POST /api/auth/login
Login User
curl --request POST \
  --url https://api.example.com/api/auth/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "password": "<string>"
}
'
{
  "success": true,
  "message": "<string>",
  "data": {
    "token": "<string>",
    "user": {
      "id": "<string>",
      "firstName": "<string>",
      "lastName": "<string>",
      "fullName": "<string>",
      "email": "<string>",
      "role": "<string>",
      "phone": "<string>",
      "isActive": true,
      "isEmailVerified": true,
      "fitnessProfile": {
        "questionnaireCompleted": true,
        "gender": "<string>",
        "age": 123,
        "height": 123,
        "weight": 123,
        "fitnessLevel": "<string>",
        "mainGoal": "<string>",
        "trainingLocation": "<string>",
        "trainingDaysPerWeek": 123,
        "sessionDuration": "<string>"
      },
      "bmi": 123,
      "bmiCategory": "<string>",
      "fitnessStats": {
        "totalWorkouts": 123,
        "totalExercises": 123,
        "totalMinutes": 123,
        "totalHours": "<string>",
        "totalCalories": 123,
        "currentStreak": 123,
        "maxStreak": 123,
        "lastWorkoutDate": "<string>",
        "achievements": [
          {}
        ],
        "workoutHistory": [
          {}
        ]
      },
      "customerLevel": "<string>",
      "totalOrders": 123,
      "totalSpent": 123,
      "loyaltyPoints": 123,
      "createdAt": "<string>"
    }
  },
  "error": "<string>"
}

Overview

This endpoint authenticates users with their email and password, returning a JWT token for subsequent authenticated requests.
This endpoint is rate-limited to prevent brute force attacks. After 5 failed login attempts, the account will be locked for 30 minutes.

Authentication

Authorization
string
Not required - public endpoint

Request Body

email
string
required
User’s registered email address
  • Must be a valid email format
  • Will be converted to lowercase
  • Example: "[email protected]"
password
string
required
User’s password
  • Minimum 1 character (actual validation)
  • Example: "MySecure123"

Response

success
boolean
Indicates if the login was successful
message
string
Success message: "Login exitoso"
data
object
Response data object

Error Responses

success
boolean
Will be false for errors
error
string
Error type or message
message
string
Detailed error message

Common Errors

Status Code | Error Message                                          | Description
400         | "Email y contraseña son requeridos"                    | Missing email or password
401         | "Email o contraseña incorrectos"                       | Invalid credentials
401         | "Tu cuenta ha sido desactivada. Contacta soporte."     | Account is inactive
401         | "Demasiados intentos fallidos. Intenta en 30 minutos." | Account locked due to failed attempts
404         | "Email o contraseña incorrectos"                       | User not found
429         | Rate limit exceeded                                    | Too many requests

Code Examples

curl -X POST https://api.fitaiid.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "MySecure123"
  }'

Example Response

{
  "success": true,
  "message": "Login exitoso",
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY1ZTRhMzIxYjRmNzg5MDEyMzQ1Njc4OSIsImVtYWlsIjoiam9obi5kb2VAZXhhbXBsZS5jb20iLCJyb2xlIjoiY3VzdG9tZXIiLCJpYXQiOjE3MDk2MzQxNzcsImV4cCI6MTcxMjIyNjE3N30.xyz123...",
    "user": {
      "id": "65e4a321b4f78901234567890",
      "firstName": "John",
      "lastName": "Doe",
      "fullName": "John Doe",
      "email": "[email protected]",
      "role": "customer",
      "phone": "5551234567",
      "isActive": true,
      "isEmailVerified": true,
      "fitnessProfile": {
        "questionnaireCompleted": true,
        "gender": "hombre",
        "age": 28,
        "height": 175,
        "weight": 75,
        "fitnessLevel": "intermedio",
        "mainGoal": "ganar masa muscular",
        "trainingLocation": "gym",
        "trainingDaysPerWeek": 5,
        "sessionDuration": "1 hr"
      },
      "bmi": 24.5,
      "bmiCategory": "Peso normal",
      "fitnessStats": {
        "totalWorkouts": 42,
        "totalExercises": 315,
        "totalMinutes": 2520,
        "totalHours": "42.0",
        "totalCalories": 21000,
        "currentStreak": 7,
        "maxStreak": 14,
        "lastWorkoutDate": "2024-03-06T09:00:00.000Z",
        "achievements": [
          {
            "achievementId": "first_workout",
            "nombre": "Primera Rutina",
            "unlockedAt": "2024-01-15T10:00:00.000Z"
          },
          {
            "achievementId": "week_streak",
            "nombre": "Racha de 7 días",
            "unlockedAt": "2024-02-20T08:30:00.000Z"
          }
        ],
        "workoutHistory": []
      },
      "customerLevel": "silver",
      "totalOrders": 5,
      "totalSpent": 750000,
      "loyaltyPoints": 750,
      "createdAt": "2024-01-10T15:30:00.000Z"
    }
  }
}

Security Features

Account Locking

After 5 failed login attempts, the account is automatically locked for 30 minutes to prevent brute force attacks.

Rate Limiting

This endpoint is rate-limited to prevent abuse. Excessive requests will result in HTTP 429 errors.

Password Hashing

Passwords are hashed using bcrypt with 12 salt rounds and never stored or returned in plain text.

Activity Logging

All login attempts are logged with IP address and user agent for security auditing.

Using the Token

After successful login, include the token in the Authorization header for all authenticated requests:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Tokens expire after 30 days by default. Users will need to log in again after expiration.
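Added example of client-side handling (not the API's own SDK) for the error table and the token usage described above: it maps each documented status and message to a client action, treating 401 and 404 alike since both mean the credentials were rejected, reads `exp` from the token without verifying it, and builds the Bearer header. The host is taken from the curl example, the sample token reuses the documented header and payload with a placeholder signature, and the action names are our own; sending the request itself is done exactly as in the curl example.

```python
import base64
import json
import time

LOGIN_URL = "https://api.fitaiid.com/api/auth/login"  # host from the docs' curl example
LOCKOUT_SECONDS = 30 * 60  # docs: locked for 30 minutes after 5 failed attempts

# Constructed sample: header and payload are the docs' example token; the
# signature is a placeholder, so this token would never verify server-side.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpZCI6IjY1ZTRhMzIxYjRmNzg5MDEyMzQ1Njc4OSIsImVtYWlsIjoiam9obi5kb2VAZXhhbXBsZS5jb20i"
    "LCJyb2xlIjoiY3VzdG9tZXIiLCJpYXQiOjE3MDk2MzQxNzcsImV4cCI6MTcxMjIyNjE3N30."
    "placeholder-signature"
)

def classify_login_result(status, body):
    """Map status + JSON body to a client action, following the error table.
    401 and 404 are treated alike (both mean "credentials rejected"); the
    lockout and 429 cases must not be retried immediately."""
    if status == 200 and body.get("success") is True:
        return {"action": "ok", "token": body["data"]["token"]}
    message = body.get("message") or body.get("error") or ""
    if status == 429 or "Demasiados intentos" in message:
        return {"action": "wait", "retry_after": LOCKOUT_SECONDS}
    if "desactivada" in message:
        return {"action": "account_inactive"}
    if status in (401, 404):
        return {"action": "bad_credentials"}
    return {"action": "bad_request" if status == 400 else "error"}

def jwt_claims(token):
    """Decode the payload WITHOUT verifying it (only the server has the HS256
    secret); the client reads `exp` solely to know when it must log in again."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding JWT strips
    return json.loads(base64.urlsafe_b64decode(payload))

def token_is_expired(token, now=None):
    return jwt_claims(token)["exp"] <= (time.time() if now is None else now)

def auth_header(token):
    """Header the docs require on every authenticated request."""
    return {"Authorization": f"Bearer {token}"}
```

The decoded sample payload carries `iat` and `exp` exactly 30 days apart, matching the stated default lifetime.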

Next Steps

Get Profile

Retrieve user profile information

Update Profile

Update user profile data
