Authenticates a user, returning an access_token (JWT) for subsequent calls. The access_token must be sent as a Bearer token in the HTTP Authorization header of all non-public endpoints, and it has a short lifetime (normally 1 hour). The login endpoint also returns a refresh_token. Bear in mind that this provides only basic refresh-token functionality (for simplicity it does not intend to follow the OAuth 2.0 standard); it exists mainly to prevent a user's session from being abruptly interrupted while the user is active if the access_token suddenly expires: the caller can quickly call the /auth/refresh-token endpoint and then immediately retry the original call with the new access_token.
Headers
- Specifies the effective organization_id for Admin and Group Organization Admin users. This is a global header accepted on all endpoints but only taken into consideration where it makes sense (it is not used in Auth, for example).
Responses
- 200 */*: User successfully logged in
- Created
- Missing or invalid request body
- 401 */*: Unauthorized. Please check field error_code:
  - bad-credentials: Invalid username and/or password
  - account-not-validated: User needs to validate their account (normally their email)
  - token-expired: JWT token expired
  - inactive-account: Account has been disabled/deleted
- Forbidden
- Not Found
- Internal error
curl \
-X POST http://localhost:8080/auth/login \
-H "Content-Type: application/json" \
-d '{"password":"string","username":"string"}'
# Headers
Content-Type: application/json

# Payload
{
  "password": "string",
  "username": "string"
}

# Response 200: User successfully logged in
{
  "access_token": "string",
  "jwt_token": "string",
  "refresh_token": "string"
}

# Response 401: account-not-validated
{
  "error_code": "account-not-validated",
  "extra_attributes": {
    "resend_code": "d2e93fb1-5541-4a90-8215-ca1ebcdcab8b"
  },
  "trace_id": "2835818043d277b0",
  "message": "Account not validated"
}
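The refresh-and-retry flow described at the top of this page, together with the 401 error_code handling from the Responses section, as an added client-side example (this is not the API's own client or server code). The login and protected-call shapes follow the page; the request body and response of /auth/refresh-token (a JSON body carrying refresh_token, answered with a new access_token) are an assumption, since the page only names that endpoint. The FakeServer, its credentials, and the /users/me path are constructed so the example runs offline; the transport is injected, so the same client would work against the real base URL with any HTTP library.

```python
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, dict]  # (HTTP status, decoded JSON body)
# transport(method, url, headers, json_body) -> Response; injected so the example runs offline
Transport = Callable[[str, str, Dict[str, str], dict], Response]

BASE = "http://localhost:8080"  # host taken from the page's curl example


class AuthError(Exception):
    """A 401 whose error_code cannot be fixed by a refresh (bad-credentials, inactive-account, ...)."""

    def __init__(self, error_code: str, message: str):
        super().__init__(f"{error_code}: {message}")
        self.error_code = error_code


def _raise_401(body: dict) -> None:
    raise AuthError(body.get("error_code", "unknown"), body.get("message", ""))


class ApiClient:
    def __init__(self, transport: Transport):
        self._send = transport
        self.access_token: Optional[str] = None
        self.refresh_token: Optional[str] = None

    def login(self, username: str, password: str) -> None:
        status, body = self._send("POST", BASE + "/auth/login",
                                  {"Content-Type": "application/json"},
                                  {"username": username, "password": password})
        if status != 200:
            _raise_401(body)
        self.access_token = body["access_token"]
        self.refresh_token = body["refresh_token"]

    def _refresh(self) -> None:
        # ASSUMPTION: /auth/refresh-token takes {"refresh_token": ...} and answers with a new
        # access_token; the page names the endpoint but does not document its shape.
        status, body = self._send("POST", BASE + "/auth/refresh-token",
                                  {"Content-Type": "application/json"},
                                  {"refresh_token": self.refresh_token})
        if status != 200:
            _raise_401(body)
        self.access_token = body["access_token"]
        self.refresh_token = body.get("refresh_token", self.refresh_token)  # keep old one if not rotated

    def call(self, method: str, path: str, payload: Optional[dict] = None) -> Response:
        """Call a non-public endpoint with the Bearer token; on a 401 token-expired,
        refresh once and retry the original request, as the page describes."""
        for attempt in (1, 2):
            headers = {"Authorization": f"Bearer {self.access_token}"}
            status, body = self._send(method, BASE + path, headers, payload or {})
            if status == 401 and body.get("error_code") == "token-expired" and attempt == 1:
                self._refresh()
                continue  # retry with the new access_token
            if status == 401:
                _raise_401(body)  # any other error_code (or a second expiry) is not retried
            return status, body


class FakeServer:
    """Constructed stand-in for the API (not a real server): tokens are opaque strings and
    access tokens can be expired on demand so the retry path can be exercised."""

    def __init__(self):
        self._users = {"alice": "s3cret"}  # constructed credentials
        self._access, self._refresh, self._issued = set(), set(), 0

    def _issue(self, kind: str, store: set) -> str:
        self._issued += 1
        token = f"{kind}-{self._issued}"
        store.add(token)
        return token

    def expire_access_tokens(self) -> None:
        self._access.clear()  # simulates the ~1 hour expiry of every issued access_token

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: dict) -> Response:
        path = url[len(BASE):]
        if path == "/auth/login":
            if self._users.get(body.get("username")) != body.get("password"):
                return 401, {"error_code": "bad-credentials", "message": "Invalid username and/or password"}
            access = self._issue("access", self._access)
            return 200, {"access_token": access, "jwt_token": access,
                         "refresh_token": self._issue("refresh", self._refresh)}
        if path == "/auth/refresh-token":
            if body.get("refresh_token") not in self._refresh:
                return 401, {"error_code": "token-expired", "message": "Refresh token expired"}
            return 200, {"access_token": self._issue("access", self._access)}
        token = headers.get("Authorization", "")[len("Bearer "):]  # everything else is non-public
        if token not in self._access:
            return 401, {"error_code": "token-expired", "message": "JWT token expired"}
        return 200, {"path": path}


def demo() -> dict:
    """Log in, expire the access token, call a protected endpoint: the client refreshes and retries."""
    server = FakeServer()
    client = ApiClient(server)
    client.login("alice", "s3cret")
    first_token = client.access_token
    server.expire_access_tokens()
    status, _ = client.call("GET", "/users/me")  # hypothetical non-public endpoint
    return {"status": status, "refreshed": client.access_token != first_token,
            "tokens_issued": server._issued}


def login_error_code(username: str, password: str) -> str:
    """Return "" on success, else the error_code from the 401 body."""
    try:
        ApiClient(FakeServer()).login(username, password)
        return ""
    except AuthError as exc:
        return exc.error_code


if __name__ == "__main__":
    print(demo())  # {'status': 200, 'refreshed': True, 'tokens_issued': 3}
```

The retry is deliberately limited to one attempt and to the token-expired error_code: a bad-credentials or inactive-account 401 is surfaced to the caller immediately, and a second expiry after a fresh token indicates something other than the ordinary one-hour timeout.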