Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/edgar2420/QrPermision/llms.txt

Use this file to discover all available pages before exploring further.

PermisosQR ships an Express.js-powered JSON REST API that serves as the single communication layer between the React/TypeScript frontend and the PostgreSQL database. Every request and response is handled in JSON; every response — whether a success or a failure — is wrapped in a consistent envelope so client code always knows what shape to expect. The server binds to 0.0.0.0:4000 and is reachable locally at http://localhost:4000.

Base URL

http://localhost:4000
All route paths are prefixed with /api. For example, the health check lives at http://localhost:4000/api/health.

Response Format

Every endpoint returns one of three envelope shapes. Success responses carry a success: true flag and a data field. Paginated list endpoints extend the envelope with total, page, limit, and pages. Error responses replace data with a human-readable message.
// Success
{ "success": true, "data": { ... } }

// Success (paginated)
{ "success": true, "data": [...], "total": 100, "page": 1, "limit": 20, "pages": 5 }

// Error
{ "success": false, "message": "Descriptive error message" }
HTTP status codes are used semantically: 200 for success, 201 for created resources, 400 for bad input, 401 for missing/invalid tokens, 403 for insufficient role, 404 for not found, and 500 for unexpected server errors.

Authentication

Protected routes require a JSON Web Token sent as a Bearer credential in the Authorization header. Tokens are issued by POST /api/auth/login and expire after 8 hours by default. For full details on obtaining and using tokens, see the Authentication page.
Authorization: Bearer <your_jwt_token>
Routes marked Super Admin additionally require the authenticated user to hold the super_admin role; requests from admin_operator users will be rejected with 403.

Endpoint Summary

MethodPathAuthDescription
GET/api/healthNoneHealth check
POST/api/auth/loginNoneLogin
GET/api/auth/meBearerCurrent user
POST/api/auth/setupNoneFirst admin setup
GET/api/qrBearerList QR codes
POST/api/qr/generateSuper AdminGenerate QR codes
GET/api/qr/:idBearerGet QR by ID
PATCH/api/qr/:id/disableBearerDisable QR
PATCH/api/qr/:id/reactivateBearerReactivate QR
DELETE/api/qr/:idSuper AdminDelete QR
GET/api/qr/public/:idNonePublic QR info
POST/api/qr/public/:id/enableNonePublic enable
POST/api/qr/public/:id/returnNonePublic return
POST/api/permissions/enableBearerEnable permission
POST/api/permissions/returnBearerReturn permission
GET/api/permissions/historyBearerPermission history
DELETE/api/permissions/:idSuper AdminDelete permission
GET/api/usersSuper AdminList users
GET/api/users/:idBearerGet user by ID
POST/api/usersSuper AdminCreate user
PUT/api/users/:idSuper AdminUpdate user
PATCH/api/users/:id/passwordBearerChange password
PATCH/api/users/:id/reset-passwordSuper AdminReset password
DELETE/api/users/:idSuper AdminDelete user
GET/api/reports/dashboardBearerDashboard stats
GET/api/reports/summaryBearerSummary report

CORS

The API is configured with a permissive CORS policy (origin: '*') so that any origin — including the local React dev server — can reach it without pre-flight issues. In a production deployment you should tighten this to your actual frontend domain.
app.use(cors({ origin: '*', credentials: true }));
Setting origin: '*' is convenient during development but exposes the API to requests from any domain. Replace '*' with your specific frontend origin before deploying to production.

Pagination

List endpoints that may return large datasets support cursor-free offset pagination via two query parameters:
ParameterDefaultDescription
page1The 1-based page number to retrieve
limit20Number of records to return per page
Paginated responses include total (overall record count), pages (total page count), page, and limit alongside the data array so clients can build navigation controls without a second request.
GET /api/qr?page=2&limit=10
GET /api/permissions/history?page=1&limit=50
When limit is set to a large value such as 1000, the response may be sizeable. Keep limit small for interactive UIs and increase it only for export or reporting use cases.

Explore the API

Authentication

Learn how to obtain a JWT token, pass it in requests, and handle token expiry.

Auth Endpoints

Login, fetch the current user, and run first-time admin setup.

QR Codes

Generate, list, inspect, disable, reactivate, and delete QR codes.

Permissions

Enable and return permissions, browse the full permission history.

Users

Manage user accounts, roles, and passwords.

Reports

Pull dashboard statistics and summary reports.

Build docs developers (and LLMs) love