Email/password login
On correct password, normally returns the user object and sets the access JWT cookie.
If the account has MFA enabled, returns { "mfa_required": true } (HTTP 200) and sets the slugbase.mfa_pending cookie instead of issuing an access JWT until POST /api/auth/mfa/verify succeeds.
Failed credentials always return 401 (no mfa_required) to avoid account enumeration.
curl -X POST "https://slugbase.app/api/auth/login" \
-H "Content-Type: application/json" \
-d '{
"email": "user@example.com",
"password": "example_string"
}'
import requests
import json
url = "https://slugbase.app/api/auth/login"
headers = {
"Content-Type": "application/json"
}
data = {
"email": "user@example.com",
"password": "example_string"
}
response = requests.post(url, headers=headers, json=data)
print(response.json())
const response = await fetch("https://slugbase.app/api/auth/login", {
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: JSON.stringify({
"email": "user@example.com",
"password": "example_string"
})
});
const data = await response.json();
console.log(data);
package main
import (
"fmt"
"net/http"
"bytes"
"encoding/json"
)
func main() {
data := []byte(`{
"email": "user@example.com",
"password": "example_string"
}`)
req, err := http.NewRequest("POST", "https://slugbase.app/api/auth/login", bytes.NewBuffer(data))
if err != nil {
panic(err)
}
req.Header.Set("Content-Type", "application/json")
client := &http.Client{}
resp, err := client.Do(req)
if err != nil {
panic(err)
}
defer resp.Body.Close()
fmt.Println("Response Status:", resp.Status)
}
require 'net/http'
require 'json'
uri = URI('https://slugbase.app/api/auth/login')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
request = Net::HTTP::Post.new(uri)
request['Content-Type'] = 'application/json'
request.body = '{
"email": "user@example.com",
"password": "example_string"
}'
response = http.request(request)
puts response.body
{
"id": "example_string",
"email": "user@example.com",
"name": "John Doe",
"user_key": "example_string",
"is_admin": true,
"email_verified": true,
"language": "example_string",
"theme": "example_string"
}
{
"mfa_required": true
}
{
"error": "Unauthorized",
"message": "Authentication required. Please provide a valid API token",
"code": 401
}
{
"error": "Forbidden",
"message": "You don't have permission to access this resource",
"code": 403
}
POST
/api/auth/login
POST
Content-Typestring
RequiredThe media type of the request body
Options: application/json
emailstring
Format: email
Request Preview
Response
Response will appear here after sending the request
Responses
idstring
emailstring
namestring
user_keystring
is_adminboolean
email_verifiedboolean
languagestring
themestring
mfa_requiredboolean
RequiredAllowed values:
trueerrorstring
errorstring
codestring
Was this page helpful?
Last updated Apr 17, 2026
Built with Documentation.AI