Session Validation

GET /api/health
# Example request: the JWT travels in the Authorization header (see Token Format below);
# a GET request carries no body.
curl --request GET \
  --url https://api.example.com/api/health \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <token>'

Overview

While there’s no dedicated session validation endpoint, you can validate your session by making authenticated requests to any protected endpoint. The authentication middleware validates the JWT token on every request.
All authenticated endpoints automatically validate the JWT token through the authMiddleware.

Authentication Middleware

The authentication middleware (authMiddleware) is applied to all protected routes and performs the following validations:
  1. Checks for Authorization header
  2. Verifies the header format: Bearer <token>
  3. Validates JWT signature and expiration
  4. Decodes user information from token
  5. Attaches user object to request

Token Format

Request Header

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Token Payload

The JWT token contains the following user information:
{
  "id": 1,
  "nombre": "Juan",
  "apellido": "Pérez",
  "gafete": "admin",
  "tipo": "admin",
  "area": "Ensamble",
  "iat": 1699999999,
  "exp": 1700043199
}
  • id (number): User's unique identifier
  • nombre (string): User's first name
  • apellido (string): User's last name
  • gafete (string): User's badge number
  • tipo (string): User role: admin, calidad, supervisor, or operador
  • area (string): Assigned production area
  • iat (number): Issued at timestamp (Unix epoch)
  • exp (number): Expiration timestamp (Unix epoch, 12 hours after iat)

Testing Token Validity

You can test if your token is still valid by making a request to any authenticated endpoint, such as the user list:
curl -X GET http://localhost:3001/api/users \
  -H "Authorization: Bearer YOUR_TOKEN_HERE"

Error Responses

401 Unauthorized - Missing Token

{
  "error": "Token requerido"
}

401 Unauthorized - Invalid or Expired Token

{
  "error": "Token inválido o expirado"
}

Role-Based Access Control

Some endpoints require specific roles. The requireRole middleware checks if the authenticated user has the necessary permissions.

Role Hierarchy

  • admin: Full system access, can manage users, roles, and all data
  • calidad: Quality control access, can manage catalogs and view all reports
  • supervisor: Can register scrap, edit today's records, view area reports
  • operador: Basic access, can register scrap and view own records

403 Forbidden - Insufficient Permissions

Returned when the authenticated user’s role doesn’t match the required roles:
{
  "error": "Sin permisos suficientes"
}
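A requireRole factory in the style the text describes, as an added example rather than the project's own middleware. It assumes authMiddleware has already placed the decoded user on `req.user` (so `req.user.tipo` holds the role), validates the role names at startup against the four roles listed above, and answers with the 403 body shown. The route-to-role mapping in `guards` is an assumed reading of the hierarchy, constructed for the demo.

```javascript
// Added example (not the project's code): role guard that runs after authMiddleware.
const ROLES = ['admin', 'calidad', 'supervisor', 'operador']; // the roles documented on this page

function requireRole(...allowed) {
  // Fail at startup on a misspelled role rather than silently denying everyone at runtime.
  for (const r of allowed) {
    if (!ROLES.includes(r)) throw new Error(`unknown role in requireRole: ${r}`);
  }
  return function roleGuard(req, res, next) {
    // Fail closed if the guard was mounted before authMiddleware: no user means no access.
    if (!req.user) return res.status(401).json({ error: 'Token requerido' });
    if (!allowed.includes(req.user.tipo)) {
      return res.status(403).json({ error: 'Sin permisos suficientes' });
    }
    return next();
  };
}

// Assumed mapping from actions to roles, derived from the hierarchy above (demo only).
const guards = {
  manageUsers: requireRole('admin'),
  manageCatalogs: requireRole('admin', 'calidad'),
  editTodayRecords: requireRole('admin', 'supervisor'),
  registerScrap: requireRole('admin', 'supervisor', 'operador'),
};

// Exercise a guard with a fake req/res so it runs without Express.
function check(guard, user) {
  const out = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { out.status = code; return this; },
    json(body) { out.body = body; return this; },
  };
  guard({ user }, res, () => { out.nextCalled = true; });
  return out;
}

module.exports = { ROLES, requireRole, guards, check };
```

Mounting order matters: `app.get('/api/users', authMiddleware, requireRole('admin'), handler)` puts the 401 check before the 403 check, and the guard above still refuses if someone wires it the other way round.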

Session Management

Sessions are stored in the sesiones table with the following information:
  • usuario_id: User ID
  • token: JWT token
  • ip: Client IP address
  • expires_at: Expiration timestamp (12 hours from login)
Security Best Practices:
  • Store tokens securely (sessionStorage/localStorage in browser)
  • Never expose tokens in URLs or logs
  • Implement automatic logout on token expiration
  • Clear tokens on manual logout

Implementation Example

Frontend Token Storage

// Shape of the user object returned by the login endpoint
// (fields match the token payload documented above)
interface Usuario {
  id: number;
  nombre: string;
  apellido: string;
  gafete: string;
  tipo: 'admin' | 'calidad' | 'supervisor' | 'operador';
  area: string;
}

// Store token after login
const storeSession = (token: string, user: Usuario) => {
  const session = { token, user, loginTime: new Date().toISOString() };
  sessionStorage.setItem('aptiv_session', JSON.stringify(session));
};

// Retrieve token for API calls; returns null when nothing is stored
// or the stored value is not valid JSON
const getToken = (): string | null => {
  try {
    const session = sessionStorage.getItem('aptiv_session');
    if (session) {
      const parsed = JSON.parse(session);
      return parsed.token || null;
    }
  } catch { /* malformed session data: treat as logged out */ }
  return null;
};

// Add to API request headers. The Authorization header is only set when a
// token exists, so a logged-out client gets 401 "Token requerido" from the
// server instead of sending the literal string "Bearer null".
const token = getToken();
const headers: Record<string, string> = {
  'Content-Type': 'application/json',
  ...(token ? { Authorization: `Bearer ${token}` } : {})
};
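Client-side companion to the storage code above, added here as an example (not the project's frontend code): it reads the `exp` claim from a stored token to implement the "automatic logout on token expiration" practice. The browser holds no secret, so it cannot verify the signature; these helpers only decide when to clear the session, and the server's authMiddleware remains the authority on validity. `makeDemoToken` builds an unsigned token with a constructed signature segment purely so the block can be run offline; the payload values are the ones from the Token Payload section.

```javascript
// Added example (not the project's code): expiry-driven logout for the browser session.
const SESSION_KEY = 'aptiv_session'; // same key as the storage example above

// Decode the JWT payload (second segment, base64url) WITHOUT verifying it.
function decodePayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
    // atob yields a binary string; re-decode it as UTF-8 so names like "Pérez" survive
    const json = decodeURIComponent(
      Array.from(atob(padded), (c) => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('')
    );
    return JSON.parse(json);
  } catch {
    return null;
  }
}

// Seconds until exp; 0 means expired, missing exp, or unreadable token (all treated alike).
function secondsUntilExpiry(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodePayload(token);
  if (!payload || typeof payload.exp !== 'number') return 0;
  return Math.max(0, payload.exp - nowSeconds);
}

// Arrange onLogout to fire when the token expires. nowSeconds and setTimer are
// injectable so the function can be exercised outside a browser.
function scheduleAutoLogout(token, onLogout, { nowSeconds, setTimer = setTimeout } = {}) {
  const remaining = secondsUntilExpiry(token, nowSeconds);
  if (remaining <= 0) { onLogout('expired'); return null; } // already expired: log out now
  return setTimer(() => onLogout('expired'), remaining * 1000);
}

// Manual or automatic logout: drop the stored session (storage is injectable).
function logout(storage) {
  storage.removeItem(SESSION_KEY);
}

// Demo-only helper: build an unsigned token (constructed signature segment) for offline runs.
function makeDemoToken(payload) {
  const enc = (obj) => {
    const bytes = new TextEncoder().encode(JSON.stringify(obj));
    return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

module.exports = { SESSION_KEY, decodePayload, secondsUntilExpiry, scheduleAutoLogout, logout, makeDemoToken };
```

Call `scheduleAutoLogout(getToken(), () => { logout(sessionStorage); location.assign('/login'); })` once after login and again on page load; on a server 401 the client should also call `logout`, since clock skew or a revoked session can end a session before `exp`.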
