The API uses JWT tokens signed with HS256. Every token is signed using theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/gcapella0/agente-inteligente-expedientes/llms.txt
Use this file to discover all available pages before exploring further.
JWT_SECRET_KEY environment variable (defaults to a development placeholder — always override this in production). Tokens expire after 480 minutes (8 hours), as defined by ACCESS_TOKEN_EXPIRE_MINUTES in security.py. Passwords are stored and verified using bcrypt via passlib.
POST /auth/login
Authenticate a user and receive a signed JWT token.| Property | Value |
|---|---|
| Method | POST |
| Path | /auth/login |
| Auth required | No |
| Content-Type | application/json |
Request body
The user’s registered email address.
The user’s plaintext password. Verified against the bcrypt hash stored in MongoDB.
Response 200 — Success
usuario object in the response reflects the UsuarioResponse model — it never includes password_hash.
Error responses
| Status | Detail | Cause |
|---|---|---|
401 | Email o contraseña incorrectos | Email not found in the usuarios collection, or bcrypt verification failed |
403 | Usuario inactivo | User document has activo: false |
cURL example
On first startup, if the
usuarios MongoDB collection is empty, the system automatically inserts a default admin account:
email admin@uneg.edu.ve / password admin123.
Change this credential immediately in any non-development environment.Using the token
All write endpoints require the token in theAuthorization header:
verify_token (in dependencies.py) splits the header on whitespace, asserts the scheme is bearer, then calls decode_token which validates the HS256 signature and checks expiry.
Query-parameter fallback (?token=)
File-serving and SSE endpoints use verify_token_sse instead of verify_token. This dependency reads the token from a ?token= query parameter so browsers can load resources via <img src="...?token=..."> and <iframe> without custom headers.
Extract and reuse a token in shell scripts
POST /auth/crear-usuario
Create a new user account. Requires an authenticated admin.| Property | Value |
|---|---|
| Method | POST |
| Path | /auth/crear-usuario |
| Auth required | Yes — admin role |
| Content-Type | application/json |
Request body
Email address for the new account. Must be unique in the
usuarios collection.Plaintext password. Stored as a bcrypt hash — never persisted in cleartext.
Full display name of the new user.
Role to assign. Must be one of
admin, usuario, or sistema (as defined in UsuarioCreate).Response 201 — Created
Error responses
| Status | Detail | Cause |
|---|---|---|
400 | El email ya está registrado | A document with that email already exists |
403 | Solo administradores pueden realizar esta acción | Caller’s rol is not admin |
POST /auth/cambiar-password
Change the authenticated user’s own password.| Property | Value |
|---|---|
| Method | POST |
| Path | /auth/cambiar-password |
| Auth required | Yes — any authenticated user |
This endpoint identifies the target account from the JWT payload (
sub claim), so a user can only change their own password. There is no admin override path on this endpoint.Query parameters
The user’s current password. Verified against the stored bcrypt hash before any change is made.
The new plaintext password. Will be hashed with bcrypt and stored.
Response 200 — Success
Error responses
| Status | Detail | Cause |
|---|---|---|
401 | Contraseña actual incorrecta | verify_password returned false |
404 | Usuario no encontrado | JWT sub doesn’t match any document |
JWT payload structure
Every token produced bycreate_access_token encodes the following claims:
| Claim | Type | Description |
|---|---|---|
sub | string | User email — the primary identity used by all handlers |
rol | string | User’s assigned role (e.g. admin, usuario, sistema, docente, viewer) — reflects whatever role is stored in the usuarios collection |
exp | integer | Expiration timestamp (Unix epoch, UTC) |
iat | integer | Issued-at timestamp (Unix epoch, UTC) |
Role-based access
Two dependency functions independencies.py gate protected endpoints:
| Dependency | Who can pass | Used by |
|---|---|---|
verify_token | Any user with a valid, unexpired token | /auth/cambiar-password, most read endpoints |
verify_admin | Only users with rol == "admin" | /auth/crear-usuario, /usuarios/*, /admin/auditoria |
verify_admin is called but the token’s rol is not admin, the server returns: