NexGate Authentication API
NexGate is a social commerce platform that provides secure authentication services with OTP-based verification. This documentation covers the complete authentication API including registration, login,
API Response Standards
All API responses follow a consistent structure to ensure predictable client integration.
Success Response Structure
{
"success": true,
"httpStatus": "OK",
"message": "Operation completed successfully",
"action_time": "2024-09-07T15:30:45",
"data": {
// Response data object
}
}Error Response Structure
{
"success": false,
"httpStatus": "BAD_REQUEST",
"message": "Error description",
"action_time": "2024-09-07T15:30:45",
"data": "Detailed error information or validation errors"
}Response Fields Specification
success
boolean
Indicates if the request was successful
httpStatus
string
HTTP status code as string
message
string
Human-readable message describing the result
action_time
string
ISO 8601 timestamp of when the response was generated
data
object/string
Response payload or error details
Base Configuration
API Base URL
Production: https://apinexgate.glueauth.com/api/v1//auth
Development: http://localhost:8080/api/v1/authRequired Headers
Content-Type: application/json
Accept: application/jsonAuthentication Headers (for protected endpoints)
Authorization: Bearer {access_token}Authentication Flow
The NexGate authentication system follows a secure OTP-based verification process:
Flow Diagram
1. Registration Request → Temp Token + OTP Sent
2. OTP Verification → Access Token + Refresh Token
3. Login Request → Temp Token + OTP Sent
4. Login OTP Verification → Access Token + Refresh Token
5. Token Refresh → New Access TokenKey Security Features
OTP-based verification for all critical operations
JWT tokens with configurable expiration
Rate limiting on OTP requests
Automatic username generation
Multi-channel OTP delivery support
API Endpoints
Endpoint Access Levels
🔓 PUBLIC - No authentication required 🔒 PROTECTED - Requires valid access token
1. User Registration
🔓 PUBLIC ENDPOINT - No authentication required
Endpoint: POST /register
Description: Creates a new user account and sends verification OTP to the specified channel.
Request Specification
POST /api/v1/auth/register
Content-Type: application/json
{
"phoneNumber": "+14155552671",
"password": "PiedPiper2024!",
"email": "richard.hendricks@piedpiper.com",
"firstName": "Richard",
"lastName": "Hendricks",
"middleName": "Thomas",
"verificationChannel": "EMAIL"
}Request Body Schema
phoneNumber
string
E.164 format
✅
International phone number
password
string
Min 8 chars, complexity rules
✅
User password
email
string
Valid email format
✅
User email address
firstName
string
Max 30 characters
✅
User's first name
lastName
string
Max 30 characters
✅
User's last name
middleName
string
Max 30 characters
✅
User's middle name
verificationChannel
enum
See verification channels
✅
OTP delivery method
⚠️ Password Complexity Rules
Minimum 8 characters
At least one uppercase letter (A-Z)
At least one lowercase letter (a-z)
At least one digit (0-9)
At least one special character (@$!%*?&#)
Success Response (200 OK)
{
"success": true,
"httpStatus": "OK",
"message": "Registration successful",
"action_time": "2024-09-07T15:30:45",
"data": {
"tempToken": "eyJhbGciOiJIUzI1NiJ9...",
"message": "OTP has been sent to your email",
"expireAt": "2024-09-07T15:40:45"
}
}Error Responses
User Already Exists (400)
{
"success": false,
"httpStatus": "BAD_REQUEST",
"message": "User with provided credentials already exist, please login",
"action_time": "2024-09-07T15:30:45",
"data": "User with provided credentials already exist, please login"
}Validation Errors (422)
{
"success": false,
"httpStatus": "UNPROCESSABLE_ENTITY",
"message": "Validation failed",
"action_time": "2024-09-07T15:30:45",
"data": {
"email": "Email should be valid",
"password": "Password must be at least 8 characters long, contain at least one uppercase letter, one lowercase letter, one digit, and one special character",
"phoneNumber": "Phone number must be in valid international format (e.g., +1234567890)"
}
}2. Verify Registration OTP
🔓 PUBLIC ENDPOINT - No authentication required
Endpoint: POST /verify-otp
Description: Verifies the OTP sent during registration and completes account setup.
