Skip to main content


Use the login endpoint to authenticate your user and allow them to access secure endpoints.


If your application is available on Safari please use the noATCookie parameter to get the access token in the response headers. Safari by default blocks 3rd party cookies, so you won't be able to use authentication.

Request data

HTTP method: POST

URL format: https://baseUrl/versionNumber/customEndpointRoute/userEndpoint?key=apiKey&login=true[&dataOnly=true][&noATCookie=true]


Request Headers

Content-TypeYesSpecifies the MIME type of the body of the Request.

It must be application/json.

Request Parameters

The following table describes the Request parameters.

baseUrlBase url for calling the API.


versionNumberService version.

Value: The current value is 1.

customEndpointRouteThe route which identifies custom endpoints.

Default value: ce

userEndpointThe endpoint name generated by the user.

Value: the name created at

keyThe API Key of the project.Yes
loginRequired to perform a login.

Value: true

dataOnlyIf used, the endpoint response will be the POST body, without additional information such as ‘uniqueId’.

Value: true


If used, the access token will be returned in the Authorization header instead of the httpOnly cookie. Use this if your application will be available on Safari, since 3rd party cookies are blocked by default.

You should also use this if you plan to use authentication on non browser environments.

Value: true


POST body

The login endpoint expects a JSON with user credentials.

See the table below for more details:

usernameType: StringYes - if email is not used
emailType: StringYes - if username is not used

The user password.

Type: String


Note: Your users can log in with username or email, not both.

Response data

Error codes

Error codeDescription
400Possible reasons:
  • Endpoint or API Key not valid.
  • Wrong Content-Type, it only accepts "application/json".
  • Empty Request body.
  • If username/email or password are not present in the request body.
401Invalid credentials.
403Missing API Key, not allowed origin or disallowed request without orign.

Successful response

uniqueId: "3f38bf9e1bb54d2396d1f1b8fbba1630",
data: { username: "usernameeee" },
createdAt: "2020-12-27T10:58:45.000Z",
updatedAt: "2020-12-27T10:58:45.000Z"

Response Cookies

__Secure-rested-access-tokenIf the credentials are valid, the access token is sent in a httpOnly cookie as part of the response. httpOnly cookies are not accessible via JS.

This token/cookie is valid for 30 days.

To generate a new one a new login is required.

This cookie is deleted when logout is performed.

Note: The cookie is only returned if the noATCookie parameter is not used.

Response Headers


If the credentials are valid and the noATCookie parameter is used, the access token will be returned in the Authorization header following the Bearer schema.

The access token should be stored on the client side and sent in the Authorization header of the request for secure endpoints.