Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/giangartun/Tis-GOAT-Frontend/llms.txt

Use this file to discover all available pages before exploring further.

The GOAT Portfolio API uses JWT (JSON Web Tokens) for authentication. After a successful login the server returns a signed token that must be included in the Authorization header of every subsequent request to a protected endpoint. Requests that are missing a valid token, or that carry an expired one, receive an HTTP 401 response.

Obtaining a Token

Send a POST request to the login endpoint with the user’s credentials:
POST /api/usuario/login
Request body:
{
  "email": "user@example.com",
  "contrasena": "yourpassword"
}
FieldTypeDescription
emailstringThe user’s registered email address.
contrasenastringThe user’s password.
Success response — HTTP 200:
{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
  "usuario": {
    "id_usuario": "01ABC...",
    "nombre": "Juan",
    "email": "user@example.com",
    "tipo_usuario": "usuario"
  },
  "id_portafolio": "01DEF..."
}
FieldDescription
tokenThe JWT to attach to all subsequent protected requests.
usuarioObject containing the authenticated user’s profile data.
usuario.tipo_usuarioRole of the user — "usuario" or "admin".
id_portafolioThe ID of the user’s portfolio, used to construct portfolio-scoped endpoints.
After a successful login, persist the values you need for the session. The frontend stores them as follows:
localStorage.setItem('token', data.token);
localStorage.setItem('usuario', JSON.stringify(data.usuario));

const idPortafolio = data.id_portafolio ?? data.usuario?.id_portafolio ?? null;

if (idPortafolio) {
  localStorage.setItem('id_portafolio', String(idPortafolio));
}
Store the token in localStorage only if your application is not susceptible to XSS attacks. For higher-security contexts consider using an HttpOnly cookie instead, which prevents JavaScript from reading the token directly. Whichever storage mechanism you use, ensure your application enforces HTTPS in production so the token is never transmitted in plaintext.

Using the Token

Include the token as a Bearer value in the Authorization header of every request to a protected endpoint:
curl -H "Authorization: Bearer <your_token>" \
     -H "Accept: application/json" \
     https://api.example.com/api/portafolio/completo
The frontend Axios instance (src/Services/api.ts) handles this automatically via a request interceptor. For every outgoing request it reads the token from localStorage and injects the header — you never need to set it manually when using the shared api instance:
import axios from "axios";
import type { InternalAxiosRequestConfig } from "axios";

export const api = axios.create({
  baseURL: `${import.meta.env.VITE_API_URL}/api`,
});

api.interceptors.request.use(
  (config: InternalAxiosRequestConfig) => {
    const token = localStorage.getItem("token");

    if (token) {
      config.headers.set("Authorization", `Bearer ${token}`);
    }

    config.headers.set("Accept", "application/json");

    return config;
  },
  (error) => Promise.reject(error)
);
Never log the raw JWT token to the browser console, server logs, or any analytics pipeline. Tokens are bearer credentials — anyone who obtains one can make authenticated requests on behalf of that user until the token expires.

Token Errors

HTTP StatusCauseRecommended action
401 UnauthorizedToken is missing, malformed, or has expired.Clear localStorage (token, usuario, id_portafolio) and redirect the user to /login.
403 ForbiddenThe account associated with the token has been suspended.Display a message informing the user that their account is suspended and to contact the administrator. Do not retry the request automatically.
The frontend handles both cases in Login.tsx:
if (response.status === 403) {
  setError(
    data.message || 'Tu cuenta ha sido suspendida. Contacta al administrador.'
  );
} else if (data.errors) {
  setErrors(data.errors);
} else {
  setError(data.message || t('login.errors.invalid'));
}

Public Endpoints

The following endpoints do not require an Authorization header and are accessible without a token:
MethodEndpointDescription
POST/api/usuario/loginAuthenticate and obtain a JWT token.
POST/api/usuario/pre-registroRegister a new user account.
GET/api/usuario/verificar-email/:tokenVerify a user’s email address via the link sent on registration.
POST/api/usuario/contrasena/olvidoRequest a password-reset email.
GET/api/portafolios/publicosList all publicly visible portfolios.
GET/api/anuncios/homeRetrieve homepage announcements.
All other endpoints require a valid Bearer token. Requests to protected endpoints that do not carry a token — or carry an expired one — will receive an HTTP 401 response.

Build docs developers (and LLMs) love