Exchange email + password for a JWT
Exchange email + password for a JWT
Returns a session JWT plus the `workspace_id` and `user_id`. The
account's email must be verified before login succeeds; an
unverified account returns `403 EMAIL_NOT_VERIFIED`.
Failed attempts are throttled per email. After 5 failures within
15 minutes a 30-second cooldown is enforced; after 10 the account
is locked out for the remainder of the 15-minute window. Both
states return `429 TOO_MANY_ATTEMPTS` with a `retry_after` field
in the JSON body. Rate-limited to 20 requests per minute per
source IP independently of email-based throttling.
Request
This endpoint expects an object.
email
password
Response
Authentication successful
token
Signed JWT — use as Authorization: Bearer {token} for subsequent dashboard requests. Distinct from API keys (pk_*), which never expire.
workspace_id
Workspace owned by this user.
user_id
Errors
401
Login Request Unauthorized Error
403
Login Request Forbidden Error
429
Login Request Too Many Requests Error