
Login as Local or Guest

The auth flows for logging in with a local account or as a guest

Log in with Local Account

This flow verifies that a user can successfully register a local account and then log in.

Step 1: Register Local Account

  1. Call POST /api/auth/register with the following request body:
     {
       "firstName": "Cersei",
       "lastName": "Lannister",
       "email": "cersei-lannister@gmail.com",
       "password": "C3rs3i#L4nnist3r",
       "passwordConfirm": "C3rs3i#L4nnist3r"
     }

     Or

     {
       "firstName": "Cersei",
       "lastName": "Lannister",
       "username": "cersei-lannister",
       "password": "C3rs3i#L4nnist3r",
       "passwordConfirm": "C3rs3i#L4nnist3r"
     }
  2. Expect a 200 OK response with the following body:
     {
       "success": true
     }
Note

Only registration with a valid email address requires email confirmation; if you register without an email (username only), Step 2 is not required.

Step 2: Confirmation email with sent code (required for email registration only)

  1. Call GET /api/auth/confirm-email/:verifyToken, where :verifyToken is the verification token sent to the user's email address.
  2. Expect a 200 OK response with the following body:
     {
       "success": true,
       "message": "Email verified"
     }

Step 3: Log in with password and username or email

  1. Call POST /api/auth/login with the following request body:
     {
       "type": "password",
       "clientId": "client-app-id",
       "withPassword": {
         "emailOrUsername": "cersei-lannister@gmail.com",
         "password": "C3rs3i#L4nnist3r"
       }
     }
  2. Expect a 200 OK response with an accessToken property:
     {
       "accessToken": "...",
       "refreshToken": "..."
     }
Note

If the user logs in before confirming the email, an access token is still issued, but every subsequent call is rejected with a 401 HTTP status and the message 'Email is not verified'.

Only the /api/auth/resend-email-verification API is callable at this point.

Log in as Guest Account

Step 1: Log in as Guest

  1. Call POST /api/auth/login with the following request body:
     {
       "type": "guest",
       "clientId": "client-app-id",
       "asGuest": {
         "username": "cersei-lannister@gmail.com"
       }
     }

     To let the server pick a random username, pass asGuest = {}

  2. Expect a 200 OK response with an accessToken property:
     {
       "accessToken": "...",
       "refreshToken": "..."
     }

Additionally include device and location info

The login methods accept some extra fields carrying device and location information alongside the user credential data. This information is stored as the user's last-logged-in info for administrator purposes.

{
  //... credential data
  "deviceInfo": {
    "deviceType": "string",
    "os": "string",
    "browser": "string",
    "deviceId": "string",
    "deviceBrand": "string",
    "deviceModel": "string"
  },
  "locationInfo": {
    "latitude": 0,
    "longitude": 0,
    "city": "string",
    "state": "string",
    "country": "string"
  }
}

Use Access Token to access other API

After logging in, use the access token to authenticate subsequent requests to your server by attaching an Authorization: Bearer ... header:

curl -X GET \
  https://example.com/api \
  -H 'Authorization: Bearer your_token_here'
  • POST /api/auth/register: Register a new account.
  • GET /api/auth/confirm-email/:verifyToken: Confirm the email address with the provided token.
  • POST /api/auth/login: Log in a user.
  • POST /api/auth/link/google: Link the account with Google.
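The local-account and guest flows above, plus the bearer-token usage, as one added example that is not the project's own client code: a small Python client for the register, confirm-email, password-login and guest-login calls, together with a constructed in-memory stand-in for the server that implements only the rules this page states (email confirmation needed for email registration only; a token issued before confirmation is rejected with 401 'Email is not verified' on everything except /api/auth/resend-email-verification). The base URL https://example.com, the transport hook signature, the /api/profile endpoint, the 'Invalid credentials' and 'Unauthorized' messages and the token format are assumptions of this example; the real API's error bodies may differ.

```python
# Added example (not the project's own client). Endpoint paths, JSON shapes and the
# "Email is not verified" rule come from this page; the base URL, the transport hook,
# the /api/profile path and FakeAuthServer are constructed so the flow runs offline.
import json, secrets
import urllib.error, urllib.parse, urllib.request


def http_transport(method, url, headers, body):  # real transport; FakeAuthServer below is the stub
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:  # 4xx/5xx replies still carry a JSON body
        return err.code, json.loads(err.read() or b"{}")


class AuthClient:
    def __init__(self, base_url, client_id, transport=http_transport):
        self.base_url, self.client_id, self.transport = base_url.rstrip("/"), client_id, transport

    def call(self, method, path, body=None, token=None):
        headers = {"Content-Type": "application/json"}
        if token:  # Authorization: Bearer <accessToken> on every call after login
            headers["Authorization"] = f"Bearer {token}"
        data = json.dumps(body).encode() if body is not None else None
        return self.transport(method, self.base_url + path, headers, data)

    def register(self, first_name, last_name, password, email=None, username=None):
        if (email is None) == (username is None):
            raise ValueError("register with exactly one of email or username")
        body = {"firstName": first_name, "lastName": last_name,
                "password": password, "passwordConfirm": password}
        body["email" if email else "username"] = email or username
        return self.call("POST", "/api/auth/register", body)

    def confirm_email(self, verify_token):  # Step 2, e-mail registrations only
        return self.call("GET", "/api/auth/confirm-email/" + urllib.parse.quote(verify_token))

    def login_with_password(self, email_or_username, password, **extra):
        # extra may carry deviceInfo / locationInfo, kept server-side as last-login info
        body = {"type": "password", "clientId": self.client_id, **extra,
                "withPassword": {"emailOrUsername": email_or_username, "password": password}}
        return self.call("POST", "/api/auth/login", body)

    def login_as_guest(self, username=None, **extra):
        as_guest = {"username": username} if username else {}  # {} asks for a random username
        body = {"type": "guest", "clientId": self.client_id, "asGuest": as_guest, **extra}
        return self.call("POST", "/api/auth/login", body)


class FakeAuthServer:
    """Constructed in-memory stand-in implementing only the behaviour this page describes."""
    def __init__(self):
        self.users, self.tokens, self.pending, self.last_verify_token = {}, {}, {}, None

    def __call__(self, method, url, headers, body):
        path, data = urllib.parse.urlparse(url).path, (json.loads(body) if body else {})
        if path == "/api/auth/register":
            key = data.get("email") or data.get("username")
            self.users[key] = {"password": data["password"], "verified": "email" not in data}
            if "email" in data:  # a real server e-mails this token to the user
                self.last_verify_token = secrets.token_urlsafe(8)
                self.pending[self.last_verify_token] = key
            return 200, {"success": True}
        if path.startswith("/api/auth/confirm-email/"):
            self.users[self.pending.pop(path.rsplit("/", 1)[1])]["verified"] = True
            return 200, {"success": True, "message": "Email verified"}
        if path == "/api/auth/login":
            if data["type"] == "guest":
                key = data["asGuest"].get("username") or "guest-" + secrets.token_hex(4)
                self.users.setdefault(key, {"password": None, "verified": True})
            else:
                cred, key = data["withPassword"], data["withPassword"]["emailOrUsername"]
                user = self.users.get(key)
                if user is None or user["password"] != cred["password"]:
                    return 401, {"message": "Invalid credentials"}  # constructed message
            access = secrets.token_urlsafe(16)
            self.tokens[access] = key
            return 200, {"accessToken": access, "refreshToken": secrets.token_urlsafe(16)}
        # Any other path is protected: known bearer token plus (except resend) a verified e-mail
        auth = headers.get("Authorization", "")
        key = self.tokens.get(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
        if key is None:
            return 401, {"message": "Unauthorized"}
        if not self.users[key]["verified"] and path != "/api/auth/resend-email-verification":
            return 401, {"message": "Email is not verified"}
        return 200, {"user": key}


def run_local_flow(client, fetch_verify_token, protected_path="/api/profile"):
    # Steps 1-3 for an e-mail registration, probing a protected call before and after Step 2.
    client.register("Cersei", "Lannister", "C3rs3i#L4nnist3r", email="cersei-lannister@gmail.com")
    _, tokens = client.login_with_password("cersei-lannister@gmail.com", "C3rs3i#L4nnist3r")
    before = client.call("GET", protected_path, token=tokens["accessToken"])  # 401 until verified
    client.confirm_email(fetch_verify_token())  # in practice the token arrives by e-mail
    after = client.call("GET", protected_path, token=tokens["accessToken"])
    return before, after
```

Against the fake, run_local_flow returns the 401 'Email is not verified' body before Step 2 and a 200 afterwards, which is the behaviour the note under Step 3 describes. To drive a real deployment, construct AuthClient without the transport argument so the default http_transport is used, and obtain the verification token from the user's mailbox instead of server.last_verify_token.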