
Overview

The BCGW API uses Firebase Auth ID tokens (JWTs) for authentication. Every request to a protected endpoint must include a valid token in the Authorization header. The only public endpoints are POST /auth/register/root and POST /auth/register/invite/:inviteId.

Getting a Token

Sign in with the Firebase Auth SDK on the client, then call getIdToken() on the signed-in user to retrieve the current token. auth.currentUser is null until a user has signed in (and briefly while the SDK restores a persisted session on page load), so guard for it before asking for a token:
import { getAuth } from "firebase/auth";

const auth = getAuth();
const user = auth.currentUser;
if (!user) {
  throw new Error("No signed-in user: sign in before requesting an ID token");
}

// Returns the cached token, or transparently fetches a new one if it is close to expiry
const idToken = await user.getIdToken();

// Force a refresh (e.g. after a role change) so the token carries the updated custom claims
const freshToken = await user.getIdToken(true);
Tokens are valid for 1 hour. The SDK refreshes a token on its own when it is close to expiry; pass true to getIdToken() to discard the cached token and fetch a new one immediately. That is what you need after a role change, because custom claims are fixed at the moment a token is issued and do not change for the life of that token.

Passing the Token

Include the token as a Bearer value in the Authorization header on every authenticated request:
Authorization: Bearer <id_token>

Example cURL request

curl https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api/users/all \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..."

Role-Based Access Control

Some endpoints require elevated roles. Roles are stored as custom claims on the Firebase Auth ID token and are enforced server-side by the hasRoles middleware.

Role       Level  Description
VOLUNTEER  0      Read-only access to most data
ADMIN      1      Can manage data and delete lower-level users
DIRECTOR   2      Full access; can manage all users and roles

Levels are ordered, so an endpoint that requires ADMIN also admits a DIRECTOR. Role restrictions are documented on each individual endpoint page. The server reads the role from the verified token's claims on every request. Custom claims can only be set on the server (with the Firebase Admin SDK) and are baked into the ID token when it is issued, so a role change is not visible to the API until the client obtains a new token with getIdToken(true); a token issued before the change keeps the old role until it expires or is refreshed.
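The following is an added example of how a role gate like the one described above can be written; it is not the project's own hasRoles middleware, and its signature is a guess. It is in the (req, res, next) shape Express uses, with the ID-token verifier injected so the file runs offline. It assumes the custom claim is named role (the page does not name the claim) and that it holds one of the three role names. In production the verifier would be getAuth().verifyIdToken from firebase-admin, which checks the RS256 signature, issuer, audience and expiry; the stub at the bottom checks none of that and exists only to exercise the middleware.

```javascript
// Added example, not the project's own hasRoles middleware. The custom claim
// name "role" is an assumption. In production, pass getAuth().verifyIdToken
// from firebase-admin as `verifyIdToken`; it validates signature, issuer,
// audience and expiry of the Firebase ID token.

const ROLE_LEVEL = { VOLUNTEER: 0, ADMIN: 1, DIRECTOR: 2 };

// Returns middleware that admits a request only if its verified token carries
// a role at or above `minRole`. Every failure is a 403, matching the API.
function requireRole(minRole, verifyIdToken) {
  const required = ROLE_LEVEL[minRole];
  if (required === undefined) throw new Error(`unknown role: ${minRole}`);

  return async function hasRolesMiddleware(req, res, next) {
    const [scheme, token, ...rest] = (req.headers.authorization || "").split(" ");
    if (scheme !== "Bearer" || !token || rest.length) {
      return res.status(403).json({ error: "missing or malformed token" });
    }

    let claims;
    try {
      claims = await verifyIdToken(token);
    } catch (err) {
      // Signature, expiry, issuer or audience check failed: same 403 as the API.
      return res.status(403).json({ error: "invalid or expired token" });
    }

    const level = ROLE_LEVEL[claims.role];
    if (level === undefined || level < required) {
      return res.status(403).json({ error: "insufficient role" });
    }

    req.user = { uid: claims.uid, role: claims.role };
    return next();
  };
}

// --- Offline stand-ins below; constructed test doubles, not for production --

// Builds an unsigned token with the JWT layout (header.payload.signature) so
// the middleware sees realistic input. Constructed test data only.
function makeUnsignedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}

// Stand-in for verifyIdToken. It decodes the payload and checks `exp` but
// verifies NO signature, so it trusts whatever the caller sends. Never ship
// this shape: decoding claims without verifying them is how forged-role bugs happen.
async function stubVerifyIdToken(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  if (typeof payload.exp !== "number" || payload.exp <= Math.floor(Date.now() / 1000)) {
    throw new Error("token expired");
  }
  return payload;
}

// Drives the middleware with a minimal req/res pair and reports the outcome.
async function simulate(middleware, authorization) {
  const req = { headers: authorization ? { authorization } : {} };
  const out = { status: 200, body: null, nextCalled: false, user: undefined };
  const res = {
    status(code) { out.status = code; return res; },
    json(body) { out.body = body; return res; },
  };
  await middleware(req, res, () => { out.nextCalled = true; });
  out.user = req.user;
  return out;
}
```

Two details matter for security here. The verifier is the only thing standing between a client-supplied string and req.user, so it must be the Admin SDK's verifyIdToken (or an equivalent that checks the signature against Google's published keys); the stub above is deliberately labelled unsafe. And the role comparison is numeric, so adding a new role means assigning it a level in ROLE_LEVEL, not editing every endpoint's check.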

Error Responses

Status  Meaning
403     Token is missing, malformed, expired, or the user's role is insufficient for the requested operation

The BCGW API always returns 403 for authentication and authorization failures; it never returns 401. This applies both when the token is absent or invalid and when the user's role is too low for the requested endpoint. Because both cases share one status code, a client cannot tell a stale token from an insufficient role by the status alone. On a 403 from an authenticated endpoint, retry the request once with a force-refreshed token (getIdToken(true)); if that attempt also returns 403, treat it as an authorization failure rather than an expired session, and do not keep retrying.
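The following is an added example of a client-side fetch wrapper that implements the header format from Passing the Token and the 403 handling described above; it is not the project's client code. It attaches the Bearer token to every call and, since a 403 can mean either a stale token or an insufficient role, retries exactly once with a force-refreshed token before surfacing the failure. It assumes the caller supplies a getIdToken(forceRefresh) function (in a real client: (force) => getAuth().currentUser.getIdToken(force)) and accepts an injectable fetchImpl, which is how the constructed fake API at the bottom lets it run offline.

```javascript
// Added example, not the project's client code. `getIdToken` and `fetchImpl`
// are injected; in a browser the caller passes
// (force) => getAuth().currentUser.getIdToken(force) and leaves fetchImpl as
// the global fetch. API_BASE is taken from the cURL example on the page.

const API_BASE = "https://us-east4-breastfeeding-center-gw.cloudfunctions.net/api";

class AuthorizationError extends Error {
  constructor(path) {
    super(`403 from ${path} even after a forced token refresh`);
    this.name = "AuthorizationError";
  }
}

async function apiFetch(path, { getIdToken, fetchImpl = globalThis.fetch, baseUrl = API_BASE, headers = {}, ...init } = {}) {
  if (typeof getIdToken !== "function") throw new Error("apiFetch needs a getIdToken(forceRefresh) function");

  const attempt = async (forceRefresh) => {
    const token = await getIdToken(forceRefresh);
    return fetchImpl(baseUrl + path, {
      ...init,
      headers: { ...headers, Authorization: `Bearer ${token}` },
    });
  };

  let res = await attempt(false);
  if (res.status !== 403) return res;

  // The API uses 403 for both "bad token" and "role too low". A stale token is
  // the recoverable case, so refresh once and retry; a second 403 is final.
  res = await attempt(true);
  if (res.status === 403) throw new AuthorizationError(path);
  return res;
}

// --- Offline stand-ins; constructed test doubles, not real services --------

// Fake API that accepts exactly the listed tokens, answers 403 to everything
// else (never 401, like the real API), and records calls so the retry is visible.
function makeFakeApi(acceptedTokens) {
  const calls = [];
  const fetchImpl = async (url, init) => {
    const auth = (init.headers && init.headers.Authorization) || "";
    calls.push({ url, auth });
    const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
    if (!acceptedTokens.includes(token)) {
      return { status: 403, json: async () => ({ error: "forbidden" }) };
    }
    return { status: 200, json: async () => ({ ok: true, url }) };
  };
  return { fetchImpl, calls };
}

// Fake token source: hands out the stale cached token until a forced refresh,
// then a fresh one, and counts forced refreshes.
function makeFakeTokenSource() {
  const state = { forced: 0 };
  const getIdToken = async (force) => {
    if (force) state.forced += 1;
    return state.forced ? "fresh-token" : "stale-token";
  };
  return { getIdToken, state };
}
```

The single retry is deliberate: a forced refresh is the only client-side action that can turn a 403 into a 200 (it picks up a renewed token and any changed claims), so a second 403 means the role really is insufficient and looping would only hammer the API. If the user has signed out, auth.currentUser is null and the caller's getIdToken should throw before any request is made, which this wrapper propagates unchanged.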
