POST /auth/login
Login
curl --request POST \
  --url https://api.example.com/auth/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "password": "<string>"
}
'
{
  "access_token": "<string>",
  "statusCode": 123,
  "message": "<string>",
  "error": "<string>"
}
Authenticates an admin user with email and password credentials. Returns a JWT access token upon successful authentication.

Request Body

email
string
required
Admin email address. Must be a valid email format.
password
string
required
Admin password. Cannot be empty.

Response

access_token
string
JWT access token for authenticating subsequent API requests. The token contains the admin’s ID, email, and role as payload.

Success Response

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjEyMzQ1Njc4OTAiLCJlbWFpbCI6ImFkbWluQGV4YW1wbGUuY29tIiwicm9sZSI6IkFETUlOIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

Error Responses

statusCode
number
HTTP status code (400 for bad requests)
message
string
Error message describing what went wrong
error
string
Error type identifier

Invalid Credentials

{
  "statusCode": 400,
  "message": "Invalid credentials",
  "error": "Bad Request"
}
This error is returned when:
  • The email doesn’t match any admin user
  • The admin account is inactive
  • The password is incorrect

Validation Errors

{
  "statusCode": 400,
  "message": [
    "email must be an email",
    "password should not be empty"
  ],
  "error": "Bad Request"
}
This error is returned when the request body doesn’t meet validation requirements.

Examples

curl -X POST https://api.example.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@example.com",
    "password": "securePassword123"
  }'

Implementation Details

  • Endpoint: POST /auth/login
  • Controller: auth.controller.ts:9
  • Service: auth.service.ts:12
  • DTO: login.dto.ts:3
  • Authentication: Not required (public endpoint)
  • Password Hashing: Uses bcrypt for secure password comparison
  • JWT Payload: Contains id, email, and role fields

Security Notes

  • Only active admin accounts can authenticate
  • Passwords are never returned in responses
  • Failed login attempts return generic “Invalid credentials” messages to prevent user enumeration
  • Access tokens should be stored securely and included in the Authorization header for protected endpoints
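
The following is an added example, not the project's own auth.service.ts: a self-contained login function showing how the behaviour documented under Implementation Details and Security Notes fits together (DTO validation with the documented messages, a single generic "Invalid credentials" response for unknown email, inactive account and wrong password, a hash comparison that runs even when no user matches, and an HS256 JWT carrying id, email and role). It assumes a constructed in-memory admin store, a constructed salt and signing secret, and uses scrypt from node:crypto in place of the bcrypt comparison the page describes so it runs without npm packages.

```typescript
import { createHmac, scryptSync, timingSafeEqual } from 'node:crypto';

// Constructed in-memory admin store; a real service would query a database.
type Admin = { id: string; email: string; role: string; isActive: boolean; hash: Buffer };
const SALT = 'constructed-salt';          // assumption: per-user salts in production
const JWT_SECRET = 'constructed-secret';  // assumption: loaded from config in production

// scrypt (node:crypto) stands in for the bcrypt comparison the page describes,
// so the example runs without npm packages. Output is a fixed 32-byte key.
const hashPassword = (pw: string): Buffer => scryptSync(pw, SALT, 32);

const ADMINS: Admin[] = [
  { id: '1234567890', email: 'admin@example.com', role: 'ADMIN', isActive: true, hash: hashPassword('securePassword123') },
  { id: '2', email: 'former@example.com', role: 'ADMIN', isActive: false, hash: hashPassword('oldPassword') },
];
// Hash compared against when no admin matches the email, so the unknown-email
// path does the same work as the wrong-password path (no timing-based enumeration).
const DUMMY_HASH = hashPassword('not-a-real-password');

const b64url = (s: string): string => Buffer.from(s).toString('base64url');

// Minimal HS256 JWT: header.payload.signature, all base64url.
function signJwt(payload: object): string {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', JWT_SECRET).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

type LoginResult =
  | { access_token: string }
  | { statusCode: number; message: string | string[]; error: string };
function login(dto: { email?: unknown; password?: unknown }): LoginResult {
  // DTO validation with the messages documented under "Validation Errors".
  const msgs: string[] = [];
  if (typeof dto.email !== 'string' || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(dto.email)) msgs.push('email must be an email');
  if (typeof dto.password !== 'string' || dto.password.length === 0) msgs.push('password should not be empty');
  if (msgs.length > 0) return { statusCode: 400, message: msgs, error: 'Bad Request' };

  const user = ADMINS.find(a => a.email === dto.email);
  // Always run the hash comparison, even when the user is unknown or inactive.
  const passwordOk = timingSafeEqual(hashPassword(dto.password as string), user ? user.hash : DUMMY_HASH);
  // One generic response covers unknown email, inactive account and wrong password.
  if (!user || !user.isActive || !passwordOk) {
    return { statusCode: 400, message: 'Invalid credentials', error: 'Bad Request' };
  }
  const iat = Math.floor(Date.now() / 1000);
  return { access_token: signJwt({ id: user.id, email: user.email, role: user.role, iat }) };
}
```

The three failure cases are deliberately indistinguishable to the caller; only server-side logs should record which one occurred.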
