The login endpoint validates a user’s credentials against the stored bcrypt hash and, on success, issues a signed JSON Web Token (JWT). This token must be included in the Authorization header for all protected endpoints. The token is valid for 7 days from the moment of issuance. Accounts that have not completed email verification, or that have been deactivated, are blocked from logging in even if the password is correct.

Endpoint

POST /api/users/login/

Authentication

None required. This endpoint is publicly accessible.

Request Body

email
string
required
The email address used during registration.
password
string
required
The account’s plain-text password. Compared against the stored bcrypt hash server-side.

Request Example

curl -X POST https://your-domain.com/api/users/login/ \
  -H "Content-Type: application/json" \
  -d '{
    "email": "alex@example.com",
    "password": "mysecret123"
  }'

Response — 200 OK

{
  "message": "Login exitoso",
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "email": "alex@example.com",
  "name": "Alex",
  "is_admin": false
}
message
string
Confirmation string: "Login exitoso".
access
string
A signed HS256 JWT Bearer token. Include this value in the Authorization header of subsequent requests.
email
string
The authenticated user’s email address.
name
string
The user’s first_name as stored in the database.
is_admin
boolean
true if the user has admin privileges, false otherwise.

JWT Token Details

The token is signed with the application’s SECRET_KEY using the HS256 algorithm. The decoded payload contains:
user_id
string
The user’s MongoDB ObjectId, serialized as a string
email
string
The user’s email address
is_admin
boolean
Whether the account has admin privileges
exp
integer
Unix timestamp — exactly 7 days from the moment of issuance

Using the Token

Include the token in the Authorization header of every request to a protected endpoint:
Authorization: Bearer <token>
For example:
curl -X GET https://your-domain.com/api/users/profile/ \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
The server decodes and verifies the token on each request. An expired or malformed token returns 401 Unauthorized.
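The issue-and-verify cycle described above, as an added illustration that is not the project's own code. It uses only the Python standard library, pins the algorithm to HS256 on the server side rather than trusting the token's alg header, and treats an expired, tampered or malformed token as the 401 case; the SECRET_KEY value and the sample ObjectId are constructed for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed for this example; the real SECRET_KEY is never published.
SECRET_KEY = "example-secret-key-not-the-real-one"
SEVEN_DAYS = 7 * 24 * 3600

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user_id: str, email: str, is_admin: bool, now=None) -> str:
    """Build an HS256 JWT carrying the claims listed above, with exp 7 days out."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"user_id": user_id, "email": email, "is_admin": is_admin, "exp": now + SEVEN_DAYS}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    sig = hmac.new(SECRET_KEY.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_token(token: str, now=None):
    """Return the payload dict if the token is valid; None means the caller answers 401."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None  # malformed: not header.payload.signature
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both subclass ValueError
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm server-side: the token's own "alg" is client-controlled,
    # so "none" or anything other than HS256 is rejected before the HMAC check.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET_KEY.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None  # expired (or exp missing / not an integer)
    return payload
```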

Error Responses

401 Unauthorized
{ "error": "Credenciales incorrectas" }
Email not found, or password does not match the stored hash
403 Forbidden
{ "error": "Cuenta desactivada. Contacta al soporte." }
Account exists but is_active is False (soft-deleted)
403 Forbidden
{ "error": "Debes verificar tu correo antes de iniciar sesión" }
Account exists and password is correct, but is_verified is False
400 Bad Request
Serializer validation errors
Malformed request body (e.g. missing fields)
Both “email not found” and “wrong password” return the same 401 response with "Credenciales incorrectas". This is intentional — identical error messages prevent user enumeration attacks.