Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/astrxnomo/shop-microservers/llms.txt

Use this file to discover all available pages before exploring further.

The login endpoint authenticates an existing user account. It validates the request body with the same Zod schema used by registration, looks up the user record by email, and uses bcrypt.compare to verify the submitted password against the stored hash. If both checks pass, a fresh JWT is signed and returned alongside the user object. Neither the stored hash nor any internal credentials are ever exposed in the response.

Endpoint

POST /api/auth/login
Authentication: Not required.

Request Body

email
string
required
The email address associated with the account. Must be a valid email format — validated by Zod’s z.string().email() rule.
password
string
required
The plain-text password to verify against the stored bcrypt hash. Must be at least 6 characters long (enforced by z.string().min(6)). The value is never logged or persisted; it is used only for the bcrypt.compare check.

Example Request

curl -X POST http://localhost/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "password": "mysecretpassword"}'

Success Response

Status: 200 OK
{
  "success": true,
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "user": {
      "id": "clxxxxxxxxxxxxx",
      "email": "user@example.com"
    }
  },
  "error": null
}

Response Fields

data.token
string
A freshly signed JWT. The payload contains the user’s id (as sub) and email, signed with JWT_SECRET, and set to expire in 7 days from the moment of issuance. Use this token in the Authorization: Bearer <token> header on all authenticated requests.
data.user.id
string
The user’s CUID-format database identifier (e.g., clxxxxxxxxxxxxx).
data.user.email
string
The authenticated user’s email address.

Error Responses

StatusCause
400 Bad RequestValidation failed — missing email or password field, invalid email format, or password shorter than 6 characters.
401 UnauthorizedThe email was not found in the database, or the provided password did not match the stored bcrypt hash.
Example 401 response:
{
  "success": false,
  "data": null,
  "error": "Invalid credentials"
}
Both “user not found” and “password mismatch” return the same 401 with the message "Invalid credentials". This is intentional — distinguishing between the two cases would allow enumeration of registered email addresses.
Each successful login issues a brand-new token with a fresh 7-day expiry window. Tokens are not invalidated server-side when you log in again, so any previously issued tokens remain valid until their own expiry timestamp. If you need to force a logout on all devices, rotate the JWT_SECRET environment variable and restart the Auth service.

Build docs developers (and LLMs) love