6 High · 5 Medium · 4 Low
High severity
HIGH
Wrong token key in AdminLayout
src/layouts/AdminLayout.jsx · useEffect
Calls getTokenData('etiketarToken', 'role') but the app stores the token under 'frigappToken' everywhere else. The role will always be null, breaking menu filtering and any role-based access.
HIGH
Duplicate, conflicting token-key useEffect
src/layouts/AdminLayout.jsx · second useEffect
There are two identical useEffect(()=>{...}, []) hooks that both read etiketarToken and call setAgency. The second is a dead duplicate — remove it.
HIGH
redirect() does not navigate in React Router v6
src/App.jsx · authContext.signIn
redirect is imported from react-router-dom, but it only works inside data-router loaders/actions. Calling it in a regular function does nothing: after login the URL stays at /login. Use the useNavigate() hook instead.
HIGH
getTokenData throws when token is absent
src/utils/token.js · getTokenData
jwtDecode(localStorage.getItem(token)) — if the key doesn't exist, getItem returns null and jwtDecode(null) throws an exception. UserButton and AdminLayout call this on mount with no guard, causing a crash on fresh sessions.
HIGH
getAllClientInvoiceData and several lot functions return undefined on error
src/api/admin.js · multiple functions
~10 functions use catch(err) { console.log(err) } with no return. Callers get undefined instead of an error object, so res.success throws a TypeError. Either return err or return { success: false, message: err.message }.
HIGH
Offensive placeholder text in production UI
src/pages/Auth/Login/index.jsx · left-panel Title · src/pages/Admin/Welcome.jsx
The login page hero reads "Y este negro cree que me va a joder." and Welcome.jsx echoes similar text. These strings will be visible to real users — replace them with actual product copy before any release.
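For the two token findings above (wrong storage key in AdminLayout, getTokenData throwing on an absent token), one way to write a guarded lookup is sketched below. This is an added example, not the project's code: decodePayload stands in for jwtDecode, and the explicit storage argument, makeToken, memoryStorage, filterMenu and the menu item shape are assumptions made for illustration.

```javascript
// Added example, not the project's code. The key name comes from the review above.
const TOKEN_KEY = 'frigappToken';

// Decode the payload segment of a JWT (base64url JSON). No signature check is done,
// so the result is only a UI hint; the backend must still enforce roles itself.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Returns the claim, or null when the token is absent, malformed or expired.
// storage is passed in explicitly (window.localStorage in the app).
function getTokenData(storage, claim, key = TOKEN_KEY) {
  const raw = storage.getItem(key);
  if (typeof raw !== 'string' || raw === '') return null; // fresh session
  try {
    const payload = decodePayload(raw);
    if (typeof payload.exp === 'number' && payload.exp * 1000 <= Date.now()) return null;
    return payload[claim] ?? null;
  } catch {
    return null; // corrupted or non-JWT value must not crash the mount
  }
}

// Fail closed: a role-restricted entry is hidden when the role is unknown.
function filterMenu(items, role) {
  return items.filter((i) => !i.roles || (role !== null && i.roles.includes(role)));
}

// Constructed sample data: an unsigned token and an in-memory storage stub.
function makeToken(payload) {
  const enc = (o) =>
    btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}
function memoryStorage(items = {}) {
  return { getItem: (k) => (k in items ? items[k] : null) };
}

const sample = makeToken({ role: 'admin', exp: Math.floor(Date.now() / 1000) + 3600 });
const menu = [{ label: 'Home' }, { label: 'Users', roles: ['admin'] }];
const role = getTokenData(memoryStorage({ [TOKEN_KEY]: sample }), 'role');
console.log(role, filterMenu(menu, role).map((i) => i.label));
```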
Medium severity
MED
Missing getAgencyBySubdomain export in constants.js
src/api/constants.js
admin.js → setNewPassword calls CONS.getAgencyBySubdomain(), but that function lives in utils/token.js, not in api/constants.js. The call will throw "CONS.getAgencyBySubdomain is not a function" at runtime.
MED
Double form submission on login button
src/pages/Auth/Login/index.jsx
The <form> has onSubmit calling sendData() and the <Button> also has onClick={sendData}. Pressing Enter or clicking the button fires sendData twice, sending two simultaneous API requests.
MED
Logic error: format check runs even when fields are empty
src/pages/Auth/Login/index.jsx · sendData
The regex test runs first; only the else if branch checks for empty fields. An empty email string fails the regex and shows "formato inválido" instead of "campos vacíos". Swap the order: check empty first, then validate format.
MED
updateProductData null check is inverted
src/api/admin.js · updateProductData
(comImg === null) ? formData.append('file', comImg) : formData.append('file', comImg.file, comImg.file.name) — when comImg is null, it appends null to the form. The ternary branches are swapped.
MED
deleteUsersData uses wrong URL
src/api/admin.js · deleteUsersData
Sends DELETE ${CONS.admin}/${id} (e.g. /api/admin/5) but the get/update functions use ${CONS.admin}/users/${id}. The delete endpoint is almost certainly /api/admin/users/${id}.
Low severity / code quality
LOW
Unused imports: Avatar and ScrollArea
src/layouts/AdminLayout.jsx
Avatar and ScrollArea are imported from @mantine/core but never used. Minor — remove to keep the bundle clean.
LOW
getAgencyData is a no-op stub
src/utils/token.js
The function body is entirely commented out and always returns undefined. Either implement it or remove it so it doesn't mislead future developers.
LOW
Hardcoded production URL in constants.js
src/api/constants.js
The backend URL https://frigapp-back.azurewebsites.net/api is hardcoded. Use an environment variable (import.meta.env.VITE_API_URL) so different environments (staging, prod) can be configured without touching source code.
LOW
Most page components are empty stubs
src/pages/Admin/* (10+ files)
Pages like Calculator, Products, Support, etc. render a bare <h1> only. Not a bug, but these need implementation before the app is usable.