Login

POST /v1/auth/login
Authenticate a user with email and password. Returns an access token and refresh token pair.

Authentication

None — this is a public endpoint.

Request body

email (string, required): User’s email address.
password (string, required): User’s password.
tenant_slug (string): Tenant slug. Optional when the tenant can be resolved from the request origin.

Example request

curl -X POST https://mind-be.staging.miva.university/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "student@example.com",
    "password": "securepassword",
    "tenant_slug": "demo-university"
  }'

Response

{
  "success": true,
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIs...",
    "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
    "token_type": "bearer",
    "expires_in": 1800
  },
  "message": "Login successful"
}

Error responses

Status | Code | Condition
401 | AUTHENTICATION_ERROR | Invalid email or password
404 | NOT_FOUND | User not found
400 | TENANT_ERROR | Tenant could not be resolved

Register

POST /v1/auth/register
Create a new student account and return tokens. The user is immediately authenticated.

Authentication

None — this is a public endpoint.

Request body

email (string, required): Email address. Must be unique within the tenant.
password (string, required): Password. Min 8 characters, max 100.
name (string, required): Full name. Min 1 character, max 255.
tenant_slug (string): Tenant slug. Optional when resolvable from origin.

Example request

curl -X POST https://mind-be.staging.miva.university/v1/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "newstudent@example.com",
    "password": "strongpass123",
    "name": "Jane Smith",
    "tenant_slug": "demo-university"
  }'

Response

{
  "success": true,
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIs...",
    "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
    "token_type": "bearer",
    "expires_in": 1800
  },
  "message": "Registration successful"
}

Error responses

Status | Code | Condition
409 | CONFLICT | Email already registered in this tenant
422 | VALIDATION_ERROR | Invalid email format or password too short
400 | TENANT_ERROR | Tenant could not be resolved

Refresh Token

POST /v1/auth/refresh
Exchange a valid refresh token for a new access/refresh token pair.

Authentication

None — uses the refresh token from the request body.

Request body

refresh_token (string, required): A valid refresh token from a previous login or register response.

Example request

curl -X POST https://mind-be.staging.miva.university/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{
    "refresh_token": "eyJhbGciOiJIUzI1NiIs..."
  }'

Response

{
  "success": true,
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIs...",
    "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
    "token_type": "bearer",
    "expires_in": 1800
  },
  "message": "Token refreshed successfully"
}

Error responses

Status | Code | Condition
401 | AUTHENTICATION_ERROR | Refresh token is invalid or malformed
401 | TOKEN_EXPIRED | Refresh token has expired

Logout

POST /v1/auth/logout
Log out the current user. The token should be discarded client-side.

Authentication

Requires a valid access token (any role).

Example request

curl -X POST https://mind-be.staging.miva.university/v1/auth/logout \
  -H "Authorization: Bearer <access_token>"

Response

{
  "success": true,
  "data": null,
  "message": "Logout successful"
}
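
The login, refresh and logout calls above combined into one client-side session holder, as an added example that is not part of the original API documentation. The injected post(path, json_body, headers) transport, the class and exception names and the 60-second refresh margin are assumptions; the paths, field names and status codes are the ones documented on this page.

```python
import time

class SessionExpired(Exception):
    """The refresh token was rejected; the user has to log in again."""

class TokenSession:  # hypothetical name, not part of the documented API
    SKEW = 60  # assumed margin: refresh this many seconds before expires_in is up

    def __init__(self, post, clock=time.monotonic):
        self.post, self.clock = post, clock  # post(path, json_body, headers) -> (status, json)
        self.clear()

    def clear(self):
        self.access, self.refresh, self.deadline = None, None, 0.0

    def _store(self, body):
        data = body["data"]
        if str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        self.access, self.refresh = data["access_token"], data["refresh_token"]
        self.deadline = self.clock() + data["expires_in"] - self.SKEW

    def login(self, email, password, tenant_slug=None):
        payload = {"email": email, "password": password}
        if tenant_slug:
            payload["tenant_slug"] = tenant_slug
        status, body = self.post("/v1/auth/login", payload, {})
        if status in (401, 404):  # same client-side error for both documented codes
            raise PermissionError("invalid email or password")
        if not (200 <= status < 300 and body.get("success")):
            raise RuntimeError(f"login failed with HTTP {status}")
        self._store(body)

    def auth_header(self):
        if self.refresh is None:
            raise SessionExpired("not logged in")
        if self.clock() >= self.deadline:
            status, body = self.post("/v1/auth/refresh", {"refresh_token": self.refresh}, {})
            if not (200 <= status < 300 and body.get("success")):
                self.clear()  # invalid or expired refresh token: keep nothing
                raise SessionExpired(f"refresh rejected with HTTP {status}")
            self._store(body)  # new pair: the old refresh token is replaced too
        return {"Authorization": f"Bearer {self.access}"}

    def logout(self):
        token = self.access
        self.clear()  # discard client-side even if the request below fails
        if token:
            self.post("/v1/auth/logout", None, {"Authorization": f"Bearer {token}"})
```

Call auth_header() before every authenticated request; it refreshes only when the stored expiry is reached and raises SessionExpired when the user has to sign in again.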

CAS SSO — Get Auth URL

GET /v1/auth/cas/auth-url
Returns the CAS login URL for frontend redirect. The frontend should redirect the user to this URL to begin the SSO flow.

Authentication

None — this is a public endpoint.

Query parameters

service (string): Your frontend’s CAS callback URL. The CAS server will redirect back here after authentication.

Example request

curl "https://mind-be.staging.miva.university/v1/auth/cas/auth-url?service=https://app.example.com/cas/callback"

Response

{
  "success": true,
  "data": {
    "url": "https://cas.university.edu/cas/login?service=https://app.example.com/cas/callback"
  },
  "message": null
}

CAS SSO — Login

POST /v1/auth/cas/login
Validate a CAS ticket and return tokens. Called after CAS redirects back to your app with a ticket parameter.

Authentication

None — this is a public endpoint.

Request body

ticket (string, required): The CAS ticket from the redirect query string.
service (string, required): The same service URL used when generating the auth URL.
tenant_slug (string, required): Tenant slug. Required for CAS login.

Example request

curl -X POST https://mind-be.staging.miva.university/v1/auth/cas/login \
  -H "Content-Type: application/json" \
  -d '{
    "ticket": "ST-12345-abcdef",
    "service": "https://app.example.com/cas/callback",
    "tenant_slug": "demo-university"
  }'

Response

{
  "success": true,
  "data": {
    "access_token": "eyJhbGciOiJIUzI1NiIs...",
    "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
    "token_type": "bearer",
    "expires_in": 1800
  },
  "message": "CAS login successful"
}

Error responses

Status | Code | Condition
401 | AUTHENTICATION_ERROR | CAS ticket validation failed
400 | TENANT_ERROR | Tenant not found by slug or SSO not enabled
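
The two CAS calls above seen from the client, as an added example that is not part of the original documentation: it percent-encodes the service value for the auth-url request and builds the login body from the callback URL only when that URL matches the service sent earlier. The function names are hypothetical, and the "ST-" prefix check comes from the CAS protocol specification rather than from this page.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

API = "https://mind-be.staging.miva.university"  # base URL from the page's curl examples

def auth_url_request(service):
    """URL for GET /v1/auth/cas/auth-url with the service value percent-encoded."""
    return f"{API}/v1/auth/cas/auth-url?{urlencode({'service': service})}"

def cas_login_payload(callback_url, expected_service, tenant_slug):
    """Build the POST /v1/auth/cas/login body from the URL CAS redirected back to."""
    parts = urlsplit(callback_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    tickets = [v for k, v in query if k == "ticket"]
    # CAS service tickets start with "ST-"; more than one ticket is ambiguous.
    if len(tickets) != 1 or not tickets[0].startswith("ST-"):
        raise ValueError("callback must carry exactly one CAS service ticket")
    # Remove only the ticket; what is left must equal the service sent earlier,
    # because the login call requires the same service URL as the auth URL.
    rest = urlencode([(k, v) for k, v in query if k != "ticket"])
    service = urlunsplit((parts.scheme, parts.netloc, parts.path, rest, ""))
    if service != expected_service:
        raise ValueError("callback does not match the service used for the auth URL")
    return {"ticket": tickets[0], "service": expected_service,
            "tenant_slug": tenant_slug}
```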

Accept Invite

POST /v1/auth/invite/accept?token={token}
Accept a user invitation. The token is sent via email when an admin invites a user through the console. Invitations expire after 7 days.

Authentication

None — this is a public endpoint. The token itself authenticates the request.

Query parameters

token (string, required): The invite token from the invitation email link.

Example request

curl -X POST "https://mind-be.staging.miva.university/v1/auth/invite/accept?token=abc123xyz..."

Response

{
  "success": true,
  "data": null,
  "message": "Invite accepted successfully"
}

Error responses

Status | Code | Condition
404 | NOT_FOUND | Invalid or already-used invite token
400 | VALIDATION_ERROR | Invite has expired (older than 7 days)