Login
curl --request POST \
  --url https://api.example.com/api/users/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "username": "<string>",
  "password": "<string>"
}
'
{
  "message": "<string>",
  "token": "<string>",
  "userId": 123,
  "username": "<string>",
  "error": "<string>"
}

Endpoint

POST /api/users/login
Authenticates a user with username and password. Returns a JWT token valid for 7 days upon successful authentication.

Request Body

username
string
required
The user’s username.
password
string
required
The user’s password. Will be compared against the stored bcrypt hash.

Response

message
string
Success message: “Inicio de sesión exitoso”
token
string
JWT authentication token valid for 7 days. Include it in the Authorization header for authenticated requests.
userId
integer
Unique identifier for the authenticated user.
username
string
The authenticated user’s username.

Code Examples

curl -X POST https://api.mediguide.com/api/users/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "johndoe",
    "password": "securePassword123"
  }'

Response Example

Success Response (200)
{
  "message": "Inicio de sesión exitoso",
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "userId": 42,
  "username": "johndoe"
}

Error Responses

error
string
Error message describing what went wrong.

400 Bad Request

Returned when required fields are missing.
Missing Fields
{
  "error": "Usuario y contraseña requeridos"
}

401 Unauthorized

Returned when credentials are invalid. The same error message is used for both invalid username and invalid password to prevent user enumeration.
Invalid Credentials
{
  "error": "Usuario o contraseña incorrectos"
}

500 Internal Server Error

Returned when an unexpected server error occurs.
Server Error
{
  "error": "Error interno del servidor"
}

Implementation Details

  • Password verification is performed using bcrypt.compare() against the stored hash
  • JWT tokens are signed with the HS256 algorithm and expire after 7 days
  • The same error message is returned for an invalid username or password to prevent username enumeration
  • Successful authentication is logged with user ID for security auditing
  • Source: src/routes/users.js:51
