POST /intern/login
curl -X POST https://api.demet.com/intern/login \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{
    "email": "[email protected]",
    "password": "123456"
  }'
{
  "auth": true
}

Overview

This endpoint authenticates an employee using their email and password. Upon successful authentication, it returns both an access token and a refresh token via HTTP-only cookies.

Request Body

email (string, required)
Employee’s registered email address. Must be a valid email format.
password (string, required)
Employee’s password. Must be at least 6 characters long.

Response

auth (boolean)
Authentication status. Returns true when login is successful.

Cookies Set

On successful login, the following cookies are automatically set:
access_token (string)
JWT token for accessing protected endpoints. Short-lived token.
Cookie Settings:
  • httpOnly: false
  • secure: true
  • sameSite: none
refresh_token (string)
JWT token for refreshing the access token. Long-lived token.
Cookie Settings:
  • httpOnly: false
  • secure: true
  • sameSite: none
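
An added example, not part of this API's own documentation or code: the Overview describes HTTP-only cookies while the settings above list httpOnly: false, so this sketch audits the Set-Cookie values of a login response against the documented attributes and notes what each setting exposes. The sample headers, placeholder token strings and function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Attributes this page lists under "Cookies Set" for both token cookies.
DOCUMENTED = {"httponly": False, "secure": True, "samesite": "none"}
TOKEN_COOKIES = ("access_token", "refresh_token")

# Constructed sample Set-Cookie values; the token strings are placeholders.
SAMPLE_HEADERS = [
    "access_token=PLACEHOLDER.ACCESS.JWT; Path=/; Secure; SameSite=None",
    "refresh_token=PLACEHOLDER.REFRESH.JWT; Path=/; HttpOnly; Secure; SameSite=None",
]

def parse_set_cookie(header):
    """Return (cookie name, security attributes) for one Set-Cookie value."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    return name, {
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "samesite": morsel["samesite"].lower(),
    }

def audit(headers):
    """List deviations from the documented settings plus exposure notes."""
    findings, seen = [], set()
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in TOKEN_COOKIES:
            continue
        seen.add(name)
        for key, expected in DOCUMENTED.items():
            if attrs[key] != expected:
                findings.append(f"{name}: {key}={attrs[key]!r}, documented {expected!r}")
        if not attrs["httponly"]:
            findings.append(f"{name}: readable by page JavaScript (no HttpOnly)")
        if attrs["samesite"] == "none" and not attrs["secure"]:
            findings.append(f"{name}: SameSite=None requires Secure")
        if attrs["samesite"] == "none":
            findings.append(f"{name}: sent on cross-site requests (SameSite=None)")
    for missing in sorted(set(TOKEN_COOKIES) - seen):
        findings.append(f"{missing}: cookie not set")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_HEADERS):
        print(line)
```

To audit a real response, pass the Set-Cookie header values captured with `curl -D -` in place of the constructed samples.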

Authentication Flow

  1. Submit Credentials: Send email and password to the login endpoint
  2. Verification: System verifies email exists and password matches
  3. Token Generation: Access and refresh tokens are generated
  4. Cookie Storage: Tokens are sent as secure HTTP-only cookies
  5. Subsequent Requests: Browser automatically includes cookies in future requests

Validation Rules

Security Features

  • Passwords are compared using bcrypt hashing
  • Tokens are stored in secure cookies (HTTPS only in production)
  • Access tokens expire after a short period (use refresh token to renew)
  • Refresh tokens have a longer expiration time
  • Failed login attempts return generic error messages to prevent user enumeration

Token Payload

The generated tokens contain the following claims:
{
  "id_employee": 123,
  "rol": "Administrador"
}

Next Steps

After successful login:
  1. Use the access token (automatically included in cookies) to access protected endpoints
  2. When the access token expires, use the refresh endpoint to get a new one
  3. Use the logout endpoint to end the session
