
Quizmaster uses JSON Web Tokens (JWT) for API authentication. After logging in, you receive a token that you include in the Authorization header of subsequent requests. Tokens are valid for 7 days. Public endpoints (such as browsing subjects or logging in) do not require a token.

Obtaining a token

Send a POST request to /api/auth/login with your credentials in the request body.
curl --request POST \
  --url http://localhost:5000/api/auth/login \
  --header 'Content-Type: application/json' \
  --data '{
    "username": "your_username",
    "password": "your_password"
  }'
A successful login returns a user object and a signed JWT:
{
  "user": {
    "id": 1,
    "username": "your_username",
    "fullName": "Jane Smith",
    "qualification": "B.Sc. Computer Science",
    "dob": "1995-06-15",
    "role": "user"
  },
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
The role field is either "user" or "admin". Store the token value — you will need it for all authenticated requests.

Token format and validity

The token is a signed JWT containing the payload { id, role }. It is signed with the server’s JWT_SECRET environment variable and expires after 7 days.
Keep your token secure. Do not commit it to source control, log it to the console in production, or expose it in client-side code that others can read. If a token is compromised, the affected user should log in again after the server rotates or invalidates the token.

Making authenticated requests

Include the token in the Authorization header as a Bearer token on every request that requires authentication:
curl --request GET \
  --url http://localhost:5000/api/scores \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
The header must follow the exact format Authorization: Bearer <token>. The server extracts the token from the second segment after splitting on a space.

Error responses

Missing or invalid token — 401

If no Authorization header is present, or the token cannot be verified, the server returns 401:
{
  "message": "No token provided"
}
or
{
  "message": "Unauthorized"
}
This also occurs if the token has expired or has been tampered with.

Insufficient role — 403

If you send a valid token but your account does not have the admin role, and you attempt to access an admin-only endpoint, the server returns 403:
{
  "message": "Require Admin Role!"
}
Admin-only endpoints include user management (GET /api/users, DELETE /api/users/:id), all score reporting across users, and all POST, PUT, and DELETE operations on subjects, chapters, quizzes, and questions.

User not found — 404

If the token is valid but the user record has been deleted from the database since the token was issued, the server returns 404:
{
  "message": "User not found"
}

Summary

1. Log in to get a token: send your credentials to POST /api/auth/login and copy the token from the response.
2. Attach the token to requests: add Authorization: Bearer <token> to the headers of any authenticated request.
3. Handle token expiry: tokens expire after 7 days. When you receive a 401 response, log in again to obtain a new token.
