Login

curl -X POST https://your-instance.replit.app/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your-secure-password"
  }' \
  -c cookies.txt

{
  "message": "Login successful",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "email": "[email protected]",
    "organizationId": "660e8400-e29b-41d4-a716-446655440000",
    "role": "admin",
    "firstName": "John",
    "lastName": "Doe"
  }
}

POST

api

auth

curl -X POST https://your-instance.replit.app/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your-secure-password"
  }' \
  -c cookies.txt

{
  "message": "Login successful",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "email": "[email protected]",
    "organizationId": "660e8400-e29b-41d4-a716-446655440000",
    "role": "admin",
    "firstName": "John",
    "lastName": "Doe"
  }
}

Overview

Authenticates a user with email and password. On success, sets an HTTP-only session cookie that must be included in all subsequent requests.

Request Body

string

required

User’s email address

password

string

required

User’s password (minimum 8 characters)

Response

message

string

Success message

user

object

User object containing:

Show user properties

string

User’s unique identifier (UUID)

string

User’s email address

organizationId

string

User’s organization ID (UUID)

role

string

User’s role: user, admin, or super_admin

firstName

string

User’s first name

lastName

string

User’s last name

curl -X POST https://your-instance.replit.app/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "your-secure-password"
  }' \
  -c cookies.txt

{
  "message": "Login successful",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "email": "[email protected]",
    "organizationId": "660e8400-e29b-41d4-a716-446655440000",
    "role": "admin",
    "firstName": "John",
    "lastName": "Doe"
  }
}

Notes

The session cookie (sessionId) is automatically set in the response headers. It expires after 7 days of inactivity.

The response includes a Set-Cookie header:

Set-Cookie: sessionId=abc123...; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=604800

Cookie Properties:

HttpOnly: Cannot be accessed by JavaScript (security)
Secure: Only sent over HTTPS
SameSite=Strict: CSRF protection
Max-Age: 7 days (604800 seconds)

Using the Session

Include the session cookie in all subsequent requests:

// Fetch automatically includes cookies when credentials: 'include'
fetch('https://your-instance.replit.app/api/customers', {
  credentials: 'include'
});

API documentation

Endpoint examples

Overview

Request Body

Response

Notes

Using the Session

Next Steps

View All Auth Endpoints

API documentation

Endpoint examples

​Overview

​Request Body

​Response

​Notes

​Session Cookie

​Using the Session

​Next Steps

View All Auth Endpoints

Overview

Request Body

Response

Notes

Session Cookie

Using the Session

Next Steps