Login

POST /api/auth/login
curl --request POST \
  --url https://api.example.com/api/auth/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "password": "<string>"
}
'
{
  "success": true,
  "message": "<string>",
  "data": {
    "user": {
      "id": "<string>",
      "email": "<string>",
      "role": "<string>"
    },
    "accessToken": "<string>",
    "refreshToken": "<string>"
  }
}
Authenticates a user with email and password credentials. Returns JWT access and refresh tokens along with user information.

Request

email (string, required)
User’s email address. Email is case-insensitive and will be normalized to lowercase.

password (string, required)
User’s password. Minimum 1 character required.

Response

success (boolean)
Indicates if the request was successful.

message (string)
Response message (e.g., “Login successful”).

data (object)

Example Request

curl -X POST https://api.millenniumpotters.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "SecurePass123"
  }'

Example Response

{
  "success": true,
  "message": "Login successful",
  "data": {
    "user": {
      "id": "123e4567-e89b-12d3-a456-426614174000",
      "email": "[email protected]",
      "role": "ADMIN"
    },
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}

Error Responses

Returned when email doesn’t exist or password is incorrect.
{
  "success": false,
  "message": "Invalid credentials"
}
Returned when the user account has been deactivated.
{
  "success": false,
  "message": "Account is inactive"
}
Returned when email or password is missing or invalid.
{
  "success": false,
  "message": "Invalid email address"
}

Session Management

Successful login creates a new session with the following characteristics:
  • Each user may have at most 3 active sessions
  • When the limit is reached, the oldest session is automatically revoked
  • Each session is tracked with IP address and user agent
  • Sessions expire after 7 days
  • Login attempts (successful and failed) are logged for security auditing

Implementation Details

  • Email addresses are normalized to lowercase before authentication
  • Passwords are validated against bcrypt hashes
  • Failed login attempts are tracked in the user activity log
  • Soft-deleted users cannot log in
