Overview Authenticates a user using NextAuth’s credentials provider. This endpoint validates the user’s email and password, and returns a session with JWT tokens for subsequent API requests.
Noteverse uses NextAuth for authentication with a JWT session strategy. Sessions are valid for 30 days by default.
Authentication Flow The sign-in process uses NextAuth’s CredentialsProvider with the following flow:
User submits email and password
System validates credentials against the database
Password is compared using bcrypt
On success, JWT token is created with user data and auth token
Session is established with access to user ID, email, and verification status
Request Body Parameters The user’s email address registered in the system.
The user’s password in plain text. Will be compared against the hashed password in the database.
Response NextAuth handles the response automatically. On successful authentication, a session is created containing:
User information object. The user’s unique identifier.
The user’s email address.
The user’s authentication token (authToken from database) for API requests.
Whether the user has verified their email address.
The verification token if email is not yet verified, null otherwise.
Status Codes
200 OK - Authentication successful, session created401 Unauthorized - Invalid credentials or user not found400 Bad Request - Missing email or password
Examples cURL
JavaScript (NextAuth Client)
JavaScript (Fetch)
Python
curl -X POST https://your-domain.com/api/auth/signin \ -H "Content-Type: application/json" \ -d '{ "email": "alice@example.com", "password": "SecurePass123!" }'
Success Response (200) { "user" : { "id" : 1 , "email" : "alice@example.com" , "name" : "Alice Johnson" }, "accessToken" : "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6" , "isEmailVerified" : true , "verificationToken" : null }
Error Response (401) { "error" : "Authorization error: Error: Invalid password" }
Error Cases Authentication Errors : The endpoint returns specific error messages for different authentication failures to help diagnose issues while maintaining security.
Common Error Scenarios
Missing Credentials
Status: 401
Cause: Email or password not provided in request body
Response: null user (handled by NextAuth)
User Not Found
Status: 401
Message: “Authorization error: Error: No user found”
Cause: No user exists with the provided email
Invalid Password
Status: 401
Message: “Authorization error: Error: Invalid password”
Cause: Password doesn’t match the hashed password in database
Database Error
Status: 401
Message: “Authorization error: [error details]”
Cause: Database connection or query error
Implementation Details
Session Strategy : JWT tokens with 30-day expirationPassword Verification : bcrypt comparison of plain text password against hashed passwordToken Generation : Auth token is retrieved from the database and included in the sessionEmail Verification : Users can sign in before verifying email, but isEmailVerified flag indicates verification status
JWT Token Contents The JWT token includes:
User ID
Access token (authToken from database)
Email verification status
Verification token (if email not verified)
Session Object The session object accessible via getSession() includes:
user.id: User’s database IDuser.email: User’s emailuser.name: User’s usernameaccessToken: For authenticated API requestsisEmailVerified: Email verification statusverificationToken: For email verification if needed
Alternative Authentication Noteverse also supports Google OAuth authentication. Users who sign in with Google automatically have their email verified and don’t require password credentials.
Next Steps After successful sign-in:
Store the session token for subsequent authenticated requests
Check isEmailVerified status
If email is not verified, prompt user to verify using the Verify Email endpoint
Use the accessToken for authenticated API requests to other endpoints