
POST /api/auth/login

Authenticates a user by email and password. On success, returns a signed JWT and the user's role. No authentication is required to call this endpoint.

Request body

email (string, required)
  Email address of the registered user.
password (string, required)
  Plain-text password. Compared against the stored bcrypt hash.

Response

token (string)
  Signed JWT. Pass this value in the Authorization header of subsequent requests.
role (string)
  Role of the authenticated user. One of SUPER_ADMIN, ACADEMIC_ADMIN, STUDENT_ADMIN, FINANCE_ADMIN, OPERATIONS_ADMIN, TEACHER, or STUDENT.

Using the token

The JWT middleware reads the token directly from the Authorization header as a raw string value, not as a Bearer scheme. Set the header as follows:

  Authorization: <your_token>

Do not prefix the token with Bearer. The middleware reads req.headers.authorization directly, so sending Bearer <token> causes authentication to fail on protected routes.

Error cases

HTTP status  Message          Condition
404          User not found   No account exists for the provided email
400          Wrong password   Account found but the password does not match

Examples

Request:

curl --request POST \
  --url http://localhost:5000/api/auth/login \
  --header 'Content-Type: application/json' \
  --data '{
    "email": "priya.sharma@school.edu",
    "password": "SecurePass123"
  }'

Response:

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY0ZjFhMmIzYzRkNWU2ZjdhOGI5YzBkMSIsInJvbGUiOiJURUFDSEVSIiwiaWF0IjoxNjkzNTcyMDAwfQ.abc123signatureXYZ",
  "role": "TEACHER"
}

Authenticating subsequent requests

Once you have the token, include it in the Authorization header of every protected request:
curl --request GET \
  --url http://localhost:5000/api/student/list \
  --header 'Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
The JWT payload contains the user’s id and role. These are used by downstream middleware to enforce role-based access control on protected routes.
