Authentication

Login

POST /auth/login (no authentication required)

Authenticate with email and password to receive a bearer token. Works for all user types — admins, vendor members, and buyers.

What this means in plain English

This is the single login endpoint for the Glass Next REST API. Send your email and password, and the API returns a JWT access token plus your user profile. If your account is linked to an active vendor, the response also includes vendor details.

When to use this

  • Starting an automated integration that needs to call protected vendor endpoints.
  • Authenticating as a vendor team member and receiving vendor context in the response.
  • Obtaining a fresh token when your previous token has expired (tokens expire after 7 days).

Request body

Name | Type | Required | Description
email | string | Yes | The email address associated with your account.
password | string | Yes | Your account password.
storefrontId | string (UUID) | No | Optional storefront UUID. Required when your account is restricted to specific storefronts and you do not have an active vendor membership.

Request example

curl -X POST 'http://localhost:8080/api/v1/auth/login' \
  -H 'Content-Type: application/json' \
  -d '{
  "email": "testvendor2@glass.com",
  "password": "TestVendor2",
  "storefrontId": "550e8400-e29b-41d4-a716-446655440000"
}'

Response examples

200 Success (vendor user)

Login successful. When the user has an active vendor membership, vendor details are included.

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440001",
    "email": "vendor@example.com",
    "firstName": "Jane",
    "lastName": "Vendor",
    "role": "USER",
    "verified": true,
    "status": "ACTIVE"
  },
  "vendor": {
    "id": "550e8400-e29b-41d4-a716-446655440010",
    "name": "Jane's Store",
    "slug": "janes-store",
    "status": "ACTIVE"
  }
}

200 Success (non-vendor user)

Login successful. The vendor field is null when the user has no active vendor membership.

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440002",
    "email": "buyer@example.com",
    "firstName": "John",
    "lastName": "Buyer",
    "role": "USER",
    "verified": true,
    "status": "ACTIVE"
  },
  "vendor": null
}

401 Invalid credentials

Email or password is incorrect, or the account is inactive.

{
  "statusCode": 401,
  "message": "Invalid credentials",
  "error": "Unauthorized"
}

403 Account not verified

The account exists but email verification is not complete.

{
  "statusCode": 403,
  "message": "USER_NOT_VERIFIED",
  "error": "Forbidden"
}

403 Storefront restricted

The user is restricted to specific storefronts and the request is missing or has an invalid storefrontId.

{
  "statusCode": 403,
  "message": "This user is not authorized for this storefront",
  "error": "Forbidden"
}

Status codes

200 OK: Authentication succeeded. Token and user returned.
400 Bad Request: Validation failed (invalid email format, missing fields).
401 Unauthorized: Invalid email/password or inactive account.
403 Forbidden: Account not verified or not authorized for the storefront.
429 Too Many Requests: Rate limit exceeded (10 requests per 15 minutes on login).
500 Internal Server Error: Unexpected server error.

This is a unified login endpoint — one call works for admins, vendor members, and buyers.
The vendor field is included only when the user has an active vendor membership. Admin users always receive vendor: null.
Tokens expire after 7 days (JWT_EXPIRES_IN). Re-authenticate via this endpoint to obtain a new token.
When using Try it on this page, a successful login automatically saves your token and vendor ID for all Vendor API endpoints.
Store the access_token securely. Never expose it in client-side code or public repositories.
If your account is linked to specific storefronts, you must include a valid storefrontId (unless you have an active vendor membership).
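
The status codes, the two 403 cases, the login rate limit and the 7-day token lifetime described above, handled in a client. This is an added example, not part of the Glass Next documentation or code base: the helper names (classify_login, expires_at, needs_login, login) and outcome labels are hypothetical, and reading expiry from a JWT exp claim is an assumption, with the documented 7-day lifetime as the fallback.

```python
import base64, json, urllib.error, urllib.request

TOKEN_LIFETIME = 7 * 24 * 3600   # page: tokens expire after 7 days
RATE_WINDOW = 15 * 60            # page: 10 login requests per 15 minutes

def classify_login(status, body):
    """Map a documented login response to (outcome, data); outcome labels are made up here."""
    if status == 200 and "access_token" in body:
        vendor = body.get("vendor") or {}        # vendor is null for buyers and admins
        return "ok", {"token": body["access_token"], "vendor_id": vendor.get("id")}
    if status == 403 and body.get("message") == "USER_NOT_VERIFIED":
        return "verify_email", None
    if status == 403:
        return "storefront_required", None       # missing or invalid storefrontId
    if status == 429:
        return "back_off", {"retry_after": RATE_WINDOW}   # wait out the window
    if status in (400, 401):
        return "fix_request", None               # retrying unchanged input burns the limit
    return "server_error", None

def expires_at(token, issued_at):
    """Use the JWT 'exp' claim if present (assumption), else issued_at + 7 days."""
    try:
        part = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
        return int(claims["exp"])
    except (AttributeError, IndexError, KeyError, ValueError, TypeError):
        return int(issued_at) + TOKEN_LIFETIME

def needs_login(token, issued_at, now, margin=300):
    """True when there is no token or it is within `margin` seconds of expiry."""
    return token is None or now >= expires_at(token, issued_at) - margin

def login(base_url, email, password, storefront_id=None):
    """POST {base_url}/auth/login; the caller supplies credentials from a secret store."""
    payload = {"email": email, "password": password}
    if storefront_id:
        payload["storefrontId"] = storefront_id
    req = urllib.request.Request(base_url + "/auth/login", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return classify_login(status, json.loads(raw))
    except ValueError:                           # non-JSON body, e.g. a proxy error page
        return classify_login(status, {})
```

The payload is decoded only to schedule re-authentication; the client does not verify the signature and should not base authorization decisions on the decoded claims.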
