Login
Valid credentials return a tenant-scoped access token and rotate the refresh-token cookie. When `tenantId` is omitted, the service selects the user's most recent membership.
Request Body
application/json
Response Body
application/json
```bash
curl -X POST "https://api.monitoring.crahe-arthur.com/api/v1/auth/login" \
  -H "Content-Type: application/json" \
  -d '{ "email": "admin@acme.example", "password": "correct horse battery staple" }'
```

```json
{
  "accessToken": "eyJhbGciOi...",
  "user": {
    "id": "018f7b9a-57dd-4748-9e13-6e3e3e5b9eaf",
    "email": "admin@acme.example",
    "fullName": "Arthur Crahé"
  },
  "tenant": {
    "id": "018f7b9a-6f8d-4c1d-8d72-1bbecdadc101",
    "slug": "acme-monitoring",
    "orgRole": "owner"
  }
}
```

Register tenant
Creates the user and an owner-scoped tenant in a single transaction. The tenant display name mirrors `fullName`; the URL slug is derived from it server-side and a random suffix is appended on collision (the user never picks one). Owners can rename the tenant later from the settings.
Refresh session
Reads the refresh token from the HTTP-only cookie. The active tenant is taken from the persisted refresh-token row (audit F-002 / ASVS V3.5.1) — the `X-Tenant-Id` header is consulted only as a defence-in-depth equality check; switching tenants is the `/auth/switch-tenant` endpoint's job. Replay detection clears the client cookie.
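
The refresh rules described above, as an added sketch that is not the service's own code: the tenant comes from the stored refresh-token row, `X-Tenant-Id` is only compared against it, and a replayed token clears the cookie. The in-memory `Map`, the names `createStore`, `issue`, `refreshSession` and `mintToken`, the status codes, and revoking the token family on replay are all assumptions.

```javascript
// Constructed in-memory stand-in for the refresh-token table (hypothetical schema).
// Rows: token -> { userId, tenantId, familyId, used }
function createStore() {
  return new Map();
}

function issue(store, token, userId, tenantId, familyId) {
  store.set(token, { userId, tenantId, familyId, used: false });
}

// cookieToken: value of the HTTP-only refresh cookie.
// headerTenantId: X-Tenant-Id header value, or undefined when absent.
// mintToken: caller-supplied generator (assumption; use a CSPRNG in a real service).
function refreshSession(store, cookieToken, headerTenantId, mintToken) {
  const row = store.get(cookieToken);
  if (!row) {
    return { status: 401, clearCookie: true, reason: "unknown_token" };
  }
  if (row.used) {
    // Replay: an already-rotated token came back. Clear the client cookie.
    // Revoking the rest of the token family is an assumption of this sketch.
    for (const [token, other] of store) {
      if (other.familyId === row.familyId) store.delete(token);
    }
    return { status: 401, clearCookie: true, reason: "replay" };
  }
  // The header never selects the tenant; it may only agree with the stored row.
  if (headerTenantId !== undefined && headerTenantId !== row.tenantId) {
    return { status: 403, clearCookie: false, reason: "tenant_mismatch" };
  }
  row.used = true; // rotate: the old token is spent, a new one replaces it
  const next = mintToken();
  issue(store, next, row.userId, row.tenantId, row.familyId);
  return { status: 200, clearCookie: false, tenantId: row.tenantId, setCookie: next };
}
```

A mismatched header is rejected without consuming the token, so a client that sends a stale `X-Tenant-Id` does not lose its session in this sketch.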