Skip to main content

Authentication API

The Authentication API provides secure user authentication, email verification, password management, and token handling for your applications.
All endpoints use the base URL: https://jethings-backend.fly.dev (production) or http://localhost:3000 (development)

🔐 Authentication Flow

1

Sign Up

Create account with email verification
2

Verify Email

Enter OTP sent to email
3

Sign In

Get access and refresh tokens
4

Make Requests

Use access token in Authorization header
5

Refresh Token

Get new tokens when access token expires

📝 User Registration

Sign Up

Create a new user account with email verification.
Request Body: Success Response (200):
Error Responses:
  • 409 Conflict: Email already exists
  • 409 Conflict: Phone number already exists
  • 400 Bad Request: Validation errors

Verify Email

Verify user email with the OTP sent during signup.
Request Body: Success Response (200):
Error Responses:
  • 400 Bad Request: Invalid or expired OTP
  • 400 Bad Request: Too many attempts (max 3)
  • OTP expires after 10 minutes
  • Maximum 3 attempts per OTP
  • OTP is automatically deleted after successful verification

🔑 User Authentication

Sign In

Authenticate user and receive access/refresh tokens.
Request Body: Success Response (200):
Error Responses:
  • 401 Unauthorized: Invalid credentials
  • 401 Unauthorized: Email not verified
  • Access token expires in 15 minutes
  • Refresh token expires in 7 days
  • Store refresh token securely (httpOnly cookie recommended)

Get Current User

Retrieve current authenticated user’s profile.
Success Response (200):
Error Responses:
  • 401 Unauthorized: Invalid or expired token
  • 401 Unauthorized: User not found
  • 401 Unauthorized: Account deactivated

🔄 Refresh Token Flow

Overview

Jethings Backend implements a secure refresh token authentication system that provides persistent, secure user sessions without compromising security. Token Types:
  • Access Token: Short-lived JWT (15 minutes) used to authenticate API requests
  • Refresh Token: Long-lived token (7 days) used to obtain new access tokens
Key Features:
  • Automatic token refresh via backend middleware
  • Manual token refresh option
  • Token rotation on each refresh
  • Secure token revocation

Authentication Flow Diagram

Storing Tokens

Store tokens securely on the client. Common approaches: Web Applications:
  • localStorage - Persists across browser sessions
  • sessionStorage - Persists only for current session
  • httpOnly cookies (recommended for refresh tokens)
  • React Context/State Management
Mobile Applications:
  • Secure storage (Keychain on iOS, Keystore on Android)
  • Encrypted shared preferences
Example: Storing tokens after login
The backend middleware automatically refreshes expired access tokens when both tokens are included in the request headers. This is the simplest and recommended approach. How it works:
  1. Include both Authorization: Bearer <accessToken> and x-refresh-token: <refreshToken> headers
  2. If the access token is expired, the backend automatically refreshes it
  3. New tokens are returned in response headers
  4. Update your stored tokens with the new values
Implementation Example:
Response Headers (Automatic Refresh): When automatic token refresh occurs, the backend responds with:

Option 2: Manual Token Refresh

Implement your own refresh logic before making requests. This gives you more control over when tokens are refreshed. Implementation Example:

React Hook Example

For React applications, here’s a custom hook for managing authentication:

Axios Interceptor Example

For applications using Axios, you can use interceptors to handle token refresh automatically:

Sign Out / Token Revocation

Always revoke refresh tokens when the user signs out:

Security Best Practices

Important Security Considerations:
  • Never expose refresh tokens in URLs, client-side logs, or error messages
  • Use HTTPS in production to protect tokens in transit
  • Consider httpOnly cookies for refresh tokens in web applications
  • Implement token rotation - always use new refresh tokens when received
  • Handle token expiration gracefully - redirect to login when refresh fails
  • Store tokens securely - use secure storage mechanisms appropriate for your platform
  • Revoke tokens on logout - always call the revoke endpoint when users sign out
  • Clear tokens on errors - remove stored tokens if refresh fails

🔄 Token Management

Refresh Token

Get new access and refresh tokens when the current access token expires.
Request Body: Success Response (200):
Error Responses:
  • 401 Unauthorized: Invalid or expired refresh token

Revoke Token

Revoke a specific refresh token (logout from one device).
Success Response (200):

Revoke All Tokens

Revoke all refresh tokens for the current user (logout from all devices).
Success Response (200):

Logout

Alias for revoke-all-tokens (logout from all devices).
Success Response (200):

🔒 Password Management

Request Password Reset

Request a password reset OTP to be sent to user’s email.
Request Body: Success Response (200):
Always returns this message to prevent email enumeration attacks.

Verify Password Reset

Reset password using the OTP sent to user’s email.
Request Body: Success Response (200):
Error Responses:
  • 400 Bad Request: Invalid or expired OTP
  • 400 Bad Request: Too many attempts (max 3)

🛠️ Development Endpoints

Create Super Admin (Development Only)

Create a super admin account for development purposes.
This endpoint is only available when NODE_ENV=development
Request Body: Success Response (200):
Error Responses:
  • 403 Forbidden: Endpoint only available in development
  • 409 Conflict: Email already exists
  • 409 Conflict: Phone number already exists

🔧 Error Handling

Common Error Codes

Error Response Format

Handling Errors in Your Code


🚀 Next Steps

Now that you understand the Authentication API, explore the Users API for user management features, or check out our Flutter Integration Guide for mobile development.

Users API

User management, search, and admin operations

Flutter Integration

Complete Flutter implementation guide