Eme2App enforces a three-tier role model that controls both which API routes a request can reach and which company’s data is visible. Every request after login carries a signed JWT that encodes the user’s rol and, for non-superadmin users, their active empresa_id. Understanding how roles and company assignments interact is the foundation for securely onboarding new teammates and accountants.
Role Overview
- superadmin
- admin
- user
A superadmin account is a cross-company administrator. Its JWT contains no empresa_id, which grants access to the GET /api/adminapp/* namespace for platform-level management. Superadmins cannot be created through the normal user creation flow and should only exist as system bootstrap accounts.
Capabilities:
- Access all /api/adminapp/* routes
- Not bound to any single empresa
- Can reset admin passwords in non-production environments via POST /api/auth/reset-admin
Role Permissions Summary
| Action | superadmin | admin | user |
|---|---|---|---|
| Read empresa profile | — | ✅ | ✅ |
| Edit empresa profile / SMTP / certificates | — | ✅ | ❌ |
| Create / edit / delete users | — | ✅ | ❌ |
| Manage IVA, series, formas de pago | — | ✅ | ❌ |
| Create invoices, quotes, clients | — | ✅ | ✅ |
| Read fiscal catalogs | — | ✅ | ✅ |
| Change own password & theme | ✅ | ✅ | ✅ |
| Access /api/adminapp/* | ✅ | ❌ | ❌ |
Multi-Company Support
A single Eme2App user can be assigned to multiple empresas through the usuario_empresas join table. The active empresa is encoded in the JWT payload as empresa_id.
Login Flow
Single empresa — token issued immediately
If the user has exactly one active empresa assignment, the response includes a token with empresa_id already embedded.
Multiple empresas — company selection required
If the user belongs to more than one empresa, the response includes requiere_seleccion_empresa: true and a list of available companies.
The empresa selector can also be used at any time after login to switch between assigned companies without re-entering credentials. Store and replace the token returned by POST /api/auth/seleccionar-empresa.
Managing Users
All user management endpoints live under /api/usuarios and require the admin role, except PUT /api/usuarios/:id, which also allows the authenticated user to update their own record (though only an admin can change roles).
List All Users
Create a User
- email — valid email format, must be unique across all users
- password — minimum 6 characters; stored as bcrypt hash (cost 10)
- nombre — non-empty string
- rol — must be "admin" or "user" (not "superadmin")
Update a User
Non-admin users can update only their own nombre and password (not rol or estado).
Delete (Deactivate) a User
Deleting a user deactivates the record (sets estado = false) rather than removing the database record, preserving referential integrity with historical documents.
Password Management
Change Password (Authenticated)
Use this endpoint when the user knows their current password.
Forgot Password Flow
Request a reset link
The endpoint returns 200 OK regardless of whether the email is registered, to avoid account enumeration.
UI Theme Preference
Each user can toggle between light and dark mode independently of other users on the same empresa. The value must be "light" or "dark". The preference is stored on the usuarios record and returned in every /api/auth/me response.
Route-Level Protection Summary
| Namespace | Protection |
|---|---|
| GET /api/version | Public — no auth required |
| POST /api/auth/login | Public |
| POST /api/auth/solicitar-reset | Public |
| POST /api/auth/reset-password | Public |
| GET /api/auth/me | Authenticated (verificarAutenticacion) |
| PUT /api/auth/tema | Authenticated |
| POST /api/auth/cambiar-password | Authenticated |
| POST /api/auth/seleccionar-empresa | Authenticated |
| GET /api/usuarios | Authenticated + admin role |
| POST /api/usuarios | Authenticated + admin role |
| DELETE /api/usuarios/:id | Authenticated + admin role |
| PUT /api/usuarios/:id | Authenticated (admin for role changes) |
| PUT /api/empresa, POST /api/empresa/certificado, etc. | Authenticated + admin role |
| GET /api/adminapp/* | Authenticated + superadmin role |
| All other /api/* routes | Authenticated + active empresa_id in JWT |
All routes under /api/* (except the public ones listed above) validate the JWT and extract empresa_id. Requests without a valid token receive HTTP 401. Requests with a valid token but insufficient role receive HTTP 403.