Request Specification
POST /api/v1/auth/verify-otp
Content-Type: application/json
{
"tempToken": "eyJhbGciOiJIUzI1NiJ9...",
"otpCode": "123456"
}Request Body Schema
tempToken
string
Valid JWT token
✅
Temporary token from registration
otpCode
string
Exactly 6 digits
✅
OTP received via verification channel
Success Response (200 OK)
{
"success": true,
"httpStatus": "OK",
"message": "Registration completed successfully. You are now logged in.",
"action_time": "2024-09-07T15:35:45",
"data": {
"accessToken": "eyJhbGciOiJIUzI1NiJ9.ACCESS_TOKEN...",
"refreshToken": "eyJhbGciOiJIUzI1NiJ9.REFRESH_TOKEN...",
"userData": {
"id": "550e8400-e29b-41d4-a716-446655440000",
"userName": "richard-a1B2c3D",
"firstName": "Richard",
"lastName": "Hendricks",
"middleName": "Thomas",
"email": "richard.hendricks@piedpiper.com",
"isVerified": true,
"isEmailVerified": true,
"isPhoneVerified": false,
"roles": ["ROLE_NORMAL_USER"],
"createdAt": "2024-09-07T15:30:45",
"editedAt": "2024-09-07T15:35:45"
}
}
}Error Responses
Invalid OTP (403)
{
"success": false,
"httpStatus": "FORBIDDEN",
"message": "Invalid OTP code",
"action_time": "2024-09-07T15:35:45",
"data": "Invalid OTP code"
}Token Expired (403)
{
"success": false,
"httpStatus": "FORBIDDEN",
"message": "Token has expired",
"action_time": "2024-09-07T15:35:45",
"data": "Token has expired"
}Max Attempts Exceeded (403)
{
"success": false,
"httpStatus": "FORBIDDEN",
"message": "Maximum verification attempts exceeded",
"action_time": "2024-09-07T15:35:45",
"data": "Maximum verification attempts exceeded"
}3. Resend OTP
🔓 PUBLIC ENDPOINT - No authentication required
Endpoint: POST /resend-otp
Description: Resends OTP for registration, login, or password reset operations.
Request Specification
POST /api/v1/auth/resend-otp
Content-Type: application/json
{
"tempToken": "eyJhbGciOiJIUzI1NiJ9..."
}Request Body Schema
tempToken
string
Valid JWT token
✅
Temporary token from previous operation
Success Response (200 OK)
{
"success": true,
"httpStatus": "OK",
"message": "OTP resent successfully",
"action_time": "2024-09-07T15:37:45",
"data": {
"newTempToken": "eyJhbGciOiJIUzI1NiJ9.NEW_TOKEN...",
"message": "OTP has been resent successfully",
"expireAt": "2024-09-07T15:47:45",
"attemptsRemaining": 4,
"nextResendAllowedAt": "2024-09-07T15:39:45"
}
}Error Responses
Rate Limit Exceeded (400)
{
"success": false,
"httpStatus": "BAD_REQUEST",
"message": "Resend limit exceeded. Please wait before requesting again.",
"action_time": "2024-09-07T15:37:45",
"data": "Resend limit exceeded. Please wait before requesting again."
}Invalid Token (403)
{
"success": false,
"httpStatus": "FORBIDDEN",
"message": "Invalid or expired temporary token",
"action_time": "2024-09-07T15:37:45",
"data": "Invalid or expired temporary token"
}4. User Login
🔓 PUBLIC ENDPOINT - No authentication required
Endpoint: POST /login
Description: Authenticates user credentials and sends login OTP.
Request Specification
POST /api/v1/auth/login
Content-Type: application/json
{
"identifier": "dinesh.chugtai@piedpiper.com",
"password": "JavaIsBetter123!"
}Request Body Schema
identifier
string
Email, username, or phone
✅
User identifier
password
string
User's password
✅
Account password
Success Response (200 OK)
{
"success": true,
"httpStatus": "OK",
"message": "Login successful",
"action_time": "2024-09-07T16:00:45",
"data": {
"tempToken": "eyJhbGciOiJIUzI1NiJ9...",
"message": "OTP has been sent to your email",
"expireAt": "2024-09-07T16:10:45"
}
}Error Responses
User Not Found (404)
{
"success": false,
"httpStatus": "NOT_FOUND",
"message": "User not found",
"action_time": "2024-09-07T16:00:45",
"data": "User not found"
}Invalid Credentials (401)
{
"success": false,
"httpStatus": "UNAUTHORIZED",
"message": "Invalid credentials",
"action_time": "2024-09-07T16:00:45",
"data": "Invalid credentials"
}5. Request Password Reset
🔓 PUBLIC ENDPOINT - No authentication required
Endpoint: POST /psw-reset-otp
Description: Initiates password reset process by sending OTP to user's email.
