
Authentication

upLegal uses Supabase authentication for user management. Authentication is required for most endpoints and is handled through session tokens.

Authentication Methods

Email/Password Login

Standard email and password authentication.

const { data, error } = await supabase.auth.signInWithPassword({
  email: 'user@example.com',
  password: 'password123'
});

Magic Link

Passwordless authentication via email magic link.

const { data, error } = await supabase.auth.signInWithOtp({
  email: 'user@example.com',
  options: {
    emailRedirectTo: 'https://legalup.cl/dashboard'
  }
});

Session Management

Get Current Session

Retrieve the current user session.

const { data: { session }, error } = await supabase.auth.getSession();

Response

  • session (object): Current session object
      • user (object): Authenticated user information
          • id (string): User ID (UUID)
          • email (string): User email address
          • user_metadata (object): User metadata including role, name, etc.
      • access_token (string): JWT access token for API requests
      • refresh_token (string): Token for refreshing the session
      • expires_at (number): Session expiration timestamp

Refresh Session

Refresh an expired session using the refresh token.

const { data, error } = await supabase.auth.refreshSession();

Sign Out

End the current user session.

const { error } = await supabase.auth.signOut();

User Roles

upLegal supports two user roles:
  • client: Standard users seeking legal services
  • lawyer: Legal professionals offering services
Roles are stored in user_metadata.role and synchronized to the profiles table.

Protected Routes

Most API endpoints require authentication. Include the session token in your requests:

const { data: { session } } = await supabase.auth.getSession();
if (!session) {
  // No active session: send the user to sign-in rather than a request with "Bearer undefined"
  throw new Error('Not signed in');
}

fetch('https://api.legalup.cl/api/endpoint', {
  headers: {
    'Authorization': `Bearer ${session.access_token}`,
    'Content-Type': 'application/json'
  }
});
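The following is an added example, not upLegal's or Supabase's own code, that ties together the session fields listed under Get Current Session, the role stored in user_metadata (User Roles) and the bearer header used for Protected Routes: it decides when to call refreshSession() ahead of expires_at, builds the Authorization header without ever sending a missing token, and reads the role for UI purposes. It assumes Node.js (Buffer for base64 decoding), that expires_at is a Unix timestamp in seconds as in the Supabase session object, and uses a constructed unsigned token so it runs offline; decodeJwtPayload, sessionNeedsRefresh, authHeaders, uiRole and makeSampleToken are the example's own names.

```javascript
// Added example (not upLegal's or Supabase's code). Assumes Node.js and the session
// shape documented above: access_token, refresh_token, expires_at (Unix seconds),
// user.user_metadata.role.

const REFRESH_SKEW_SECONDS = 60; // refresh a little before expiry to avoid racing the server

// Decode a JWT payload WITHOUT verifying it. Fine for reading claims such as exp on the
// client; the API server must still verify the signature before trusting anything in it.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  // Node's base64 decoder accepts the URL-safe alphabet and missing padding.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// True when there is no usable session or it expires within the skew window.
// Prefers the documented expires_at field and falls back to the token's exp claim.
function sessionNeedsRefresh(session, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!session || !session.access_token) return true;
  const exp = typeof session.expires_at === 'number'
    ? session.expires_at
    : decodeJwtPayload(session.access_token).exp;
  return exp - nowSeconds <= REFRESH_SKEW_SECONDS;
}

// Headers for a protected endpoint. Throws instead of sending "Bearer undefined".
function authHeaders(session) {
  if (!session || !session.access_token) throw new Error('not signed in');
  return {
    Authorization: `Bearer ${session.access_token}`,
    'Content-Type': 'application/json',
  };
}

// Role for UI decisions only (which screens to show). Anything outside the two
// documented roles is treated as unknown rather than passed through.
function uiRole(session) {
  const role = session?.user?.user_metadata?.role;
  return role === 'client' || role === 'lawyer' ? role : null;
}

// Constructed sample: an unsigned token (alg "none", empty signature) so the decoder can be
// exercised offline. A real Supabase access token is signed and must never look like this.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}
```

The role read from user_metadata is only good for showing or hiding UI: a Supabase user can update their own user_metadata, so server-side authorization has to come from the profiles table and the Row Level Security policies mentioned under Security Notes, not from this claim.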

Error Responses

  • error (object): Error details
      • message (string): Human-readable error message in Spanish
      • status (number): HTTP status code

Common Authentication Errors

Status Code   Error Message               Description
401           Invalid login credentials   Wrong email or password
401           Email not confirmed         User hasn’t verified their email
403           Unauthorized                Missing or invalid access token
429           Too many requests           Rate limit exceeded
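As an added example, not upLegal's or Supabase's own code, here is a small client wrapper that reacts to the two API-call errors in the table above: on 403 (missing or invalid access token) it refreshes the session once and resends, and on 429 it waits for the server's Retry-After before retrying. Treating 403 as "refresh once, then ask the user to sign in", the retry limit and the 5-second default wait are assumptions about a sensible client policy, not documented server behaviour; fetchImpl, getSession, refreshSession and sleep are injected so the wrapper can be run against a constructed fake server. planAfterResponse and fetchWithAuth are the example's own names.

```javascript
// Added example (not upLegal's or Supabase's code). Retry policy for the documented
// 403 and 429 responses; limits and the 403 interpretation are assumptions.

const MAX_ATTEMPTS = 2; // the original request plus one retry

// Pure decision function: given a response status and the attempt number, say what to do.
// Kept separate from the I/O so the policy can be reviewed and tested on its own.
function planAfterResponse(status, attempt, retryAfterHeader) {
  if (status >= 200 && status < 300) return { action: 'done' };
  if (status === 403) {
    // Missing or invalid access token: refresh once, then give up and require sign-in.
    return attempt < MAX_ATTEMPTS ? { action: 'refresh-and-retry' } : { action: 'sign-in' };
  }
  if (status === 429) {
    // Rate limited: honour Retry-After (seconds) if present, otherwise wait 5 s (assumed default).
    const parsed = Number.parseInt(retryAfterHeader ?? '', 10);
    const seconds = Number.isFinite(parsed) && parsed > 0 ? parsed : 5;
    return attempt < MAX_ATTEMPTS ? { action: 'wait-and-retry', seconds } : { action: 'fail' };
  }
  return { action: 'fail' }; // 401, 5xx, etc. on an API call: surface to the caller
}

// Async wrapper around fetch that applies the plan above. deps: { getSession, refreshSession,
// fetchImpl, sleep } so it can run against the real supabase client or a constructed fake.
async function fetchWithAuth(url, init, deps) {
  const {
    getSession, refreshSession, fetchImpl,
    sleep = (s) => new Promise((resolve) => setTimeout(resolve, s * 1000)),
  } = deps;
  let session = await getSession();
  for (let attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
    if (!session?.access_token) throw new Error('not signed in');
    const res = await fetchImpl(url, {
      ...init,
      headers: { ...(init?.headers ?? {}), Authorization: `Bearer ${session.access_token}` },
    });
    const plan = planAfterResponse(res.status, attempt, res.headers?.get?.('Retry-After'));
    switch (plan.action) {
      case 'done':
        return res;
      case 'refresh-and-retry':
        session = await refreshSession(); // new access_token for the next attempt
        break;
      case 'wait-and-retry':
        await sleep(plan.seconds);
        break;
      case 'sign-in':
        throw new Error('session could not be refreshed; sign in again');
      default:
        throw new Error(`request failed with status ${res.status}`);
    }
  }
  throw new Error('retry budget exhausted');
}
```

Refreshing only once and then failing closed matters: a loop that keeps calling refreshSession() on every 403 turns an expired or revoked session into a stream of requests against the auth endpoint, which is exactly what the 429 limit exists to stop.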

Security Notes

  • Sessions expire after 1 hour of inactivity
  • Refresh tokens are valid for 30 days
  • All authentication endpoints use HTTPS only
  • Row Level Security (RLS) policies enforce data access control
