Login

Authenticates an admin user and returns a short-lived JWT access token. The rotatable refresh token is set in an HttpOnly cookie — it is not included in the response body.

Dispatches by the provider field to a strategy registered in Spree.admin_authentication_strategies. When provider is omitted it defaults to email, which uses the built-in email/password strategy.

To plug in a third-party identity provider (Okta, Azure AD, Google Workspace SSO, a custom JWT issuer, SAML, etc.), register a Spree::Authentication::Strategies::BaseStrategy subclass under a provider key, then send { "provider": "<your_key>", ... } with the fields your strategy requires. The endpoint returns the same Spree-issued JWT regardless of which strategy authenticated the request.

POST

api

admin

auth

Spree Admin SDK

import { createAdminClient } from '@spree/admin-sdk'

const client = createAdminClient({
  baseUrl: 'https://your-store.com',
  secretKey: 'sk_xxx',
})

// The refresh token is set as an HttpOnly cookie; only `token` and `user` come back in the body.
const auth = await client.auth.login({
  email: 'admin@example.com',
  password: 'password123',
})

{
  "token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VyX3R5cGUiOiJhZG1pbiIsImp0aSI6IjA1MDE2NWYyLWIxMzgtNGUxNS1hODQzLTViOGQ3ZmQwNDRiNiIsImlzcyI6InNwcmVlIiwiYXVkIjoiYWRtaW5fYXBpIiwiZXhwIjoxNzgwNjY1NDAyfQ.kRkK_K3OdO_o-Nt1pqtAYJSsL0xmTAby07V95YGqhQU",
  "user": {
    "id": "admin_UkLWZg9DAJ",
    "email": "admin@example.com",
    "first_name": "Ingrid",
    "last_name": "Powlowski",
    "full_name": "Ingrid Powlowski",
    "created_at": "2026-06-05T13:11:41.926Z",
    "updated_at": "2026-06-05T13:11:41.926Z",
    "roles": [
      {
        "id": "role_UkLWZg9DAJ",
        "name": "admin"
      }
    ]
  }
}

Authorizations

x-spree-api-key

string

header

required

Secret API key for admin access

Headers

x-spree-api-key

string

required

Body

application/json

EmailPasswordLogin
ProviderLogin

Built-in email/password authentication (default when provider is omitted).

string<email>

required

Example:

"admin@example.com"

password

string

required

Example:

"password123"

provider

enum<string>

default:email

Available options:

email

Response

token

string

required

JWT access token

user

object

required

Show child attributes

Disable a webhook endpoint

Refresh token

⌘I

Spree Admin SDK

import { createAdminClient } from '@spree/admin-sdk'

const client = createAdminClient({
  baseUrl: 'https://your-store.com',
  secretKey: 'sk_xxx',
})

// The refresh token is set as an HttpOnly cookie; only `token` and `user` come back in the body.
const auth = await client.auth.login({
  email: 'admin@example.com',
  password: 'password123',
})

{
  "token": "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VyX3R5cGUiOiJhZG1pbiIsImp0aSI6IjA1MDE2NWYyLWIxMzgtNGUxNS1hODQzLTViOGQ3ZmQwNDRiNiIsImlzcyI6InNwcmVlIiwiYXVkIjoiYWRtaW5fYXBpIiwiZXhwIjoxNzgwNjY1NDAyfQ.kRkK_K3OdO_o-Nt1pqtAYJSsL0xmTAby07V95YGqhQU",
  "user": {
    "id": "admin_UkLWZg9DAJ",
    "email": "admin@example.com",
    "first_name": "Ingrid",
    "last_name": "Powlowski",
    "full_name": "Ingrid Powlowski",
    "created_at": "2026-06-05T13:11:41.926Z",
    "updated_at": "2026-06-05T13:11:41.926Z",
    "roles": [
      {
        "id": "role_UkLWZg9DAJ",
        "name": "admin"
      }
    ]
  }
}