TenderCheck AI exposes a JSON REST API built on Express and TypeScript. All endpoints return application/json responses. Protected routes require an authenticated session via an HttpOnly cookie or an Authorization: Bearer header — the API accepts both so the same backend serves browser clients and programmatic integrations equally.
Base URL
The frontend resolves the API origin from the `VITE_API_BASE_URL` environment variable. All API endpoints are prefixed with `/api`.
Authentication
Protected routes require a valid JWT supplied in one of two ways:
- HttpOnly cookie — the `token` cookie set by the server on login. Sent automatically by the browser when `credentials: 'include'` is used.
- Bearer token header — `Authorization: Bearer <token>` for environments where cookies are unreliable (native apps, server-to-server calls, cross-origin setups).
authMiddleware checks the cookie first, then falls back to the header. See Authentication for the full flow, token lifecycle, and code examples.
Endpoint Summary
| Method | Path | Auth Required | Description |
|---|---|---|---|
| POST | /api/auth/register | No | Register a new user account |
| POST | /api/auth/login | No | Login with email + password, sets HttpOnly cookie |
| POST | /api/auth/google/callback | No | Exchange Google OAuth PKCE code for a session |
| POST | /api/auth/logout | No | Clear the session cookie |
| GET | /api/auth/me | Yes | Get the currently authenticated user |
| POST | /api/auth/reset-password-request | No | Request a password reset email |
| POST | /api/tenders/analyze | Yes | Upload a tender PDF for AI analysis |
| POST | /api/tenders/:id/validate-proposal | Yes | Upload a proposal PDF for compliance validation |
| GET | /api/tenders | Yes | List the current user's analysis history |
| DELETE | /api/tenders/:id | Yes | Delete an analysis record (owner only) |
Error Format
All errors are serialised by the global error handler into a consistent JSON envelope. The `error` and `message` fields both contain the human-readable description; `status` is the string literal `"error"`.
In development mode the error response also includes a `stack` field with the full stack trace to aid debugging. This field is never present in production. For non-operational errors (unexpected crashes), the `error` and `message` values are always `"Something went wrong"` regardless of the underlying message, to avoid leaking implementation details.
Common Status Codes
| Code | Meaning | Typical Cause |
|---|---|---|
| 400 | Bad Request | Validation error, missing required field, invalid file type |
| 401 | Unauthorized | Missing, expired, or invalid JWT |
| 403 | Forbidden | Authenticated but not the resource owner |
| 404 | Not Found | Resource does not exist |
| 429 | Too Many Requests | Login rate limit exceeded |
| 500 | Internal Server Error | Unexpected server-side failure |
| 503 | Service Unavailable | Database connection failure |
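As an added example (not the project's own error handler), the Express-style handler below produces the documented envelope for both the error-format rules and the status codes in the table above: operational errors keep their own status and message, unexpected crashes collapse to a 500 with the fixed "Something went wrong" text, and the `stack` field appears only outside production. The `AppError` class, its `statusCode` and `isOperational` fields, and the use of `NODE_ENV` to pick the mode are assumptions for the example.

```javascript
// Added example (not the project's code). AppError and its fields are
// illustrative names; the envelope shape follows the documented format.
class AppError extends Error {
  constructor(message, statusCode) {
    super(message);
    this.name = 'AppError';
    this.statusCode = statusCode;
    this.isOperational = true; // expected failures: validation, auth, not-found, db down
  }
}

// Pure function so the mapping can be tested without an HTTP server.
function buildErrorBody(err, env) {
  const operational = err instanceof AppError && err.isOperational;
  const statusCode = operational ? err.statusCode : 500;
  // Unexpected crashes get a generic message so internals are not leaked.
  const message = operational ? err.message : 'Something went wrong';
  const body = { status: 'error', error: message, message };
  if (env === 'development') body.stack = err && err.stack; // never in production
  return { statusCode, body };
}

// Express recognises a four-argument function as an error-handling middleware.
function errorHandler(env = process.env.NODE_ENV || 'development') {
  return function (err, req, res, next) {
    const { statusCode, body } = buildErrorBody(err, env);
    res.status(statusCode).json(body);
  };
}
```

Register it last with `app.use(errorHandler())` so it sees errors passed through `next(err)` from every route; a database-connection failure would be raised as `new AppError('Database unavailable', 503)` to match the 503 row, while a raw `TypeError` from a bug is deliberately not trusted to carry a safe message.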
Rate Limiting
The login endpoints are protected by a sliding-window rate limiter configured in `constants.ts`:
| Constant | Value | Meaning |
|---|---|---|
| RATE_LIMIT_WINDOW_MS | 60 000 ms (1 minute) | Rolling window duration |
| RATE_LIMIT_MAX_ATTEMPTS | 300 | Max requests per window |
The limiter applies to:
- POST /api/auth/login
- POST /api/auth/google/callback
Standard rate-limit headers (RateLimit-*) are included in every response from these endpoints (standardHeaders: true).
File Upload Limits
File uploads are handled via `multipart/form-data` using Multer in-memory storage. The following limits apply globally to all upload endpoints:
| Constraint | Value |
|---|---|
| Maximum file size | 50 MB (FILE_UPLOAD_LIMIT_MB = 50) |
| Accepted MIME type | application/pdf only |
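The `fileFilter` and `limits` below are an added example (not the project's upload code) of how these two constraints are expressed for Multer, plus one check the table does not mention: because `mimetype` is declared by the client, the example also inspects the in-memory buffer for the `%PDF-` signature before the file reaches the analyser. The `validateUploadedPdf` helper and its reason strings are assumptions of the example.

```javascript
// Added example (not the project's code). Uses Multer's real option names
// (limits.fileSize, fileFilter, memoryStorage); the content check is extra.
const FILE_UPLOAD_LIMIT_MB = 50;
const uploadLimits = { fileSize: FILE_UPLOAD_LIMIT_MB * 1024 * 1024 };

// Multer fileFilter signature is (req, file, cb); accept only application/pdf.
function pdfFileFilter(req, file, cb) {
  if (file.mimetype === 'application/pdf') return cb(null, true);
  return cb(new Error('Only PDF files are accepted'), false);
}

// With memoryStorage the whole file is in file.buffer, so the header can be
// checked before parsing. Every PDF starts with the bytes "%PDF-".
function looksLikePdf(buffer) {
  return Buffer.isBuffer(buffer)
    && buffer.length >= 5
    && buffer.subarray(0, 5).toString('latin1') === '%PDF-';
}

// Applies the size and MIME limits and the signature check to a Multer-style
// file object ({ mimetype, size, buffer }); returns { ok, reason }.
function validateUploadedPdf(file) {
  if (!file) return { ok: false, reason: 'missing file' };
  if (file.size > uploadLimits.fileSize) return { ok: false, reason: 'file too large' };
  if (file.mimetype !== 'application/pdf') return { ok: false, reason: 'invalid MIME type' };
  if (!looksLikePdf(file.buffer)) return { ok: false, reason: 'content is not a PDF' };
  return { ok: true, reason: null };
}

// Wiring with the real Multer API (multer itself is not loaded here):
//   const upload = multer({ storage: multer.memoryStorage(), limits: uploadLimits, fileFilter: pdfFileFilter });
//   app.post('/api/tenders/analyze', authMiddleware, upload.single('file'), handler);
```

A rejected `fileFilter` or an exceeded `fileSize` surfaces as an error in the route chain, which the global error handler maps to the 400 row ("invalid file type") in the status-code table; the signature check belongs in the handler after `upload.single`, where `req.file.buffer` is available.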
CORS
Allowed origins are driven by the `ALLOWED_ORIGINS` environment variable on the backend — a comma-separated list of fully-qualified frontend URLs.
Allowed request headers: Content-Type, Authorization, Cache-Control, Pragma, Expires, X-Requested-With.
The CORS configuration sets `credentials: true`, which means your frontend requests must include `credentials: 'include'`.
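Parsing that comma-separated list into an exact-match allowlist is where CORS setups usually go wrong, so here is an added example (not the project's CORS configuration) that turns `ALLOWED_ORIGINS` into an `origin` callback of the shape the `cors` package accepts, with the documented `credentials` and header settings alongside. The sample environment value in the test is constructed; the trailing-slash normalisation is an assumption for robustness against a mistyped env var.

```javascript
// Added example (not the project's code). Builds an allowlist from
// ALLOWED_ORIGINS and checks the Origin header by exact string match.
function parseAllowedOrigins(raw) {
  return new Set(
    (raw || '')
      .split(',')
      .map((s) => s.trim())
      .filter(Boolean)
      .map((s) => s.replace(/\/+$/, '')), // an Origin header never carries a trailing slash
  );
}

// Exact match only. Substring or unanchored-regex tests are a known pitfall:
// they would also accept an origin that merely contains an allowed host.
function makeOriginCheck(allowed) {
  return function originCheck(origin, cb) {
    // No Origin header means same-origin or a non-browser client; nothing to grant.
    if (!origin) return cb(null, false);
    const ok = allowed.has(origin.replace(/\/+$/, ''));
    return cb(ok ? null : new Error('Origin not allowed by CORS'), ok);
  };
}

// Options object in the shape cors(options) expects; credentials: true is
// what requires the frontend to send credentials: 'include'.
function corsOptions(raw) {
  return {
    origin: makeOriginCheck(parseAllowedOrigins(raw)),
    credentials: true,
    allowedHeaders: ['Content-Type', 'Authorization', 'Cache-Control', 'Pragma', 'Expires', 'X-Requested-With'],
  };
}
```

With `credentials: true` the browser only honours the response if the reflected origin is a single exact value, never `*`, which is another reason to keep the check an allowlist lookup rather than a pattern.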
Authentication
Register, login, Google OAuth PKCE, JWT details, and token storage best practices.
Tender Endpoints
Analyze tender documents, validate proposals, manage your analysis history.