Skip to main content

Submit a Login Flow

POST 
/auth/self-service/login

Use this endpoint to complete a login flow. This endpoint behaves differently for API and browser flows.

API flows expect application/json to be sent in the body and responds with HTTP 200 and a application/json body with the session token on success; HTTP 410 if the original flow expired with the appropriate error messages set and optionally a use_flow_id parameter in the body; HTTP 400 on form validation errors.

Browser flows expect a Content-Type of application/x-www-form-urlencoded or application/json to be sent in the body and respond with a HTTP 303 redirect to the post/after login URL or the return_to value if it was set and if the login succeeded; a HTTP 303 redirect to the login UI URL with the flow ID containing the validation errors otherwise.

Browser flows with an accept header of application/json will not redirect but instead respond with HTTP 200 and a application/json body with the signed in identity and a Set-Cookie header on success; HTTP 303 redirect to a fresh login flow if the original flow expired with the appropriate error messages set; HTTP 400 on form validation errors.

If this endpoint is called with Accept: application/json in the header, the response contains the flow without a redirect. In the case of an error, the error.id of the JSON response body can be one of:

session_already_available: The user is already signed in. security_csrf_violation: Unable to fetch the flow because a CSRF violation occurred. security_identity_mismatch: The requested ?return_to address is not allowed to be used. Adjust this in the configuration! browser_location_change_required: Usually sent when an AJAX request indicates that the browser needs to open a specific URL. Most likely used in Social Sign In flows.

Request

Responses

successfulNativeLogin