Log in with email and password
POST /api/v1/auth/login
Authenticate with email and password.
If the user has 2FA enabled, returns TwoFactorLoginResponse with a
partial_token; the client completes login via POST /auth/login/2fa.
Otherwise returns a full JWT Token.
- Trusted-device short-circuit: a valid `__Host-aisafe_trusted_device` cookie skips the 2FA challenge. Invalid/expired/tampered cookies fall through to the normal 2FA prompt and are cleared from the response.
- Rate limits: 10 / 15 min / IP (`auth_password` tier) + per-email limiter.
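The trusted-device branch described above, as an added example that is not the service's own code. The cookie format (`<user_id>.<expires>.<HMAC>`), the signing key and all function names are assumptions; only the cookie name and the fall-through-and-clear behaviour come from this page.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"          # assumption: server-side signing key
COOKIE = "__Host-aisafe_trusted_device"   # cookie name from the page


def _mac(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def sign_device(user_id: str, expires: int, key: bytes = SECRET) -> str:
    """Hypothetical cookie value: '<user_id>.<expires>.<hex HMAC-SHA256>'."""
    payload = f"{user_id}.{expires}"
    return f"{payload}.{_mac(payload, key)}"


def device_trusted(cookie: str, user_id: str, now: int, key: bytes = SECRET) -> bool:
    """True only for an untampered, unexpired cookie bound to this user."""
    parts = cookie.rsplit(".", 2)
    if len(parts) != 3:
        return False
    uid, exp, mac = parts
    expected = _mac(f"{uid}.{exp}", key)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    # Fields are only interpreted after the MAC has been verified.
    return uid == user_id and exp.isdigit() and int(exp) > now


def login_outcome(user_id, has_2fa, cookies, now=None):
    """Decide the response once the password has already been verified.

    Returns (kind, set_cookie_headers); kind is 'token' or '2fa_challenge'.
    """
    now = int(time.time()) if now is None else now
    if not has_2fa:
        return "token", []
    cookie = cookies.get(COOKIE)
    if cookie is not None and device_trusted(cookie, user_id, now):
        return "token", []          # trusted-device short-circuit
    headers = []
    if cookie is not None:
        # Clear the rejected cookie. The __Host- prefix requires Secure,
        # Path=/ and no Domain; HttpOnly and SameSite are assumptions.
        headers.append(f"{COOKIE}=; Max-Age=0; Path=/; Secure; HttpOnly; SameSite=Strict")
    return "2fa_challenge", headers
```

Binding the cookie to the user id means a cookie issued to one account cannot skip the challenge for another.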
Request
Responses
- 200: Successful Response
- 400: Bad request — malformed input or failed validation.
- 404: Resource not found, or hidden for tenant-enumeration safety (the caller lacks permission to know whether the resource exists).
- 409: Conflict — the current resource state does not allow this operation (e.g. assessment already started, email already in use).
- 422: Semantic validation failure — request shape was valid but contents were not.
- 429: Too many requests — rate limited. Retry after the window resets.
- 500: Internal server error — unexpected failure.