SmartLogix uses token-based authentication. After registering and logging in, you receive a JSON Web Token (JWT) signed with HMAC-SHA. Include that token in the Authorization header of every request to a protected endpoint. The gateway validates the token before forwarding traffic to any downstream service.

Auth flow

1. Register a new account

Send your email and password to create an account. Registration is a one-time step.

Endpoint: POST /api/auth/register
email (string, required): The email address that will identify this account. Must be unique across all users.
password (string, required): The account password. Stored as a bcrypt hash; never returned by the API.
curl --request POST \
  --url http://localhost:8080/api/auth/register \
  --header 'Content-Type: application/json' \
  --data '{
    "email": "warehouse@example.com",
    "password": "s3cur3P@ssword"
  }'
A successful response returns HTTP 200 with the plain-text body:
Usuario registrado exitosamente
2. Log in to obtain a token

Exchange your credentials for a JWT. The response body is the raw token string, with no JSON wrapper.

Endpoint: POST /api/auth/login
email (string, required): The email address used during registration.
password (string, required): The account password.
curl --request POST \
  --url http://localhost:8080/api/auth/login \
  --header 'Content-Type: application/json' \
  --data '{
    "email": "warehouse@example.com",
    "password": "s3cur3P@ssword"
  }'
The response is the JWT token as a plain string:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ3YXJlaG91c2VAZXhhbXBsZS5jb20iLCJyb2xlIjoiUk9MRV9VU0VSIiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwODY0MDB9.SIGNATURE
The token payload contains the user’s email as the subject (sub) and their role in the role claim. The gateway injects the email as an X-User-Email header when forwarding authenticated requests downstream.
3. Attach the token to API requests

Pass the token in the Authorization header using the Bearer scheme. Every request to /api/inventario/**, /api/pedidos/**, or /api/envios/** requires this header.
curl --request GET \
  --url http://localhost:8080/api/inventario \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9...'
The gateway strips and validates the token, then forwards the request with the X-User-Email header populated.

Token lifetime

Tokens are valid for 24 hours (86,400,000 ms) from the time of issue. After expiry, repeat step 2 to obtain a new token. There is no refresh endpoint; a full login is required.

Error responses

Status            Body               Cause
401 Unauthorized  Token requerido    The Authorization header is absent or does not start with "Bearer ".
401 Unauthorized  Token inválido     The token signature is invalid, the token is expired, or the payload is malformed.
# Example — missing token
curl --request GET \
  --url http://localhost:8080/api/inventario

# Response: 401 Unauthorized
# Body: Token requerido
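The following Python script is an added illustration, not the SmartLogix gateway's own code, of the checks described in steps 2 and 3 and in the error table above: it mints a token shaped like the one returned by POST /api/auth/login (HS256, sub/role/iat/exp claims, 24-hour lifetime) and then runs the gateway-side validation that yields "Token requerido", "Token inválido", or a forwarded request carrying X-User-Email. The signing secret, the exact order of checks, and the function names are assumptions; only the claim names, lifetime and response bodies come from the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Hypothetical signing key; the real gateway's key is not on the page.
SECRET = b"example-secret-not-the-real-key"
TOKEN_TTL_MS = 86_400_000  # 24 hours, as stated under "Token lifetime"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(email: str, role: str = "ROLE_USER", now_ms: Optional[int] = None) -> str:
    """Mint an HS256 token with the same claim layout as the login response."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    header = {"alg": "HS256"}
    payload = {
        "sub": email,
        "role": role,
        "iat": now_ms // 1000,
        "exp": (now_ms + TOKEN_TTL_MS) // 1000,
    }
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def authenticate(headers: Dict[str, str], now_ms: Optional[int] = None) -> Tuple[int, str, Dict[str, str]]:
    """Apply the gateway's checks to one request's headers.

    Returns (status, body, forwarded_headers). A 200 result carries the
    X-User-Email header that the gateway injects for downstream services.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "Token requerido", {}
    token = auth[len("Bearer "):]
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Constant-time comparison so a signature check does not leak timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return 401, "Token inválido", {}
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        # Pin the algorithm: never let the token choose how it is verified.
        if header.get("alg") != "HS256":
            return 401, "Token inválido", {}
        now_s = (int(time.time() * 1000) if now_ms is None else now_ms) // 1000
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= now_s:
            return 401, "Token inválido", {}
        email = payload["sub"]
        if not isinstance(email, str) or not email:
            return 401, "Token inválido", {}
    except (ValueError, KeyError, TypeError):
        # Wrong segment count, bad base64, non-JSON payload, or missing claims.
        return 401, "Token inválido", {}
    return 200, "", {"X-User-Email": email}


if __name__ == "__main__":
    # Constructed walk-through: issue a token and replay the three outcomes.
    t0 = 1_700_000_000_000  # fixed clock so the run is reproducible
    tok = issue_token("warehouse@example.com", now_ms=t0)
    print(authenticate({}, now_ms=t0))
    print(authenticate({"Authorization": "Bearer " + tok}, now_ms=t0))
    print(authenticate({"Authorization": "Bearer " + tok}, now_ms=t0 + TOKEN_TTL_MS))
```

The expiry check uses `exp <= now`, so a token becomes invalid exactly 24 hours after issue; the algorithm pin and the constant-time signature compare are the two details most often missing from hand-rolled verifiers, and both fall under the page's "Token inválido" case.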
Do not store tokens in localStorage in production applications. Browser storage is accessible to any JavaScript running on the page, making it vulnerable to XSS attacks. Use an HttpOnly cookie or a secure in-memory store instead.