PermisosQR ships an Express.js-powered JSON REST API that serves as the single communication layer between the React/TypeScript frontend and the PostgreSQL database. Every request and response is handled in JSON; every response — whether a success or a failure — is wrapped in a consistent envelope so client code always knows what shape to expect. The server binds to 0.0.0.0:4000 and is reachable locally at http://localhost:4000.
Base URL
/api. For example, the health check lives at http://localhost:4000/api/health.
Response Format
Every endpoint returns one of three envelope shapes. Success responses carry a success: true flag and a data field. Paginated list endpoints extend the envelope with total, page, limit, and pages. Error responses replace data with a human-readable message.
HTTP status codes are used semantically: 200 for success, 201 for created resources, 400 for bad input, 401 for missing/invalid tokens, 403 for insufficient role, 404 for not found, and 500 for unexpected server errors.
Authentication
Protected routes require a JSON Web Token sent as a Bearer credential in the Authorization header. Tokens are issued by POST /api/auth/login and expire after 8 hours by default. For full details on obtaining and using tokens, see the Authentication page.
super_admin role; requests from admin_operator users will be rejected with 403.
Endpoint Summary
| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /api/health | None | Health check |
| POST | /api/auth/login | None | Login |
| GET | /api/auth/me | Bearer | Current user |
| POST | /api/auth/setup | None | First admin setup |
| GET | /api/qr | Bearer | List QR codes |
| POST | /api/qr/generate | Super Admin | Generate QR codes |
| GET | /api/qr/:id | Bearer | Get QR by ID |
| PATCH | /api/qr/:id/disable | Bearer | Disable QR |
| PATCH | /api/qr/:id/reactivate | Bearer | Reactivate QR |
| DELETE | /api/qr/:id | Super Admin | Delete QR |
| GET | /api/qr/public/:id | None | Public QR info |
| POST | /api/qr/public/:id/enable | None | Public enable |
| POST | /api/qr/public/:id/return | None | Public return |
| POST | /api/permissions/enable | Bearer | Enable permission |
| POST | /api/permissions/return | Bearer | Return permission |
| GET | /api/permissions/history | Bearer | Permission history |
| DELETE | /api/permissions/:id | Super Admin | Delete permission |
| GET | /api/users | Super Admin | List users |
| GET | /api/users/:id | Bearer | Get user by ID |
| POST | /api/users | Super Admin | Create user |
| PUT | /api/users/:id | Super Admin | Update user |
| PATCH | /api/users/:id/password | Bearer | Change password |
| PATCH | /api/users/:id/reset-password | Super Admin | Reset password |
| DELETE | /api/users/:id | Super Admin | Delete user |
| GET | /api/reports/dashboard | Bearer | Dashboard stats |
| GET | /api/reports/summary | Bearer | Summary report |
CORS
The API is configured with a permissive CORS policy (origin: '*') so that any origin — including the local React dev server — can reach it without pre-flight issues. In a production deployment you should tighten this to your actual frontend domain.
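One way to do that tightening, as an added example that is not PermisosQR's own code: an Express-style middleware that echoes the Origin header back only when it is on an allowlist, and answers preflight requests for the methods and headers this API uses. The names ALLOWED_ORIGINS, corsAllowlist and simulate, and both origin values, are assumptions made for illustration.

```javascript
// Added example: allowlist-based CORS for an Express-style app.
// Origins below are placeholders (assumption); replace with your real frontend origin(s).
const ALLOWED_ORIGINS = new Set([
  'https://frontend.example.com', // placeholder production frontend
  'http://localhost:5173',        // assumed local React dev server
]);

function corsAllowlist(allowed = ALLOWED_ORIGINS) {
  return function (req, res, next) {
    const origin = req.headers.origin;
    // The response now differs per Origin, so caches must key on it.
    res.setHeader('Vary', 'Origin');

    if (origin && allowed.has(origin)) {
      // Echo the exact origin; never fall back to '*'.
      res.setHeader('Access-Control-Allow-Origin', origin);
      // Bearer tokens travel in Authorization, JSON bodies need Content-Type.
      res.setHeader('Access-Control-Allow-Headers', 'Authorization, Content-Type');
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE');
    }

    if (req.method === 'OPTIONS') {
      // Preflight is answered here; without the allow headers the browser blocks the real request.
      res.statusCode = 204;
      return res.end();
    }
    next(); // With Express: app.use(corsAllowlist()) before the /api routes.
  };
}

// Minimal stand-in for req/res so the middleware can be exercised offline.
function simulate(method, origin) {
  const headers = {};
  let ended = false;
  let passed = false;
  const req = { method, headers: origin ? { origin } : {} };
  const res = {
    statusCode: 200,
    setHeader: (k, v) => { headers[k.toLowerCase()] = v; },
    end: () => { ended = true; },
  };
  corsAllowlist()(req, res, () => { passed = true; });
  return { status: res.statusCode, headers, ended, passed };
}
```

CORS only controls which web origins a browser lets read the response; requests without an Origin header still reach the routes, so the Bearer token and role checks remain the access control.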
Pagination
List endpoints that may return large datasets support cursor-free offset pagination via two query parameters:
| Parameter | Default | Description |
|---|---|---|
| page | 1 | The 1-based page number to retrieve |
| limit | 20 | Number of records to return per page |
total (overall record count), pages (total page count), page, and limit alongside the data array so clients can build navigation controls without a second request.
Explore the API
Authentication
Learn how to obtain a JWT token, pass it in requests, and handle token expiry.
Auth Endpoints
Login, fetch the current user, and run first-time admin setup.
QR Codes
Generate, list, inspect, disable, reactivate, and delete QR codes.
Permissions
Enable and return permissions, browse the full permission history.
Users
Manage user accounts, roles, and passwords.
Reports
Pull dashboard statistics and summary reports.