Email/password login

On correct password, normally returns the user object and sets the access JWT cookie. If the account has MFA enabled, returns { "mfa_required": true } (HTTP 200) and sets the slugbase.mfa_pending cookie instead of issuing an access JWT until POST /api/auth/mfa/verify succeeds. Failed credentials always return 401 (no mfa_required) to avoid account enumeration.

curl -X POST "//api/auth/login" \
  -H "Content-Type: application/json" \
  -d '{
  "email": "user@example.com",
  "password": "example_string"
}'

import requests
import json

url = "//api/auth/login"
headers = {
  "Content-Type": "application/json"
}
data = {
  "email": "user@example.com",
  "password": "example_string"
}

response = requests.post(url, headers=headers, json=data)
print(response.json())

const response = await fetch("//api/auth/login", {
  method: "POST",
  headers: {
  "Content-Type": "application/json"
},
  body: JSON.stringify({
  "email": "user@example.com",
  "password": "example_string"
})
});

const data = await response.json();
console.log(data);

package main

import (
    "fmt"
    "net/http"
    "bytes"
    "encoding/json"
)

func main() {
    data := []byte(`{
  "email": "user@example.com",
  "password": "example_string"
}`)

    req, err := http.NewRequest("POST", "//api/auth/login", bytes.NewBuffer(data))
    if err != nil {
        panic(err)
    }

    req.Header.Set("Content-Type", "application/json")

    client := &http.Client{}
    resp, err := client.Do(req)
    if err != nil {
        panic(err)
    }
    defer resp.Body.Close()

    fmt.Println("Response Status:", resp.Status)
}

require 'net/http'
require 'json'

uri = URI('//api/auth/login')
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true

request = Net::HTTP::Post.new(uri)
request['Content-Type'] = 'application/json'
request.body = '{
  "email": "user@example.com",
  "password": "example_string"
}'

response = http.request(request)
puts response.body

{
  "id": "example_string",
  "email": "user@example.com",
  "name": "John Doe",
  "user_key": "example_string",
  "is_admin": true,
  "email_verified": true,
  "language": "example_string",
  "theme": "example_string"
}

POST

/api/auth/login

POST

Content-Typestring

Required

The media type of the request body

Options: application/json

emailstring

Format: email

passwordstring

Request Preview

Response

Response will appear here after sending the request

Body

application/json

emailstring

passwordstring

Responses

idstring

emailstring

namestring

user_keystring

is_adminboolean

email_verifiedboolean

languagestring

themestring

mfa_requiredboolean

Required

Allowed values:true

errorstring

codestring

Was this page helpful?

Last updated Apr 17, 2026

Built with Documentation.AI

{ "id": "example_string", "email": "user@example.com", "name": "John Doe", "user_key": "example_string", "is_admin": true, "email_verified": true, "language": "example_string", "theme": "example_string" }