Login
POST /auth/login
curl --request POST \
  --url https://api.example.com/auth/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "password": "<string>"
}
'
{
  "access_token": "<string>"
}

Description

Authenticates a user with their email and password. On successful authentication, returns an access token and sets a refresh token as an HTTP-only cookie.
This endpoint is protected by rate limiting (ThrottlerGuard) to prevent brute force attacks.
Users must verify their email before they can log in. Unverified users will receive an authorization error.

Request Body

email
string
required
User’s email address (must be valid email format)
password
string
required
User’s password

Request Example

curl -X POST https://api.sociapp.com/auth/login \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{
    "email": "[email protected]",
    "password": "SecurePassword123!"
  }'

Response

Success Response

access_token
string
JWT access token valid for 15 minutes. Use this token in the Authorization header for authenticated requests.
The refresh token is automatically set as an HTTP-only cookie named refresh_token with the following properties:
  • Path: /auth/refresh
  • Max Age: 7 days
  • SameSite: strict
  • Secure: true (in production)
  • HttpOnly: true
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1LCJlbWFpbCI6Imp1YW4uZ2FyY2lhQGV4YW1wbGUuY29tIiwiaWF0IjoxNzA5NTUwMDAwLCJleHAiOjE3MDk1NTA5MDB9.abc123def456"
}

Error Responses

{
  "statusCode": 401,
  "message": "Invalid credentials",
  "error": "Unauthorized"
}

Authentication Flow

  1. User submits email and password
  2. System validates credentials using bcrypt password comparison
  3. System checks if email is verified
  4. If the verification code has expired, the registration is deleted
  5. On success, system generates two JWT tokens:
    • Access token (15 minutes expiry)
    • Refresh token (7 days expiry)
  6. Access token is returned in response body
  7. Refresh token is set as HTTP-only cookie

Using the Access Token

Include the access token in the Authorization header for authenticated requests:
curl -X GET https://api.sociapp.com/auth/me \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Token Payload

The JWT access token contains the following claims:
  • sub: User ID (IdUsuario)
  • email: User’s email address
  • iat: Issued at timestamp
  • exp: Expiration timestamp
