The login endpoint authenticates an existing user account. It validates the request body with the same Zod schema used by registration, looks up the user record by email, and usesDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/astrxnomo/shop-microservers/llms.txt
Use this file to discover all available pages before exploring further.
bcrypt.compare to verify the submitted password against the stored hash. If both checks pass, a fresh JWT is signed and returned alongside the user object. Neither the stored hash nor any internal credentials are ever exposed in the response.
Endpoint
Request Body
The email address associated with the account. Must be a valid email format — validated by Zod’s
z.string().email() rule.The plain-text password to verify against the stored bcrypt hash. Must be at least 6 characters long (enforced by
z.string().min(6)). The value is never logged or persisted; it is used only for the bcrypt.compare check.Example Request
Success Response
Status:200 OK
Response Fields
A freshly signed JWT. The payload contains the user’s
id (as sub) and email, signed with JWT_SECRET, and set to expire in 7 days from the moment of issuance. Use this token in the Authorization: Bearer <token> header on all authenticated requests.The user’s CUID-format database identifier (e.g.,
clxxxxxxxxxxxxx).The authenticated user’s email address.
Error Responses
| Status | Cause |
|---|---|
400 Bad Request | Validation failed — missing email or password field, invalid email format, or password shorter than 6 characters. |
401 Unauthorized | The email was not found in the database, or the provided password did not match the stored bcrypt hash. |
Both “user not found” and “password mismatch” return the same
401 with the message "Invalid credentials". This is intentional — distinguishing between the two cases would allow enumeration of registered email addresses.