The Auth API handles user authentication and session management for PermisosQR. It exposes three endpoints: a login route that issues a JWT, a session-inspect route that decodes the current token and returns fresh user data, and a one-time setup route that seeds the very first Super Admin account when the database is empty. All other API routes require the JWT produced by POST /api/auth/login.

POST /api/auth/login

Authenticates a user with their email and password. On success, returns a signed JWT and a summary of the authenticated user. The token must be sent on every protected request in the Authorization header as a Bearer token.

Auth required: None

Request body
email (string, required): The user’s registered email address.
password (string, required): The user’s plaintext password. Compared against the stored bcrypt hash.
Response 200
{
  "success": true,
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "user": {
      "id": 1,
      "name": "Ana Torres",
      "email": "ana@example.com",
      "role": "super_admin"
    }
  }
}
Error responses
Status  Condition
400     The email or password field is missing from the request body
401     Credentials do not match any user record
403     The user account exists but is_active is false

Example 400 response body:
{ "success": false, "message": "Email y contraseña requeridos" }

GET /api/auth/me

Returns the full profile of the currently authenticated user by decoding the Bearer token and re-querying the database. Useful for bootstrapping the frontend session after a page refresh.

Auth required: Bearer token

Response 200
{
  "success": true,
  "data": {
    "id": 1,
    "name": "Ana Torres",
    "email": "ana@example.com",
    "role": "super_admin",
    "is_active": true,
    "created_at": "2024-01-01T10:00:00.000Z"
  }
}
Error responses
Status  Condition
401     The Authorization header is absent or malformed, or the token has expired
The response from GET /api/auth/me reflects the live database state. If an admin deactivates the account between requests, the user’s is_active field will be false on the next call to this endpoint.
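The login-then-inspect flow described above, as an added client-side example in JavaScript (Node 16+). This is not code from the PermisosQR project: the base URL, the injectable `fetchImpl` parameter, the error-kind names and the `expiresIn` field are assumptions, while the endpoint paths, status codes and response shapes are the ones documented on this page. The JWT payload is decoded without verification only to learn when the token expires; the client has no signing secret, so it treats GET /api/auth/me, which re-queries the database, as the authoritative source of user state.

```javascript
// Added example, not part of PermisosQR: a small client for the Auth API
// documented on this page. Assumptions: the base URL passed in by the caller,
// the injectable `fetchImpl` (defaults to the global fetch of Node 18+), and
// the shape of the object returned to the caller. Paths, status codes and
// response bodies follow the documentation.

// Base64url -> UTF-8 string. Buffer tolerates the missing '=' padding.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Decode a JWT payload WITHOUT verifying the signature. The client has no
// access to the server's signing secret, so nothing here is trusted for
// authorization; it is used only to read `exp` and schedule a re-login.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('not a JWT: expected header.payload.signature');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Seconds until the token's `exp` claim passes; negative once expired,
// null when the token carries no `exp` at all.
function secondsUntilExpiry(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(token);
  return typeof exp === 'number' ? exp - nowSeconds : null;
}

// Map the statuses documented for POST /api/auth/login to distinct error
// kinds so the UI can distinguish "wrong password" from "account disabled".
function classifyLoginStatus(status) {
  switch (status) {
    case 200: return 'ok';
    case 400: return 'missing_fields';     // email or password absent
    case 401: return 'bad_credentials';    // no matching user record
    case 403: return 'account_inactive';   // user exists, is_active is false
    default:  return 'unexpected';
  }
}

// POST /api/auth/login, then GET /api/auth/me with the returned Bearer token.
// /me re-queries the database, so its `data` (including is_active) is the
// authoritative user state, not the claims inside the token.
async function loginAndLoadProfile(baseUrl, email, password, fetchImpl = globalThis.fetch) {
  const loginRes = await fetchImpl(`${baseUrl}/api/auth/login`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email, password }),
  });
  const kind = classifyLoginStatus(loginRes.status);
  if (kind !== 'ok') {
    const body = await loginRes.json().catch(() => ({}));
    return { ok: false, kind, message: body.message };
  }
  const { data: { token } } = await loginRes.json();

  const meRes = await fetchImpl(`${baseUrl}/api/auth/me`, {
    headers: { Authorization: `Bearer ${token}` },
  });
  if (meRes.status === 401) {
    // Header absent/malformed or token expired: the token is unusable.
    return { ok: false, kind: 'token_rejected' };
  }
  const me = await meRes.json();
  return { ok: true, token, user: me.data, expiresIn: secondsUntilExpiry(token) };
}
```

A frontend would call `loginAndLoadProfile` once at sign-in, keep `token` for the Authorization header, and use `expiresIn` only to prompt a re-login before the server starts answering 401; whether the account is still active is read from `user.is_active`, never from the token.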

POST /api/auth/setup

A one-time bootstrapping endpoint used to create the very first Super Admin account. The request is rejected with an error if any user already exists in the database, making it safe to leave enabled in production without risk of account takeover.

Auth required: None

Request body
name (string, required): Display name for the initial Super Admin.
email (string, required): Email address for the initial Super Admin account.
password (string, required): Plaintext password, stored as a bcrypt hash. Minimum 6 characters.
Response 201
{
  "success": true,
  "data": {
    "id": 1,
    "name": "Ana Torres",
    "email": "ana@example.com",
    "role": "super_admin"
  }
}
Error responses
Status  Condition
400     One or more required fields are missing, or password is shorter than 6 characters
403     At least one user record already exists; setup is disabled
This endpoint becomes permanently inert once the first user is created. If you need to reset the system, you must manually truncate the users table in the database.