Authenticate user
POST /api/auth/login
Authenticates the user and creates a new session. Returns a short-lived access token (30 minutes) and a long-lived refresh token (7 days). The access token is validated against the session record in the database on every request. When the access token expires, call POST /api/auth/refresh with the refresh token to rotate both tokens and extend the session by another 30 minutes. The Remember Me choice is a frontend storage decision: store tokens in localStorage (persists across browser restarts) or sessionStorage (cleared when the tab closes). The backend issues the same token lifetimes regardless of this choice.
Request
Responses
- 200: Login successful. Access token expires in 30 minutes; refresh token expires in 7 days.
- 400: Validation error
- 401: Invalid credentials or account locked
- 429: Too many authentication attempts, please try again later
- 500: Server error
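The login, storage and refresh-on-401 flow described above, as an added client-side example (not the project's own code). It assumes a fetch-compatible `fetchImpl`, a `storage` object with the Web Storage API (`localStorage` for Remember Me, `sessionStorage` otherwise), and that the JSON bodies of `/api/auth/login` and `/api/auth/refresh` use the field names `accessToken` and `refreshToken`.

```javascript
// Added example client for the login / refresh flow documented above (not the
// project's own code). Assumes fetchImpl is fetch-compatible, storage implements
// the Web Storage API, and JSON bodies use fields accessToken / refreshToken.
class AuthClient {
  constructor(fetchImpl, storage) {
    this.fetch = fetchImpl;
    this.storage = storage; // localStorage (Remember Me) or sessionStorage
  }
  post(path, body) {
    return this.fetch(path, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(body),
    });
  }
  // Rotation replaces both tokens at once; the previous refresh token is dropped.
  store(tokens) {
    this.storage.setItem('accessToken', tokens.accessToken);
    this.storage.setItem('refreshToken', tokens.refreshToken);
  }
  clear() {
    this.storage.removeItem('accessToken');
    this.storage.removeItem('refreshToken');
  }
  // Returns true on 200; 400 / 401 / 429 leave storage untouched and return false.
  async login(username, password) {
    const res = await this.post('/api/auth/login', { username, password });
    if (res.status !== 200) return false;
    this.store(await res.json());
    return true;
  }
  // Rotates both tokens; a failed refresh (expired or revoked session) clears
  // local state so the app falls back to the login screen.
  async refresh() {
    const refreshToken = this.storage.getItem('refreshToken');
    if (!refreshToken) return false;
    const res = await this.post('/api/auth/refresh', { refreshToken });
    if (res.status !== 200) { this.clear(); return false; }
    this.store(await res.json());
    return true;
  }
  // Authenticated call: on 401 (access token expired), refresh once, retry once.
  async request(path, init = {}) {
    const attempt = () => this.fetch(path, { ...init, headers: { ...(init.headers || {}),
      Authorization: `Bearer ${this.storage.getItem('accessToken')}` } });
    let res = await attempt();
    if (res.status === 401 && (await this.refresh())) res = await attempt();
    return res;
  }
}
```

In a browser, pass `window.fetch` together with `window.localStorage` or `window.sessionStorage` depending on the Remember Me choice.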