POST /api/auth/login

Login
curl --request POST \
  --url https://api.example.com/api/auth/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "password": "<string>"
}
'
{
  "message": "<string>",
  "accessToken": "<string>",
  "refreshToken": "<string>",
  "user": {
    "id": 123,
    "email": "<string>",
    "nombre": {},
    "apellido": {},
    "telefono": {},
    "email_verified": true
  }
}
Authenticates a user with email and password, returning access and refresh tokens for subsequent API requests.
This endpoint has strict rate limiting: 5 requests per 15 minutes in production.

Request Body

  • email (string, required): User’s email address. Must be a valid email format.
  • password (string, required): User’s password. Cannot be empty.

Response

  • message (string): Success message indicating login was successful.
  • accessToken (string): JWT access token for authenticating API requests. Short-lived.
  • refreshToken (string): JWT refresh token for obtaining new access tokens. Long-lived.
  • user (object): The authenticated user object.
      • id (number): User’s unique identifier.
      • email (string): User’s email address.
      • nombre (string | null): User’s first name.
      • apellido (string | null): User’s last name.
      • telefono (string | null): User’s phone number.
      • email_verified (boolean): Whether the user’s email has been verified.

Error Responses

400 Bad Request

Returned when:
  • Email is missing or invalid type
  • Password is missing or invalid type

401 Unauthorized

Returned when:
  • Email or password is incorrect (generic message for security)
  • Account was registered with Google and has no password

500 Internal Server Error

Returned when:
  • Database query fails
  • Password comparison fails
  • Token generation fails
For security reasons, the API does not reveal whether a specific email exists in the system. Invalid credentials always return the same generic error message.
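The following is an added illustration, not the API's own code: a minimal login handler that implements the contract documented above (400 for a malformed body, one identical 401 for every credential failure, tokens only on success). The user store, the PBKDF2 password hashing, the opaque stand-in tokens and the error message strings are all assumptions; the real service issues JWTs and its storage scheme is not documented here.

```python
import hashlib
import hmac
import secrets

# Constructed user store. PBKDF2 with a fixed demo salt is an assumption
# for the example; it is not the real API's hashing scheme.
_SALT = b"constructed-demo-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {
    "juan@example.test": {"id": 123, "password_hash": _hash("securePassword123"), "nombre": "Juan"},
    # Account registered through Google: it has no password at all.
    "google@example.test": {"id": 124, "password_hash": None, "nombre": None},
}

# One shared body for every 401 so the response cannot distinguish
# "unknown email", "wrong password" and "Google account without password".
GENERIC_401 = (401, {"message": "Credenciales inválidas"})  # message text assumed


def login(body: dict) -> tuple[int, dict]:
    email, password = body.get("email"), body.get("password")
    # 400: missing or wrongly typed fields ("@" check stands in for full email validation).
    if not isinstance(email, str) or "@" not in email:
        return 400, {"message": "Email is missing or invalid"}
    if not isinstance(password, str) or password == "":
        return 400, {"message": "Password is missing or invalid"}
    user = USERS.get(email)
    stored = user["password_hash"] if user else None
    # Always derive the supplied hash, so the cost does not depend on whether the lookup hit.
    supplied = _hash(password)
    if stored is None or not hmac.compare_digest(supplied, stored):
        return GENERIC_401
    return 200, {
        "message": "Login exitoso",
        # Opaque random tokens stand in for the short-lived and long-lived JWTs.
        "accessToken": secrets.token_urlsafe(32),
        "refreshToken": secrets.token_urlsafe(32),
        "user": {"id": user["id"], "email": email, "nombre": user["nombre"]},
    }
```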

Example Request

curl -X POST https://api.tresacontafy.com/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "securePassword123"
  }'

Example Response

{
  "message": "Login exitoso",
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": 123,
    "email": "[email protected]",
    "nombre": "Juan",
    "apellido": "Pérez",
    "telefono": "+52 55 1234 5678",
    "email_verified": true
  }
}

Token Usage

Include the access token in subsequent API requests using the Authorization header:
Authorization: Bearer <accessToken>
When the access token expires, use the refresh token with the /api/auth/refresh endpoint to obtain a new access token.
