Documentation Index
Fetch the complete documentation index at: https://mintlify.com/tech-dipesh/yeti-Jobs/llms.txt
Use this file to discover all available pages before exploring further.

The Yeti Jobs API uses JWT authentication via HTTP-only cookies. The full flow is four steps: create an account, verify your email address with a 6-digit code, log in to receive the token cookie, then attach that cookie to every subsequent request. Password reset follows a parallel verify-by-code pattern and is rate-limited to protect against abuse.
Authentication Flow

Sign Up

Create a new account by sending your name, education level, email, and password. The account role is assigned automatically by the server — all new accounts default to guest (job seeker). An admin must later change the role to recruiter if required.

Request

| Field | Type | Required | Notes |
|---|---|---|---|
| fname | string | Yes | First name, minimum 2 characters |
| lname | string | Yes | Last name, minimum 2 characters |
| education | string | Yes | One of: Basic, Matrix, High School, Undergraduation, Postgraduation |
| email | string | Yes | Must be a valid email with a resolvable mail domain |
| password | string | Yes | Must satisfy the server-side password regex |

Response: 201 Created

The server immediately dispatches a 6-digit verification code to the email address you provided and sets a temporary token cookie marking the session as unverified. You cannot perform authenticated actions until the email is confirmed.

Verify Your Email

After signup the server sends a 6-digit numeric code to your email. Submit that code to activate your account. This endpoint requires you to be logged in as an unverified user — the isUnverifiedUser middleware enforces this.

Response: 200 OK

Didn’t receive the code? You can request that it be resent.

Log In
Exchange your email and password for a JWT stored in an HTTP-only cookie. The alreadyLoggedIn middleware will reject this call with 400 if you already have a valid session cookie — log out first if you need to switch accounts.

Response: 200 OK

The server sets the token HTTP-only cookie and returns a confirmation message.

The -c cookies.txt flag tells curl to save the Set-Cookie header to a file. Pass -b cookies.txt on future requests to replay the cookie automatically, or extract the token value and pass it with --cookie 'token=VALUE'.

Make Authenticated Requests
With the cookie in hand, every subsequent request to a protected route is automatically credentialed.

Browser / frontend — the cookie is sent automatically because CORS credentials are enabled server-side (credentials: true).

curl / API clients — attach the cookie explicitly on every call (with -b cookies.txt or --cookie 'token=VALUE', as described under Log In).

Response: 200 OK (login-status check)

Log out to clear the cookie server-side.

Password Reset Flow
If a user forgets their password, a two-step verify-by-code flow resets it without requiring an existing session.

Request a Reset Code

Submit the account’s email address. If the address matches a registered user the server sends a 6-digit reset code by email.

Response: 201 Created

Verify the Code and Set a New Password

Submit the reset code, the account email, and the new password together. The endpoint validates the code’s expiry and verified_type before committing the change.

Request

| Field | Type | Required | Notes |
|---|---|---|---|
| code | number | Yes | The 6-digit code sent to your email |
| email | string | Yes | The email address of the account being reset |
| newpassword | string | Yes | The replacement password |

Response: 201 Created

After a successful reset, proceed to Step 3 — Log In with the new password to obtain a fresh session cookie.

Token Lifetime and Expiry
The JWT lifetime is controlled by the MAXAGE environment variable on the server. The token is signed with the secret held in the JSON_SECRET_KEY environment variable. When the token expires, protected routes return 401 Unauthorized and the client must log in again to receive a new cookie.
Role-Based Access at a Glance

| Role | Description | Key permissions |
|---|---|---|
| guest | Job seeker — assigned automatically on signup | Browse & search jobs, apply, bookmark, manage own profile |
| recruiter | Company employee — assigned by an admin | Create / edit / delete jobs, view applicants, change applicant status, access company dashboard (requires admin to assign company first) |
| admin | Platform administrator | All recruiter actions + assign users to companies, delete companies, access admin dashboard |

Role checks are enforced by route middleware (for example isAdmin, isJobSeeker, isOwnerMiddleware). Attempting an action outside your role returns 403 Forbidden.
Common Authentication Errors

| Response | Cause |
|---|---|
| 401 Unauthorized | No token cookie present, or the JWT has expired |
| 403 Forbidden | Cookie is valid but the user’s role is not permitted for this route |
| 400 Bad Request | Calling /login or /signup while already authenticated (blocked by alreadyLoggedIn middleware) |
| 429 Too Many Requests | More than 2 verify / reset requests within 60 seconds |