Authentication and user roles in AgroPulse

AgroPulse uses a simple credential-exchange model: you POST your credentials to /api/auth/login and receive a user object back. That object contains everything you need—your role, your assigned greenhouse IDs, and your profile—and you store it client-side. There are no expiring tokens to refresh; identity for privileged operations is asserted via the X-Admin-Email header on requests that need it.

AgroPulse does not issue Bearer tokens. The response to a successful login is a plain JSON user object. Your client is responsible for persisting this object (for example, in localStorage) and reading it back for subsequent requests.

Standard login
Google login

POST to /api/auth/login with a username (or email) and password. The API checks the credential against the stored BCrypt hash and returns the user object on success.

curl -X POST https://your-api.example.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "isabel",
    "password": "s3cr3t"
  }'

You can also log in by email instead of username:

curl -X POST https://your-api.example.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "isabel@farm.com",
    "password": "s3cr3t"
  }'

POST to /api/auth/login with an email and no password (optionally include googleId, name, and avatar). If the email already exists in the database the existing user is returned. If not, a new account is created automatically with the OPERATOR role.

curl -X POST https://your-api.example.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "isabel@gmail.com",
    "googleId": "1098765432109876543",
    "name": "Isabel García",
    "avatar": "https://lh3.googleusercontent.com/a/..."
  }'

Alternatively, use the dedicated sync endpoint if you need to set a specific role at creation time:

curl -X POST https://your-api.example.com/api/auth/sync-google-user \
  -H "Content-Type: application/json" \
  -d '{
    "email": "isabel@gmail.com",
    "username": "isabel",
    "full_name": "Isabel García",
    "avatar": "https://lh3.googleusercontent.com/a/...",
    "role": "OPERATOR"
  }'

Registering a new account

New users can self-register with a username and password. All self-registered accounts receive the OPERATOR role. An admin must promote the role afterwards if needed.

curl -X POST https://your-api.example.com/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "username": "new_user",
    "password": "s3cr3t",
    "fullName": "New User",
    "email": "new@farm.com"
  }'

User object

Both login and register return the same sanitized user object. Passwords are never included in responses.

{
  "id": 42,
  "username": "isabel",
  "fullName": "Isabel García",
  "email": "isabel@farm.com",
  "phone": "+34 600 000 000",
  "avatar": "https://lh3.googleusercontent.com/a/...",
  "role": "OPERATOR",
  "active": true,
  "createdAt": "2024-03-15T10:30:00",
  "greenhouseIds": [1, 3, 5]
}

Field	Type	Description
`id`	integer	Unique user ID
`username`	string	Login username
`fullName`	string	Display name
`email`	string	Email address
`phone`	string	Phone number, used for WhatsApp alerts
`avatar`	string	Profile image URL (populated from Google)
`role`	string	One of `ADMIN`, `OPERATOR`, `AGRONOMIST`, `VIEWER`
`active`	boolean	Whether the account is enabled
`createdAt`	string	ISO-8601 timestamp of account creation
`greenhouseIds`	array	Greenhouse IDs this user has access to

User roles

Role	Capabilities
`ADMIN`	Full access to all endpoints. Can list users, change roles, assign greenhouses, and perform all OPERATOR actions. Admin identity is verified via the `X-Admin-Email` header.
`OPERATOR`	Standard operational access: view sensor readings, manage sensors and greenhouses assigned to them, acknowledge alerts. Default role for all new accounts.
`AGRONOMIST`	Read access to readings and anomalies; intended for agronomists who need data without write access.
`VIEWER`	Read-only access. Cannot modify any resource.

Admin operations

Endpoints that list all users or change roles require you to pass the X-Admin-Email header. The server compares this value against the AGROPULSE_ADMIN_EMAIL environment variable. If they match, the request is treated as admin-authorized.

# List all users
curl https://your-api.example.com/api/auth/users \
  -H "X-Admin-Email: admin@farm.com"

# Promote a user to ADMIN
curl -X PUT https://your-api.example.com/api/auth/users/42/role \
  -H "Content-Type: application/json" \
  -H "X-Admin-Email: admin@farm.com" \
  -d '{"role": "ADMIN"}'

# Assign greenhouses to a user
curl -X PUT https://your-api.example.com/api/auth/users/42/greenhouses \
  -H "Content-Type: application/json" \
  -H "X-Admin-Email: admin@farm.com" \
  -d '{"ids": [1, 3, 5]}'

Set the AGROPULSE_ADMIN_EMAIL environment variable to the email address that should have admin rights.

Get Started

Core Concepts

Guides

Authentication and user roles in AgroPulse

Registering a new account

User object

User roles

Admin operations

Build docs developers (and LLMs) love

Get Started

Core Concepts

Guides

Documentation Index

​Login flows

​Registering a new account

​User object

​User roles

​Admin operations

Build docs developers (and LLMs) love

Login flows

Registering a new account

User object

User roles

Admin operations