
Overview

KAIU uses JWT (JSON Web Tokens) for authenticating admin users. Public endpoints (products, orders, tracking) do not require authentication, but admin endpoints require a valid JWT token.

Login Endpoint

Authentication is only required for admin dashboard endpoints (/api/admin/*). Public-facing endpoints do not require authentication.

POST /api/admin/login

Authenticates a user and returns a JWT token.

Request Body

  username (string, required): User's email address (used as username)
  password (string, required): User's password (verified against the bcrypt hash stored on the server)

Response

  success (boolean): Indicates if login was successful
  token (string): JWT token valid for 24 hours
  user (object): User information
  user.username (string): User's email
  user.role (string): User role: ADMIN, WAREHOUSE, SUPPORT, or CUSTOMER
  user.name (string): User's full name

Example Request

curl -X POST http://localhost:3001/api/admin/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "[email protected]",
    "password": "your_password"
  }'

Example Response

{
  "success": true,
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "username": "[email protected]",
    "role": "ADMIN",
    "name": "Admin User"
  }
}

Using JWT Tokens

Once authenticated, include the JWT token in the Authorization header for subsequent requests to admin endpoints:

curl http://localhost:3001/api/admin/orders \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"

JWT Token Structure

The JWT token contains the following claims:

{
  "userId": "user-uuid",
  "role": "ADMIN",
  "email": "[email protected]",
  "exp": 1234567890
}

Token Expiration

Tokens expire after 24 hours. After expiration, users must log in again to obtain a new token.

Security Configuration

The JWT secret is configured via the JWT_SECRET environment variable. The API uses bcrypt for password hashing with automatic salt generation.
In production, ensure JWT_SECRET is set to a strong, random value and never exposed in client-side code.

Role-Based Access Control

The API supports the following user roles:

Role       Access Level
ADMIN      Full access to all admin endpoints
WAREHOUSE  Access to inventory and fulfillment endpoints
SUPPORT    Access to order viewing and customer support endpoints
CUSTOMER   No admin access (public endpoints only)

Error Responses

400 Bad Request

{
  "error": "Faltan credenciales"
}

401 Unauthorized

{
  "error": "Credenciales inválidas"
}

500 Internal Server Error

{
  "error": "Error en servidor"
}

Security Features

  • Password hashing: bcrypt with automatic salt generation
  • Timing attack protection: 1-second delay on failed login attempts
  • Case-insensitive email: Emails are normalized to lowercase
  • Token expiration: 24-hour token lifetime
