Login User

POST /api/auth/login
curl --request POST \
  --url https://api.example.com/api/auth/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "password": "<string>"
}
'
{
  "message": "Invalid email or password"
}

Description

Authenticates an existing user with their email and password credentials. Upon successful login, a JWT token is automatically set as an HTTP-only cookie with a 1-day expiration.

Request Body

email (string, required)
    The email address of the user account
password (string, required)
    The password for the user account

Response

message (string)
    Success message indicating the user logged in successfully
user (object)
    The authenticated user object

Success Response (200)

{
  "message": "User loggedIn successfully.",
  "user": {
    "id": "507f1f77bcf86cd799439011",
    "username": "johndoe",
    "email": "[email protected]"
  }
}
A JWT token is automatically set as an HTTP-only cookie named token with a 1-day expiration. The token contains:
  • id: User’s unique identifier
  • username: User’s username
  • exp: Token expiration timestamp

Error Responses

{
  "message": "Invalid email or password"
}
The same error message is returned for both invalid email and invalid password to prevent user enumeration attacks.

Example Request

curl -X POST https://api.example.com/api/auth/login \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{
    "email": "[email protected]",
    "password": "securePassword123"
  }'

Implementation Details

  • Password verification uses bcrypt.compare() for secure comparison
  • JWT tokens are signed with the secret taken from the JWT_SECRET environment variable
  • Token expiration is set to 1 day (24 hours)
  • The cookie is set automatically by the server
  • No authentication required (public endpoint)
  • Returns the same error message for invalid email or password to prevent user enumeration
