Authenticates a user providing an access_token (JWT) for subsequent calls

POST /auth/login

The access_token must be used as a Bearer in the HTTP Authorization header of all non-public endpoints and it will have a short duration (normally 1 hour). The login endpoint also returns a refresh_token: bear in mind this just provides a basic refresh token functionality (for simplicity it does not intend to follow the OAuth 2.0 standard), this refresh token functionality it is provided mainly to prevent a user session to be abruptly interrupted while he is active if the access_token suddenly expires, providing a way to the caller so it can quickly call /auth/refresh-token endpoint and then inmmediately retry the original call with the new access_token


  • Specify effective organization_id for Admin and Group Organization Admins. This is a global header for all endpoints only taken into consideration when it makes sense (it won't be used in Auth, for example)



  • password string
  • username string

    User identifier: it can be a username, the account's email or the account's mobile phone. (The name of the field is username for historical reasons but will be change on a future version of the API


  • 200 */*

    User successfully logged in

    Hide response attributes Show response attributes object
  • Created

  • Missing or invalid request body

  • 401 */*

    Unauthorized. Please check field error_code:

    • bad-credentials: Invalid username and/or password
    • account-not-validated: User needs to validate his account (normally his/her email)
    • token-expired: JWT token expired
    • inactive-account: Account has been disabled/deleted
  • Forbidden

  • Not Found

  • Internal error

POST /auth/login
curl \
 -X POST \
 -H "Content-Type: application/json" \
 -d '{"password":"string","username":"string"}'
Request examples
# Headers

# Payload
  "password": "string",
  "username": "string"
Response examples (200)
{"access_token"=>"string", "jwt_token"=>"string", "refresh_token"=>"string"}
Response examples (401)
  "error_code": "account-not-validated",
  "extra_attributes": {
     "resend_code": "d2e93fb1-5541-4a90-8215-ca1ebcdcab8b",
  "trace_id": "2835818043d277b0"
  "message": "Account not validated",