POST /api/auth/login

Authenticate a user and start a new session.

This endpoint authenticates a user using email and password.

On successful authentication, it returns a short-lived access token and sets a refresh token as an HTTP-only cookie.

When to use

  • When a user logs in with email and password
  • When starting a new authenticated session

Request

HTTP
POST /api/auth/login
Content-Type: application/json

Request Body
{
  "email": "user@example.com",
  "password": "strong-password"
}

Request Fields

Field      Type     Required   Description
email      string   Yes        User’s registered email address
password   string   Yes        User’s password

Response

Success (200 OK)

Response
{
  "success": true,
  "data": {
    "accessToken": "<jwt-access-token>",
    "user": {
      "id": "user_id",
      "email": "user@example.com"
    }
  }
}

The refresh token is set as an HTTP-only cookie and is not accessible from JavaScript.

Cookies

This endpoint sets a refresh token cookie.

  • HTTP-only
  • Secure in production
  • Automatically sent on refresh requests

Your client must allow cookies to be sent with requests.

Fetch / Axios
credentials: "include"

Errors

Invalid credentials (401)

Error
{
  "success": false,
  "message": "Invalid email or password"
}

Invalid request (400)

Error
{
  "success": false,
  "message": "Email and password are required"
}

Rate limited (429)

Error
{
  "success": false,
  "message": "Too many login attempts"
}

Notes

  • Passwords are verified using secure hashing
  • Access tokens are short-lived by design
  • Refresh tokens are rotated and stored securely

Related APIs

  • POST /api/auth/register – Create a user account
  • POST /api/auth/refresh – Refresh access token
  • POST /api/auth/logout – End the session
  • GET /api/auth/me – Get current user