
POST /api/auth/login

Authenticates a user and returns a JWT token. Supports TOTP-based two-factor authentication.

Request

email (string, required): Registered email address.
password (string, required): Account password.
totpCode (string, optional): Six-digit TOTP code from an authenticator app. Required if 2FA is enabled on the account.
backupCode (string, optional): One-time backup code. Use this instead of totpCode if the authenticator app is unavailable.

curl -X POST https://auth.panguard.ai/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "secureP@ssw0rd"
  }'

Response

{
  "ok": true,
  "data": {
    "user": {
      "id": "usr_a1b2c3d4e5f6",
      "email": "user@example.com",
      "name": "Alice Chen",
      "tier": "solo",
      "totpEnabled": false
    },
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "expiresAt": "2026-03-08T12:00:00.000Z"
  }
}

Two-Factor Authentication Flow

When 2FA is enabled on an account, the login process requires two steps:
The totpCode and backupCode fields are mutually exclusive. Provide one or the other, not both. Backup codes are single-use and are consumed upon successful authentication.

Token Lifetime

JWT tokens expire after 24 hours by default. The expiresAt field indicates the exact expiration timestamp. To maintain a session, re-authenticate before the token expires.
The CLI (panguard login) handles the full login flow automatically, including 2FA prompts and secure token storage in ~/.panguard/credentials.json.
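As an added example (not the project's own client or CLI code), a small Python helper that builds the login body while enforcing the totpCode/backupCode exclusivity rule described under the 2FA flow, unwraps the documented response envelope, and decides when to re-authenticate ahead of expiresAt. The endpoint URL is the one shown above; the `send` callable, the five-minute refresh margin and the sample response are assumptions.

```python
import json
import urllib.request
from datetime import datetime, timedelta

LOGIN_URL = "https://auth.panguard.ai/api/auth/login"

def build_login_body(email, password, totp_code=None, backup_code=None):
    # totpCode and backupCode are mutually exclusive; pass exactly one (or neither).
    if totp_code and backup_code:
        raise ValueError("totpCode and backupCode are mutually exclusive")
    body = {"email": email, "password": password}
    if totp_code:
        if not (len(totp_code) == 6 and totp_code.isdigit()):
            raise ValueError("totpCode must be a six-digit code")
        body["totpCode"] = totp_code
    elif backup_code:
        body["backupCode"] = backup_code  # single-use; consumed on success
    return body

def parse_timestamp(value):
    # expiresAt is ISO-8601 UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse_login_response(raw):
    # Unwrap the {"ok": ..., "data": ...} envelope; fail closed on anything unexpected.
    resp = json.loads(raw)
    if not resp.get("ok") or "data" not in resp:
        raise RuntimeError("login failed: %s" % raw)
    data = resp["data"]
    return data["token"], parse_timestamp(data["expiresAt"])

def needs_reauth(expires_at, now, margin=timedelta(minutes=5)):
    # Re-authenticate before expiry instead of sending a request that will be rejected.
    return now + margin >= expires_at

def login(body, send=None):
    # POST the body; `send(url, payload) -> response text` can be swapped for a stub.
    if send is None:
        def send(url, payload):
            req = urllib.request.Request(url, data=payload.encode(), method="POST",
                                         headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=10) as r:
                return r.read().decode()
    return parse_login_response(send(LOGIN_URL, json.dumps(body)))

# Constructed sample response in the documented shape (the token is not a real JWT).
SAMPLE_RESPONSE = json.dumps({"ok": True, "data": {"user": {"id": "usr_example"},
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.example.sig",
    "expiresAt": "2026-03-08T12:00:00.000Z"}})
```

Call `login(build_login_body(...))` against the live endpoint, or pass `send=lambda url, payload: SAMPLE_RESPONSE` to exercise the parsing offline.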