
# User login

> Authenticates the user and returns an access token. For web clients, it sets an httpOnly refresh token cookie. For mobile, desktop, and server clients, it returns refreshToken in the response body.



## OpenAPI

````yaml https://raw.githubusercontent.com/InsForge/InsForge/main/openapi/auth.yaml post /api/auth/sessions
# OpenAPI 3.0.3 description of the login operation, POST /api/auth/sessions,
# plus the UserResponse schema that its 200 response references.
openapi: 3.0.3
info:
  title: Insforge Authentication API
  version: 2.0.0
  description: Authentication endpoints with separated auth and profile tables
# No server URL is declared, so the scheme (HTTPS) used to carry the
# credentials is not stated in this document.
servers: []
# Empty document-level security requirement; the login operation below
# declares none of its own, i.e. it is callable without prior authentication.
security: []
paths:
  /api/auth/sessions:
    post:
      tags:
        - Client
      summary: User login
      description: >-
        Authenticates user and returns access token. For web clients, sets
        httpOnly refresh token cookie. For mobile/desktop/server clients,
        returns refreshToken in response body.
      parameters:
        # client_type is supplied by the caller and selects how the refresh
        # token is delivered; it defaults to `web` when omitted.
        # NOTE(review): per the description, every non-web value returns
        # refreshToken in the JSON body, where page script can read it.
        # Browser clients should keep the default so the token stays in the
        # httpOnly cookie. Whether the server refuses non-web values for
        # browser-originated requests is not visible here - confirm.
        - name: client_type
          in: query
          schema:
            type: string
            enum:
              - web
              - mobile
              - desktop
              - server
            default: web
          description: >
            Client type determines how refresh tokens are returned:

            - web: Refresh token stored in httpOnly cookie, csrfToken returned
            in response

            - mobile/desktop/server: refreshToken returned directly in response
            body
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - email
                - password
              properties:
                email:
                  type: string
                  format: email
                # NOTE(review): neither `format: password` (the hint that
                # lets documentation UIs mask the field) nor any length
                # limit is declared for this property.
                password:
                  type: string
      responses:
        '200':
          description: Login successful
          # The refresh-token cookie named in the operation description is not
          # modelled here: this response declares no Set-Cookie header, so the
          # cookie name and its Secure/SameSite attributes cannot be read from
          # the spec.
          content:
            application/json:
              schema:
                type: object
                # No `required` list: every property below is optional as far
                # as the schema is concerned.
                properties:
                  user:
                    $ref: '#/components/schemas/UserResponse'
                  # Token format and lifetime are not specified in this
                  # document.
                  accessToken:
                    type: string
                  # Per the descriptions, csrfToken is populated only for web
                  # clients and refreshToken only for non-web clients; both
                  # are nullable to cover the other case.
                  csrfToken:
                    type: string
                    nullable: true
                    description: >-
                      CSRF token for use with refresh endpoint (web clients
                      only)
                  refreshToken:
                    type: string
                    nullable: true
                    description: >-
                      Refresh token for mobile/desktop/server clients (null for
                      web clients)
        '401':
          # 401 and 403 declare no response body. No 429 or lockout response
          # is documented, so throttling of failed logins, if any, is not
          # described by this spec.
          description: Invalid credentials
        '403':
          # NOTE(review): if this status can be returned before the password
          # is verified, it tells apart registered-but-unverified addresses
          # from unknown ones - confirm the check order on the server.
          description: Email verification required
components:
  schemas:
    # User object embedded in the 200 login response.
    UserResponse:
      type: object
      properties:
        id:
          type: string
          format: uuid
        email:
          type: string
          format: email
        # Free-form object (additionalProperties: true); only name and
        # avatar_url are typed.
        profile:
          type: object
          nullable: true
          additionalProperties: true
          description: User profile data (name, avatar_url, and custom fields)
          properties:
            name:
              type: string
            # NOTE(review): `format: uri` does not constrain the scheme;
            # clients that render this value should accept only http(s).
            avatar_url:
              type: string
              format: uri
        # Free-form object. Its description lists device ID and login IP, so
        # a logged or cached login response should be handled as personal
        # data.
        metadata:
          type: object
          nullable: true
          additionalProperties: true
          description: System metadata (device ID, login IP, etc.)
        emailVerified:
          type: boolean
        # Array of strings; the allowed values are not enumerated here.
        providers:
          type: array
          items:
            type: string
        createdAt:
          type: string
          format: date-time
        updatedAt:
          type: string
          format: date-time

````