Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/scoria02/marbes2021_backend/llms.txt

Use this file to discover all available pages before exploring further.

Every protected endpoint in Marbes Backend requires a valid credential on each request. There are two authentication modes: standard JWT Bearer tokens for authenticated staff users, and solicitud tokens for public-facing credit application links that are shared with clients. This page explains how to obtain credentials, how to attach them to requests, and what error responses look like.

Standard JWT authentication

Obtain a token

Call POST /api/auth/login with your identifier and password. The identifier can be an email address, a name (username), or a code — exactly one of these three fields is required. 
curl -X POST http://localhost:7780/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your_password"
  }'
You can also log in using a username or a user code instead of an email: 
curl -X POST http://localhost:7780/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"name": "ana.garcia", "password": "your_password"}'

Login response

{
  "success": true,
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "user": {
      "id": "42",
      "nombre": "Ana",
      "apellido": "García",
      "email": "[email protected]",
      "cedula_rif": "V-12345678",
      "telefono": "+58 412 000 0000",
      "cargo": "Analista",
      "departamento": "Crédito",
      "estatus": "activo",
      "last_activity": "2024-01-15T10:29:55.000Z",
      "created_at": "2023-06-01T00:00:00.000Z",
      "updated_at": "2024-01-15T10:29:55.000Z"
    },
    "permisos": []
  }
}

Token payload

The token is a signed HS256 JWT. When decoded, its payload contains:
FieldTypeDescription
idstringInternal user ID
nombrestringUser’s first name
cedula_rifstringNational ID or tax ID
emailstringUser’s email address
iatnumberIssued-at timestamp (Unix seconds)
expnumberExpiry timestamp (Unix seconds)
Tokens expire 12 hours after they are issued. Your client must detect 401 responses with the message "Token inválido o expirado." and prompt the user to log in again.

Attach the token to requests

Include the token in the Authorization header of every protected request using the Bearer scheme: 
Authorization: Bearer <token>

curl http://localhost:7780/api/negocios/aportantes \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
The Bearer prefix (with a trailing space) is required. A header like Authorization: eyJhbG... without the scheme prefix will be rejected with a 401.

Solicitud token authentication

Some endpoints support a second authentication mode for public credit application links. When a link is generated for a client, it carries a one-time token that can be passed instead of a JWT. This allows unauthenticated clients to submit credit applications without needing a staff account. Endpoints that support this mode accept either a JWT Bearer token or a solicitud token. If both are present, the JWT takes precedence.

Pass the solicitud token

Send the token in the X-Solicitud-Token request header: 
curl -X GET http://localhost:7780/api/negocios/actividad_economica \
  -H "X-Solicitud-Token: <solicitud_token>"
Alternatively, include the token in the request body as a field named token.

Solicitud token lifecycle

A solicitud token becomes invalid if any of the following is true:
  • The token was not found in the database
  • The link has already been used (usado: true)
  • The link has expired (past its expira_en timestamp)
The default validity window is controlled by the SOLICITUD_CREDITO_EXPIRA_HORAS environment variable (for example, 72 = 3 days).

Authentication errors

All authentication failures return HTTP 401 with a JSON body. The message field indicates the specific cause:
MessageCause
"Acceso denegado. No se proveyó token."Authorization header is missing or does not start with Bearer
"Token inválido: estructura incorrecta."Token decoded successfully but payload is not a valid object
"Token inválido o expirado."Token signature verification failed or the token has expired
"Credenciales inválidas."Login attempt failed — wrong password or identifier not found
"Token de solicitud no encontrado."The solicitud token does not exist in the database
"Este link ya fue utilizado."The solicitud link was already consumed
"El link ha expirado."The solicitud link’s expira_en date is in the past
Example error response: 
{
  "message": "Token inválido o expirado."
}

Build docs developers (and LLMs) love

Get started for freeTalk to us