Login

POST /login
curl --request POST \
  --url https://api.example.com/login \
  --cookie cookies.txt --cookie-jar cookies.txt \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'X-XSRF-TOKEN: <x-xsrf-token>' \
  --data '
{
  "email": "<string>",
  "password": "<string>",
  "remember": true
}
'

Overview

Authenticate a user with their email address and password. On success, creates an authenticated session. If the user has two-factor authentication enabled, you’ll need to complete the two-factor challenge flow.
Before making this request, you must retrieve a CSRF token from /sanctum/csrf-cookie.

Endpoint

POST /login

Request Headers

X-XSRF-TOKEN (string, required): CSRF token retrieved from the XSRF-TOKEN cookie
Content-Type (string, required): Must be application/json
Accept (string, required): Must be application/json

Request Body

email (string, required): User’s email address (converted to lowercase)
password (string, required): User’s password
remember (boolean, default: false): Whether to keep the user logged in (“Remember Me” functionality)

Response

Successful authentication. The response includes a session cookie.
{
  "two_factor": false
}
two_factor (boolean): Indicates whether two-factor authentication is required. If true, you must complete the two-factor challenge.
Set-Cookie Header:
Set-Cookie: laravel_session=...; Path=/; HttpOnly; SameSite=Lax

Code Examples

// Step 1: Get CSRF cookie
await fetch('https://your-domain.com/sanctum/csrf-cookie', {
  credentials: 'include'
});

// Step 2: Get CSRF token from cookie (the cookie value is URL-encoded)
const csrfToken = document.cookie
  .split('; ')
  .find(row => row.startsWith('XSRF-TOKEN='))
  ?.split('=')[1];
if (!csrfToken) {
  // Step 1 must run against the same origin, otherwise the cookie is never set
  throw new Error('XSRF-TOKEN cookie missing; request /sanctum/csrf-cookie first');
}

// Step 3: Login
const response = await fetch('https://your-domain.com/login', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Accept': 'application/json',
    'X-XSRF-TOKEN': decodeURIComponent(csrfToken)
  },
  credentials: 'include',
  body: JSON.stringify({
    email: '[email protected]',
    password: 'password123',
    remember: true
  })
});

const data = await response.json();

if (!response.ok) {
  // Validation error, rejected credentials or rate limit; do not treat as success
  console.error('Login failed', response.status, data);
} else if (data.two_factor) {
  // Redirect to 2FA challenge page
  console.log('Two-factor authentication required');
} else {
  // User is authenticated
  console.log('Login successful');
}

Rate Limiting

Login attempts are rate-limited to 5 requests per minute per unique combination of email and IP address.
The rate limiter uses a sliding window, so the limit resets gradually rather than all at once.
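To make the sliding-window behaviour concrete, here is an added example (not code from the original docs or the framework behind them) of a limiter keyed by lowercased email plus IP, allowing 5 attempts per 60 seconds as described above. The clock is injectable so the gradual reset can be observed without waiting; the class name, the key format and the decision not to count rejected attempts are assumptions of this example.

```javascript
// Added example: sliding-window login limiter, 5 attempts / 60 s per email+IP.
// Rejected attempts are not recorded, so being locked out does not extend the lockout.
const WINDOW_MS = 60 * 1000;
const MAX_ATTEMPTS = 5;

class SlidingWindowLimiter {
  constructor({ max = MAX_ATTEMPTS, windowMs = WINDOW_MS, now = () => Date.now() } = {}) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;            // injectable clock (ms) for deterministic checks
    this.hits = new Map();     // key -> ascending list of attempt timestamps
  }

  // The email is lowercased the same way the login endpoint treats it.
  static key(email, ip) {
    return `${String(email).trim().toLowerCase()}|${ip}`;
  }

  // Drop timestamps that have fallen out of the window; return what remains.
  prune(key, t) {
    const list = (this.hits.get(key) || []).filter(ts => t - ts < this.windowMs);
    this.hits.set(key, list);
    return list;
  }

  // Record one attempt and report { allowed, remaining, retryAfterMs }.
  attempt(email, ip) {
    const key = SlidingWindowLimiter.key(email, ip);
    const t = this.now();
    const list = this.prune(key, t);
    if (list.length >= this.max) {
      // The oldest attempt still in the window decides when the next slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: list[0] + this.windowMs - t };
    }
    list.push(t);
    return { allowed: true, remaining: this.max - list.length, retryAfterMs: 0 };
  }
}
```

Because each attempt expires individually, a client that spread its five attempts over the minute regains one slot at a time rather than all five at once, which is what "resets gradually" means in practice.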

Logout

To log out an authenticated user:
POST /logout
This will invalidate the current session.

Example

await fetch('https://your-domain.com/logout', {
  method: 'POST',
  headers: {
    'Accept': 'application/json',
    // Same cookie-derived token as for login; the cookie value is URL-encoded
    'X-XSRF-TOKEN': decodeURIComponent(csrfToken)
  },
  credentials: 'include'
});

Common Issues

CSRF token missing or invalid. Make sure to:
  1. Request /sanctum/csrf-cookie before login
  2. Include the X-XSRF-TOKEN header
  3. Use the same session for both requests
Credentials rejected:
  • Verify the email address is correct (case-insensitive)
  • Check the password is correct (case-sensitive)
  • Ensure the user account exists and is active
Session cookie not sent. Make sure your HTTP client:
  • Supports cookies
  • Sends credentials: 'include' (fetch) or equivalent
  • Uses the same session across requests
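The following is an added example, not part of the original docs, that builds the login request so the three checklists above are enforced in code: it reads and URL-decodes the XSRF-TOKEN cookie, refuses to send a request when the cookie is absent (instead of sending the literal string "undefined"), and always sets credentials: 'include'. The cookie string, base URL and fetch implementation are parameters so it runs outside a browser; the function names and the cookie sample are assumptions of this example.

```javascript
// Added example: login request builder that fails loudly on the common mistakes.

// Parse a document.cookie-style string ("a=1; b=2") and return the decoded XSRF token,
// or null when the cookie is not present.
function readXsrfToken(cookieString) {
  for (const part of String(cookieString).split('; ')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq) === 'XSRF-TOKEN') {
      return decodeURIComponent(part.slice(eq + 1)); // cookie value is URL-encoded
    }
  }
  return null;
}

// Build { url, init } for POST /login without sending anything.
function buildLoginRequest(baseUrl, cookieString, { email, password, remember = false }) {
  const token = readXsrfToken(cookieString);
  if (!token) {
    // Checklist item 1: /sanctum/csrf-cookie must have been requested on this origin first.
    throw new Error('XSRF-TOKEN cookie not found; request /sanctum/csrf-cookie first');
  }
  return {
    url: `${baseUrl}/login`,
    init: {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json',
        'X-XSRF-TOKEN': token,        // item 2: header present, already decoded
      },
      credentials: 'include',         // item 3: send and keep the session cookie
      body: JSON.stringify({ email, password, remember }),
    },
  };
}

// Perform the login; `fetchImpl` defaults to the global fetch but can be injected.
async function login(baseUrl, cookieString, creds, fetchImpl = fetch) {
  const { url, init } = buildLoginRequest(baseUrl, cookieString, creds);
  const res = await fetchImpl(url, init);
  const data = await res.json();
  if (!res.ok) {
    return { ok: false, status: res.status, body: data };
  }
  return { ok: true, twoFactor: data.two_factor === true };
}
```

In a browser you would pass document.cookie as the cookie string; the explicit parameter is what makes the token-handling logic checkable in isolation.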

Related

Register: Create a new account
Two-Factor: Complete 2FA challenge
Password Reset: Reset forgotten password
