Calling this endpoint authenticates an existing player and returns a fresh pair of JWT tokens. The response shape is identical to POST /auth/register, so your token-handling code works for both flows without modification.
Endpoint No authentication is required.
Request body The player’s registered email address.
Example request curl -X POST https://playsmart-gateway-1w8ko864.uc.gateway.dev/auth/login \ -H "Content-Type: application/json" \ -d '{ "email": "player@example.com", "password": "s3cur3pass" }'
Response 200 OK A signed JWT bearer token. Include this in the Authorization: Bearer header on every authenticated request. Expires in 30 days.
A signed JWT refresh token. Use this to obtain a new access token when the current one expires. Expires in 180 days.
The player’s unique identifier. Matches the auth_user_id stored on the account and the sub claim in the JWT.
The player’s email address.
The player’s display name.
Total games the player has completed.
{ "data" : { "access_token" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." , "refresh_token" : "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." , "user" : { "id" : "device-abc-123" , "email" : "player@example.com" , "pseudo" : "CoolPlayer99" , "total_games_completed" : 42 } } }
Error responses HTTP status Code Message Meaning 400 BAD_REQUESTBAD_REQUESTinvalid_payloadThe request body failed validation. Check details for field-level errors. 401 UNAUTHORIZEDUNAUTHORIZEDinvalid_credentialsNo account exists for this email, or the password is incorrect.
{ "error" : { "code" : "UNAUTHORIZED" , "message" : "invalid_credentials" } }
