POST /api/auth/login
Login
curl --request POST \
  --url https://api.example.com/api/auth/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "password": "<string>"
}
'
This endpoint authenticates a user with their email and password, returning a JWT token for subsequent authenticated requests.

Request Body

email (string, required)
    User’s email address or user ID used during signup
password (string, required)
    User’s password

Request Example

curl -X POST https://api.meetmates.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "securepassword123"
  }'

Response

token (string)
    JWT authentication token valid for 7 days. Include it in the Authorization header as Bearer <token> for protected endpoints.

Response Example

200 - Success
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjY1N2Y0ZDhlOTBjMjNhNDU2N2IzOGY5MSIsImlhdCI6MTcwMjg5NzYwMCwiZXhwIjoxNzAzNTAyNDAwfQ.xyz123..."
}

Error Responses

msg (string)
    Error message describing what went wrong
error (string)
    System error message (for 500 errors)

Error Codes

{
  "msg": "Login is only allowed with an @adgitmdelhi.ac.in email or a valid user ID."
}

Authentication

This endpoint does not require authentication. It is used to obtain the authentication token.

Token Details

The JWT token contains:
  • id: User’s MongoDB ObjectId
  • iat: Token issued at timestamp
  • exp: Token expiration timestamp (7 days from issue)

Using the Token

Include the token in subsequent requests using the Authorization header:
curl -X GET https://api.meetmates.com/api/protected-endpoint \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Security Notes

  • The email is normalized (trimmed and converted to lowercase) before lookup
  • Both incorrect email and incorrect password return the same “Invalid credentials” message to prevent user enumeration
  • Passwords are compared using bcrypt’s secure comparison method
  • The token expires after 7 days and must be refreshed
  • Google OAuth users cannot login using this endpoint (they don’t have passwords)
