Authentication

All Admin API endpoints require JWT authentication using the Bearer token scheme.

How Authentication Works

  1. Login: Obtain a JWT token via /api/admin/login
  2. Authorization Header: Include the token in all subsequent requests:
     Authorization: Bearer <your_jwt_token>
  3. Token Validation: The server validates the JWT signature using the JWT_SECRET environment variable
  4. Token Expiry: Tokens expire after 24 hours

Login Endpoint

POST /api/admin/login

Authenticate an admin user and obtain a JWT token

Request Body

  username (string, required)
    Admin email address (used as username)
  password (string, required)
    Admin account password (bcrypt hashed in database)

Response

  success (boolean)
    Indicates authentication success
  token (string)
    JWT token valid for 24 hours
  user (object)

Example Request

const response = await fetch('https://api.kaiucol.com/api/admin/login', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    username: '[email protected]',
    password: 'your-secure-password'
  })
});

const { token, user } = await response.json();

Example Response

{
  "success": true,
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "username": "[email protected]",
    "role": "ADMIN",
    "name": "Admin User"
  }
}

Implementation Details

From login.js:33-47:
const user = await prisma.user.findUnique({
  where: { email: username.toLowerCase().trim() }
});

if (!user) {
  await new Promise(resolve => setTimeout(resolve, 1000)); // Anti-timing attack
  return res.status(401).json({ error: 'Credenciales inválidas' });
}

const validPassword = await bcrypt.compare(password, user.password);
if (!validPassword) {
  await new Promise(resolve => setTimeout(resolve, 1000));
  return res.status(401).json({ error: 'Credenciales inválidas' });
}
Security Features:
  • Passwords are hashed using bcrypt
  • 1-second delay on failed attempts (anti-timing attack)
  • Generic error messages (don’t reveal if user exists)
  • JWT tokens signed with JWT_SECRET environment variable

Role-Based Access Control

The Admin API supports three user roles:

ADMIN

Full system access

WAREHOUSE

Inventory and fulfillment

SUPPORT

Customer service operations

Role validation is handled only by the frontend ProtectedRoute component; the API itself does not check the role, so any authenticated user with a valid JWT token can access all Admin API endpoints.

Error Responses

All endpoints return consistent error formats:
{
  "error": "Unauthorized"
}

API Endpoints

Orders

Manage customer orders, confirmations, and shipping

Inventory

Product catalog and stock management

Knowledge Base

RAG content for AI assistant

Dashboard Stats

Business metrics and analytics