Endpoint

POST /api/auth/login
Authenticates a user with their username and password credentials. Returns JWT access and refresh tokens upon successful authentication.

Request Body

username (string, required) - The user’s username. Must be between 3 and 50 characters.
password (string, required) - The user’s password. Must be at least 8 characters.

Response

token (string) - JWT access token used to authenticate API requests. This token is short-lived and should be included in the Authorization header as Bearer {token}.
refresh_token (string) - JWT refresh token used to obtain new access tokens when they expire. Store this securely as it is long-lived.
expires_at (integer) - Unix timestamp (seconds since epoch) indicating when the access token expires.

Example Request

curl -X POST https://api.vega.ai/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "john.doe@example.com",
    "password": "securePassword123"
  }'

Example Response

200 OK
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImpvaG4uZG9lQGV4YW1wbGUuY29tIiwicm9sZSI6IlNUQU5EQVJEIiwidG9rZW5fdHlwZSI6ImFjY2VzcyIsImlzcyI6IlZlZ2EgQUkiLCJzdWIiOiJqb2huLmRvZUBleGFtcGxlLmNvbSIsImlhdCI6MTcwOTgzMjAwMCwiZXhwIjoxNzA5ODM1NjAwfQ.example_signature",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6ImpvaG4uZG9lQGV4YW1wbGUuY29tIiwicm9sZSI6IlNUQU5EQVJEIiwidG9rZW5fdHlwZSI6InJlZnJlc2giLCJpc3MiOiJWZWdhIEFJIiwic3ViIjoiam9obi5kb2VAZXhhbXBsZS5jb20iLCJpYXQiOjE3MDk4MzIwMDAsImV4cCI6MTcxMDQzNjgwMH0.example_signature",
  "expires_at": 1709835600
}
400 Bad Request
{
  "error": "invalid request body"
}
401 Unauthorized
{
  "error": "invalid username or password"
}

Implementation Details

The login endpoint performs the following operations (see internal/api/auth/handlers.go:86):
  1. Request Validation - Validates that username and password are provided
  2. Credential Verification - Looks up the user and verifies the password using bcrypt
  3. Token Generation - Generates JWT access and refresh tokens with appropriate expiry times
  4. Last Login Update - Updates the user’s last login timestamp
  5. Response - Returns both tokens and expiration time
Security: Failed login attempts are logged for security monitoring. The endpoint is protected by rate limiting to prevent brute force attacks.

Token Claims

The access token JWT contains the following claims:
{
  "user_id": 1,
  "username": "john.doe@example.com",
  "role": "STANDARD",
  "token_type": "access",
  "iss": "Vega AI",
  "sub": "john.doe@example.com",
  "iat": 1709832000,
  "exp": 1709835600
}
user_id (integer) - Unique identifier for the user
username (string) - The user’s username (typically email)
role (string) - User role: either ADMIN or STANDARD
token_type (string) - Token type: access for access tokens, refresh for refresh tokens
iss (string) - Token issuer (application name)
sub (string) - Token subject (username)
iat (integer) - Issued at timestamp (Unix epoch)
exp (integer) - Expiration timestamp (Unix epoch)
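
Access and refresh tokens carry the same claim set and differ only in token_type and exp, so any code that validates a Bearer token has to check token_type explicitly. The following Python code is an added example, not code from the Vega AI project: it verifies an HS256 token (the algorithm named in the example token's header) and accepts it only when iss is "Vega AI", token_type is access and exp is still in the future. The function names, the shared key and the sample claims are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json

ISSUER = "Vega AI"  # the documented "iss" claim value


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def sign(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed sample token (stands in for the real issuer)."""
    head = _b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    msg = head + "." + _b64e(json.dumps(claims).encode())
    return msg + "." + _b64e(hmac.new(key, msg.encode(), hashlib.sha256).digest())


def verify_access(token: str, key: bytes, now: int) -> dict:
    """Return the claims of a valid access token; raise ValueError otherwise."""
    head, body, sig = token.split(".")  # ValueError unless exactly 3 segments
    header = json.loads(_b64d(head))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; rejects "none"
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64d(sig), expected):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))  # parsed only after the MAC checks out
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_type") != "access":
        raise ValueError("not an access token")  # a refresh token stops here
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed secret, for illustration only
    base = {"user_id": 1, "role": "STANDARD", "iss": ISSUER, "exp": 1709835600}
    token = sign({**base, "token_type": "access"}, key)
    print(verify_access(token, key, now=1709832000))
```

A correctly signed refresh token passed to verify_access raises ValueError("not an access token"), which is the case a signature check alone would miss.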

Using the Token

Once authenticated, include the access token in subsequent API requests:
curl -X GET https://api.vega.ai/api/jobs \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Next Steps

Refresh Token

Learn how to refresh expired access tokens

Google OAuth

Alternative authentication using Google
