
Endpoint

method (string, default: "POST"): HTTP Method
endpoint (string, default: "/login"): API Endpoint

Authentication

This endpoint does not require authentication (uses guest middleware).

Request Body

email (string, required): The user’s email address.
  • Must be a valid email format
password (string, required): The user’s password.
remember (boolean): Whether to remember the user’s session.
  • Default: false
  • When true, extends the session lifetime

Response

status (number, default: "204"): No Content - Login successful. Session is created and cookie is set.

Example Request

cURL
curl -X POST https://your-api.com/login \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "SecurePassword123!",
    "remember": true
  }'
Next.js
const response = await fetch('http://localhost:8000/login', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Accept': 'application/json',
  },
  credentials: 'include', // Important for session cookies
  body: JSON.stringify({
    email: '[email protected]',
    password: 'SecurePassword123!',
    remember: true,
  }),
});

if (response.status === 204) {
  // Login successful
}

Success Response

HTTP/1.1 204 No Content
Set-Cookie: laravel_session=...; path=/; httponly

Error Responses

Invalid Credentials (422)

{
  "message": "These credentials do not match our records.",
  "errors": {
    "email": [
      "These credentials do not match our records."
    ]
  }
}

Rate Limit Exceeded (422)

After 5 failed login attempts, the endpoint is rate limited:
{
  "message": "Too many login attempts. Please try again in 60 seconds.",
  "errors": {
    "email": [
      "Too many login attempts. Please try again in 60 seconds."
    ]
  }
}

Validation Error (422)

{
  "message": "The email field is required. (and 1 more error)",
  "errors": {
    "email": [
      "The email field is required."
    ],
    "password": [
      "The password field is required."
    ]
  }
}
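
All three error cases above return status 422, so a client has to tell them apart from the response body. The following is an added example, not part of the original documentation: the function name classifyLoginResponse is hypothetical, and it assumes the English messages shown on this page (a localized application would return different strings).

```javascript
// Added example: classify the documented /login outcomes from status + JSON body.
// Assumption: messages match the English strings shown in the error examples.
const THROTTLE_RE = /^Too many login attempts\. Please try again in (\d+) seconds?\.$/;
const FAILED_MSG = 'These credentials do not match our records.';

function classifyLoginResponse(status, body) {
  // 204 No Content: session created, cookie set, no body to parse.
  if (status === 204) return { kind: 'success' };

  // Anything that is not a well-formed 422 is outside the documented contract.
  const errors = body && body.errors;
  if (status !== 422 || typeof errors !== 'object' || errors === null) {
    return { kind: 'unexpected', status };
  }

  // Throttle and bad-credential errors are both reported under the "email" key.
  const emailErrors = Array.isArray(errors.email) ? errors.email : [];
  for (const msg of emailErrors) {
    const match = THROTTLE_RE.exec(String(msg));
    if (match) {
      // Expose the wait so the UI can disable the form instead of retrying.
      return { kind: 'throttled', retryAfterSeconds: Number(match[1]) };
    }
  }
  if (emailErrors.includes(FAILED_MSG)) {
    return { kind: 'invalid_credentials' };
  }

  // Remaining 422s are per-field validation failures.
  const fields = {};
  for (const [field, msgs] of Object.entries(errors)) {
    if (Array.isArray(msgs) && msgs.length > 0) fields[field] = msgs.map(String);
  }
  return { kind: 'validation', fields };
}
```

A caller would pass `response.status` and the parsed JSON body (or `null` for a 204) and stop retrying while the result is `throttled`, since further failed attempts increment the rate limiter counter.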

Rate Limiting

  • Maximum 5 login attempts per email/IP combination
  • Rate limit window resets after successful login
  • Lockout duration varies based on number of failed attempts
  • Rate limiting is tracked per email address + IP address combination

Notes

  • The session is regenerated after a successful login, which guards against session fixation
  • The remember parameter extends session lifetime when set to true
  • Authentication uses Laravel’s Auth::attempt() method
  • Failed login attempts increment the rate limiter counter
  • Successful login clears any existing rate limit counters
