Exchange email + password for a JWT

Returns a session JWT plus the `workspace_id` and `user_id`. The account's email must be verified before login succeeds; an unverified account returns `403 EMAIL_NOT_VERIFIED`. Failed attempts are throttled per email. After 5 failures within 15 minutes a 30-second cooldown is enforced; after 10 the account is locked out for the remainder of the 15-minute window. Both states return `429 TOO_MANY_ATTEMPTS` with a `retry_after` field in the JSON body. Rate-limited to 20 requests per minute per source IP independently of email-based throttling.

Request

This endpoint expects an object.
emailstringRequired
passwordstringRequired

Response

Authentication successful
tokenstring

Signed JWT — use as Authorization: Bearer {token} for subsequent dashboard requests. Distinct from API keys (pk_*), which never expire.

workspace_idstring
Workspace owned by this user.
user_idstring

Errors

401
Login Request Unauthorized Error
403
Login Request Forbidden Error
429
Login Request Too Many Requests Error