Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/elecodes/TenderCheck-AI/llms.txt

Use this file to discover all available pages before exploring further.

TenderCheck AI exposes six authentication endpoints, all mounted under the /api/auth prefix. Registration and login are stateless-friendly — every successful auth response includes both a JWT in the body and an HttpOnly cookie so browser-based clients and API consumers are equally supported. The /login and /google/callback endpoints are rate-limited to protect against credential stuffing.

POST /api/auth/register

Creates a new user account and immediately returns a JWT, logging the user in without a second round-trip. Auth required: No

Request body

name
string
required
Display name for the account. Must be at least 2 characters.
email
string
required
A valid email address. Stored in lowercase.
password
string
required
Minimum 8 characters. Must contain at least one uppercase letter, one number, and one special character (non-alphanumeric).
company
string
Optional company or organisation name.

Success response — 201 Created

Sets an HttpOnly cookie named token. The JWT is also returned in the body as a fallback for clients that cannot read cookies.
{
  "message": "User registered successfully",
  "token": "<jwt>",
  "user": {
    "id": "b3f2a1c4-...",
    "email": "alice@example.com",
    "name": "Alice",
    "company": "Acme Ltd"
  }
}

Error responses

StatusReason
400Validation failed — error string describes which rule was violated (e.g. "Password must contain at least one uppercase letter")
500An account with that email already exists
When a duplicate email is submitted, the service throws a plain Error("User already exists") which the global error handler maps to HTTP 500 with the message "Something went wrong". Client code should treat any non-201 response as a registration failure and prompt the user to try a different email or sign in.

POST /api/auth/login

Authenticates an existing user. This endpoint is rate-limited; excessive attempts return 429. Auth required: No

Request body

email
string
required
The account’s email address.
password
string
required
The account’s password.
rememberMe
boolean
When true, the token cookie is set with a maxAge of 30 days. When false or omitted, the cookie is a session cookie (no maxAge) and expires when the browser closes.

Success response — 200 OK

{
  "token": "<jwt>",
  "user": {
    "id": "b3f2a1c4-...",
    "email": "alice@example.com",
    "name": "Alice",
    "company": "Acme Ltd"
  }
}
The token field is included in the response body as a fallback for environments where HttpOnly cookies are unavailable (e.g. cross-origin mobile webviews). Store it in-memory or in localStorage only when cookies cannot be used.

Error responses

StatusReason
400Invalid email or password format (Zod schema validation)
429Rate limit exceeded — try again after the window resets
500Email not found or password incorrect
Incorrect credentials cause AuthService to throw a plain Error("Invalid credentials"), which the global error handler converts to HTTP 500 with the body "Something went wrong". This prevents attackers from distinguishing between unknown emails and wrong passwords.

curl example

curl -X POST https://tendercheckai.elecodes.online/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "alice@example.com",
    "password": "Secure@123",
    "rememberMe": true
  }'

POST /api/auth/google/callback

Completes a Google OAuth 2.0 PKCE flow. The frontend exchanges the authorization code and PKCE verifier for a TenderCheck AI session. Auth required: No
Rate limited: Yes

Request body

code
string
required
The authorization code returned by Google’s OAuth endpoint after the user grants consent.
codeVerifier
string
required
The PKCE code verifier that corresponds to the code_challenge sent in the initial authorization request.

Success response — 200 OK

Sets a persistent token HttpOnly cookie (30-day maxAge, equivalent to rememberMe: true).
{
  "token": "<jwt>",
  "user": {
    "id": "c1d2e3f4-...",
    "email": "alice@gmail.com",
    "name": "Alice Smith",
    "company": null
  }
}

Error responses

StatusReason
400code or codeVerifier missing or malformed
400Google account does not have an associated email
401Google code exchange failed (expired or already-used code)
429Rate limit exceeded
500GOOGLE_CLIENT_ID or GOOGLE_CLIENT_SECRET not configured on the server

POST /api/auth/logout

Clears the token HttpOnly cookie. No request body or authentication header required — the cookie itself is the credential being cleared. Auth required: No

Success response — 200 OK

{
  "message": "Logged out successfully"
}
If your client also stores the JWT in localStorage (the cookie fallback path), remove it client-side after calling this endpoint. The server only clears the cookie; it does not invalidate the JWT itself.

GET /api/auth/me

Returns the currently authenticated user’s profile, derived from the JWT in the token cookie (or Authorization: Bearer <token> header). Used by the frontend to restore a session on page load. Auth required: Yes

Request

No body or query parameters.

Success response — 200 OK

{
  "user": {
    "userId": "b3f2a1c4-..."
  },
  "token": "<current-jwt>"
}
user
object
The JWT payload decoded from the active token. Contains userId — the only claim signed into the token by AuthService.login.
token
string
The token currently stored in the HttpOnly cookie. Returned so browser clients can sync localStorage when a cookie exists but the in-memory token was lost (e.g. after a hard refresh).
Only userId is present in user because AuthService signs tokens with { userId: user.id } only. Full profile fields (name, email) are not included in the JWT payload and are not available via this endpoint. Cache name and email from the login or register response client-side.

Error responses

StatusReason
401No valid token found in cookie or Authorization header

POST /api/auth/reset-password-request

Initiates a password-reset flow for the given email address. To prevent user enumeration, the response is always 200 OK regardless of whether the email exists in the system. Auth required: No

Request body

email
string
required
The email address associated with the account.

Success response — 200 OK

{
  "message": "If email exists, instructions have been sent."
}
This endpoint intentionally returns 200 even when the email is not registered. Do not rely on the response to confirm account existence.

Error responses

StatusReason
400The provided value is not a valid email address

Build docs developers (and LLMs) love