Overview

Use valid admin credentials to receive a JWT access token. Use that token as Authorization: Bearer <token> on protected endpoints.

Endpoint

POST /auth/login

Authentication

No authentication required.

Rate Limiting

  • Limit: 5 requests per 60 seconds (configurable via THROTTLE_LOGIN_LIMIT)
  • Window: 60 seconds (configurable via THROTTLE_TTL_MS)

Request Body

  • username (string, required): Admin username. Example: admin
  • password (string, required): Admin password. Example: secret

Response

  • accessToken (string): JWT access token to use in subsequent requests. Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsInVzZXJuYW1lIjoiYWRtaW4ifQ.signature
  • tokenType (string): Token type (always "Bearer"). Example: Bearer
  • expiresIn (string): Token expiration duration. Example: 1h

Example Request

curl -X POST http://localhost:3000/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "username": "admin",
    "password": "secret"
  }'

Example Response

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsInVzZXJuYW1lIjoiYWRtaW4ifQ.signature",
  "tokenType": "Bearer",
  "expiresIn": "1h"
}

Error Codes

  Status Code  Description
  200          Login successful
  400          Validation error in request body (missing username or password)
  401          Invalid username or password
  429          Login rate limit exceeded (5 requests per 60 seconds)
  503          Rate limiter backend unavailable

Error Response Format

All errors follow this format:

{
  "statusCode": 400,
  "message": "username should not be empty",
  "error": "Bad Request"
}

The message field may be a string or an array of validation error messages.