Documentation Index
Fetch the complete documentation index at: https://mintlify.com/sistemashm24/pagos_hotspot_api/llms.txt
Use this file to discover all available pages before exploring further.
Admin panel access — whether you are a platform operator (super_admin) or a company operator (cliente_admin) — is protected by short-lived JWT session tokens. You exchange your email and password for a token at login, include that token as a Bearer credential on every subsequent request, and re-authenticate when it expires. This page covers the complete session lifecycle: login, authenticated requests, password changes, logout, and how role enforcement works under the hood.
JWT session tokens are completely separate from Router API Keys. Session tokens are scoped to human admin users and travel in the Authorization: Bearer header without a prefix. Router API Keys are scoped to MikroTik hardware and also travel in the Authorization: Bearer header but carry a jwt_ prefix before the encoded JWT. The two credentials are signed with different secrets (JWT_SESSION_SECRET vs JWT_APIKEY_SECRET) and validated by different code paths — one cannot substitute for the other.
Login
Exchange your credentials for a session token by posting your email and password to POST /api/v1/auth/login.
The response body carries access_token, an HS256-signed JWT containing the claims sub (user integer ID), email, nombre, rol, empresa_id, iat (issued-at Unix timestamp), exp (expiry Unix timestamp), and type: "access_token". Store it securely in your admin client (e.g. localStorage, an in-memory store, or an HttpOnly cookie). It is valid for 24 hours from the moment of issuance (controlled by the JWT_SESSION_EXPIRE_HOURS environment variable, which defaults to 24).
Using the Token
Include the token in the Authorization header on every admin request using the Bearer scheme: Authorization: Bearer <token>
If the token is missing or cannot be validated, the API returns 401 Unauthorized. If the token is valid but the endpoint requires a higher-privilege role than the token’s rol claim carries, the API returns 403 Forbidden.
Token Expiry and Re-authentication
Session tokens are not refreshable. When the 24-hour window closes, the next request will return 401 Unauthorized, and the client must call POST /api/v1/auth/login again with their credentials to obtain a new token. There is no refresh-token endpoint.
Logout
POST /api/v1/auth/logout confirms the logout; the client must then discard the token (see the endpoint reference below).
Change Password
A logged-in admin user can update their own password without super_admin intervention. Both the current password and the desired new password are required.
If the supplied current_password does not match the stored bcrypt hash, the API returns 400 with the message Contraseña actual incorrecta and the password is not changed.
Changing your password does not invalidate your current session token — it remains valid until its natural expiry. If you suspect your credentials were compromised, coordinate with a super_admin to deactivate your account while you re-authenticate.
Role Enforcement
Every admin endpoint is protected by one of two FastAPI dependency functions defined in app/core/auth.py:
- require_super_admin
- require_cliente_admin
Both dependencies call AuthHandler.authenticate_user_session first, which:
- Decodes the Bearer token using JWT_SESSION_SECRET and JWT_ALGORITHM (HS256).
- Extracts the sub claim (the user’s integer ID) and fetches the Usuario record from the database.
- Confirms the user exists and usuario.activo == true.
- Returns the Usuario object to the role-check dependency.
If any of these checks fails, a 401 or 403 is raised before the endpoint handler is ever reached.
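The following is an added example, not code from pagos_hotspot_api, that models the two points above: the session-token / Router API Key separation (different secrets, jwt_ prefix, different code paths) and the four-step authenticate_user_session check followed by the role gate. It uses only the standard library (HMAC-SHA256 hand-rolled so it runs offline), an in-memory dictionary standing in for the Usuario table, and constructed secrets; the function names mirror the page, but the signatures, the 401/403 tuples it returns instead of FastAPI exceptions, and the choice to admit only cliente_admin in require_cliente_admin are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed secrets for this example; the real values come from the environment.
JWT_SESSION_SECRET = "example-session-secret"
JWT_APIKEY_SECRET = "example-apikey-secret"
JWT_SESSION_EXPIRE_HOURS = 24

# Constructed stand-in for the Usuario table: id -> record.
USERS = {
    1: {"id": 1, "email": "root@example.test", "nombre": "Root", "rol": "super_admin", "empresa_id": None, "activo": True},
    2: {"id": 2, "email": "ops@hotel.test", "nombre": "Ops", "rol": "cliente_admin", "empresa_id": 7, "activo": True},
    3: {"id": 3, "email": "old@hotel.test", "nombre": "Old", "rol": "cliente_admin", "empresa_id": 7, "activo": False},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature checks out under `secret` and exp is in the future."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        return None
    return claims


def issue_session_token(usuario: dict, now: float) -> str:
    """Mint the claim set the page lists for access_token (24 h lifetime)."""
    claims = {
        "sub": usuario["id"], "email": usuario["email"], "nombre": usuario["nombre"],
        "rol": usuario["rol"], "empresa_id": usuario["empresa_id"],
        "iat": int(now), "exp": int(now) + JWT_SESSION_EXPIRE_HOURS * 3600,
        "type": "access_token",
    }
    return sign_hs256(claims, JWT_SESSION_SECRET)


def authenticate_user_session(authorization: Optional[str], now: Optional[float] = None) -> Tuple[int, object]:
    """The four steps from the page: decode, extract sub, load Usuario, require activo.
    Returns (200, usuario) or (401, reason)."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, "missing bearer credential"
    token = authorization[len("Bearer "):]
    if token.startswith("jwt_"):
        # A Router API Key: different secret and code path, never accepted as a session.
        return 401, "router api key presented as a session token"
    claims = verify_hs256(token, JWT_SESSION_SECRET, now)
    if claims is None or claims.get("type") != "access_token":
        return 401, "invalid or expired session token"
    usuario = USERS.get(claims.get("sub"))
    if usuario is None or not usuario["activo"]:
        return 401, "unknown or deactivated user"
    return 200, usuario


def _require_role(authorization, allowed, now=None):
    status, result = authenticate_user_session(authorization, now)
    if status != 200:
        return status, result
    if result["rol"] not in allowed:
        return 403, "insufficient role"
    return 200, result


def require_super_admin(authorization: Optional[str], now: Optional[float] = None):
    return _require_role(authorization, {"super_admin"}, now)


def require_cliente_admin(authorization: Optional[str], now: Optional[float] = None):
    # Assumption: only cliente_admin passes; the page does not say whether super_admin is also admitted.
    return _require_role(authorization, {"cliente_admin"}, now)
```

Passing `now` explicitly makes the expiry branch deterministic: the same token that authenticates at issuance returns 401 once 24 hours have elapsed, which is the point at which the client has to log in again, since there is no refresh endpoint. A token carrying the jwt_ prefix, or one signed with JWT_APIKEY_SECRET but stripped of the prefix, is rejected at the signature check, which is the separation the page describes.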
Session Token Summary
| Property | Value |
|---|---|
| Endpoint | POST /api/v1/auth/login |
| Algorithm | HS256 |
| Secret | JWT_SESSION_SECRET (env var) |
| Default expiry | 24 hours (JWT_SESSION_EXPIRE_HOURS) |
| Refreshable | No — re-login required |
| Usage header | Authorization: Bearer <token> |
| Roles supported | super_admin, cliente_admin |
Auth Endpoint Reference
| Method | Path | Auth required | Description |
|---|---|---|---|
| POST | /api/v1/auth/login | None | Exchange credentials for a session token |
| POST | /api/v1/auth/logout | Session token | Confirm logout (client must discard token) |
| POST | /api/v1/auth/change-password | Session token | Update the authenticated user’s password |