Overview
The SIGEAC API uses Bearer token authentication. All authenticated requests must include an Authorization header with a valid Bearer token.
Authentication Flow
Login Request
To authenticate, send a POST request to the /login endpoint with user credentials.
import axiosInstance from '@/lib/axios';

const login = async (credentials: { login: string; password: string }) => {
  const response = await axiosInstance.post('/login', credentials, {
    headers: { 'Content-Type': 'application/json' },
  });
  // SIGEAC returns the Bearer token in the Authorization response header, not in the body
  const token = response.headers['authorization'];
  return { user: response.data, token };
};
Request Body
login (string): Username or email for authentication
password (string): The user's password
Response
The authentication token is returned in the Authorization header as a Bearer token.
User object with profile information
Whether the user account is active
Array of roles assigned to the user
Array of permissions granted to the user
Companies associated with the user
Employee profile information
Using the Token
Once you receive the authentication token, include it in all subsequent API requests:
import axios from 'axios';
import Cookies from 'js-cookie';

const axiosInstance = axios.create({
  baseURL: process.env.NEXT_PUBLIC_API_BASE_URL,
  withCredentials: true,
  headers: {
    "skip_zrok_interstitial": true,
  },
});

// Request interceptor to add token
axiosInstance.interceptors.request.use((config) => {
  const token = Cookies.get('auth_token');
  if (token) {
    // Accept a stored value with or without the "Bearer " prefix
    const authHeader = token.startsWith('Bearer ') ? token : `Bearer ${token}`;
    config.headers.Authorization = authHeader;
  }
  return config;
});
Token Storage
Tokens are typically stored in cookies for web applications:
import Cookies from 'js-cookie';

// Store token. A cookie written from browser JavaScript cannot be httpOnly,
// so at least restrict it to HTTPS and same-site requests.
Cookies.set('auth_token', token, { secure: true, sameSite: 'strict' });
// Retrieve token
const storedToken = Cookies.get('auth_token');
// Remove token (logout)
Cookies.remove('auth_token');
Error Handling
401 Unauthorized
If your token is invalid or expired, the API will return a 401 status code. The client should automatically redirect to the login page:
axiosInstance.interceptors.response.use(
  (response) => response,
  (error) => {
    if (error.response && error.response.status === 401) {
      console.warn("⚠️ Sesión inválida: Redirigiendo al login...");
      // Remove invalid tokens
      Cookies.remove('auth_token');
      Cookies.remove('jwt');
      // Redirect to login (guarded so this is a no-op during server-side rendering)
      if (typeof window !== 'undefined') {
        window.location.href = '/login?session=expired';
      }
    }
    return Promise.reject(error);
  }
);
Common Error Responses
Error message describing what went wrong
Optional error code or type
Get Current User
Retrieve the authenticated user’s profile:
const fetchUser = async (): Promise<User> => {
  const { data } = await axiosInstance.get<User>('/user');
  return data;
};
Response
Returns a complete User object with all associated roles, permissions, and company information.
Logout
To log out, clear the authentication token and session:
const logout = async () => {
  await deleteSession(); // project helper, not shown on this page
  Cookies.remove('auth_token');
  Cookies.remove('jwt');
  window.location.href = '/login';
};
Security Best Practices
Token Management
Always use HTTPS in production
Store tokens securely (httpOnly cookies recommended; note that a cookie written from browser JavaScript, as with js-cookie, cannot be httpOnly, so an httpOnly cookie has to be set by the server)
Never expose tokens in URLs or logs
Implement token refresh mechanism
Clear tokens on logout
Request Headers
All authenticated requests should include:
Authorization: Bearer <token>
skip_zrok_interstitial: true
Content-Type: application/json (for POST/PUT requests)
Rate Limiting
The API may implement rate limiting on authentication endpoints to prevent brute force attacks. If you receive a 429 status code, wait before retrying.