Authenticate an existing account using an email and password. A successful response includes a short-lived access token and a longer-lived refresh token you can use to obtain new access tokens without re-entering credentials.

Request

POST /auth/login

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| email | string | yes | The email address of the account. |
| password | string | yes | The account password. |
| role | string | no | Override the session role for this login. Accepted values: USER, RIDER, DRIVER, ADMIN. Falls back to the role stored on the account if omitted or unrecognized. |

Response

| Field | Type | Description |
| --- | --- | --- |
| accessToken | string | A signed JWT to include in the `Authorization: Bearer <token>` header of subsequent requests. |
| refreshToken | string | A token you can exchange for a new access token via Refresh Token. |
| tokenType | string | Always "Bearer". |
| expiresIn | number | Number of seconds until the access token expires. |
| name | string | The display name of the authenticated user. |
| role | string | The effective role for this session. |
| id | number | The numeric ID of the authenticated user. |

Example

```bash
curl -X POST http://localhost:8080/auth/login \
  -H "Content-Type: application/json" \
  -d '{"email": "alex@example.com", "password": "s3cur3P@ss"}'
```

Store the refreshToken securely (for example, in an HttpOnly cookie or secure storage). You need it to obtain a new access token once the current one expires. Never expose it in client-side JavaScript or logs.

Error codes

| Status | Meaning |
| --- | --- |
| 400 | email or password is missing |
| 401 | No account found for the given email, or the password is incorrect |
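As an added reference implementation (not this project's code), the following Python handler ties together the request fields, error codes and response shape documented above. It assumes an HS256 signing secret, a 15-minute access token, a constructed sample account, and a per-account set of permitted roles, so that a role override is honoured only when the account actually holds that role and otherwise falls back to the stored role.

```python
import base64, hashlib, hmac, json, secrets, time

ACCEPTED_ROLES = {"USER", "RIDER", "DRIVER", "ADMIN"}
SECRET = b"constructed-hs256-signing-key"   # assumption: server-side JWT secret
ACCESS_TTL = 900                            # assumption: access token lives 15 minutes
_SALT = b"constructed-salt"                 # constructed; a real store uses a per-user salt

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed sample account store; "permitted_roles" is an assumed per-account field.
USERS = {"alex@example.com": {"id": 42, "name": "Alex", "stored_role": "USER",
                              "permitted_roles": {"USER", "RIDER"},
                              "pw_hash": _hash("s3cur3P@ss")}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:
    # Compact HS256 JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def resolve_role(requested, account: dict) -> str:
    # Honour the override only if it is an accepted value the account actually holds;
    # any other value is treated as unrecognized and falls back to the stored role.
    if requested in ACCEPTED_ROLES and requested in account["permitted_roles"]:
        return requested
    return account["stored_role"]

def login(body: dict) -> tuple:
    """Return (status, json_body) for a POST /auth/login request body."""
    email, password = body.get("email"), body.get("password")
    if not email or not password:
        return 400, {"error": "email or password is missing"}
    account = USERS.get(email)
    candidate = _hash(password)  # hashed even for unknown emails to keep timing uniform
    # One combined 401 for both cases, so the response does not reveal which emails exist.
    if account is None or not hmac.compare_digest(candidate, account["pw_hash"]):
        return 401, {"error": "No account found for the given email, or the password is incorrect"}
    role = resolve_role(body.get("role"), account)
    now = int(time.time())
    access = sign_jwt({"sub": account["id"], "role": role, "iat": now, "exp": now + ACCESS_TTL})
    return 200, {"accessToken": access, "refreshToken": secrets.token_urlsafe(32),
                 "tokenType": "Bearer", "expiresIn": ACCESS_TTL,
                 "name": account["name"], "role": role, "id": account["id"]}
```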