Request Specification
POST /api/v1/auth/psw-reset-otp
Content-Type: application/json
{
"email": "gilfoyle@piedpiper.com"
}Request Body Schema
email
string
Valid email format
✅
Registered email address
Success Response (200 OK)
{
"success": true,
"httpStatus": "OK",
"message": "Password reset OTP sent successfully",
"action_time": "2024-09-07T16:15:45",
"data": {
"tempToken": "eyJhbGciOiJIUzI1NiJ9...",
"message": "Password reset OTP has been sent to your email",
"expireAt": "2024-09-07T16:25:45"
}
}Error Responses
Account Not Found (404)
{
"success": false,
"httpStatus": "NOT_FOUND",
"message": "No account found with this email",
"action_time": "2024-09-07T16:15:45",
"data": "No account found with this email"
}Account Not Verified (403)
{
"success": false,
"httpStatus": "FORBIDDEN",
"message": "Account is not verified. Please complete registration first.",
"action_time": "2024-09-07T16:15:45",
"data": "Account is not verified. Please complete registration first."
}6. Reset Password
🔓 PUBLIC ENDPOINT - No authentication required
Endpoint: POST /reset-password
Description: Completes password reset using OTP verification.
Request Specification
POST /api/v1/auth/reset-password
Content-Type: application/json
{
"tempToken": "eyJhbGciOiJIUzI1NiJ9...",
"code": "123456",
"newPassword": "NewSecurePass123!"
}Request Body Schema
tempToken
string
Valid JWT token
✅
Token from password reset request
code
string
6-digit OTP
✅
OTP received via email
newPassword
string
Password complexity rules
✅
New password
Success Response (200 OK)
{
"success": true,
"httpStatus": "OK",
"message": "Password reset successfully",
"action_time": "2024-09-07T16:20:45",
"data": "Your password has been updated. You can now login with your new password."
}Error Responses
Invalid OTP (403)
{
"success": false,
"httpStatus": "FORBIDDEN",
"message": "Invalid OTP code",
"action_time": "2024-09-07T16:20:45",
"data": "Invalid OTP code"
}Password Validation Error (422)
{
"success": false,
"httpStatus": "UNPROCESSABLE_ENTITY",
"message": "Validation failed",
"action_time": "2024-09-07T16:20:45",
"data": {
"newPassword": "Password must be at least 8 characters long, contain at least one uppercase letter, one lowercase letter, one digit, and one special character"
}
}7. Refresh Token
🔓 PUBLIC ENDPOINT - No authentication required
Endpoint: POST /refreshToken
Description: Generates a new access token using a valid refresh token.
Request Specification
POST /api/v1/auth/refreshToken
Content-Type: application/json
{
"refreshToken": "eyJhbGciOiJIUzI1NiJ9.REFRESH_TOKEN..."
}Request Body Schema
refreshToken
string
Valid JWT refresh token
✅
Refresh token from login
Success Response (200 OK)
{
"success": true,
"httpStatus": "OK",
"message": "Token refreshed successful",
"action_time": "2024-09-07T17:00:45",
"data": {
"newToken": "eyJhbGciOiJIUzI1NiJ9.NEW_ACCESS_TOKEN..."
