Authentication Flow

Flow

Client                          Rotifex Server
  |                                   |
  |-- POST /auth/register ----------> |  Hash password, create user
  |<- { user } ---------------------- |
  |                                   |
  |-- POST /auth/login -------------> |  Verify password
  |<- { accessToken, refreshToken }-- |
  |                                   |
  |-- GET /api/products               |
  |   Authorization: Bearer <token> > |  Verify JWT, inject x-user-id/x-user-role
  |<- { data: [...] } --------------- |
  |                                   |
  |-- POST /auth/refresh -----------> |  Verify refresh token, issue new pair
  |<- { accessToken, refreshToken }-- |

Token Details

Token	Algorithm	TTL	Secret Env Var
Access Token	HS256	1 hour	`JWT_SECRET`
Refresh Token	HS256	30 days	`JWT_REFRESH_SECRET`

Secrets are auto-generated and saved to .env on first startup if not explicitly set.

Required Headers

Header	Value	Set By
`Authorization`	`Bearer <accessToken>`	Client
`x-user-id`	User UUID	JWT middleware (auto-injected)
`x-user-role`	`user` or `admin`	JWT middleware (auto-injected)

Permission Levels

Role	Access
`user`	Public endpoints, own files, own data records
`admin`	All endpoints including `/admin/api/*`

The JWT middleware skips all /auth/* routes. For /auth/me, the token is manually verified inside the handler.

Flow​

Token Details​

Required Headers​

Permission Levels​

Flow

Token Details

Required Headers

Permission Levels