Authenticate an existing player
POST /auth/login
Authenticate an existing player.
Current behavior:
- With password: verifies credentials and returns access + refresh tokens.
- With password: null: sends OTP email and returns success message (no tokens yet).
- Invalid password returns 401.
Base URL examples
POST http://localhost:8001/auth/login
POST http://localhost:8000/client/auth/login
Required headers
x-client-id: <project_client_id>
x-client-secret: <project_client_secret>
Content-Type: application/json
If either client credential header is missing or invalid, the API returns 401.
Request
Responses
- 200: Successful Response
- 422: Validation Error
Request body (password login)
{
  "email": "player@example.com",
  "password": "StrongPassword123"
}
Request body (passwordless login)
{
  "email": "player@example.com",
  "password": null
}
Response behavior
{
  "success": true,
  "access_token": "jwt-or-null",
  "refresh_token": "jwt-or-null",
  "message": "human-readable status"
}
When password: null is used, token fields remain null until POST /auth/verify-otp succeeds.
cURL examples
Password login:
curl -X POST "http://localhost:8001/auth/login" \
-H "x-client-id: <client-id>" \
-H "x-client-secret: <client-secret>" \
-H "Content-Type: application/json" \
-d '{"email":"player@example.com","password":"StrongPassword123"}'
Passwordless login:
curl -X POST "http://localhost:8001/auth/login" \
-H "x-client-id: <client-id>" \
-H "x-client-secret: <client-secret>" \
-H "Content-Type: application/json" \
-d '{"email":"player@example.com","password":null}'
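Client-side handling of the response contract described under "Response behavior", as an added example (not code from this API's project). It shows why "success": true alone must not be treated as a login: the passwordless call returns success with null tokens. The function names, state labels and sample response strings are assumptions constructed for illustration.

```python
import json
import urllib.request

def build_login_request(base_url, client_id, client_secret, email, password=None):
    """Build POST /auth/login; password=None is serialized as JSON null (OTP flow)."""
    body = json.dumps({"email": email, "password": password}).encode("utf-8")
    headers = {
        "x-client-id": client_id,
        "x-client-secret": client_secret,
        "Content-Type": "application/json",
    }
    url = base_url.rstrip("/") + "/auth/login"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def interpret_login(status, body_text):
    """Map an /auth/login response to a client state; returns (state, tokens)."""
    if status == 401:
        # The page gives 401 for bad client headers and for a wrong password.
        return ("rejected", None)
    if status == 422:
        return ("invalid_request", None)
    if status != 200:
        return ("error", None)
    try:
        data = json.loads(body_text)
    except ValueError:
        return ("error", None)
    if not isinstance(data, dict) or data.get("success") is not True:
        return ("error", None)
    access, refresh = data.get("access_token"), data.get("refresh_token")
    if access is None and refresh is None:
        # success:true with null tokens means the OTP email was sent, not a login.
        return ("otp_pending", None)
    if all(isinstance(t, str) and t for t in (access, refresh)):
        return ("authenticated", {"access_token": access, "refresh_token": refresh})
    return ("error", None)  # one token only: do not treat as a session

if __name__ == "__main__":
    # Constructed sample responses, shaped like the "Response behavior" body.
    otp = '{"success": true, "access_token": null, "refresh_token": null, "message": "OTP sent"}'
    ok = '{"success": true, "access_token": "aaa.bbb.ccc", "refresh_token": "ddd.eee.fff", "message": "ok"}'
    print(interpret_login(200, otp)[0])
    print(interpret_login(200, ok)[0])
    print(interpret_login(401, "")[0])
```

In the "otp_pending" state the client should prompt for the code and call POST /auth/verify-otp; no session exists until that call returns tokens.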