
Create Login Flow for Native Apps

GET /auth/self-service/login/api

This endpoint initiates a login flow for native apps that do not use a browser, such as mobile devices, smart TVs, and so on.

If a valid session cookie or session token is provided, a 400 Bad Request error is returned unless the URL query parameter ?refresh=true is set.

To fetch an existing login flow, call /login/flows?flow=<flow_id>.

You MUST NOT use this endpoint in client-side (Single Page Apps, ReactJS, AngularJS) or server-side (Java Server Pages, NodeJS, PHP, Golang, ...) browser applications. Using this endpoint in these applications will make you vulnerable to a variety of CSRF attacks, including CSRF login attacks.

In the case of an error, the error.id of the JSON response body can be one of:

session_already_available: The user is already signed in.

session_aal1_required: Multi-factor auth (e.g. 2fa) was requested but the user has no session yet.

security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred.

This endpoint MUST ONLY be used in scenarios such as native mobile apps (React Native, Objective C, Swift, Java, ...).
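
The following sketch of a native client's handling of this endpoint is an added example, not code from this API's documentation or SDK. It assumes a success status of 200, an X-Session-Token request header, and a hypothetical transport callable; the client reactions mapped to each error.id are likewise assumptions.

```python
import json
from urllib.parse import urlencode

LOGIN_API_PATH = "/auth/self-service/login/api"  # path from this page

# error.id values are from the page; the client reactions are assumptions.
ERROR_ACTIONS = {
    "session_already_available": "already_signed_in",
    "session_aal1_required": "first_factor_required",
    "security_csrf_violation": "abort",
}

def build_request(base_url, session_token=None, refresh=False):
    """Return (url, headers) for initiating a native login flow."""
    url = base_url.rstrip("/") + LOGIN_API_PATH
    if refresh:
        url += "?" + urlencode({"refresh": "true"})
    headers = {"Accept": "application/json"}
    if session_token:
        # Assumption: the session token is sent as an X-Session-Token header.
        headers["X-Session-Token"] = session_token
    return url, headers

def interpret_response(status, body_text):
    """Return ("flow", flow_dict) on success, else (action, error_id)."""
    try:
        body = json.loads(body_text)
    except ValueError:
        return ("abort", None)  # non-JSON reply: fail closed
    if not isinstance(body, dict):
        return ("abort", None)
    if status == 200:  # assumption: success is HTTP 200 with the flow as body
        return ("flow", body)
    error = body.get("error")
    error_id = error.get("id") if isinstance(error, dict) else None
    return (ERROR_ACTIONS.get(error_id, "abort"), error_id)

def start_login(transport, base_url, session_token=None, refresh=False):
    """transport(url, headers) -> (status, body_text); hypothetical HTTP hook."""
    url, headers = build_request(base_url, session_token, refresh)
    return interpret_response(*transport(url, headers))

def fake_server(url, headers):
    """Constructed stand-in mimicking the behaviour described on this page."""
    if "X-Session-Token" in headers and not url.endswith("?refresh=true"):
        return 400, json.dumps({"error": {"id": "session_already_available"}})
    return 200, json.dumps({"id": "constructed-flow-id"})
```

Unknown error ids and unparseable bodies both map to "abort", so the client never proceeds with a flow it could not positively identify.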

Request

Responses

loginFlow