}
}Error Responses
Invalid Refresh Token (401)
{
"success": false,
"httpStatus": "UNAUTHORIZED",
"message": "Invalid token",
"action_time": "2024-09-07T17:00:45",
"data": "Invalid token"
}Expired Refresh Token (401)
{
"success": false,
"httpStatus": "UNAUTHORIZED",
"message": "Refresh token has expired. Please login again",
"action_time": "2024-09-07T17:00:45",
"data": "Refresh token has expired. Please login again"
}Data Models
AccountResponse Schema
{
"id": "string (UUID)",
"userName": "string (auto-generated)",
"firstName": "string (max 30 chars)",
"lastName": "string (max 30 chars)",
"middleName": "string (max 30 chars)",
"email": "string (email format)",
"isVerified": "boolean",
"isEmailVerified": "boolean",
"isPhoneVerified": "boolean",
"roles": ["string array"],
"createdAt": "string (ISO 8601)",
"editedAt": "string (ISO 8601)"
}Token Response Schema
{
"accessToken": "string (JWT)",
"refreshToken": "string (JWT)"
}Temporary Token Response Schema
{
"tempToken": "string (JWT)",
"message": "string",
"expireAt": "string (ISO 8601)",
"attemptsRemaining": "number (optional)",
"nextResendAllowedAt": "string (ISO 8601, optional)"
}Verification Channels Enum
[
"EMAIL",
"SMS",
"WHATSAPP",
"VOICE_CALL",
"PUSH_NOTIFICATION",
"EMAIL_AND_SMS",
"SMS_AND_WHATSAPP",
"ALL_CHANNELS"
]User Roles Enum
[
"ROLE_SUPER_ADMIN",
"ROLE_STAFF_ADMIN",
"ROLE_NORMAL_USER"
]ℹ️ Username Generation Rules
Format:
{emailPrefix}-{randomSuffix}Email prefix extracted before @ symbol
Random suffix: 7 characters (alphanumeric)
Example:
richard.hendricks@piedpiper.com→richard-a1B2c3DAuto-generated to ensure uniqueness
Error Handling
HTTP Status Codes
200
OK
Successful operations
400
Bad Request
Rate limits, business logic errors
401
Unauthorized
Invalid/expired tokens
403
Forbidden
Verification errors, permissions
404
Not Found
User/resource not found
422
Unprocessable Entity
Validation errors
500
Internal Server Error
Server-side errors
Error Response Patterns
Validation Errors (422)
Structure:
datacontains field-specific error messagesFormat:
{"fieldName": "Error message"}Usage: Form validation failures
⚠️ Validation Error Example
{
"success": false,
"httpStatus": "UNPROCESSABLE_ENTITY",
"message": "Validation failed",
"action_time": "2024-09-07T15:30:45",
"data": {
"email": "Email should be valid",
"password": "Password requirements not met"
}
}Authentication Errors (401/403)
Structure:
datacontains error description stringFormat: Simple string message
Usage: Token validation, OTP verification
Rate Limiting Errors (400)
Structure:
datacontains rate limit informationFormat: String with retry information
Usage: Too many requests
Business Logic Errors (400/404)
Structure:
datacontains descriptive error messageFormat: String explanation
Usage: User not found, account states
Rate Limiting
OTP Request Limits
Registration OTP
5 requests
10 minutes
N/A
Login OTP
5 requests
10 minutes
N/A
Password Reset OTP
5 requests
10 minutes
N/A
Resend OTP
5 requests
10 minutes
2 minutes
OTP Verification Limits
OTP Verification
3 attempts
Token invalidated
Temp Token Usage
1 use
Token invalidated
Token Expiration Times
Access Token
1 hour
Yes (via refresh)
Refresh Token
365 days
No
Temporary Token
10 minutes
Yes (via resend)
⚠️ Rate Limiting Best Practices
Implement exponential backoff for failed requests
Display remaining attempts to users
Show cooldown timers for resend operations
Handle rate limit responses gracefully
Security Specifications
JWT Token Structure
Algorithm: HS256 (HMAC SHA-256)
Type Claims:
ACCESSfor access tokensREFRESHfor refresh tokensTEMPfor temporary tokens
Standard Claims:
sub,iat,expCustom Claims:
tokenType,purpose(for temp tokens)
Password Security
Encoding: BCrypt with configurable rounds
Complexity: Enforced server-side
History: Not tracked (current implementation)
Reset: OTP-based verification required
OTP Security
Generation: Cryptographically secure random 6-digit codes
Storage: Hashed using BCrypt
Delivery: Multiple channels supported
Expiration: 10 minutes from generation
Attempts: Maximum 3 verification attempts
Account Security Features
Email Verification: Required for password reset
Account Verification: Required for full access
Role-Based Access: Three-tier role system
Automatic Bucket Creation: MinIO storage provisioning
Audit Trail: Creation and modification timestamps
ℹ️ Security Recommendations
Store access tokens in memory or sessionStorage
Store refresh tokens in httpOnly cookies when possible
Implement proper CSRF protection
Use HTTPS in production
Validate all input on client and server side
API Version: 1.0 Last Updated: September 7, 2025
Last updated