
AirGuide’s authentication system protects all API routes with JSON Web Tokens (JWT). Every account goes through an admin-approval step before it can log in, and every login requires a two-factor OTP verification before a token is issued. This page explains how accounts work, what roles exist, and how to move through the full flow.

Bearer token usage

After completing the two-factor verification, you receive a JWT. Include it in the Authorization header of every protected request:

    curl https://your-api.example.com/api/some-endpoint \
      -H "Authorization: Bearer <your_token>"

The middleware rejects any request without a valid token with 401 Unauthorized.

Account states

New accounts start in the pendiente state. An admin must approve each account before it can log in.
State       Description
pendiente   Registered but not yet approved by an admin.
activo      Approved; can log in and receive a JWT.
rechazado   Rejected by an admin. Login is blocked.
Accounts with estado: "pendiente" or estado: "rechazado" receive a 403 response on login. Contact an admin to get your account activated.

Roles

The middleware exposes four roles on every authenticated request:
Role        Description
alumno      Default role assigned on registration.
profesor    Faculty member.
rector      Rector-level access.
admin       Full administrative access: can approve accounts, list all users, and manage the platform.
Only users with the admin role can access endpoints protected by the requireAdmin middleware (for example, GET /api/auth/pending and PUT /api/auth/validate/:id).

Full authentication flow

1. Register
   Send POST /api/auth/register with your email, password, full name, and optional student ID. Your account is created with estado: "pendiente" and rol: "alumno".

2. Wait for admin approval
   An admin reviews your account and calls PUT /api/auth/validate/:id to set your estado to activo. You cannot log in until this step is complete.

3. Log in and request an OTP
   Send POST /api/auth/login with your email and password. If your credentials are valid and your account is active, a 6-digit OTP is sent to your email address.

4. Verify the OTP
   Send POST /api/auth/verify-2fa with your email and the OTP code. The code is single-use and expires after a short window.

5. Receive a JWT token
   On successful OTP verification, the response includes a token string and your user object. The token is a signed JWT, used as a Bearer token.

6. Use the JWT in requests
   Include the token in the Authorization: Bearer <token> header on every subsequent request to protected endpoints.

Explore the auth endpoints

Register

Create a new AirGuide account.

Login

Step 1 — submit credentials and receive an OTP.

Two-factor verification

Step 2 — verify your OTP and receive a JWT.

Password reset

Reset your password via a one-time email code.
