Skip to main content
POST
/
api
/
auth
/
login
Login
curl --request POST \
  --url https://api.example.com/api/auth/login \
  --header 'Content-Type: application/json' \
  --data '
{
  "Email": "<string>",
  "Password": "<string>"
}
'
{
  "AccessToken": "<string>",
  "RefreshToken": "<string>",
  "AccessTokenExpiry": {},
  "User": {}
}

Description

Authenticates a user with email and password credentials. Returns authentication tokens upon successful login. The service implements brute-force protection: after 5 failed login attempts, the account is temporarily locked for 15 minutes.

Authentication

No authentication required.

Request Body

Email
string
required
User’s email address. Must be a valid email format.
Password
string
required
User’s password.

Response

AccessToken
string
JWT access token for authenticating subsequent requests. Typically expires in 15 minutes.
RefreshToken
string
Refresh token used to obtain new access tokens. Typically expires in 7 days.
AccessTokenExpiry
datetime
ISO 8601 timestamp indicating when the access token expires.
User
object
User information object containing:
  • Id (guid): Unique user identifier
  • Username (string): The username
  • Email (string): The user’s email address
  • CreatedAt (datetime): Account creation timestamp

Status Codes

  • 200 OK: Successfully authenticated
  • 401 Unauthorized: Invalid credentials, account inactive, or account locked

Example Request

cURL
curl -X POST http://localhost:5000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "Email": "john@example.com",
    "Password": "SecureP@ss123"
  }'

Example Response

200 OK
{
  "AccessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "RefreshToken": "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
  "AccessTokenExpiry": "2026-03-10T15:45:00Z",
  "User": {
    "Id": "123e4567-e89b-12d3-a456-426614174000",
    "Username": "johndoe",
    "Email": "john@example.com",
    "CreatedAt": "2026-03-10T15:30:00Z"
  }
}
401 Unauthorized
{
  "message": "Credenciales inválidas."
}
401 Account Locked
{
  "message": "Cuenta bloqueada temporalmente. Intenta en 12 minuto(s)."
}