TenderCheck AI exposes six authentication endpoints, all mounted under theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/elecodes/TenderCheck-AI/llms.txt
Use this file to discover all available pages before exploring further.
/api/auth prefix. Registration and login are stateless-friendly — every successful auth response includes both a JWT in the body and an HttpOnly cookie so browser-based clients and API consumers are equally supported. The /login and /google/callback endpoints are rate-limited to protect against credential stuffing.
POST /api/auth/register
Creates a new user account and immediately returns a JWT, logging the user in without a second round-trip. Auth required: NoRequest body
Display name for the account. Must be at least 2 characters.
A valid email address. Stored in lowercase.
Minimum 8 characters. Must contain at least one uppercase letter, one number, and one special character (non-alphanumeric).
Optional company or organisation name.
Success response — 201 Created
Sets an HttpOnly cookie named token. The JWT is also returned in the body as a fallback for clients that cannot read cookies.
Error responses
| Status | Reason |
|---|---|
400 | Validation failed — error string describes which rule was violated (e.g. "Password must contain at least one uppercase letter") |
500 | An account with that email already exists |
When a duplicate email is submitted, the service throws a plain
Error("User already exists") which the global error handler maps to HTTP 500 with the message "Something went wrong". Client code should treat any non-201 response as a registration failure and prompt the user to try a different email or sign in.POST /api/auth/login
Authenticates an existing user. This endpoint is rate-limited; excessive attempts return429.
Auth required: No
Request body
The account’s email address.
The account’s password.
When
true, the token cookie is set with a maxAge of 30 days. When false or omitted, the cookie is a session cookie (no maxAge) and expires when the browser closes.Success response — 200 OK
The
token field is included in the response body as a fallback for environments where HttpOnly cookies are unavailable (e.g. cross-origin mobile webviews). Store it in-memory or in localStorage only when cookies cannot be used.Error responses
| Status | Reason |
|---|---|
400 | Invalid email or password format (Zod schema validation) |
429 | Rate limit exceeded — try again after the window resets |
500 | Email not found or password incorrect |
Incorrect credentials cause
AuthService to throw a plain Error("Invalid credentials"), which the global error handler converts to HTTP 500 with the body "Something went wrong". This prevents attackers from distinguishing between unknown emails and wrong passwords.curl example
POST /api/auth/google/callback
Completes a Google OAuth 2.0 PKCE flow. The frontend exchanges the authorization code and PKCE verifier for a TenderCheck AI session. Auth required: NoRate limited: Yes
Request body
The authorization code returned by Google’s OAuth endpoint after the user grants consent.
The PKCE code verifier that corresponds to the
code_challenge sent in the initial authorization request.Success response — 200 OK
Sets a persistent token HttpOnly cookie (30-day maxAge, equivalent to rememberMe: true).
Error responses
| Status | Reason |
|---|---|
400 | code or codeVerifier missing or malformed |
400 | Google account does not have an associated email |
401 | Google code exchange failed (expired or already-used code) |
429 | Rate limit exceeded |
500 | GOOGLE_CLIENT_ID or GOOGLE_CLIENT_SECRET not configured on the server |
POST /api/auth/logout
Clears thetoken HttpOnly cookie. No request body or authentication header required — the cookie itself is the credential being cleared.
Auth required: No
Success response — 200 OK
GET /api/auth/me
Returns the currently authenticated user’s profile, derived from the JWT in thetoken cookie (or Authorization: Bearer <token> header). Used by the frontend to restore a session on page load.
Auth required: Yes
Request
No body or query parameters.Success response — 200 OK
The JWT payload decoded from the active token. Contains
userId — the only claim signed into the token by AuthService.login.The token currently stored in the HttpOnly cookie. Returned so browser clients can sync
localStorage when a cookie exists but the in-memory token was lost (e.g. after a hard refresh).Only
userId is present in user because AuthService signs tokens with { userId: user.id } only. Full profile fields (name, email) are not included in the JWT payload and are not available via this endpoint. Cache name and email from the login or register response client-side.Error responses
| Status | Reason |
|---|---|
401 | No valid token found in cookie or Authorization header |
POST /api/auth/reset-password-request
Initiates a password-reset flow for the given email address. To prevent user enumeration, the response is always200 OK regardless of whether the email exists in the system.
Auth required: No
Request body
The email address associated with the account.
Success response — 200 OK
Error responses
| Status | Reason |
|---|---|
400 | The provided value is not a valid email address |