> ## Documentation Index > Fetch the complete documentation index at: https://spreecommerce.org/docs/llms.txt > Use this file to discover all available pages before exploring further. # Login > Authenticates an admin user and returns a short-lived JWT access token. The rotatable refresh token is set in an HttpOnly cookie — it is not included in the response body. Dispatches by the `provider` field to a strategy registered in `Spree.admin_authentication_strategies`. When `provider` is omitted it defaults to `email`, which uses the built-in email/password strategy. To plug in a third-party identity provider (Okta, Azure AD, Google Workspace SSO, a custom JWT issuer, SAML, etc.), register a `Spree::Authentication::Strategies::BaseStrategy` subclass under a provider key, then send `{ "provider": "", ... }` with the fields your strategy requires. The endpoint returns the same Spree-issued JWT regardless of which strategy authenticated the request. ## OpenAPI ````yaml /api-reference/admin.yaml post /api/v3/admin/auth/login openapi: 3.0.3 info: title: Admin API contact: name: Spree Commerce url: https://spreecommerce.org email: hello@spreecommerce.org description: > Spree Admin API v3 - Administrative API for managing products, orders, and store settings. ## Authentication The Admin API requires a secret API key passed in the `x-spree-api-key` header. Secret API keys can be generated in the Spree admin dashboard. ## Response Format All responses are JSON. List endpoints return paginated responses with `data` and `meta` keys. Single resource endpoints return a flat JSON object. ## Resource IDs Every resource is identified by an opaque string ID (e.g. `prod_86Rf07xd4z`, `variant_k5nR8xLq`, `or_UkLWZg9DAJ`). Use these IDs everywhere — URL paths, request bodies, and Ransack filters all accept them directly. ## Error Handling Errors return a consistent format: ```json { "error": { "code": "validation_error", "message": "Validation failed", "details": { "name": ["can't be blank"] } } } ``` version: v3 servers: - url: http://{defaultHost} variables: defaultHost: default: localhost:3000 security: [] tags: - name: Authentication description: Admin user authentication - name: Product Catalog description: Products, variants, and option types - name: Orders description: >- Order management — orders, items, payments, fulfillments, refunds, gift cards, store credits - name: Customers description: Customer management — profiles, addresses, store credits, credit cards - name: Configuration description: Store configuration — payment methods, tag autocomplete paths: /api/v3/admin/auth/login: post: tags: - Authentication summary: Login description: > Authenticates an admin user and returns a short-lived JWT access token. The rotatable refresh token is set in an HttpOnly cookie — it is not included in the response body. Dispatches by the `provider` field to a strategy registered in `Spree.admin_authentication_strategies`. When `provider` is omitted it defaults to `email`, which uses the built-in email/password strategy. To plug in a third-party identity provider (Okta, Azure AD, Google Workspace SSO, a custom JWT issuer, SAML, etc.), register a `Spree::Authentication::Strategies::BaseStrategy` subclass under a provider key, then send `{ "provider": "", ... }` with the fields your strategy requires. The endpoint returns the same Spree-issued JWT regardless of which strategy authenticated the request. parameters: - name: x-spree-api-key in: header required: true schema: type: string requestBody: content: application/json: schema: oneOf: - title: EmailPasswordLogin description: >- Built-in email/password authentication (default when `provider` is omitted). type: object properties: provider: type: string enum: - email default: email email: type: string format: email example: admin@example.com password: type: string example: password123 required: - email - password - title: ProviderLogin description: > Provider-dispatched login. The `provider` key selects a registered strategy class; the remaining fields are forwarded to the strategy's `authenticate` method. Required fields depend on the registered strategy — consult its documentation. type: object properties: provider: type: string example: okta description: Registered provider key (anything other than `email`). not: enum: - email required: - provider additionalProperties: true responses: '200': description: login successful content: application/json: example: token: >- eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxLCJ1c2VyX3R5cGUiOiJhZG1pbiIsImp0aSI6IjA1MDE2NWYyLWIxMzgtNGUxNS1hODQzLTViOGQ3ZmQwNDRiNiIsImlzcyI6InNwcmVlIiwiYXVkIjoiYWRtaW5fYXBpIiwiZXhwIjoxNzgwNjY1NDAyfQ.kRkK_K3OdO_o-Nt1pqtAYJSsL0xmTAby07V95YGqhQU user: id: admin_UkLWZg9DAJ email: admin@example.com first_name: Ingrid last_name: Powlowski full_name: Ingrid Powlowski created_at: '2026-06-05T13:11:41.926Z' updated_at: '2026-06-05T13:11:41.926Z' roles: - id: role_UkLWZg9DAJ name: admin schema: $ref: '#/components/schemas/AuthResponse' '401': description: invalid credentials content: application/json: example: error: code: authentication_failed message: Invalid email or password schema: $ref: '#/components/schemas/ErrorResponse' security: - api_key: [] x-codeSamples: - lang: javascript label: Spree Admin SDK source: >- import { createAdminClient } from '@spree/admin-sdk' const client = createAdminClient({ baseUrl: 'https://your-store.com', secretKey: 'sk_xxx', }) // The refresh token is set as an HttpOnly cookie; only `token` and `user` come back in the body. const auth = await client.auth.login({ email: 'admin@example.com', password: 'password123', }) components: schemas: AuthResponse: type: object properties: token: type: string description: JWT access token user: $ref: '#/components/schemas/AdminUser' required: - token - user ErrorResponse: type: object properties: error: type: object properties: code: type: string example: record_not_found message: type: string example: Record not found details: type: object description: Field-specific validation errors nullable: true example: name: - is too short - is required email: - is invalid required: - code - message required: - error example: error: code: validation_error message: Validation failed details: name: - is too short email: - is invalid AdminUser: type: object properties: id: type: string email: type: string first_name: type: string nullable: true last_name: type: string nullable: true full_name: type: string nullable: true created_at: type: string updated_at: type: string roles: type: array items: $ref: '#/components/schemas/AdminUserRoleAssignment' required: - id - email - first_name - last_name - full_name - created_at - updated_at - roles x-typelizer: true AdminUserRoleAssignment: type: object description: A role assignment for the current store on a staff member properties: id: type: string description: Prefixed role ID example: role_abc123 name: type: string description: Role name example: admin required: - id - name securitySchemes: api_key: type: apiKey name: x-spree-api-key in: header description: Secret API key for admin access ````