Page Introduction

Onboarding step guide

This step gives implementation-level instructions for frontend engineers integrating authentication and protected Workshop calls.

  • Apply this step in your client API layer before feature work.
  • Use the examples directly in a local test environment.
  • Move to the next step only when this one is verified.

Onboarding Step 3

Auth API Testing

This page gives you a complete test flow for `Auth` and `EmailVerification`, so you can validate integration before moving into the full Workshop API.

1. Set environment variables

```
# .env.local
MINBIL_API_BASE_URL=http://localhost:5000
MINBIL_API_KEY=replace_with_api_key
MINBIL_TEST_EMAIL=test@example.com
MINBIL_TEST_PASSWORD=replace_with_password
```

2. Smoke test with Axios (Node.js)

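```javascript
import axios from "axios";

// Run with: node --env-file=.env.local smoke-test.mjs
// (Node 20.6+; the file name is an example.)
const BASE_URL = process.env.MINBIL_API_BASE_URL ?? "http://localhost:5000";
const API_KEY = process.env.MINBIL_API_KEY;
const EMAIL = process.env.MINBIL_TEST_EMAIL;
const PASSWORD = process.env.MINBIL_TEST_PASSWORD;

// Fail fast instead of sending placeholder credentials to the API.
if (!API_KEY || !EMAIL || !PASSWORD) {
  throw new Error(
    "Set MINBIL_API_KEY, MINBIL_TEST_EMAIL and MINBIL_TEST_PASSWORD",
  );
}

const baseHeaders = {
  "Content-Type": "application/json",
  "x-api-key": API_KEY,
};

// Node.js has no browser cookie jar, so `withCredentials` alone does not
// replay cookies there. Assumption: sign-in returns the refresh token in a
// Set-Cookie header, which is forwarded manually to refresh and logout.
const toCookieHeader = (setCookie = []) =>
  setCookie.map((c) => c.split(";")[0]).join("; ");

const withCookie = (cookie) =>
  cookie ? { ...baseHeaders, Cookie: cookie } : baseHeaders;

async function runAuthFlow() {
  // 1. Sign in with the API key and test credentials.
  const signIn = await axios.post(
    BASE_URL + "/api/ws/auth/sign-in",
    { email: EMAIL, password: PASSWORD },
    { headers: baseHeaders, withCredentials: true },
  );

  const accessToken = signIn.data?.access_token;
  if (!accessToken) {
    throw new Error("sign-in response did not contain access_token");
  }
  const cookie = toCookieHeader(signIn.headers["set-cookie"]);

  // 2. Call a bearer-protected endpoint with the access token.
  const me = await axios.get(BASE_URL + "/api/ws/shop?full=true", {
    headers: { ...baseHeaders, Authorization: "Bearer " + accessToken },
  });

  // 3. Refresh the session.
  const refresh = await axios.post(
    BASE_URL + "/api/ws/auth/refresh-token",
    {},
    { headers: withCookie(cookie), withCredentials: true },
  );

  // If the refresh response set new cookies, use those for logout.
  const latestCookie =
    toCookieHeader(refresh.headers["set-cookie"]) || cookie;

  // 4. Log out.
  const logout = await axios.post(
    BASE_URL + "/api/ws/auth/logout",
    {},
    { headers: withCookie(latestCookie), withCredentials: true },
  );

  console.log({
    signInStatus: signIn.status,
    profileStatus: me.status,
    refreshStatus: refresh.status,
    logoutStatus: logout.status,
  });
}

runAuthFlow().catch((error) => {
  console.error(error.response?.status, error.response?.data ?? error.message);
});
```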

3. Clean UI test sequence

  1. Open `Auth Interactive` and set `x-api-key` in auth/headers.
  2. Call `POST /api/ws/auth/sign-in`.
  3. Copy `access_token` from the response.
  4. Test a bearer-protected endpoint (`GET /api/ws/shop`).
  5. Test `POST /api/ws/auth/refresh-token` and `POST /api/ws/auth/logout`.

4. Expected results

  • 200 / 201: Valid API key + valid credentials/token.
  • 401 / 403: Missing or invalid API key / token.
  • 429: Rate limit on auth or support-related calls.
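
The rejection codes listed above can be verified as well as the success path. The following is an added example, not code from the original page or the project: it sends three requests that the API should refuse and classifies each response against the list. `classify`, `buildCases`, `runNegativeChecks` and the injectable `fetchImpl` parameter are hypothetical names, and the bearer value is constructed.

```javascript
// Added example (not from the original page). Function names are hypothetical.
// Map a status code onto the page's "Expected results" list.
function classify(status) {
  if (status === 401 || status === 403) return "rejected"; // expected outcome
  if (status === 429) return "rate-limited"; // inconclusive, retry later
  if (status >= 200 && status < 300) return "accepted"; // protection not enforced
  return "unexpected"; // e.g. 404 from the wrong base URL (see step 5)
}

// Three requests that a correctly configured API must refuse.
function buildCases({ apiKey, email, password }) {
  return [
    { // Valid credentials, so a 2xx here means the API key is not checked.
      name: "sign-in without x-api-key", method: "POST", path: "/api/ws/auth/sign-in",
      headers: { "Content-Type": "application/json" }, body: { email, password },
    },
    {
      name: "shop without bearer token", method: "GET", path: "/api/ws/shop",
      headers: { "x-api-key": apiKey },
    },
    { // Constructed token value, never valid.
      name: "shop with invalid bearer token", method: "GET", path: "/api/ws/shop",
      headers: { "x-api-key": apiKey, Authorization: "Bearer constructed.invalid.token" },
    },
  ];
}

// fetchImpl defaults to the global fetch (Node 18+); pass a stub to test offline.
async function runNegativeChecks(config, fetchImpl = fetch) {
  const results = [];
  for (const c of buildCases(config)) {
    const res = await fetchImpl(config.baseUrl + c.path, {
      method: c.method,
      headers: c.headers,
      body: c.body ? JSON.stringify(c.body) : undefined,
    });
    results.push({ name: c.name, status: res.status, verdict: classify(res.status) });
  }
  return { ok: results.every((r) => r.verdict === "rejected"), results };
}

// Usage: runNegativeChecks({ baseUrl: process.env.MINBIL_API_BASE_URL,
//   apiKey: process.env.MINBIL_API_KEY, email: process.env.MINBIL_TEST_EMAIL,
//   password: process.env.MINBIL_TEST_PASSWORD }).then(console.log);
```

A `rate-limited` verdict means the check was inconclusive, so rerun it after the limit resets rather than treating it as a pass.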

5. Troubleshoot 404 against localhost:3000

  • If you see `POST http://localhost:3000/api/ws/auth/sign-in 404`, your client is targeting the wrong server URL.
  • The docs portal includes a built-in proxy for `/api/ws/*`, so same-origin requests from Try-It are forwarded to `MINBIL_API_BASE_URL`.
  • Open `http://localhost:3000/api/openapi/workshop-auth`.
  • Confirm that `servers[0].url` is `/` (same-origin proxy) and that `servers[1].url` points to the backend, for example `http://localhost:5000`.
  • Set `MINBIL_API_BASE_URL=http://localhost:5000` in `.env.local` and restart the dev server.
  • Optional: set `MINBIL_OPENAPI_URL=http://localhost:5000/api/ws/swagger-doc` to load OpenAPI directly from the backend.