WayFy’s API uses JSON Web Tokens (JWT) issued by Flask-JWT-Extended to authenticate requests. The flow is straightforward: register or log in to receive a signed token, then include that token as a Bearer credential in theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/jhonyes04/new-wayfy/llms.txt
Use this file to discover all available pages before exploring further.
Authorization header of every subsequent request to a protected endpoint. Tokens carry identity claims (user ID, email, admin status) directly in their payload, so the server can authorise requests without an additional database lookup for each call.
Auth Flow
Register a new account
Send a
POST request to /api/users/register with the user’s email, password, password confirmation, and mobility preferences. On success, the API returns a 201 response containing the new user object and a ready-to-use JWT token — no separate login step is needed after registration.Log in to an existing account
Send a
POST request to /api/users/login with email and password. On success, the API returns a 200 response containing the token and the user object.Store the token client-side
Persist the token and its expiration timestamp so you can attach it to subsequent requests. The WayFy web frontend stores these under the localStorage keys
wayfy_token and wayfy_token_expiration.Attach the token to protected requests
Include the token in the
Authorization header as Bearer <token> alongside Content-Type: application/json for every call to a protected endpoint.Register
POST /api/users/register
Creates a new WayFy user account and returns a JWT token immediately. All five fields are required — confirmPassword must match password, and selectedMobility must contain at least one option.
Request body:
The user’s email address. Must be unique across all WayFy accounts.
The user’s chosen password. Must be at least 8 characters. Stored as a bcrypt hash — never in plain text.
Must match
password exactly. The server validates both fields before creating the account.The user’s first name. Returned in the user object and used in the UI.
The user’s last name.
At least one mobility preference string (e.g.
["wheelchair"]). Used to tailor accessibility results across the platform.201 Created:
Login
POST /api/users/login
Authenticates an existing user and returns a JWT token. Returns 401 Unauthorized if the email is not found or the password does not match. Returns 403 Forbidden if the account is inactive.
Request body:
The registered email address for the account.
The account password.
200 OK:
401 Unauthorized:
Using the Token
Once you have a token, include it in every request to a protected endpoint using theAuthorization header:
JavaScript / Fetch Example
The WayFy frontend constructs auth headers using agetAuthHeader helper and processes responses with a handleResponse utility. Here is the canonical pattern used throughout the codebase:
JWT Payload Structure
Every WayFy JWT is created withcreate_access_token(identity=str(user.id), additional_claims={...}). The standard sub claim holds the user’s ID as a string. Use get_jwt_identity() on the backend to retrieve the user ID, and get_jwt() to read the additional claims:
The authenticated user’s unique ID as a string (e.g.
"42"). This is the standard JWT subject claim. Returned by get_jwt_identity() on the backend.The authenticated user’s email address.
The authenticated user’s first name.
The authenticated user’s last name.
The avatar path embedded in the token (e.g.
/api/users/avatar/default_avatar.png).Whether the user account is active.
Whether the user holds admin privileges. Defaults to
false for all standard accounts. Read via get_jwt() on the backend: claims.get('is_admin', False).Token Expiry
Tokens expire after the number of hours specified by theJWT_ACCESS_TOKEN_EXPIRES_HOURS environment variable on the backend (default: 1 hour). The expiresIn field in the login and register responses contains the token lifetime in seconds. After expiry, any request using the old token will receive:
Optional Authentication
Some WayFy endpoints use@jwt_required(optional=True). These endpoints function without a token but may return reduced or public-only data. If you include a valid token, the endpoint will personalise its response (e.g., a private trip is only accessible to its owner).
To call an optionally-authenticated endpoint anonymously, simply omit the Authorization header entirely:
Admin Access
Certain privileged endpoints check theis_admin claim embedded in the token. On the backend, admin status is verified like this:
403 Forbidden.
The avatar serve endpoint (
GET /api/users/avatar/<filename>) requires authentication. Trip cover images (GET /api/trips/cover/<filename>) and accessibility photos (GET /api/accessibility/photos/<filename>) are publicly accessible without a token.