POST /auth/login
Login
curl --request POST \
  --url https://api.example.com/auth/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "phoneNumber": "<string>",
  "password": "<string>",
  "appAudience": "passenger_app",
  "sessionType": "web",
  "expectedUserType": "PASSENGER",
  "deviceInfo": {
    "os": "<string>",
    "browser": "<string>",
    "model": "<string>",
    "appVersion": "<string>"
  },
  "ipAddress": "<string>",
  "userAgent": "<string>",
  "location": {
    "latitude": 123,
    "longitude": 123,
    "city": "<string>",
    "country": "<string>"
  }
}
'
{
  "accessToken": "<string>",
  "refreshToken": "<string>",
  "sessionType": "web | mobile_app | api_client",
  "accessTokenExpiresAt": 123,
  "refreshTokenExpiresAt": 123
}
Authenticate a user and create a new session. Returns a JWT access token and a refresh token; for web sessions the refresh token is delivered as an HttpOnly cookie rather than in the response body (see sessionType).

Authentication

This endpoint is public and does not require authentication.

Request Body

email
string
User’s email address. Either email or phoneNumber is required.
phoneNumber
string
User’s phone number (7-20 characters). Either email or phoneNumber is required.
password
string
required
User’s password (8-100 characters).
appAudience
enum
required
Application audience that determines the expected user type. If the account's user type does not match the audience, the request is rejected with 403 Forbidden.
  • driver_app - Driver application (requires DRIVER user type)
  • passenger_app - Passenger application (requires PASSENGER user type)
  • admin_panel - Admin panel (requires ADMIN user type)
  • api_client - API client (requires ADMIN user type)
sessionType
enum
Type of session to create. If not provided, it will be inferred from device information.
  • web - Web browser session (refresh token sent via HttpOnly cookie)
  • mobile_app - Mobile application session (refresh token returned in response body)
  • api_client - API client session
expectedUserType
enum
Optional explicit user type check. When provided, the account's user type must equal this value in addition to satisfying the appAudience requirement.
  • DRIVER
  • PASSENGER
  • ADMIN
deviceInfo
object
Device information for session tracking.
deviceInfo.os
string
Operating system name
deviceInfo.browser
string
Browser name
deviceInfo.model
string
Device model
deviceInfo.appVersion
string
Application version
ipAddress
string
Client IP address as reported by the client in the request body, used for session tracking. Treat it as informational: it is whatever the caller put in the body, not the connection's source address.
userAgent
string
Client user agent string, likewise self-reported in the body.
location
object
User’s location information.
location.latitude
number
Latitude coordinate
location.longitude
number
Longitude coordinate
location.city
string
City name
location.country
string
Country name
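As an added example (not the Rodando API's own code), the following Python mirrors the field rules in the table above so a client can reject an unsendable body before the round trip. The audience-to-user-type mapping is taken from the appAudience description; the contradiction check between expectedUserType and appAudience is an inference from those two rules, not a documented server response, and the problem strings are this example's own, not the server's messages.

```python
"""Pre-flight validation of a /auth/login body against the documented rules.
Added example; the server performs its own validation and returns its own messages."""
from __future__ import annotations

# appAudience -> user type the server requires (from the appAudience field description)
APP_AUDIENCES = {
    "driver_app": "DRIVER",
    "passenger_app": "PASSENGER",
    "admin_panel": "ADMIN",
    "api_client": "ADMIN",
}
SESSION_TYPES = {"web", "mobile_app", "api_client"}
USER_TYPES = {"DRIVER", "PASSENGER", "ADMIN"}


def required_user_type(audience: str) -> str:
    """User type the server demands for an appAudience; KeyError on an unknown audience."""
    return APP_AUDIENCES[audience]


def validate_login_body(body: dict) -> list[str]:
    """Return a list of problems; an empty list means the body satisfies every
    constraint in the field table (identity, lengths, enums, audience/user type)."""
    problems: list[str] = []

    email = body.get("email")
    phone = body.get("phoneNumber")
    if not email and not phone:
        problems.append("either email or phoneNumber is required")
    if phone is not None and not (7 <= len(phone) <= 20):
        problems.append("phoneNumber must be 7-20 characters")

    password = body.get("password")
    if not isinstance(password, str):
        problems.append("password is required")
    elif not (8 <= len(password) <= 100):
        problems.append("password must be 8-100 characters")

    audience = body.get("appAudience")
    if audience not in APP_AUDIENCES:
        problems.append(f"appAudience must be one of {sorted(APP_AUDIENCES)}")

    session_type = body.get("sessionType")
    if session_type is not None and session_type not in SESSION_TYPES:
        problems.append(f"sessionType must be one of {sorted(SESSION_TYPES)}")

    expected = body.get("expectedUserType")
    if expected is not None:
        if expected not in USER_TYPES:
            problems.append(f"expectedUserType must be one of {sorted(USER_TYPES)}")
        elif audience in APP_AUDIENCES and APP_AUDIENCES[audience] != expected:
            # Inference, not a documented error: the audience demands one user type and
            # the explicit check demands another, so no account can satisfy both.
            problems.append(
                f"expectedUserType {expected} contradicts appAudience {audience} "
                f"(requires {APP_AUDIENCES[audience]})"
            )
    return problems


if __name__ == "__main__":
    print(validate_login_body({"phoneNumber": "+1234567890", "password": "securePassword123",
                               "appAudience": "driver_app", "expectedUserType": "PASSENGER"}))
```

Running the module prints the single contradiction problem for the sample body; a clean body yields an empty list.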

Response

accessToken
string
JWT access token for authenticating API requests. Valid for 15 minutes.
refreshToken
string
JWT refresh token for obtaining new access tokens. Only returned for mobile/API clients. For web sessions, this is sent as an HttpOnly cookie.
sessionType
enum
Type of session created.
  • web
  • mobile_app
  • api_client
accessTokenExpiresAt
number
Access token expiration timestamp in milliseconds since epoch.
refreshTokenExpiresAt
number
Refresh token expiration timestamp in milliseconds since epoch (typically 7 days).
The session ID (sid) and user information are embedded in the JWT access token payload, not returned as separate response fields. Decode the access token to read these values. Decoding the payload (base64url) does not verify it: only the server, which holds the signing key, can check the signature, so a client should use decoded claims for display and routing, never as proof of identity or role.

Error Responses

401 Unauthorized
error
Invalid credentials provided. The message ("Invalid email or password") is generic and does not reveal whether the account exists.
{
  "statusCode": 401,
  "message": "Email o contraseña inválidos"
}
403 Forbidden
error
Account is not active, or the user does not have permission for this application (appAudience does not match the account's user type). The two messages translate to "The account is not active" and "You do not have permission for this application".
{
  "statusCode": 403,
  "message": "La cuenta no está activa"
}
{
  "statusCode": 403,
  "message": "No tienes permisos para esta aplicación"
}
400 Bad Request
error
Invalid request parameters or an unexpected server-side error (the message translates to "Unexpected error during login"). Because unexpected failures also return 400, a client should not treat this status as proof that its own request was malformed.
{
  "statusCode": 400,
  "message": "Error inesperado durante el login"
}

Examples

Login with Email (Web)

# -c stores the refresh token, which a web session sets as an HttpOnly cookie instead of returning it in the body
curl -X POST https://api.rodando.com/auth/login \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{
    "email": "[email protected]",
    "password": "securePassword123",
    "appAudience": "passenger_app",
    "sessionType": "web"
  }'

Login with Phone Number (Mobile)

curl -X POST https://api.rodando.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "phoneNumber": "+1234567890",
    "password": "securePassword123",
    "appAudience": "driver_app",
    "sessionType": "mobile_app",
    "deviceInfo": {
      "os": "iOS",
      "model": "iPhone 14",
      "appVersion": "2.1.0"
    }
  }'

Response Example

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "sessionType": "mobile_app",
  "accessTokenExpiresAt": 1709999999999,
  "refreshTokenExpiresAt": 1710604799999
}
User information, session ID (sid), and user type are embedded in the JWT access token payload. Base64url-decoding the second segment of the token yields these claims (aud mirrors appAudience, role is the user type; iat and exp are in seconds, unlike the millisecond timestamps in the response body):
{
  "sub": "user-123",
  "sid": "550e8400-e29b-41d4-a716-446655440000",
  "aud": "driver_app",
  "role": "DRIVER",
  "iat": 1709999999,
  "exp": 1710000999
}

Notes

  • For web sessions, the refresh token is automatically set as an HttpOnly cookie and will not be present in the response body
  • For mobile and API clients, both tokens are returned in the response body
  • The appAudience parameter must match the user’s type (e.g., driver_app requires a DRIVER user)
  • User account must be in ACTIVE status to login
  • Sessions are tracked with device information for security and analytics purposes
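As an added example, not code from the Rodando API or its client libraries, the following Python handles a login response for all three session types described in the Notes: it takes the refresh token from the Set-Cookie header for web sessions (something in-browser JavaScript cannot do, which is the point of HttpOnly; a native or server-side client can) and from the body otherwise, reads sid and role from the token payload as shown in the decoded example above, and contrasts that unverified read with the HS256 verification the server performs (the sample header on this page is HS256). The signing secret, the cookie name "refreshToken", the cookie attributes and the sample responses are constructed for the example; the real cookie name is not documented on this page.

```python
"""Login response handling for web / mobile_app / api_client sessions.
Added example; token minting exists only so the example runs offline."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-signing-key"  # constructed; a real signing key never reaches a client


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # JWT drops '=' padding


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Server-side token creation (HS256, as in the page's sample header)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_claims_unverified(token: str) -> dict:
    """Client-side read of sid/role for display and routing. No signature check,
    so nothing returned here may drive an authorization decision."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Server-side check: pinned algorithm, constant-time signature compare, then expiry.
    Raises ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims["exp"] <= (now if now is not None else int(time.time())):
        raise ValueError("expired")
    return claims


class LoginError(Exception):
    """Carries statusCode and message from a 400/401/403 body."""
    def __init__(self, status: int, message: str):
        super().__init__(f"{status}: {message}")
        self.status, self.message = status, message


def parse_login_response(status: int, headers: dict, body: dict) -> dict:
    """Normalise a login response: refresh token from Set-Cookie for web sessions,
    from the body otherwise; sid and role from the (unverified) token payload."""
    if status != 200:
        raise LoginError(status, body.get("message", ""))  # 400 also covers "unexpected error"
    if body["sessionType"] == "web":
        cookie = headers.get("Set-Cookie", "")
        if "HttpOnly" not in cookie:
            raise ValueError("web session refresh cookie must be HttpOnly")
        refresh = cookie.split(";", 1)[0].split("=", 1)[1]  # "<name>=<value>; attrs"; name is assumed
    else:
        refresh = body["refreshToken"]
    claims = decode_claims_unverified(body["accessToken"])
    return {
        "access_token": body["accessToken"],
        "refresh_token": refresh,
        "sid": claims["sid"],
        "role": claims["role"],
        "expires_at_ms": body["accessTokenExpiresAt"],
        "claims_exp_ms": claims["exp"] * 1000,  # exp is seconds; the body field is milliseconds
    }


# Constructed sample: the page's claim set with exp = iat + 900 s (the documented 15 minutes).
SAMPLE_CLAIMS = {"sub": "user-123", "sid": "550e8400-e29b-41d4-a716-446655440000",
                 "aud": "driver_app", "role": "DRIVER", "iat": 1709999999, "exp": 1710000899}


def sample_response(session_type: str):
    """Constructed 200 response in the documented shape; refresh expiry is iat + 7 days."""
    body = {"accessToken": mint_hs256(SAMPLE_CLAIMS, SECRET), "sessionType": session_type,
            "accessTokenExpiresAt": 1710000899000, "refreshTokenExpiresAt": 1710604799000}
    if session_type == "web":
        cookie = "refreshToken=rt.web.example; HttpOnly; Secure; Path=/auth; SameSite=Strict"
        return 200, {"Set-Cookie": cookie}, body
    body["refreshToken"] = "rt.example"
    return 200, {}, body


if __name__ == "__main__":
    session = parse_login_response(*sample_response("mobile_app"))
    print(session["sid"], session["role"], verify_hs256(session["access_token"], SECRET)["aud"])
```

The client path (decode_claims_unverified) and the server path (verify_hs256) are kept as separate functions on purpose: the first is what a mobile app or SPA may do with the token it receives, the second needs the secret and therefore only ever runs behind the API.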
