How to login using the Cosync REST API #

Login to user account. This function is passed a handle and a password parameter. The password parameter must be in MD5 format.

The handle parameter can either be an email or a user name (if the app supports user names).

If the user has two-factor authentication enabled, the login function simply returns a StatusCode of 200 along with a login-token. If the application’s two-factor verification is phone, the Cosync service sends a six-digit code to the user’s phone number. If the phone number is not verified and two-factor authentication is enabled, the login will fail. For two-factor authentication, the client application must call loginComplete to complete the login. If the application’s two-factor verification is google, the user can retrieve the six digit code from the Google authentication application for login. This Google authentication code is used in the call to loginComplete.

If there is no two-factor verification for the user account, the login function will send back a JWT token that contains

  • aud - audience (the Realm App Id)
  • sub - subject (the user login handle - email)
  • exp - an expiration date for the JWT token
  • iat - the issue date for the JWT token
  • metadata fields - metadata for the user

The metadata fields are defined by the application metadata array of metaDataField objects. Each metaDataField object defines a path and a field name. The root of the path shows up as a claim on the JWT token, fields are child properties.

The JWT token is signed with the application private key that is held by the CoSync Auth service. The JWT token is used to login into MongoDB Realm by the client device.

The login function will also send back a signed access token for the logged in user. This access token contains:

  • handle - user email handle
  • appId - CoSync Auth application id
  • scope - user
  • iat - time at which claim was issued

If two-factor authentication is turned on for the user, the login function will return a signed login-token instead of a JWT token and an access token. The signed login token contains:

  • handle- user email handle
  • appId - CoSync Auth application id
  • iat - time at which claim was issued

This signed login token is used as parameter to the LoginComplete function described below.

  • handle
Method #
Headers #
	app-token: "<App Token>"
Data Parameter #
        handle: "<user handle>",
        password: "<user password>"

Response: #

Success: #

StatusCode: #
    200 (OK)
Contents: #
        jwt: "<JWT for logged in user>",
        access-token: "<access token for user>": 
        login-token: "<signed login token>",

Error: #

StatusCode: #
    400 (BAD REQUEST)
Content: #
        code: "<internal error code>",
        message: "<readable error description>"

The internal codes are integers:

  • 400 - invalid app token
  • 401 - app no longer exists
  • 402 - app is suspended
  • 403 - missing parameter
  • 404 - user account is suspended
  • 413 - app is migrated
  • 500 - internal server error
  • 600 - invalid login credentials
  • 603 - email does not exist
  • 607 - user name does not exist
  • 608 - account has not been verified
  • 611 - apple account already exist
  • 612 - google account already exist