Authentication & Session Management
Sign in to the API and maintain a secure session using JWT access tokens and refresh tokens. This lets users authenticate once, renew access without re-entering credentials, and protect routes according to role or public access.
Overview & Concepts
High-level explanation of the authentication and session model: short-lived JWT access tokens, long-lived refresh tokens, session persistence and revocation, public routes, and role-based access control.
Sign In & Token Issuance
How to authenticate with email and password, the request/response DTOs, and what you receive: short-lived access (JWT) and refresh tokens. Includes wiring and examples for login endpoints.
Refresh Flow, Token Lifecycle & Blacklisting
Detailed refresh flow: how to exchange a refresh token for a new access token, refresh token persistence and expiry, automatic rotation (if used), and blacklist/revoke mechanics for logout or remote invalidation.
Guards, Strategies & Route Decorators
Runtime enforcement and wiring: JwtAuthGuard, JwtRefreshGuard and RolesGuard behavior; passport-like strategies (jwt.strategy.ts, jwt-refresh.strategy.ts); and decorators to mark public routes or required roles.