Documentation Index

Fetch the complete documentation index at: https://mintlify.com/sdurutr436/stay-sidekick/llms.txt
Use this file to discover all available pages before exploring further.

The Stay Sidekick API authenticates requests using JWT HS256 tokens. To call any protected endpoint, you first fetch a CSRF token, then log in to receive a JWT, and include that JWT as an `Authorization: Bearer` header on all subsequent requests. State-changing operations (POST, PUT, PATCH, DELETE) additionally require the CSRF token in an `X-CSRF-Token` header.
Step 1: Get a CSRF Token

Before any state-changing request (including login), fetch a CSRF token. The response sets a `csrf_token` cookie and returns the token value in the JSON body.

The CSRF token is tied to the cookie. Use `-c cookies.txt` to save cookies and `-b cookies.txt` to send them on subsequent requests.

Step 2: Log In
Call `POST /api/auth/login` with the CSRF token header and cookie. On success, the response contains a signed JWT token.

Endpoint: `POST /api/auth/login`
Rate limit: 10 requests/hour per IP
Auth required: No
Request body

- The user's email address.
- The user's password.

Response

- Always `true` on success.
- Signed JWT HS256 token. Include this as `Authorization: Bearer <token>` on all protected requests.
- If `true`, the user must change their password before using the platform. Redirect them to the password change flow.

| Status | Meaning |
|---|---|
| 400 | Body is not valid JSON |
| 401 | Invalid credentials (message is intentionally generic — does not reveal whether the email exists) |
| 403 | CSRF token missing or invalid |
| 422 | Validation error in login payload |
| 429 | Rate limit exceeded (10/hour per IP) |
Step 3: Use the Token

Pass the JWT as an `Authorization: Bearer` header on all protected endpoints.
Token Details

| Property | Value |
|---|---|
| Algorithm | HS256 |
| TTL | Configurable via `JWT_ACCESS_TOKEN_HOURS` (default: 1 hour) |
| Signing key | `JWT_SECRET_KEY` environment variable |

| Claim | Description |
|---|---|
| `sub` | Subject — the authenticated user's email or identifier (standard JWT claim) |
| `iat` | Issued-at timestamp |
| `exp` | Expiry timestamp — the token is rejected after this time |
| `user_id` | UUID of the authenticated user |
| `empresa_id` | UUID of the user's company (used for multi-tenant data scoping) |
| `rol` | User role: `operativo` or `admin` |
| `es_superadmin` | Boolean — a superadmin can manage all companies |
CSRF Protection Details

Stay Sidekick uses the double-submit cookie pattern:

1. Fetch the CSRF token. Call `GET /api/csrf-token`. The server generates a 256-bit random token, sets it as a `csrf_token` cookie (HttpOnly=False, SameSite=Strict), and returns it in the JSON body. The cookie is intentionally readable by JavaScript so the frontend can copy it into the `X-CSRF-Token` header.
2. Include both cookie and header. On every POST, PUT, PATCH, or DELETE request, send the `csrf_token` cookie (automatically via `-b cookies.txt`) and include the same value in the `X-CSRF-Token` header.

Internal Token Validation Endpoint
GET /api/auth/validacion is used internally by Nginx’s auth_request module to validate tokens before proxying requests to the Angular SPA. It returns 200 for valid tokens and 401 otherwise.
Do not call `GET /api/auth/validacion` directly from client applications. It is an internal Nginx subrequest endpoint and is not designed for external use.
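The checks the claim set under Token Details and the 200/401 decision of the internal validation endpoint imply, as an added stand-alone Python example (not Stay Sidekick's own code): it pins the algorithm to HS256 regardless of what the token header says, compares the HMAC in constant time, and rejects tokens with missing, malformed or expired claims. The secret, the sample claim values and the function names are assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

REQUIRED_CLAIMS = ("sub", "iat", "exp", "user_id", "empresa_id", "rol", "es_superadmin")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token with the documented claim set (stand-in for the login endpoint)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate(token: str, secret: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is acceptable, else None (the 200 / 401 decision)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # The header is attacker-controlled input: anything other than HS256
        # (e.g. "none") is rejected before any signature check happens.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        # Constant-time comparison of the MAC; only then is the payload trusted.
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or any(k not in claims for k in REQUIRED_CLAIMS):
        return None
    # Rejected at and after exp; rol must be one of the two documented roles.
    if not isinstance(claims["exp"], (int, float)) or now >= claims["exp"]:
        return None
    if claims["rol"] not in ("operativo", "admin"):
        return None
    return claims

SAMPLE_SECRET = b"constructed-test-secret-not-the-real-JWT_SECRET_KEY"  # assumption
SAMPLE_CLAIMS = {"sub": "ana@example.com", "iat": 1700000000, "exp": 1700003600,
                 "user_id": "11111111-1111-4111-8111-111111111111",
                 "empresa_id": "22222222-2222-4222-8222-222222222222",
                 "rol": "operativo", "es_superadmin": False}  # constructed sample
```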
