# Authenticate user with password

Authenticate a local user using their email and password. Include the user's login credentials in the request body. This endpoint supports optional parameters such as an invitation token (for sign-up flows via invitation) and a reCAPTCHA token (if reCAPTCHA is enabled for login). If the credentials are valid, the response includes a signed JWT and a refresh token that can be used for future authenticated requests.

Endpoint: POST /resources/auth/v1/user
Security: bearer

## Header parameters:

- `frontegg-vendor-host` (string) The vendor host domain

## Request fields (application/json):

- `email` (string)
- `username` (string) Username. Either email or username must be provided.
- `password` (string, required)
- `recaptchaToken` (string)
- `invitationToken` (string)

## Response 200 fields (application/json):

- `tokenType` (string)
- `otcToken` (string)
- `mfaRequired` (boolean, required)
- `mfaToken` (string)
- `resetPasswordToken` (string)
- `passwordExpiresIn` (number)
- `notificationPeriod` (number)
- `mfaEnrolled` (boolean)
- `mfaDevices` (object)
- `mfaDevices.webauthn` (array, required)
- `mfaDevices.webauthn.id` (string, required)
- `mfaDevices.webauthn.deviceType` (string, required) Enum: "Platform", "CrossPlatform"
- `mfaDevices.webauthn.name` (string, required)
- `mfaDevices.phones` (array, required)
- `mfaDevices.phones.phoneNumber` (string, required)
- `mfaDevices.authenticators` (array, required)
- `mfaDevices.emails` (array, required)
- `mfaDevices.emails.email` (string, required)
- `mfaStrategies` (object)
- `qrCode` (string)
- `recoveryCode` (string)
- `accessToken` (string, required)
- `refreshToken` (string, required)
- `expiresIn` (number, required)
- `expires` (string, required)
- `userId` (string)
- `userEmail` (string)
- `emailVerified` (boolean)
- `isBreachedPassword` (boolean)
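
A client-side sketch for the request and response shapes listed above, added here as an example and not taken from the vendor's SDK: it enforces the documented request rules, checks the required response fields, and masks token-bearing fields before logging. The function names are hypothetical, and two points are assumptions the reference does not spell out: that a true `mfaRequired` means the login is not complete until MFA is done with `mfaToken`, and which fields count as secrets.

```python
# Field names come from the endpoint reference above.
REQUIRED_RESPONSE = ("mfaRequired", "accessToken", "refreshToken", "expiresIn", "expires")
# Assumption: these fields carry credentials or recovery material and must not be logged.
SECRET_FIELDS = {"accessToken", "refreshToken", "mfaToken", "otcToken",
                 "resetPasswordToken", "recoveryCode", "qrCode"}


def build_login_body(password, email=None, username=None,
                     recaptcha_token=None, invitation_token=None):
    """Build the JSON body, enforcing the documented request rules."""
    if not password:
        raise ValueError("password is required")
    if not (email or username):
        raise ValueError("either email or username must be provided")
    body = {"email": email, "username": username, "password": password,
            "recaptchaToken": recaptcha_token, "invitationToken": invitation_token}
    return {k: v for k, v in body.items() if v}  # omit unset optional fields


def redact(response):
    """Copy of the response that is safe to log: secret values are masked."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in response.items()}


def interpret_login_response(response):
    """Return (next_step, warnings) for a decoded 200 response body."""
    missing = [f for f in REQUIRED_RESPONSE if f not in response]
    if missing:
        raise ValueError(f"response missing required fields: {missing}")
    if not isinstance(response["mfaRequired"], bool):
        raise ValueError("mfaRequired must be a boolean")  # "false" as a string is truthy
    warnings = []
    if response.get("isBreachedPassword"):
        warnings.append("password flagged as breached")
    # Assumption: a true mfaRequired means the session is not complete yet.
    if response["mfaRequired"]:
        if not response.get("mfaToken"):
            raise ValueError("mfaRequired is true but mfaToken is absent")
        return "complete_mfa", warnings
    return "authenticated", warnings


# Constructed sample response (not captured from a real tenant).
SAMPLE = {"mfaRequired": True, "mfaToken": "sample-mfa-token", "accessToken": "sample-jwt",
          "refreshToken": "sample-refresh", "expiresIn": 3600,
          "expires": "2030-01-01T00:00:00Z", "isBreachedPassword": True}

if __name__ == "__main__":
    print(interpret_login_response(SAMPLE), redact(SAMPLE))
```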