Skip to content

Password login (namespace-scoped)

POST
/v1/ns/{nsid}/login
curl --request POST \
--url https://example.com/v1/ns/2489E9AD-2EE2-8E00-8EC9-32D5F69181C0/login \
--header 'Content-Type: application/json' \
--data '{ "username": "example", "email": "example", "password": "example" }'

Authenticates a user owned by this namespace. On success the response is either a bootstrap LoginResponse (no TOTP enrolled — enroll one, then log in again) or a PasswordLoginChallengeResponse (TOTP enrolled — complete the 2FA step).

nsid
required
string format: uuid

Namespace UUID

Media typeapplication/json

Supply exactly one of username/email (username wins if both are set) plus the password.

object
username
string
email
string
password
required
string
Examplegenerated
{
"username": "example",
"email": "example",
"password": "example"
}

Bootstrap token, or a 2FA challenge

Media typeapplication/json
One of:

Returned by the API-key login and the 2FA-exchange step with a full token, and by password login (no TOTP enrolled) with a bootstrap token.

object
success
required
boolean
token
required

The JWT to send as Authorization: Bearer <jwt>.

string
type
required

full grants every endpoint the user is authorized for; bootstrap only opens the TOTP-enrollment endpoints.

string
Allowed values: full bootstrap
Example
{
"type": "full"
}

Error response

Media typeapplication/problem+json

RFC 7807 Problem Details

object
type

Problem type slug URI

string
title
string
status
integer
detail
string
key
additional properties
any
Examplegenerated
{
"type": "example",
"title": "example",
"status": 1,
"detail": "example"
}