Auth
Log in
Authenticate with email and password and start a session.
POST
Authenticates a user and starts a session by setting httpOnly auth cookies. Public endpoint, rate-limited to 50 requests per 15 minutes per IP.
On success the response sets two httpOnly cookies —
Body
token (the access token) and refreshToken — plus a non-httpOnly vm_session hint cookie. The tokens are not included in the JSON body. For server-to-server calls, read the value of the token cookie and send it as Authorization: Bearer <token> on subsequent requests.
If the account exists but its email is not yet verified, the request returns 403 and a fresh verification code is emailed:
