefinedon theUserdocument in MongoDB via$set: { refreshToken: undefined }, invalidating the session server-side - Clears the
accessTokenandrefreshTokencookies on the client