
POST /api/login

Authenticates a user with email and password credentials. Returns an access token in the response body and sets HTTP-only cookies for both the access and refresh tokens (with the Secure attribute in production).

Request Body

email
string
required
User’s email address (will be normalized: lowercased and trimmed before lookup)
Validation: Must be a valid email format
password
string
required
User’s password

Response

message
string
Success message
accessToken
string
JWT access token for API authentication

Cookies Set

The endpoint sets two HTTP-only cookies:
refreshToken
cookie
Expiry: 9 days in development, 8 days in production
Development:
  • httpOnly: true
  • secure: false
  • sameSite: Lax
  • expires: 9 days
Production:
  • httpOnly: true
  • secure: true
  • sameSite: Strict
  • domain: .deployhub.cloud
  • expires: 8 days
AccessToken
cookie
Expiry: 10 hours in development, 6 hours in production
Development:
  • httpOnly: true
  • secure: false
  • sameSite: Lax
  • expires: 10 hours
Production:
  • httpOnly: true
  • secure: true
  • sameSite: Strict
  • domain: .deployhub.cloud
  • expires: 6 hours

Status Codes

  • 200 - Login successful
  • 400 - Validation error, account doesn’t exist, or invalid password
  • 500 - Internal server error

Example Request

curl -X POST https://api.deployhub.cloud/api/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "john@example.com",
    "password": "SecurePass123!"
  }'

Example Response

{
  "message": "Login Success",
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Error Responses

{
  "error": "Invalid email Formet"
}

Token Details

Access Token JWT Payload:
{
  "_id": "user_id",
  "verified": true,
  "exp": 1234567890
}
Refresh Token JWT Payload:
{
  "_id": "user_id",
  "exp": 1234567890
}

Notes

  • Passwords are compared using bcrypt hashing
  • The refresh token is stored in the database for validation
  • Access tokens should be included in the Authorization header for authenticated requests
  • Email addresses are normalized before lookup (lowercase, trimmed)